SAW (Security Analyst Workspace) Multi-Agent Security Operations Assistant (MSOA)
The Adaptive Security Agent (ASA) / Multi-Agent Security Operations Assistant (MSOA) is a production-grade multi-agent system designed for automated security log triage, threat classification, and incident mitigation tracking. It leverages a hybrid approach, combining fast pre-filtering with Deep AI reasoning capabilities.
To combat alert fatigue in Security Operations Centers (SOC). By automating repetitive log triaging tasks and applying deterministic and LLM-assisted validation, security analysts can focus their time on complex incidents that require human judgment, backed by consistent automated incident reporting.
Security Analysts, SOC Managers, and DevSecOps teams looking for an automated first-line defense investigator capable of providing consistent, explainable threat assessments.
It operates in real-time, ingesting logs and network behavior outputs from edge systems, firewalls, and application gateways as incidents occur, allowing for immediate automated triage.
It is deployed as a FastAPI backend service. It can run locally, in Docker containers, or directly integrated into Cloud infrastructure to act as a listener for security events.
The system utilizes a multi-agent orchestration pattern (via Google ADK):
- Coordinator Agent: Receives and plans the response workflow.
- Detection Agent: Normalizes logs and classifies the initial threat type using heuristic rules or LLM checks.
- Risk Agent: Scopes the severity of the alert, factors in historical attack memory (rapid escalation vs. single events), and formulates an action framework.
- Mitigation & Audit Agents: Recommends immediate mitigations and records full explainable tracing.
The project operates primarily in a hybrid execution pattern:
- Deterministic Pipeline: Applies standard signature-matching, rule-based filtering, and rate-limiting limits to drop or tag obvious issues quickly with near-zero latency.
- LLM-Assisted Pipeline: For ambiguous or low-confidence logs, or when behavior overrides require complex thought, the system escalates to Google ADK-powered AI agents (Gemini) capable of examining contextual subtleties that bypass static rules.
Follow these steps to set up and run the ASA server on your local machine.
- Python 3.10+
- (Optional but Recommended) Google / Gemini API Key for active LLM agent reasoning.
- Open PowerShell and navigate to your desired directory.
- Clone / Prepare your project folder.
- Create a Virtual Environment:
python -m venv .venv - Activate Native Environment:
.\.venv\Scripts\Activate.ps1
- Install the Dependencies:
python -m pip install --upgrade pip pip install -r requirements.txt
- Environment Variables setup:
Copy the sample configuration file to instantiate your local
.env.OpenCopy-Item .sampleenv .env.envin a text editor. Add your API Key toGOOGLE_API_KEY=orGEMINI_API_KEY=if you wish to run the LLM-assisted tools instead of pure deterministic fallback mode.
Start the Uvicorn-based FastAPI real-time server:
python -m uvicorn app.main:app --host 0.0.0.0 --port 8080 --reloadThe server will be reachable at http://127.0.0.1:8080.
(The root endpoint / serves an interactive frontend UI dash).
- FastAPI / Uvicorn: High-performance asynchronous API layer.
- Pydantic: Robust schema enforcement and data validation.
- Google GenAI SDK: Core interface for interaction with Gemini models.
- Google ADK: Multi-agent orchestration, state sharing, and system boundaries.
Here are the critical REST endpoints for system integration:
GET /health: Basic ping and uptime status.GET /metrics-json: Live statistics for inflight requests, rate limits, and system status variables.GET /latest: Fetches the response structure of the most recent processed incident for dashboarding.
POST /ingest-log: Primary endpoint. Accepts raw application strings or structured JSON to investigate a potential threat. Required Header:x-api-key.POST /assistant/request: Flexible endpoint handles specific conversational request types like"log_triage","incident_followup", or"task_command".POST /agent-test: Debugging route explicitly testing LLM orchestration against a prompt payload.
GET /tasks: Query the currently assigned tracking tasks / manual reviews remaining. Support incident filtering via?incident_id=xyz.POST /tasks: Manually assign a follow up or review token for Analyst users.POST /tasks/{task_id}/complete: Resolve an assigned investigation item.
Built for robust SOC security triage and rapid threat deployment workflows. Stay secure!