{"id":50745559,"url":"https://github.com/edycutjong/siftglass","last_synced_at":"2026-06-10T20:30:39.421Z","repository":{"id":353911691,"uuid":"1217236998","full_name":"edycutjong/siftglass","owner":"edycutjong","description":"🔬 SIFT.Glass — OpenClaw-powered IR agent with live React Flow attack graph visualization. FIND EVIL! (SANS) Hackathon 2026.","archived":false,"fork":false,"pushed_at":"2026-04-26T07:53:17.000Z","size":3457,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-26T08:35:46.399Z","etag":null,"topics":["ai-agent","cybersecurity","fastapi","incident-response","mcp","nextjs","openclaw","react-flow","siem","supabase","threat-intelligence"],"latest_commit_sha":null,"homepage":"https://siftglass.edycu.dev","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/edycutjong.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-21T17:23:55.000Z","updated_at":"2026-04-26T07:53:22.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/edycutjong/siftglass","commit_stats":null,"previous_names":["edycutjong/siftglass"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/edycutjong/siftglass","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fsiftglass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjon
g%2Fsiftglass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fsiftglass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fsiftglass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/edycutjong","download_url":"https://codeload.github.com/edycutjong/siftglass/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fsiftglass/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34170162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agent","cybersecurity","fastapi","incident-response","mcp","nextjs","openclaw","react-flow","siem","supabase","threat-intelligence"],"created_at":"2026-06-10T20:30:36.514Z","updated_at":"2026-06-10T20:30:39.414Z","avatar_url":"https://github.com/edycutjong.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://youtu.be/fsi0KBf0MBk\"\u003e\u003cimg src=\"app/opengraph-image.png\" alt=\"SIFT.Glass OG Image\" width=\"800\"\u003e\u003c/a\u003e\n  \u003ch1\u003eSIFT.Glass 🔍\u003c/h1\u003e\n  \u003cp\u003e\u003cem\u003eAI incident response 
agent that livestreams threat-hunting reasoning to a real-time visual attack graph — built for \u003cstrong\u003eFIND EVIL! 2026\u003c/strong\u003e. Powered by the official \u003ca href=\"https://github.com/teamdfir/protocol-sift\"\u003eteamdfir/protocol-sift\u003c/a\u003e framework.\u003c/em\u003e\u003c/p\u003e\n\n[![YouTube Demo](https://img.shields.io/badge/▶_Watch_Demo-FF0000?style=for-the-badge\u0026logo=youtube\u0026logoColor=white)](https://youtu.be/fsi0KBf0MBk)\n[![Live Demo](https://img.shields.io/badge/Live_App-siftglass.edycu.dev-000000?style=for-the-badge\u0026logo=vercel\u0026logoColor=white)](https://siftglass.edycu.dev)\n[![Devpost](https://img.shields.io/badge/Devpost-Submission-003E54?style=for-the-badge\u0026logo=devpost\u0026logoColor=white)](https://devpost.com/software/sift-glass)\n\n[![Next.js 16](https://img.shields.io/badge/Next.js-16-000000?style=flat-square\u0026logo=next.js)](https://nextjs.org)\n[![React 19](https://img.shields.io/badge/React-19-61DAFB?style=flat-square\u0026logo=react\u0026logoColor=white)](https://react.dev)\n[![Supabase](https://img.shields.io/badge/Supabase-Realtime-3FCF8E?style=flat-square\u0026logo=supabase\u0026logoColor=white)](https://supabase.com)\n\u003cbr\u003e\n[![Python](https://img.shields.io/badge/Python-Agent-3776AB?style=flat-square\u0026logo=python\u0026logoColor=white)](https://python.org)\n[![Anthropic](https://img.shields.io/badge/Anthropic-Claude_Sonnet_4-D97757?style=flat-square\u0026logo=anthropic\u0026logoColor=white)](https://anthropic.com)\n[![MCP](https://img.shields.io/badge/MCP-Tool_Orchestration-06b6d4?style=flat-square)](https://modelcontextprotocol.io)\n[![License: MIT](https://img.shields.io/badge/License-MIT-22c55e?style=flat-square)](LICENSE)\n\n\u003c/div\u003e\n\n---\n\n## 📸 See it in Action\n\n\u003e **[▶ Watch the full autonomous investigation](https://youtu.be/fsi0KBf0MBk)** — Complete kill chain reconstruction in under 2 minutes.\n\n| Timestamp | What's Happening                 
                                              |\n| --------- | ------------------------------------------------------------------------------ |\n| `00:00`   | 🖥️ SOC Dashboard loads — military-grade dark UI with scanning lines            |\n| `00:02`   | 🚨 SIEM alert triggers — agent begins autonomous investigation                 |\n| `00:25`   | 🤖 OpenClaw agent initializes, starts artifact scanning                        |\n| `00:42`   | 🔀 Parallel threat intelligence dispatch across MCP tools                      |\n| `01:03`   | ⚡ **AI Self-Correction** — false positive detected and shattered in real-time |\n| `01:26`   | 🔗 Full kill chain correlated (97% confidence) — attack graph complete         |\n| `01:30`   | 📋 7-step containment playbook auto-generated                                  |\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"docs/screenshots/dashboard.png\" alt=\"SIFTGlass SOC Dashboard — live attack graph with AI self-correction\" width=\"800\"\u003e\n  \u003cp\u003e\u003cem\u003eSOC Dashboard: Real-time attack graph with confidence scores, live terminal, and AI reasoning banner\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n---\n\n## 💡 The Problem \u0026 Solution\n\n**The Problem:** Security analysts spend 45+ minutes manually investigating each SIEM alert — correlating logs, querying threat intel APIs, and building kill chain diagrams by hand. SOC teams face alert fatigue with thousands of alerts daily, and the reasoning behind each investigation is lost the moment it ends.\n\n**SIFT.Glass** solves this by deploying an autonomous AI agent (OpenClaw) that **livestreams its entire investigative reasoning** to a real-time React Flow attack graph. Every hypothesis, tool call, and piece of evidence appears live. 
When the agent detects a false positive, the bad node **shatters** and the agent self-corrects — all visible to the analyst.\n\n**Key Features:**\n\n- ⚡ **Sub-2-Minute Investigations** — Full APT-41 kill chain reconstructed autonomously\n- 🧠 **Self-Correcting AI** — Agent detects and eliminates false positives in real-time with visual \"shatter\" animation\n- 📊 **Transparent Reasoning** — Every hypothesis, confidence score, and tool call is visible in the attack graph\n- 🔴 **Live Terminal** — Watch the agent's raw thought process as it investigates\n- 📋 **Auto-Generated Playbooks** — Investigation concludes with actionable containment steps\n\n---\n\n## 🏗️ Architecture \u0026 Tech Stack\n\n| Layer             | Technology                       | Purpose                                |\n| ----------------- | -------------------------------- | -------------------------------------- |\n| **Frontend**      | Next.js 16, React 19, React Flow | Real-time attack graph visualization   |\n| **Styling**       | Tailwind CSS v4                  | Military SOC aesthetic, dark mode      |\n| **State**         | Supabase (PostgreSQL + Realtime) | Live event streaming via subscriptions |\n| **Agent**         | Python + Claude Sonnet 4         | Autonomous reasoning engine            |\n| **Orchestration** | Model Context Protocol (MCP)     | Structured tool calls for IR workflow  |\n| **Threat Intel**  | Hash + Domain Constraint DB      | Built-in false-positive detection      |\n\n```mermaid\ngraph TD\n    subgraph AgentBoundary [\"🔒 Agent Enclave\"]\n        SIEM[\"📋 SIEM Alert\u003cbr/\u003e(mock_siem.py)\"]\n        Agent[\"🤖 OpenClaw IR Agent\u003cbr/\u003e(Python + Claude)\"]\n        ThreatIntel[\"🔍 Threat Intel DB\u003cbr/\u003e(Hash + Domain)\"]\n    end\n\n    subgraph StateBoundary [\"⚡ State Management\"]\n        MCP[\"🔌 MCP Server\u003cbr/\u003e(9 IR Tools)\"]\n        Supabase[\"🗄️ Supabase\u003cbr/\u003e(PostgreSQL + Realtime)\"]\n    end\n\n    subgraph 
WebBoundary [\"🖥️ Visualization (Web)\"]\n        NextJS[\"Next.js 16\u003cbr/\u003eApp Router\"]\n        ReactFlow[\"React Flow\u003cbr/\u003eAttack Graph\"]\n    end\n\n    SIEM --\u003e|\"Alert Trigger\"| Agent\n    ThreatIntel --\u003e|\"Constraint Check\"| Agent\n    Agent --\u003e|\"Tool Calls\"| MCP\n    MCP --\u003e|\"SQL Writes\"| Supabase\n    Supabase -.-\u003e|\"Realtime Subscriptions\"| NextJS\n    NextJS --\u003e|\"Render Graph\"| ReactFlow\n```\n\n---\n\n## 🏆 Sponsor Tracks \u0026 Bounties\n\n| Sponsor                          | How We Used It                                                                                                                                              | Code Location                                                                        |\n| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |\n| **SANS Institute**               | Natively embedded the official [`teamdfir/protocol-sift`](https://github.com/teamdfir/protocol-sift) experimental framework. Our agent dynamically consumes the SIFT persona (`CLAUDE.md`) and DFIR skill libraries directly into its reasoning engine. | [`agent/protocol-sift/`](agent/protocol-sift/)       |\n| **Model Context Protocol (MCP)** | Custom MCP-based tool orchestration for all 9 IR tools — the agent calls `report_node`, `cancel_hypothesis`, `domain_reputation`, etc. 
via the MCP protocol | [`agent/mcp_server.py`](agent/mcp_server.py)                                         |\n| **Supabase**                     | Realtime PostgreSQL subscriptions power the live attack graph — every node/edge/log streams instantly to the frontend                                       | [`lib/supabase.ts`](lib/supabase.ts), [`supabase/migrations/`](supabase/migrations/) |\n| **Anthropic (Claude)**           | Claude Sonnet 4 drives the autonomous investigation — the agent reasons, self-corrects, and generates containment playbooks                                 | [`agent/agent.py`](agent/agent.py)                                                   |\n\n---\n\n## 🚀 Run it Locally (For Judges)\n\n\u003e [!NOTE]\n\u003e **For Judges:** The app includes a **hardcoded demo scenario** that runs automatically without any API keys. Simply run `pnpm dev` and visit `http://localhost:3000` — no Supabase or Anthropic key required to see the full investigation playback.\n\n### Prerequisites\n\n- [Docker Desktop](https://www.docker.com/products/docker-desktop/) (required by Supabase CLI)\n- Node.js 20+ and pnpm\n- Python 3.11+\n- [Supabase CLI](https://supabase.com/docs/guides/cli) — `brew install supabase/tap/supabase` (macOS) or `npm i -g supabase` (all platforms)\n- Anthropic API key ([create one in the Anthropic console](https://console.anthropic.com/settings/keys)), needed only for the live agent; the demo playback runs without it\n\n### Quick Start\n\n```bash\n# 1. Clone and install\ngit clone https://github.com/edycutjong/siftglass.git\ncd siftglass\npnpm install\n\n# 2. Set up environment variables (the demo playback works without a key)\ncp .env.local.example .env.local\n# Edit .env.local and add your ANTHROPIC_API_KEY if you plan to run the live agent\n\n# 3. Start Supabase locally\nnpx supabase start\nnpx supabase db reset   # applies SIFTGlass schema\n\n# 4.\u0020
Start the frontend\npnpm dev\n# → http://localhost:3000\n```\n\n### Run the Live Agent (Optional)\n\nTo watch the agent investigate in real-time:\n\n```bash\n# Terminal 2 — start the agent\ncd agent\npython -m venv .venv \u0026\u0026 source .venv/bin/activate\npip install -r requirements.txt\npython agent.py\n```\n\nThe dashboard automatically switches from **DEMO MODE** to **AGENT LIVE** when the Python agent is running. The React Flow graph and terminal panel update in real time.\n\nTo replay a specific session: `python agent.py --session \u003cuuid\u003e`\nTo watch from the frontend: `http://localhost:3000?session=\u003cuuid\u003e`\n\n### Replay the Demo\n\nTo reset the database and re-run the demo from scratch:\n\n```bash\n# Wipe all data and re-apply schema (no need to delete Docker volumes)\nnpx supabase db reset\n\n# Restart the frontend\npnpm dev\n```\n\n\u003e [!TIP]\n\u003e `supabase db reset` drops all tables, re-applies migrations, and gives you a clean slate. You do **not** need to stop/remove Docker containers or volumes.\n\n---\n\n## 📁 Project Structure\n\n```\n🔍 siftglass/\n│\n├── 📂 app/\n│   ├── page.tsx                # Hero landing page\n│   └── dashboard/page.tsx      # SOC Dashboard: React Flow + Realtime\n│\n├── 📂 components/soc/\n│   ├── AgentBanner.tsx         # Top bar: phase, objective, reasoning, confidence\n│   ├── InvestigationNode.tsx   # Custom node with status + confidence bar\n│   └── TerminalPanel.tsx       # Live terminal log viewer\n│\n├── 📂 lib/\n│   ├── types.ts                # Shared TypeScript types\n│   ├── demo-data.ts            # Hardcoded golden-path fallback (no API needed)\n│   └── supabase.ts             # Supabase client (lazy init, safe when unconfigured)\n│\n├── 📂 agent/\n│   ├── agent.py                # 🤖 OpenClaw agent — Claude drives investigation\n│   ├── mcp_server.py           # 🔌 MCP server with 9 IR tools\n│   ├── mock_siem.py            # Mock SIEM alert for demo scenario\n│   └── 
requirements.txt\n│\n├── 📂 supabase/migrations/\n│   └── 20260425_siftglass.sql  # Schema: nodes, edges, agent_state, terminal_lines\n│\n├── 📄 .env.local.example       # Environment template for judges\n├── 📄 README.md                # ← You are here\n└── 📄 package.json\n```\n\n---\n\n## 🔌 MCP Tools (9 IR Instruments)\n\n| Tool                    | Description                                             |\n| ----------------------- | ------------------------------------------------------- |\n| `set_session`           | Initialize an investigation session                     |\n| `report_node`           | Add an artifact node to the attack graph                |\n| `update_node_status`    | Update node status (investigating → malicious / benign) |\n| `add_edge`              | Add a relationship edge between nodes                   |\n| `hash_constraint_check` | Validate SHA256 hash against threat intel               |\n| `domain_reputation`     | Check domain reputation (detects false positives)       |\n| `cancel_hypothesis`     | 💥 Shatter a false-positive node + remove edges         |\n| `update_agent_state`    | Update the dashboard banner (phase, confidence)         |\n| `log_terminal`          | Append a line to the live terminal panel                |\n\n---\n\n## 🙏 Acknowledgments\n\nBuilt for the [**FIND EVIL! 
2026**](https://findevil.devpost.com) hackathon — pushing the frontier of autonomous incident response.\n\n|                  |                                                                                                                                    |\n| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------- |\n| **Organizer**    | [SANS Institute](https://www.sans.org)                                                                                             |\n| **Platform**     | [SIFT Workstation](https://www.sans.org/tools/sift-workstation) + [Protocol SIFT (MCP)](https://github.com/teamdfir/protocol-sift) |\n| **Architecture** | Custom MCP Server (9 IR tools)                                                                                                     |\n| **AI**           | [Anthropic Claude](https://anthropic.com)                                                                                          |\n\n---\n\n## 📜 License\n\nMIT — see [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedycutjong%2Fsiftglass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fedycutjong%2Fsiftglass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedycutjong%2Fsiftglass/lists"}
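As an added example, not code from the SIFT.Glass repository: an in-memory Python model of the nine-tool graph protocol listed in the README's MCP tools table, so that the invariant the React Flow dashboard depends on (a shattered node leaves no dangling edges) and the input handling of the two constraint checks can be exercised offline. Only the tool names (`report_node`, `add_edge`, `update_node_status`, `hash_constraint_check`, `domain_reputation`, `cancel_hypothesis`, `log_terminal`) come from the page; the dict/set graph standing in for Supabase, the indicator sets, the artifact tuples, the `dangling_edges` check and the confidence values are all constructed for this illustration.

```python
"""In-memory stand-in for the SIFT.Glass attack graph (added illustration, not the
project's code); the indicator tables below are constructed placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Constructed "constraint DB" (hash + domain), not real threat intelligence.
KNOWN_MALICIOUS_SHA256 = {"a" * 64: "sample-dropper"}  # placeholder hash
KNOWN_MALICIOUS_DOMAINS = {"c2.example-bad.net"}        # placeholder C2
KNOWN_BENIGN_DOMAINS = {"update.example-vendor.com"}    # allowlist: forces a cancel

@dataclass
class Node:
    node_id: str
    label: str
    status: str = "investigating"  # investigating | malicious | benign | cancelled
    confidence: float = 0.5

@dataclass
class AttackGraph:
    session: str
    nodes: dict[str, Node] = field(default_factory=dict)
    edges: set[tuple[str, str]] = field(default_factory=set)
    terminal: list[str] = field(default_factory=list)

    def log_terminal(self, line: str) -> None:
        self.terminal.append(f"[{self.session}] {line}")

    def report_node(self, node_id: str, label: str) -> Node:
        # Idempotent: re-reporting an artifact must not create a twin node.
        return self.nodes.setdefault(node_id, Node(node_id, label))

    def add_edge(self, src: str, dst: str) -> None:
        # Refuse edges to unknown or cancelled nodes; the dashboard cannot render them.
        for n in (src, dst):
            if n not in self.nodes or self.nodes[n].status == "cancelled":
                raise ValueError(f"edge {src}->{dst} references unavailable node {n}")
        self.edges.add((src, dst))

    def update_node_status(self, node_id: str, status: str, confidence: float) -> None:
        node = self.nodes[node_id]
        node.status, node.confidence = status, confidence

    def cancel_hypothesis(self, node_id: str, reason: str) -> int:
        # "Shatter": cancel the node and drop every edge touching it in one step.
        node = self.nodes[node_id]
        node.status, node.confidence = "cancelled", 0.0
        removed = {e for e in self.edges if node_id in e}
        self.edges -= removed
        self.log_terminal(f"cancelled {node_id}: {reason}; removed {len(removed)} edge(s)")
        return len(removed)

def hash_constraint_check(sha256: str) -> dict:
    # Normalise and validate before lookup: malformed input is "invalid", not a silent miss.
    h = sha256.strip().lower()
    if not SHA256_RE.fullmatch(h):
        return {"valid": False, "verdict": "invalid", "family": None}
    family = KNOWN_MALICIOUS_SHA256.get(h)
    return {"valid": True, "verdict": "malicious" if family else "unknown", "family": family}

def domain_reputation(domain: str) -> dict:
    d = domain.strip().lower().rstrip(".")  # accept the trailing-dot FQDN form
    if d in KNOWN_BENIGN_DOMAINS:
        return {"verdict": "benign", "false_positive": True}
    return {"verdict": "malicious" if d in KNOWN_MALICIOUS_DOMAINS else "unknown",
            "false_positive": False}

def dangling_edges(g: AttackGraph) -> set[tuple[str, str]]:
    # Invariant the React Flow view depends on: every edge endpoint is a live node.
    return {e for e in g.edges
            if any(n not in g.nodes or g.nodes[n].status == "cancelled" for n in e)}

# Constructed alert as (node id, kind, label, value); the vendor-update domain is
# first linked to the dropper as a second C2, then cancelled by the allowlist.
SAMPLE_ARTIFACTS = [
    ("alert", "alert", "SIEM alert: suspicious child process", ""),
    ("dropper", "hash", "dropper.exe", "A" * 64),
    ("c2", "domain", "c2.example-bad.net", "c2.example-bad.net"),
    ("updater", "domain", "update.example-vendor.com", "update.example-vendor.com."),
]

def run_investigation(session: str = "demo") -> AttackGraph:
    g = AttackGraph(session)
    for node_id, _, label, _ in SAMPLE_ARTIFACTS:
        g.report_node(node_id, label)
    for src, dst in (("alert", "dropper"), ("dropper", "c2"), ("dropper", "updater")):
        g.add_edge(src, dst)
    for node_id, kind, _, value in SAMPLE_ARTIFACTS:
        if kind == "hash" and hash_constraint_check(value)["verdict"] == "malicious":
            g.update_node_status(node_id, "malicious", 0.97)
        elif kind == "domain":
            rep = domain_reputation(value)
            if rep["false_positive"]:
                g.cancel_hypothesis(node_id, "domain is on the known-benign list")
            elif rep["verdict"] == "malicious":
                g.update_node_status(node_id, "malicious", 0.90)
    return g
```

Two design points carry over to any real tool server behind an LLM agent: the hash and domain arguments originate in alert data rather than in trusted code, so each tool normalises and validates its input before the lookup and returns an explicit `invalid` verdict instead of a lookup miss; and `cancel_hypothesis` removes the node's edges in the same step as the status change, because a node that is cancelled first and unlinked later leaves a window in which the graph the analyst is watching contains edges to nothing.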