L01 · api · workersRuntime
Runtime
- ~/FastAPI
- ~/Python 3.11
- ~/Redis
- ~/Docker Compose
↳ 4 packagescore
soc · operational·uptime 99.97%·v0.9.1 · mit·region morocco·
main@8b793be← Back to projects
v0.9.1
Capstone · Cybersecurity Bootcamp 2025NexusSOC.
NexusSOC.
An AI agent that defends networks.
Local-first, plugin-driven, production-ready. Triage, correlate, learn, respond — without the alert payload ever leaving your network.
- ▸ Surfaces
- 8 shipped
- ▸ SIEMs
- 5 connectors
- ▸ LLM ops
- 3 providers
- ▸ Local
- 100% capable
nexussoc.local/releasestable
v0.9.1TP rate90%
FP rate10%
DLQ depth0
Skill conf.0.82
◆ kill-chain · last incident
contained @ C2
RECON
WPN
DEL
EXP
INST
C2
ACT
- Role
- AI Agent Dev
- Context
- JobInTech 2026
- License
- MIT · self-host
◆ stack.deps
Six layers. One repo.
Each layer owns a single responsibility and a single failure mode. No god-modules. No shared singletons.
06 layers · 18 deps
L01 → L06
L02 · operator UIFrontend
Frontend
- ~/React 18 + Vite
- ~/TypeScript
- ~/Tailwind
↳ 3 packagessupport
L03 · vector · sqlData & Memory
Data & Memory
- ~/PostgreSQL 15 + pgvector
- ~/Alembic migrations
- ~/nomic-embed-text
↳ 3 packagessupport
L04 · llm routerIntelligence
Intelligence
- ~/Ollama (local)
- ~/OpenAI
- ~/Anthropic
- ~/RAG retrieval
↳ 4 packagescore
L05 · metrics · logsObservability
Observability
- ~/Prometheus
- ~/Grafana
- ~/Audit log middleware
↳ 3 packagescore
L06 · authn · hardeningSecurity
Security
- ~/JWT + RBAC
- ~/Rate limiting
- ~/SSRF guards
- ~/Non-root containers
↳ 4 packagessupport
◆ highlights
Built for analysts who need sovereignty.
/ 01Memory
Self-learning memory
Every analyzed case embedded with nomic-embed-text and stored in pgvector. Similar past cases retrieved at decision time. EMA(α=0.15) confidence updates from analyst feedback close the loop.
pgvectornomic-embed-texttop-k=5EMA α=0.15
/ 02Ingestion
5 SIEM connectors
Wazuh, Elastic, Splunk, QRadar, generic webhook — every source normalized into one AlertSchema.
WazuhElasticSplunkQRadar
/ 03Routing
LLM Router
Primary + fallback across Ollama, OpenAI, Anthropic. No alert payload leaves the network unless cloud LLM is opted in.
OllamaOpenAIAnthropicfallback
/ 04Extensibility
Plugin system
Enrichment, notification (Discord, Slack, Teams), and export plugins toggled by env vars.
DiscordSlackTeamsVT/AbuseIPDB
/ 05Response
Response playbooks
Kill-chain tracking, automated response actions, incident workflow, status transitions.
MITRE ATT&CKplaybookskill-chain
/ 06Hardening
Production hygiene
JWT auth + RBAC, audit log middleware, rate limiting, SSRF guards, security headers, DLQ, non-root containers.
JWT+RBACaudit lograte limitDLQ
◆ architecture.flow
Detection → brain → action.
Detection Brain Action
nexus@agadir : ~/architecture.txt⌥
Detection layer (any SIEM) Wazuh · Suricata · Arkime · Zeek · Elastic · Splunk · QRadar · generic │ webhook ▼ POST /ingest/{connector_name} │ normalize → AlertSchema ▼ ┌───────────────────────────────────────────────┐ │ NexusSOC API │ │ FastAPI · JWT auth · RBAC │ │ Connectors Plugins Worker │ │ (5 SIEMs) enrich/notif retry + DLQ │ │ │ │ LLM Router │ │ primary + fallback (Ollama / OpenAI / Anthropic) │ │ │ pgvector memory · skills · incidents · DLQ │ │ Postgres 15 + Alembic migrations │ └───────────────────────────────────────────────┘ │ │ │ ▼ ▼ ▼ React UI Prometheus + Grafana Discord / Slack / Teams
▸ Ingest p95
< 80ms
normalize → enqueue
▸ Router fallback
2 hops
ollama → cloud
▸ Memory recall
top-k 5
cosine · pgvector
▸ DLQ retry
exp · 5×
audit on every fail
◆ product.walkthrough
Eight surfaces. One agent loop.
Each screen is a real view from the running app. Click anywhere to scroll to the next step.
- nexussoc.local/dashboard⌘K
01OverviewDashboard
Operator HUD. SOC health, TP/FP rate, DLQ depth, and the live activity stream — all on one pane.
route
/dashboard - nexussoc.local/incidents⌘K
02TriageIncidents & kill-chain
Status workflow open → triaging → contained → closed, with kill-chain progression mapped per case.
route
/incidents - nexussoc.local/memory⌘K
03Memorypgvector memory
Every analyzed case embedded with nomic-embed-text and stored in pgvector. Top-k=5 similar cases retrieved at decision time.
route
/memory - nexussoc.local/skills⌘K
04LearningSelf-learning skills
Detection patterns the agent has learned. EMA(α=0.15) confidence updates from analyst feedback close the loop.
route
/skills - nexussoc.local/analyze⌘K
05TriageAnalyze
Single alert or batch ingestion. Returns classification, confidence, MITRE ATT&CK mapping, and the chosen playbook.
route
/analyze - nexussoc.local/connectors⌘K
06Ingestion5 SIEM connectors
Wazuh, Elastic, Splunk, QRadar, generic webhook. Every source is normalized into one AlertSchema before the router runs.
route
/connectors - nexussoc.local/plugins⌘K
07ExtensibilityPlugin system
Enrichment (VirusTotal, AbuseIPDB), notification (Discord, Slack, Teams), export. Toggled by env vars, hot-reloadable.
route
/plugins - nexussoc.local/users⌘K
08SecurityRBAC users
JWT auth, role-scoped permissions, audit log middleware on every mutation. Non-root containers, SSRF guards, security headers.
route
/users
◆ outcome.log
Shipped: a production-grade SOC, by one operator.
- ▸ ui
- 8
- ▸ ingest
- 5
- ▸ router
- 3
- ▸ sovereignty
- 100%
Product surfaces
SIEM connectors
LLM providers
Local-first capable
Sovereignty
No alert payload leaves the network unless cloud LLM is opted in.
Self-improving
EMA(α=0.15) skill confidence learns from analyst feedback.
Production hygiene
JWT + RBAC, audit log, rate limiting, SSRF guards, DLQ, non-root containers.
Available for AI agent & SOC engagements
Need this kind of system running on your stack?
I design and ship local-first agent systems, SIEM tooling, and production-grade .NET / FastAPI services. Tell me what you're defending — I'll come back with a plan.
- Response
- Usually within 24h
- Based
- Agadir, Morocco · Remote-first
- Stack
- .NET · FastAPI · Next · pgvector