Inspiration
Security teams lose time moving between alert queues, SIEM searches, investigation notes, AI tools, forensic utilities, and executive reporting. We wanted Sentinel Ops Agent to show what a practical AI-assisted SOC workflow could look like when alert triage, incident investigation, leadership briefings, and MCP-based forensic tooling are connected in one project.
What it does
Sentinel Ops Agent combines two systems:
- A full-stack SOC web app for alert triage, incident review, realtime investigation updates, executive briefings, metrics, and query workflows.
- A Python FastMCP forensic agent that exposes investigation tools for disk, memory, packet, cloud, container, timeline, correlation, and YARA-oriented workflows.
The web app is designed to help analysts review alerts, correlate incidents, launch investigations, generate executive summaries, and keep sensitive response actions behind human approval. The MCP package provides repeatable forensic tooling and report generation for evidence-driven investigations.
How we built it
The SOC app uses React, Vite, TypeScript, Tailwind CSS, Radix UI, Express, tRPC, Drizzle ORM, MySQL, and Server-Sent Events. The backend includes authentication, alert and incident routers, investigation jobs, realtime event handling, AI provider integration points, and response-action approval controls.
The MCP layer is built in Python with FastMCP, Pydantic, Anthropic integration, forensic tool dispatch, deterministic evaluation, and HTML reporting. We also added a ransomware-style demo seed workflow that generates 193 synthetic security events across multiple attack stages through the Splunk mock path.
Challenges we ran into
The hardest part was making the project feel like a real security product instead of a UI mockup. We had to connect frontend workflows, backend authorization, database requirements, realtime updates, AI investigation paths, and MCP tooling while keeping the submission secure. During cleanup, we removed committed secrets and generated artifacts, added missing Python dependencies, required explicit MCP API key configuration, and fixed a self-approval vulnerability in response actions.
Accomplishments that we're proud of
- Built a complete SOC-style application architecture with frontend, backend, database models, realtime transport, AI hooks, and security controls.
- Added a separate FastMCP forensic agent with cloud, container, disk, memory, network, timeline, correlation, and YARA-oriented tooling.
- Passed the automated validation suite: 63 TypeScript/Vitest tests and 305 Python/pytest tests.
- Created a demo seed path for ransomware-style security events.
- Hardened the project by removing secrets, eliminating generated artifacts from source control, enforcing explicit secret configuration, and preventing response action self-approval.
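The self-approval fix mentioned under "Challenges we ran into" and in the hardening item above comes down to a separation-of-duties check on the approval path. The sketch below is an added illustration, not the project's own code; the types, role names, sample users and the `approveAction` function are all hypothetical.

```typescript
// Hypothetical types for illustration; not the project's schema.
type Role = "analyst" | "approver" | "admin";
type Status = "pending" | "approved" | "rejected";
type Reason = "approved" | "not_pending" | "missing_role" | "self_approval";

interface User { id: string; roles: Role[] }
interface ResponseAction {
  id: string;
  kind: string;          // e.g. "isolate_host"
  requestedBy: string;   // user id of the analyst who requested the action
  status: Status;
  approvedBy?: string;
}
interface Decision { allowed: boolean; reason: Reason; action: ResponseAction }

// Decide whether `approver` may approve `action`. The approver must be the
// authenticated session user, never an id taken from the request body.
function approveAction(action: ResponseAction, approver: User): Decision {
  // Only pending actions can be approved; this also blocks re-approval.
  if (action.status !== "pending") {
    return { allowed: false, reason: "not_pending", action };
  }
  const canApprove = approver.roles.some(r => r === "approver" || r === "admin");
  if (!canApprove) {
    return { allowed: false, reason: "missing_role", action };
  }
  // Separation of duties: the requester can never approve their own action,
  // even when they also hold an approving role.
  if (approver.id === action.requestedBy) {
    return { allowed: false, reason: "self_approval", action };
  }
  // Return a new record instead of mutating the input.
  const approved: ResponseAction = { ...action, status: "approved", approvedBy: approver.id };
  return { allowed: true, reason: "approved", action: approved };
}

// Constructed sample data.
const pendingAction: ResponseAction = {
  id: "ra-1", kind: "isolate_host", requestedBy: "u-alice", status: "pending",
};
const alice: User = { id: "u-alice", roles: ["analyst", "admin"] };
const bob: User = { id: "u-bob", roles: ["approver"] };
const carol: User = { id: "u-carol", roles: ["analyst"] };
```

Each denial carries a distinct reason so it can be written to an audit log, and the same check belongs on the server side of the approval endpoint rather than only in the UI.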
What we learned
We learned that AI security tooling is most useful when it is grounded in workflow, evidence, and governance. The strongest pattern was not simply asking an LLM for an answer, but wrapping AI around structured alerts, forensic tools, approval rules, and reports that analysts and executives can actually use.
What's next
Next we would add a hosted demo environment with configured MySQL and OAuth, richer end-to-end browser tests, production deployment templates, more SIEM integrations, signed audit logs, deeper role-based access control, and a polished evidence pack for judges to run the MCP agent against directly.
Built With
- anthropic-claude
- docker
- docker-compose
- drizzle-orm
- express.js
- fastmcp
- mysql
- node.js
- ollama-compatible-ai-workflows
- pydantic
- pytest
- python
- radix-ui
- react
- server-sent-events
- tailwind-css
- trpc
- typescript
- vite
- vitest
- yara