Thornmail was inspired by the frustration of seeing real security threats buried under thousands of noisy alerts. Instead of treating every log as a separate issue, we wanted to build a system that thinks the way human analysts do by organizing activity into clear, connected stories rather than scattered events.

Through this project, we learned how to design reliable security algorithms for clustering and risk scoring, while using AI as a support tool for highlighting key points and important patterns in the data, not as the final decision maker. Our platform uses a structured pipeline that ingests logs, groups related activity into transparent and explainable cases, scores risk using clear rules, and then uses AI to surface critical details, relationships, and recommended next steps.

A core goal of Thornmail is to keep security analysts in control. The system organizes and explains what happened, points out what matters most, and reduces noise, but the final judgment is always made by a human analyst. One of our biggest challenges was balancing intelligence with trust. We focused on making the system explainable, conservative, and auditable, while still being powerful enough to highlight real security threats.
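The clustering and rule-based scoring stages described above, as an added illustration rather than Thornmail's own code: events are grouped into cases per principal and time window, and every point of risk is paired with the rule that produced it so the analyst can audit the result. The event format, the 600-second window, and the rule weights are assumptions, and the events are constructed for the example.

```python
from dataclasses import dataclass, field
# Constructed sample events, not real telemetry: (timestamp_seconds, user, src_ip, action)
EVENTS = [
    (0, "alice", "10.0.0.5", "login_failed"),
    (20, "alice", "10.0.0.5", "login_failed"),
    (40, "alice", "10.0.0.5", "login_failed"),
    (60, "alice", "10.0.0.5", "login_success"),
    (90, "alice", "10.0.0.5", "privilege_escalation"),
    (100, "bob", "10.0.0.9", "login_success"),
    (5000, "alice", "10.0.0.5", "login_success"),
]
WINDOW = 600  # assumed: seconds of inactivity after which a principal's next event opens a new case

@dataclass
class Case:
    key: str  # principal the case is about, e.g. "alice@10.0.0.5"
    events: list = field(default_factory=list)
    score: int = 0
    reasons: list = field(default_factory=list)  # one line per rule that fired, for audit

def cluster(events, window=WINDOW):  # group by (user, src_ip); a long gap splits the case
    cases, open_cases = [], {}
    for ts, user, ip, action in sorted(events):
        key = f"{user}@{ip}"
        case = open_cases.get(key)
        if case is None or ts - case.events[-1][0] > window:
            case = Case(key)
            cases.append(case)
            open_cases[key] = case
        case.events.append((ts, user, ip, action))
    return cases

def score(case):  # fixed rules (assumed weights); every point added carries a reason
    actions = [e[3] for e in case.events]
    failures = actions.count("login_failed")
    if failures >= 3:
        case.score += 40
        case.reasons.append(f"{failures} failed logins within one case")
    if failures and "login_success" in actions[actions.index("login_failed"):]:
        case.score += 30
        case.reasons.append("successful login after failed attempts")
    if "privilege_escalation" in actions:
        case.score += 30
        case.reasons.append("privilege escalation observed")
    return case

def triage(events):  # cluster, score, rank: the analyst sees the highest-risk story first
    return sorted((score(c) for c in cluster(events)), key=lambda c: c.score, reverse=True)
```

Running `triage(EVENTS)` yields three cases; the first alice case scores 100 with three listed reasons, while bob's single login and alice's later isolated login each score 0.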

Built With

  • fastapi-0.115.5
  • next.js-16.1.4
  • numpy-2.1.3
  • ollama-+-llama-3
  • pandas-2.2.3
  • postcss
  • python-3.11+
  • react-19.2.3
  • sse-starlette
  • tailwind-css-4
  • typescript-5
  • uvicorn-0.32.0
  • watchdog-3.0.0