SentinelIQ is an AI-assisted SOC and SOAR-lite platform built to demonstrate modern security platform engineering.
It combines log ingestion, detection engineering, alerting, incident investigation, AI-assisted analysis, automation, webhooks, and production-readiness practices into one full-stack security project.
Phase 1 ✅ SOC Core
Phase 2 ✅ Detection Engine
Phase 3 ✅ Investigation Workspace
Phase 4 ✅ AI Analyst
Phase 5 ✅ Automation
Phase 6 ✅ Production Readiness
Phase 1 (SOC Core):
- Organizations
- Users
- Assets
- Log sources
- Security events
Phase 2 (Detection Engine):
- Failed login detection
- Port scan detection
- Suspicious IP detection
- Detection rules
- Alert generation
- Alert deduplication
Phase 3 (Investigation Workspace):
- Incident management
- Alert-to-incident workflow
- Linked alerts
- Incident timeline
- Analyst notes
- Status tracking
Phase 4 (AI Analyst):
- Alert explanation
- Incident summaries
- Incident report generation
- AI report persistence
- AI audit logging
- AI panels in the frontend
Phase 5 (Automation):
- Webhook infrastructure
- Webhook delivery tracking
- Notification service
- Automation service
- Auto-create incidents for high-severity alerts
- n8n webhook integration
- Daily SOC summary
Phase 6 (Production Readiness):
- Production Dockerfiles
- Production Docker Compose
- Environment-based configuration
- GitHub Actions CI
- Backend unit tests
- Secrets hygiene baseline
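The detection, alert-deduplication and auto-incident features listed under Phases 2 and 5, shown end to end as an added example. This is illustration code written for this page, not SentinelIQ's own detection engine or automation service; the three rules, the thresholds, the 60-second detection window, the 10-minute dedup window, the severity labels and the sample events are all constructed assumptions, and the in-memory AlertStore stands in for the database tables.

```python
"""Added example (not SentinelIQ's code): three detection rules over constructed
log events, alert deduplication, and auto-creation of an incident per new
high-severity alert. All thresholds and field names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGIN_THRESHOLD = 5            # auth failures per source IP inside WINDOW
PORT_SCAN_THRESHOLD = 10              # distinct destination ports per source IP inside WINDOW
WINDOW = timedelta(seconds=60)
DEDUP_WINDOW = timedelta(minutes=10)  # same rule+entity within this span merges into one alert
SUSPICIOUS_IPS = {"203.0.113.7"}      # constructed watchlist (TEST-NET-3 address)


@dataclass(frozen=True)
class Event:
    ts: datetime
    source_ip: str
    event_type: str   # "auth_failure" or "connection"
    target: str       # username for auth events, "host:port" for connections


@dataclass
class Alert:
    rule: str
    severity: str     # "medium" or "high"
    entity: str       # source IP the rule fired on
    first_seen: datetime
    last_seen: datetime
    count: int = 1    # detections merged into this alert

    @property
    def key(self) -> str:   # dedup key
        return f"{self.rule}:{self.entity}"


def sliding_window_hits(times: List[datetime], threshold: int, window: timedelta) -> bool:
    """True if at least `threshold` timestamps fall inside some span of length `window`."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def run_detections(events: List[Event]) -> List[Alert]:
    """Apply the three rules to one batch of events, grouped by source IP."""
    alerts: List[Alert] = []
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.source_ip].append(e)
    for ip, evs in by_ip.items():
        fails = [e.ts for e in evs if e.event_type == "auth_failure"]
        if sliding_window_hits(fails, FAILED_LOGIN_THRESHOLD, WINDOW):
            alerts.append(Alert("failed_login_burst", "high", ip, min(fails), max(fails)))
        first_probe: Dict[str, datetime] = {}     # distinct port -> first probe time
        for e in evs:
            if e.event_type == "connection":
                first_probe.setdefault(e.target.rsplit(":", 1)[1], e.ts)
        probes = list(first_probe.values())
        if sliding_window_hits(probes, PORT_SCAN_THRESHOLD, WINDOW):
            alerts.append(Alert("port_scan", "high", ip, min(probes), max(probes)))
        if ip in SUSPICIOUS_IPS:
            ts = [e.ts for e in evs]
            alerts.append(Alert("suspicious_ip", "medium", ip, min(ts), max(ts)))
    return alerts


class AlertStore:
    """In-memory stand-in for the alert and incident tables."""

    def __init__(self) -> None:
        self.alerts: Dict[str, Alert] = {}
        self.incidents: List[dict] = []

    def ingest(self, alert: Alert) -> bool:
        """Store an alert. Returns True if new, False if merged into an existing alert."""
        existing = self.alerts.get(alert.key)
        if existing and alert.first_seen - existing.last_seen <= DEDUP_WINDOW:
            existing.count += 1
            existing.last_seen = max(existing.last_seen, alert.last_seen)
            return False
        self.alerts[alert.key] = alert   # outside the window a fresh alert supersedes the stale one
        if alert.severity == "high":     # automation: high severity opens an incident immediately
            self.incidents.append({"id": len(self.incidents) + 1, "status": "open",
                                   "title": f"Auto-created: {alert.rule} from {alert.entity}",
                                   "linked_alerts": [alert.key]})
        return True


def build_sample_events(offset: timedelta = timedelta(0)) -> List[Event]:
    """Constructed sample events (not real logs); `offset` shifts the whole batch in time."""
    t0 = datetime(2024, 1, 1, 12, 0, 0) + offset
    events = [Event(t0 + timedelta(seconds=5 * i), "198.51.100.23", "auth_failure", "admin")
              for i in range(6)]                                    # burst -> alert
    events += [Event(t0 + timedelta(seconds=7 * i), "192.0.2.10", "auth_failure", "alice")
               for i in range(2)]                                   # below threshold
    events += [Event(t0 + timedelta(seconds=2 * i), "203.0.113.7", "connection", f"10.0.0.5:{20 + i}")
               for i in range(12)]                                  # scan from a watchlisted IP
    return events


def demo() -> dict:
    """Two batches five minutes apart: the second merges into the first via dedup."""
    store = AlertStore()
    for offset in (timedelta(0), timedelta(minutes=5)):
        for alert in run_detections(build_sample_events(offset)):
            store.ingest(alert)
    return {"alerts": len(store.alerts), "incidents": len(store.incidents),
            "counts": {k: a.count for k, a in store.alerts.items()}}
```

Running `demo()` yields three alerts (a failed-login burst, a port scan and a watchlist hit) but only two incidents, because the medium-severity watchlist alert does not auto-create one; the second batch raises each alert's count to 2 instead of producing three more alerts.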
Frontend: Next.js
Backend: FastAPI, SQLAlchemy, Alembic, PostgreSQL, Redis
Automation: Webhook Service, Notification Service, Automation Service, n8n
- Next.js
- React
- TypeScript
- FastAPI
- SQLAlchemy
- Alembic
- Pydantic
- PostgreSQL
- Redis
- Webhooks
- n8n integration
- Docker
- Docker Compose
- GitHub Actions
Start the development environment:
docker compose up -d
Run database migrations:
docker compose exec backend alembic upgrade head
Open the application:
Frontend: http://localhost:3000
Backend: http://localhost:8000
Health: http://localhost:8000/health
Build production images:
docker compose -f docker-compose.prod.yml build
Start production-style containers:
docker compose -f docker-compose.prod.yml up -d
Verify backend health:
curl http://localhost:8000/health
API endpoints:
GET /api/assets
GET /api/events
GET /api/detection-rules
GET /api/alerts
GET /api/incidents
POST /api/alerts/{id}/create-incident
POST /api/ai/alerts/{id}/explain
POST /api/ai/incidents/{id}/summarize
POST /api/ai/incidents/{id}/report
GET /api/webhooks
POST /api/webhooks
GET /api/soc-summary/daily
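Two checks a practitioner would want around the `POST /api/webhooks` and delivery-tracking features above, shown as an added example that is not SentinelIQ's own webhook service: validating the target URL when a webhook is registered (an endpoint that accepts arbitrary URLs is a classic server-side request forgery vector, so loopback, link-local and private literal addresses are refused), and recording every delivery attempt with a bounded retry policy. The signature header name, the retry limits, the injected `transport` callable and the fake flaky transport are all assumptions made so the code runs offline.

```python
"""Added example (not SentinelIQ's code): webhook URL validation at registration
time, HMAC-signed delivery with per-attempt tracking, and receiver-side
verification. Header name, retry policy and fake transport are assumptions."""
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urlparse

SIGNATURE_HEADER = "X-Webhook-Signature-256"   # assumed header name


class WebhookError(ValueError):
    """Raised when a webhook target URL is not acceptable."""


def validate_webhook_url(url: str, allow_http: bool = False) -> str:
    """Reject targets that would let a tenant point the platform at internal services."""
    p = urlparse(url)
    allowed = {"https", "http"} if allow_http else {"https"}
    if p.scheme not in allowed:
        raise WebhookError(f"scheme not allowed: {p.scheme!r}")
    if not p.hostname:
        raise WebhookError("missing host")
    if p.username or p.password:
        raise WebhookError("credentials in URL are not allowed")
    if p.hostname == "localhost":
        raise WebhookError("localhost is not allowed")
    try:
        addr = ipaddress.ip_address(p.hostname)   # literal IP target?
    except ValueError:
        addr = None   # DNS name: a resolve-time check against the same ranges is still needed
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local
                             or addr.is_multicast or addr.is_reserved):
        raise WebhookError(f"target address not allowed: {addr}")
    return url


def sign_payload(secret: bytes, body: bytes) -> str:
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: constant-time comparison against a freshly computed signature."""
    return hmac.compare_digest(sign_payload(secret, body), header_value or "")


@dataclass
class DeliveryAttempt:
    attempt: int
    status_code: Optional[int]
    error: Optional[str]


@dataclass
class Delivery:
    """One queued webhook delivery plus the record of every attempt made for it."""
    webhook_url: str
    event: dict
    attempts: List[DeliveryAttempt] = field(default_factory=list)
    state: str = "pending"   # pending | delivered | failed


Transport = Callable[[str, bytes, dict], int]   # (url, body, headers) -> HTTP status


def deliver(delivery: Delivery, transport: Transport, secret: bytes, max_attempts: int = 3) -> Delivery:
    """Send with retries on network errors and 5xx/429; 4xx is permanent and is not retried."""
    body = json.dumps(delivery.event, sort_keys=True, separators=(",", ":")).encode()
    headers = {"Content-Type": "application/json", SIGNATURE_HEADER: sign_payload(secret, body)}
    for n in range(1, max_attempts + 1):
        try:
            code = transport(delivery.webhook_url, body, headers)
            delivery.attempts.append(DeliveryAttempt(n, code, None))
            if 200 <= code < 300:
                delivery.state = "delivered"
                return delivery
            if 400 <= code < 500 and code != 429:
                break
        except OSError as exc:
            delivery.attempts.append(DeliveryAttempt(n, None, str(exc)))
    delivery.state = "failed"
    return delivery


def scripted_transport(responses: list) -> Transport:
    """Constructed fake transport: yields each scripted response; 'timeout' raises OSError."""
    queue = list(responses)

    def send(url: str, body: bytes, headers: dict) -> int:
        r = queue.pop(0)
        if r == "timeout":
            raise OSError("connect timeout")
        return r
    return send


def demo() -> Delivery:
    url = validate_webhook_url("https://hooks.example.net/sentineliq")   # constructed target
    event = {"alert_id": 42, "rule": "failed_login_burst", "severity": "high"}
    return deliver(Delivery(url, event), scripted_transport(["timeout", 503, 200]), b"s3cret")
```

`demo()` ends in the `delivered` state after three tracked attempts (a timeout, a 503 and a 200), which is the audit trail an analyst wants when asking why a notification arrived late; a 404 on the first attempt would instead stop immediately with state `failed`.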
Run backend tests:
cd backend
python3 -m pytest
The GitHub Actions pipeline validates:
- Backend imports
- Backend tests
- Frontend production build
- Production Docker Compose config
- Production Docker image builds
SentinelIQ includes:
- Pydantic request validation
- Audit logging for sensitive AI actions
- Webhook delivery tracking
- Environment-based configuration
- No committed .env files
- Placeholder-only .env.example
- Production Docker containers running as non-root users
See:
docs/security.md
docs/threat-model.md
Planned improvements:
- Authentication and RBAC enforcement
- Rate limiting
- Structured logging
- Prometheus metrics
- Expanded integration tests
- Deployment guide for cloud hosting
- Additional detection rules
- Extended demo dataset
SentinelIQ is designed as a security engineering portfolio project.
It demonstrates:
- Detection engineering
- Incident response workflows
- AI-assisted security analysis
- SOAR-lite automation
- Backend architecture
- Production-readiness practices