MarlinSpike is built around packet captures going in and no packets being sent back into the environment.
MarlinSpike documentation for deployment, architecture, and OT response workflows.
Use this wiki to understand how MarlinSpike is deployed, how the analysis chain works, where the repo family is headed, and how operators and contributors should navigate the project.
The normal deployment is a reverse-proxied Docker host that multiple responders can use together.
The JSON report artifact is the handoff between packet analysis and downstream review.
Start here
If you only need the main picture, read the pages below in order: what MarlinSpike is, how to launch it, how the analysis chain is structured, and where the codebase is heading as the repo family splits out.
Getting started
Product positioning, quick-start commands, core workflow, and the documentation trail for new operators.
Deployment
Docker Compose setup, reverse proxy guidance, persistent data, upgrades, backups, and remote deployment notes.
Architecture
The five-stage analysis chain, report artifact boundary, protocol coverage, exports, and standards-aligned findings.
Repo family
How the suite repo, workbench, engine, plugins, and Rust engines are being split into authoritative component repos.
Documentation map
The wiki is organized around the actual checked-in project docs, not invented marketing categories. Each page below has a clear source document trail back into the repository.
| Page | What it covers | Main source docs |
|---|---|---|
| Getting Started | Product identity, quick start, workflow, and the main reading path. | README.md, INSTALL.md |
| Deployment | Docker, reverse proxy, persistent volumes, upgrades, backups, remote deployment, live capture. | INSTALL.md |
| Architecture | Five-stage analysis chain, report artifact boundary, detection coverage, exports, and operator flow. | README.md |
| Repo Family | Suite repo, component repos, subtree model, and transition state. | docs/repo-family.md, CONTRIBUTING.md |
| Extensibility | Rust engines, Python plugins, YAML rule packs, and compatibility expectations. | docs/extensibility-contracts.md |
| Presets | What the public repo does and does not ship for local capture libraries. | presets/README.md, README.md |
| Contributing | Focused PR guidance, local checks, subtree helpers, and data-handling rules. | CONTRIBUTING.md |
| Releases | Engine history, web UI versioning, live-viewer track, and recent highlights. | releases.md, releases-live.md |
How to read the project
The repository makes more sense once you keep four ideas in view:
- MarlinSpike is breach-triage-first, not a generic packet viewer. Passive traffic goes in, responder-facing output comes out.
- The report artifact is central. The workbench reads it, plugins extend it, and teams can archive it or move it elsewhere.
- The normal operating model is a temporary shared host with a shared URL, not a single-user desktop thick client.
- The codebase is intentionally splitting into a repo family so the suite repo can vendor a known-good combination of engine, workbench, plugins, and Rust engines.
Need source downloads or package status next?
The downloads page tracks the official repo, source archives, Docker deployment path, and the honest state of public binaries and packages.