RedTrace

Enterprise-grade threat intelligence for teams without enterprise budgets, transforming attacker telemetry into continuously improving defence.

Comment

Project Story — RedTrace

Inspiration

  • Origin: Born from the need to turn noisy honeypot telemetry into actionable fixes, not just alerts.
  • Vision: Automate the loop from detection → triage → remediate so defenders can move faster.
  • Motivation: Reduce mean-time-to-fix for configuration and code-level weaknesses exposed by attackers.
  • User focus: Make security work practical and auditable for small ops teams.

What it does

  • Real-time detection: Ingests honeypot logs and streams live events to a dashboard.
  • Contextual analysis: Maps events to MITRE ATT&CK tactics and produces per-event risk scores.
  • Automated remediation: Generates agent tickets with suggested patches and instructions for a GitHub agent.
  • Visibility: Broadcasts classification, correlation chains, and ticket progress via SSE so the team sees the whole pipeline.

How we built it

  • Backend: FastAPI + Uvicorn serving async endpoints and an in-process SSE bus.
  • LLM integration: Google Gemini (via google-generativeai) to classify and synthesize remediation artifacts.
  • Frontend: React + Vite with Tailwind-style utilities and lucide-react icons for a compact dashboard UI.
  • Automation: Helper scripts (gh CLI) and agent workflows that can post issues / create PRs programmatically.

Challenges we ran into

  • LLM reliability: Model responses can be noisy or disconnect; required robust JSON extraction and retries.
  • Output consistency: Needed strict prompt schemas and post-processing to make automation safe.
  • Integration surface: Coordinating SSE, background tasks, and optional external gh CLI behavior without blocking the API.
  • UX clarity: Conveying complex attack context and automated remediation in a small, scannable UI.

Accomplishments we're proud of

  • End-to-end flow: From raw honeypot logs to a runnable agent ticket containing a suggested patch.
  • Practical automation: The system can produce concrete patch text and step-by-step instructions for a GitHub agent.
  • Real-time UX: A compact dashboard that shows classification, correlation chains, and a ticket workflow animation.
  • Resilience: Defensive code around LLM outputs and optional external integrations to avoid failing the pipeline.

What we learned

  • Prompts matter: Clear schemas and explicit instructions dramatically improve machine-generated artifacts.
  • Fail-safe defaults: External integrations must be optional and the system should always emit fallback events.
  • Developer ergonomics: Fast feedback loops (SSE + live UI) make iteration far faster than log-only approaches.
  • Scope control: Automated fixes need human-in-the-loop checkpoints for non-trivial changes.

What's next for RedTrace

  • Automated PR application: Safely wire the GitHub agent to create PRs and run CI checks automatically.
  • Feedback loop: Capture PR outcomes and CI results to refine the classifier and ticket generation prompts.
  • Role-based controls: Add approval workflows and safety gates for high-impact production changes.
  • Expanded telemetry: Ingest additional sensors (Wazuh, network) and enrich correlation with threat intel.

Built With

Share this project:

Updates