Engineering skills applied in the project
Nemesis exercises, in practice, a broad set of skills: operating systems, kernel, security, Rust and DevSecOps. Each one is mapped to the point in the code that evidences it and to the page that explains it.

How to read
Each row points to the concept page and the real source file. It is a traceable index of applied study, not a buzzword list. And the material’s rule holds: protection is the sum of layers (the coefficient), never the count of visitors.
In 30 seconds
The project joins the low level (kernel, eBPF, LSM, Landlock) with defensive software engineering (fail-closed Rust, linear regex, determinism) and static analysis (AST, taint, entropy), tied into a DevSecOps process with an adversarial gate. The three layers (the isolated concept), the way they reinforce each other (the correlation) and the real block before execution (the convergence) are what each page details.
The isolated concept: skills by domain
Operating systems and low-level engineering
| Skill | Evidence in the code | Study |
| POSIX process model, stdio, exit code as contract | hook reads stdin, std::process::exit(2); spawn with null stdio | 1 |
| Kernel programming with eBPF, verifier and BPF-LSM | nemesis-block.bpf.c, mapas, lsm/bprm_check_security | 2 |
| Rootless sandbox and egress control (cgroup, Landlock) | landlock.rs::apply_sandbox, lsm/socket_connect, LPM trie | 3 |
Rust and software engineering
| Skill | Evidence in the code | Study |
| Workspace, reproducible build, committed Cargo.lock | Cargo.toml, --locked no CI | 4 |
| Errors without exceptions (Result/Option) and fail-closed (catch_unwind → exit 2) | main.rs match em fs::read; nemesis-pretool-check-unix.rs::main | 4 |
| Algorithmic safety (linear regex, ReDoS) and determinism | crate regex; MAX_DECODE_DEPTH, faixas de tamanho | 4 |
Static analysis and language theory
| Skill | Evidence in the code | Study |
| Parsing and AST traversal (tree-sitter, Visitor pattern) | ast_scanner.rs::traverse_* | 5 |
| Layered pipeline architecture | lib.rs::scan_content | 5 |
| Information theory (entropy) and data flow (taint) | entropy.rs::shannon_entropy; taint_tracker.rs (3 passadas) | 5 |
AI and application security
| Skill | Evidence in the code | Study |
| Agent integration (multi-IDE hooks), interception | tool-to-intent translation in the pretool | 6 |
| Deterministic vs probabilistic enforcement | compute_severity (pure function) | 6 |
| Defense against prompt injection and IDE poisoning | prompt_injection.rs, ide_config_poisoning.rs | 7 |
| Malware and supply chain detection | recursive decoder + manifest_scanner + AST visitors (method) | 8 |
Defense architecture and DevSecOps
| Skill | Evidence in the code | Study |
| Defense in depth (3 independent layers) | pretool + daemon + eBPF | 9 |
| Trust modeling (corroboration, reversibility) | Tier A/B em compute_severity, quarentena | 9 |
| Honest threat modeling (declared limits) | self-audit.yml notas, AGENTS.md §2 | 10 |
| Build chain (SLSA, SHA pinning, audit) and observability | self-audit.yml, release.yml, nemesis-doctor, run-pentest.sh | 10 |
How it correlates
None of these skills stands alone. Exit code (1) only contains because Rust's fail-closed (4) guarantees even an error ends in a block; the kernel (2) only acts with scope because the cgroup (3) knows which process is the agent; code reading (5) only matters because it feeds the decision (9); and the decision is only trustworthy because the process (10) validates it adversarially. Maturity is not in knowing each piece, it is in making them reinforce each other.
How Nemesis applies it (the convergence)
All of this converges into a single observable fact: a destructive command or a malicious payload is blocked with exit 2 (or -EPERM in the kernel) before executing, or a hostile file is moved to quarantine before causing damage. That is what separates a prototype from a security tool: engineering becomes real containment, reversible and honest about its limits.
Synthesis
The thread is joining the low level (kernel/eBPF) with defensive software engineering (fail-closed Rust, determinism) and process (CI as an adversarial gate), with honesty about limits. That set is what the project develops and what this material evidences.