December 18, 2025 — Abstractions Lab announces the release of IDPS-ESCAPE v0.6, now available on GitHub. This release continues the evolution initiated with the introduction of the RADAR subsystem in v0.4, and significantly strengthens IDPS-ESCAPE’s position as an open, modular, and research-driven SOAR (Security Orchestration, Automation, and Response) platform.
Following the functional expansion delivered throughout the v0.5 series, v0.6 focuses on consolidation, robustness, and maintainability. The release enhances RADAR's operational scenarios, improves transparency through detailed documentation, and refactors the automation layer to support long-term evolution and reproducibility. The current scenario set comprises signature-based detection of suspicious logins, GeoIP whitelist-based detection, and an anomaly-detection scenario that uses Robust Random Cut Forest (RRCF) to monitor changes in log volume.
Key Highlights of v0.6
Enhanced RADAR Scenarios on Real Wazuh Data
This release adds new RADAR scenario configurations for log-volume anomaly detection, including ingestion scripts, transformation logic, and pipeline definitions. These additions enable more accurate aggregation and anomaly detection on real Wazuh telemetry, strengthening RADAR's hybrid detection model, which combines signature-based and machine-learning-based approaches.
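To make the log-volume scenario concrete, the following is an added example written for this page, not RADAR's own ingestion scripts or pipeline. It reads constructed Wazuh alerts.json lines, aggregates them into fixed windows (the ingestion and transformation steps), and scores every window's alert count with a batch Robust Random Cut Forest using the collusive displacement (CoDisp) statistic. The sample alerts, the 60-second window, the number of trees and the CoDisp cut-off are assumptions; a production detector would shingle consecutive windows and update the forest incrementally rather than rebuilding it for each batch.

```python
"""Batch Robust Random Cut Forest (RRCF) over per-minute Wazuh alert volume.

Added example, not RADAR's own pipeline. It assumes Wazuh alerts.json lines
carrying a "timestamp" field, aggregates them into fixed windows and scores
each window's alert count with RRCF collusive displacement (CoDisp).
The alert sample, window size and cut-off are constructed for illustration.
"""
import json
import random
from datetime import datetime, timezone

WINDOW_SECONDS = 60  # aggregation window (assumed)


def make_sample_alerts(seed: int = 7) -> str:
    """Construct one hour of alerts: 8-14 per minute, with a burst at 08:42."""
    rng = random.Random(seed)
    base = datetime(2025, 12, 18, 8, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(60):
        count = 120 if minute == 42 else rng.randint(8, 14)
        for _ in range(count):
            ts = base.replace(minute=minute, second=rng.randint(0, 59))
            lines.append(json.dumps({"timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000+0000"),
                                     "rule": {"id": "5402"}}))  # rule id is a placeholder
    return "\n".join(lines)


def bucket_counts(lines: str, window: int = WINDOW_SECONDS) -> list:
    """Ingestion + transformation: count alerts per fixed time window."""
    counts = {}
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ts = datetime.strptime(json.loads(raw)["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        slot = int(ts.timestamp()) // window * window
        counts[slot] = counts.get(slot, 0) + 1
    return sorted(counts.items())  # [(window_start_epoch, count), ...]


def _build(points, idx, rng):
    """Recursively cut the point set with random axis-aligned cuts.

    Nodes are ("leaf", point_index, 1) or ("node", left, right, size).
    """
    if len(idx) == 1:
        return ("leaf", idx[0], 1)
    dims = range(len(points[0]))
    lo = [min(points[i][d] for i in idx) for d in dims]
    hi = [max(points[i][d] for i in idx) for d in dims]
    live = [d for d in dims if hi[d] > lo[d]]
    if not live:
        # all remaining points coincide: no geometric cut separates them, split evenly
        half = len(idx) // 2
        left, right = _build(points, idx[:half], rng), _build(points, idx[half:], rng)
    else:
        while True:  # pick a dimension proportional to its range, then a uniform cut
            d = rng.choices(live, weights=[hi[k] - lo[k] for k in live])[0]
            cut = rng.uniform(lo[d], hi[d])
            lidx = [i for i in idx if points[i][d] <= cut]
            if 0 < len(lidx) < len(idx):
                break
        ridx = [i for i in idx if points[i][d] > cut]
        left, right = _build(points, lidx, rng), _build(points, ridx, rng)
    return ("node", left, right, left[-1] + right[-1])


def _score(node, best, scores):
    """A leaf's CoDisp is the largest sibling-size / own-subtree-size ratio on its path."""
    if node[0] == "leaf":
        scores[node[1]] += best
        return
    _, left, right, _ = node
    _score(left, max(best, right[-1] / left[-1]), scores)
    _score(right, max(best, left[-1] / right[-1]), scores)


def rrcf_codisp(values, n_trees: int = 100, seed: int = 0) -> list:
    """Average CoDisp of every value over n_trees random cut trees."""
    rng = random.Random(seed)
    points = [(float(v),) for v in values]  # 1-D points; shingle lags for real series
    scores = [0.0] * len(points)
    for _ in range(n_trees):
        _score(_build(points, list(range(len(points))), rng), 0.0, scores)
    return [s / n_trees for s in scores]


def detect_log_volume_anomalies(lines: str, min_fraction: float = 0.5) -> list:
    """Flag windows whose CoDisp exceeds min_fraction of the sample size (assumed cut-off)."""
    buckets = bucket_counts(lines)
    scores = rrcf_codisp([c for _, c in buckets])
    cutoff = min_fraction * len(buckets)
    return [{"start": datetime.fromtimestamp(slot, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"),
             "count": count, "codisp": round(score, 1)}
            for (slot, count), score in zip(buckets, scores) if score > cutoff]


if __name__ == "__main__":
    for hit in detect_log_volume_anomalies(make_sample_alerts()):
        print(hit)
```

CoDisp grows with the size of the batch a point is scored against (a point isolated at the root of a tree of n points displaces n-1 others), which is why the cut-off here is expressed as a fraction of the window count rather than a fixed number; any threshold for real telemetry needs tuning against the deployment's baseline.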
Suspicious login detection has been refined with improved rules and simplified inline detection logic, increasing robustness while reducing operational complexity.
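The signature-plus-GeoIP idea behind the suspicious-login scenario, as an added example that is not IDPS-ESCAPE's rules or code: the block below runs an inline allowlist check over constructed Wazuh alerts.json lines. It assumes the alerts already carry a GeoLocation.country_name field (as produced by GeoIP enrichment in the Wazuh indexing pipeline) plus data.srcip, data.dstuser and rule.groups; the country allowlist, internal network ranges and sample alerts are constructed. Public sources with no GeoIP data are deliberately treated as suspicious rather than silently allowed.

```python
"""Suspicious-login check with a GeoIP country allowlist over Wazuh alerts.

Added example, not IDPS-ESCAPE's rules or code. It assumes alerts.json lines
already enriched with GeoLocation.country_name and carrying data.srcip,
data.dstuser and rule.groups. Allowlist, networks and sample alerts are
constructed for illustration.
"""
import ipaddress
import json
from typing import Optional

# Constructed policy: countries interactive logins are expected from, and the
# internal ranges that never carry GeoIP data (explicit, so documentation
# address blocks used in the sample are not mistaken for private space).
ALLOWED_COUNTRIES = {"Luxembourg", "Germany"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample alerts (one JSON object per line, as in alerts.json).
SAMPLE_ALERTS = r'''
{"timestamp":"2025-12-18T08:01:12.000+0000","rule":{"level":3,"groups":["syslog","sshd","authentication_success"]},"agent":{"name":"web01"},"data":{"srcip":"10.1.2.3","dstuser":"deploy"}}
{"timestamp":"2025-12-18T08:02:40.000+0000","rule":{"level":3,"groups":["syslog","sshd","authentication_success"]},"agent":{"name":"web01"},"data":{"srcip":"203.0.113.7","dstuser":"root"},"GeoLocation":{"country_name":"Brazil"}}
{"timestamp":"2025-12-18T08:03:05.000+0000","rule":{"level":3,"groups":["syslog","sshd","authentication_success"]},"agent":{"name":"db01"},"data":{"srcip":"198.51.100.9","dstuser":"alice"},"GeoLocation":{"country_name":"Germany"}}
{"timestamp":"2025-12-18T08:03:30.000+0000","rule":{"level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"db01"},"data":{"srcip":"203.0.113.7","dstuser":"root"},"GeoLocation":{"country_name":"Brazil"}}
{"timestamp":"2025-12-18T08:04:00.000+0000","rule":{"level":3,"groups":["syslog","sshd","authentication_success"]},"agent":{"name":"db01"},"data":{"srcip":"192.0.2.55","dstuser":"bob"}}
'''


def is_internal(ip: str) -> bool:
    """True only for addresses inside the explicitly listed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify_login(alert: dict) -> Optional[str]:
    """Verdict for a successful-login alert; None if the alert is not one."""
    if "authentication_success" not in alert.get("rule", {}).get("groups", []):
        return None
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        return "suspicious_no_srcip"  # a login with no source address deserves a look
    if is_internal(srcip):
        return "allowed_internal"
    country = alert.get("GeoLocation", {}).get("country_name")
    if country is None:
        # public source with no GeoIP data: fail closed rather than silently allow
        return "suspicious_no_geoip"
    if country in ALLOWED_COUNTRIES:
        return "allowed_country"
    return "suspicious_country"


def scan(lines: str) -> list:
    """Apply classify_login to every alert line and return the suspicious ones."""
    findings = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        alert = json.loads(raw)
        verdict = classify_login(alert)
        if verdict and verdict.startswith("suspicious"):
            data = alert.get("data", {})
            findings.append({
                "timestamp": alert.get("timestamp"),
                "agent": alert.get("agent", {}).get("name"),
                "user": data.get("dstuser"),
                "srcip": data.get("srcip"),
                "country": alert.get("GeoLocation", {}).get("country_name"),
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_ALERTS):
        print(finding)
```

Of the five constructed alerts, only the root login from Brazil and the login from a public address with no GeoIP data are reported; the failed attempt is ignored because the check keys on authentication_success, and the internal and allowlisted-country logins pass.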
Refactored Infrastructure-as-Code Automation
A major architectural improvement in v0.6 is the refactoring of the Wazuh Manager Ansible playbooks. Tasks previously contained in a large monolithic file have been modularized into clearly scoped components covering bootstrap, host configuration, decoders, rules, responses, OSSEC, Filebeat, lists, and staging. This change improves readability, maintainability, and extensibility of the deployment stack.
For completeness and traceability, the original monolithic playbook has been preserved in an archive within the repository.
Deeper Insight into RADAR Internals
IDPS-ESCAPE v0.6 introduces comprehensive technical documentation describing the internal execution pipeline of run-radar.sh. The new material details the three-stage RADAR workflow — data ingestion, detector creation, and monitor setup — reinforcing the project’s emphasis on traceability, explainability, and reproducible security experimentation.
Deployment documentation for automated Wazuh and RADAR activation via Ansible has been further refined, providing a clearer operational reference for both research and production-oriented environments.
Reliability and Correctness Improvements
IDPS-ESCAPE v0.6 fixes several RADAR-related issues, including bugs that could corrupt previously installed scenarios depending on execution order. The RADAR CLI Docker image has been corrected, and multiple scenario templates and documentation gaps have been resolved. Improvements to connectivity handling, webhooks, and alert processing further increase runtime stability.
Availability
IDPS-ESCAPE v0.6 is available now as a free and open-source release on GitHub:
https://github.com/AbstractionsLab/idps-escape
The repository includes updated documentation, deployment automation, technical specifications, and validation artifacts. Community feedback and contributions are welcome.
Roadmap
- Hybrid risk computation combining ML-based anomaly detection (AD) and signature-based detection
- Integration of the DECIPHER subsystem of SATRAP to enhance RADAR detections with CTI enrichment and playbooks
- Integration of Flowintel into the RADAR detection cycle through DECIPHER
- New RADAR scenarios: hybrid suspicious login (ML-based + signature-based)
- ADBox v2.0 redesign
- Integration of ADBox and RADAR
- OpenTide threat objects integration
