A self-hosted endpoint defense platform for Linux and Windows
Real telemetry. Rule-driven detections. Correlated findings. Controlled response.
SecOS Defender v2 transforms this repository from a prototype into a modern endpoint defense stack. It combines a FastAPI detection backend, a live analyst console, a pluggable Go agent scaffold, Sigma-style YAML rule packs, and inventory-based vulnerability correlation into one coherent platform.
This repository is designed for:
- π Security analysts who need a live triage and investigation surface
- π§ Blue-team engineers who want normalized telemetry and rule-driven detection
- βοΈ Builders who want a strong starting point for a self-hosted EDR/XDR-style product
| Capability | Description |
|---|---|
| π¨ Runtime detections | Normalized event ingestion with rule-based alert generation |
| π§© Correlated findings | Deduplicated findings across runtime and vulnerability evidence |
| π¦ Vulnerability intelligence | Software inventory matched against a seeded vulnerability feed |
| π₯οΈ Analyst console | React-based UI for alerts, findings, hosts, exposure, and actions |
| ποΈ Response orchestration | Manual approval flow for host actions such as isolation or artifact collection |
| π‘ Live updates | WebSocket-backed streaming updates with polling fallback |
| π§ͺ Demo telemetry | Fixture-driven producer for realistic sample events and inventory |
| ποΈ Extensible agent | Go agent scaffold with local buffering, polling, and TLS-ready client code |
flowchart LR
A["π°οΈ Agent / Demo Producer"] --> B["π₯ FastAPI Ingest API"]
B --> C["π§ Rule Engine"]
B --> D["π¦ Inventory Correlator"]
C --> E["π¨ Alerts"]
C --> F["π§© Findings"]
D --> F
D --> G["π Vulnerabilities"]
E --> H["π‘ WebSocket Stream"]
F --> H
G --> H
H --> I["π₯οΈ Analyst Console"]
I --> J["ποΈ Response Actions"]
J --> B
B --> K["ποΈ PostgreSQL"]
server/: FastAPI backend, SQLAlchemy models, ingest pipeline, rule engine, worker, and vulnerability feedconsole/: React + TypeScript analyst console built with Viteagent/: Go-based agent scaffold with fixture collectors, persistent queue, heartbeat, and action looprules/default/: Sigma-compatible detection packs in YAMLfixtures/demo/: Demo events and inventory reports for Linux and Windowssrc/simulation/attack_simulator.py: Demo producer that sends data into the v2 APIs
SecOS Defender v2 is built around a few clear principles:
- High signal first: the system prioritizes alerts, findings, and exposure that operators can act on
- Normalized telemetry: collectors and producers converge on a single event shape
- Detection as content: rules are versioned YAML packs rather than hard-coded scripts
- Self-hosted by default: everything is designed to run inside your own environment
- Controlled response: actions are queued and approved deliberately instead of executed blindly
.
