Termtrix Sentinel is a human-in-the-loop SecOps automation platform built on the Model Context Protocol (MCP). It helps security teams enrich alerts, investigate threats, and orchestrate incident response safely using deterministic tools and AI-assisted reasoning.
- Enrich IPs, domains, hashes using MCP tools
- Aggregate threat intelligence
- Produce SOC-ready risk summaries
- Keep full audit logs
- No automatic destructive actions
- FastAPI → API & orchestration
- FastMCP → Tool servers (WHOIS, Threat Intel, DNS)
- LLM → Summarization & reasoning only
- Human approval → Required for actions (future)
- Python
- FastAPI
- FastMCP
- Docker
- (Optional) Next.js UI
```bash
git clone https://github.com/TermTrix/Termtrix-Sentinel/
cd Termtrix-Sentinel
cp .env.example .env
docker-compose up --build
```
```text
# PHASE 3 FLOW
# LangGraph controls flow
# ↓
# LLM plans actions
# ↓
# LangGraph pauses
# ↓
# Human approves
# ↓
# LangGraph resumes
# ↓
# MCP executes
```
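The pause-for-approval loop above, as an added example that is not Termtrix Sentinel's own code: read-only enrichment tools run immediately, state-changing tools are held until a named human decides, unknown tools are denied by default, and every step is written to an append-only audit log. The tool names and the `EXECUTORS` stubs are hypothetical stand-ins for MCP tool calls.

```python
import json
import time

# Hypothetical tool names: read-only enrichment runs at once, anything that
# changes state waits for a named human, and unknown tools are denied.
READ_ONLY_TOOLS = {"whois_lookup", "dns_resolve", "threat_intel_lookup"}
DESTRUCTIVE_TOOLS = {"block_ip", "isolate_host", "disable_account"}

# Constructed stand-ins for the MCP tool servers a real deployment would call.
EXECUTORS = {
    "whois_lookup": lambda a: {"registrar": "EXAMPLE-REGISTRAR", "target": a["target"]},
    "block_ip": lambda a: {"blocked": a["target"]},
}


class ActionGate:
    def __init__(self):
        self.audit_log = []  # append-only, one JSON-serialisable entry per event
        self.pending = {}    # action_id -> (tool, args) paused for approval

    def _audit(self, event, **details):
        self.audit_log.append({"ts": time.time(), "event": event, **details})

    def propose(self, action_id, tool, args, planned_by="llm"):
        """The LLM proposes a tool call; the gate decides what happens next."""
        self._audit("proposed", action_id=action_id, tool=tool, args=args, by=planned_by)
        if tool in READ_ONLY_TOOLS:
            return self._execute(action_id, tool, args)
        if tool in DESTRUCTIVE_TOOLS:
            self.pending[action_id] = (tool, args)
            self._audit("paused_for_approval", action_id=action_id, tool=tool)
            return {"status": "pending", "action_id": action_id}
        self._audit("rejected_unknown_tool", action_id=action_id, tool=tool)
        return {"status": "rejected", "action_id": action_id}

    def decide(self, action_id, approver, approved):
        """A human resumes or cancels a paused action; both outcomes are logged."""
        tool, args = self.pending.pop(action_id)
        self._audit("approved" if approved else "denied", action_id=action_id,
                    tool=tool, approver=approver)
        if not approved:
            return {"status": "denied", "action_id": action_id}
        return self._execute(action_id, tool, args)

    def _execute(self, action_id, tool, args):
        result = EXECUTORS[tool](args)
        self._audit("executed", action_id=action_id, tool=tool, result=result)
        return {"status": "executed", "action_id": action_id, "result": result}

    def export_audit(self):
        return "\n".join(json.dumps(e) for e in self.audit_log)
```

`export_audit()` emits JSON lines so the trail can be shipped alongside the Sentinel application log by the same collector.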
```text
HOST
├─ Suricata → /var/log/suricata/eve.json
├─ Sentinel logs → ./logs/sentinel/app.log
├─ Vector (host)
│ └─ ships ALL logs
│
DOCKER
└─ Sentinel API + Redis + Workers
```
<!-- Think of Phase 2 as a SOC Analyst Brain 🧠
Phase 1 = Research Intern
Phase 2 = L2 SOC Analyst
Phase 3 = SOAR Engineer
Your Phase 2 is effectively:
“Given all evidence, what would a trained SOC analyst do?” -->
You can add Shodan, AbuseIPDB, GreyNoise later.