Note: This project was developed with AI assistance (Gemini).
An AI-assisted security analysis tool that ingests security artifacts (SIEM-style logs and vulnerability scan results as JSON), correlates events using time/entity grouping and MITRE ATT&CK-mapped pattern matching, and hands the correlated picture to an LLM (via OpenRouter) for a narrative threat assessment.
- Ingests data - Reads JSON files containing SIEM-style logs and vuln scan results
- Correlates events - Groups related events by time, IP/user/host, and matches against known attack patterns (MITRE ATT&CK mapped)
- AI analysis - Sends the correlated data to an LLM for a more narrative threat assessment
- Prints a report - Color-coded console output with severity levels and recommendations
```bash
# Install deps (I used uv, but pip works too)
uv sync
# or: pip install -r requirements.txt

# Copy env file and add your OpenRouter key
cp .env.example .env
# edit .env and add: OPENROUTER_API_KEY=your_key
```

The API key lives only in `.env`; keep that file out of version control.

```bash
# With sample data
python -m security_analyst

# Point to your own data
python -m security_analyst /path/to/data

# Skip the AI part (just correlation)
python -m security_analyst --no-ai
```

There's also a chat interface if you want to interact with the agent:

```bash
# Terminal 1: backend
python agentos.py

# Terminal 2: frontend
cd agent-ui && npm run dev
```

Then hit http://localhost:3000 and connect to http://localhost:7777.
```text
src/security_analyst/
├── main.py        # CLI entry point
├── ingester.py    # Loads JSON artifacts
├── correlator.py  # Time/entity/pattern correlation
├── patterns.py    # MITRE ATT&CK pattern definitions
├── analyzer.py    # Agno agent + OpenRouter integration
├── prompts.py     # System/analysis prompts for the LLM
├── reporter.py    # Rich console output
├── models.py      # Pydantic data models
└── tools.py       # DuckDB query tools for the agent
```
The data/samples/ folder has synthetic logs that simulate a basic attack chain: brute force → login → add user → privesc → exfil. I generated these to test the correlation logic.
Current limitations:
- JSON only (no CSV, Splunk exports, etc.)
- Batch processing only (no streaming)
- The correlated data is sent to the LLM in a single prompt, so model context/token limits become a problem with large datasets
- Anything you analyze with AI enabled (IPs, usernames, hostnames, finding details) leaves your environment via OpenRouter; use `--no-ai` for data you can't share with a third party
If I had more time:
- DuckDB/ClickHouse for larger datasets
- Multi-agent setup (triage agent → investigation agent)
- RAG with threat intel feeds
- REST API for integration
Built with Python, Agno, OpenRouter, DuckDB, and Rich.