βββ agent/ # Go agent scaffold
βββ console/ # React/Vite analyst console
βββ fixtures/demo/ # Demo event and inventory payloads
βββ rules/default/ # YAML rule packs
βββ server/ # FastAPI backend and worker
βββ src/simulation/ # Demo producer entrypoint
βββ tests/ # API and integration-oriented tests
βββ docker-compose.yml # Local multi-service startup
βββ .env.example # Example environment variables
Bring up PostgreSQL, the API, the worker, and the analyst console:
docker compose up --buildThen open:
- API health: http://localhost:8000/api/v1/health
- Analyst console: http://localhost:5173
Create a virtual environment and install backend dependencies:
python -m venv .venvActivate the environment:
.\.venv\Scripts\Activate.ps1or:
source .venv/bin/activateInstall dependencies and start the API with a shell-agnostic command:
pip install -r server/requirements.txt
python -m uvicorn --app-dir server app.main:app --host 0.0.0.0 --port 8000If you explicitly want to use PYTHONPATH instead:
- PowerShell:
$env:PYTHONPATH = "server" - cmd.exe:
set PYTHONPATH=server - macOS / Linux:
export PYTHONPATH=server
cd console
npm install
npm run dev -- --host 0.0.0.0With the API running:
python src/simulation/attack_simulator.pyThe demo producer sends:
- Linux process events that trigger
curl | bashand dangerous permission change detections - Windows Sysmon-style PowerShell encoded-command activity
- Software inventory that generates vulnerability findings from the seeded advisory feed
The v2 backend exposes the following primary endpoints:
POST /api/v1/ingest/eventsPOST /api/v1/ingest/inventoryPOST /api/v1/agents/heartbeat
GET /api/v1/actions/pollPOST /api/v1/actionsPOST /api/v1/actions/{id}/approvePOST /api/v1/actions/{id}/result
GET /api/v1/overviewGET /api/v1/alertsGET /api/v1/findingsGET /api/v1/vulnerabilitiesGET /api/v1/hostsGET /api/v1/rulesGET /api/v1/actions
WS /api/v1/ws/stream
The platform is organized around a few key entities:
- Normalized events: platform-agnostic telemetry from collectors and producers
- Alerts: direct rule-triggered signals
- Findings: correlated, deduplicated investigative objects
- Software inventory: per-host package and version data
- Vulnerabilities: correlated package exposure records
- Response actions: analyst-queued operational tasks
- Audit log: action lifecycle traceability
The intended runtime datastore is PostgreSQL. Tests use SQLite for speed and simplicity.
Detection packs live in rules/default/ and follow a Sigma-style structure:
idversiontitlestatusdescriptionlogsourcedetectionleveltagsreferencesmitre_attackresponses
Included examples detect:
β οΈ PowerShell encoded-command execution on Windows- π₯
curl | bashexecution on Linux - π Dangerous permission changes on critical Linux files
The console is not a static mock. It reads real data from the backend and presents:
- Alert ledger for current rule output
- Correlated findings for analyst triage
- Exposure watch for vulnerability-backed risk
- Host roster showing active reporting endpoints
- Response queue with manual approval workflow
The UI is designed to feel like a forensic operations workspace, not a generic dashboard.
The Go agent scaffold includes:
- Local file-backed event buffering
- Periodic heartbeat reporting
- Fixture-based event and inventory collection
- Action polling and result reporting
- TLS-ready HTTP client wiring
Run it locally with Go installed:
go run ./agent/cmd/secos-agent -config agent/config.sample.jsonIf you prefer not to install Go locally, you can build it via the included agent/Dockerfile.
Run backend tests:
python -m pytestCurrent automated coverage includes:
- Event ingest and rule-triggered alert creation
- Idempotent ingest behavior
- Inventory correlation into vulnerability records
- Vulnerability resolution flows
- Response action lifecycle from creation to completion
Build the console for production:
cd console
npm run buildExample configuration is provided in .env.example:
SECOS_DATABASE_URL=postgresql+psycopg://secos:secos@localhost:5432/secosFor the fastest way to see the platform working:
- Start the backend and console
- Run
python src/simulation/attack_simulator.py - Open the analyst console
- Inspect:
- live alerts
- correlated findings
- vulnerability exposure
- queued response actions
The older prototype modules under src/ still exist in the repository for historical reference, but the active v2 platform is built from:
server/console/agent/rules/fixtures/
Strong next steps for contributors:
- Add additional collectors beyond fixtures
- Expand the rule library and ATT&CK mapping
- Introduce richer correlation logic and suppression controls
- Add certificate enrollment and stronger production auth flows
- Extend the response engine with safer allowlisted automations
- Add packaging and deployment hardening for production use
This project is licensed under the MIT License. See LICENSE for details.
SecOS Defender v2 is a serious foundation for building a self-hosted, cross-platform endpoint defense product. It is structured to be understandable, extensible, and immediately runnable while still leaving room for deeper collectors, richer detections, and production-grade operational hardening.