A high-performance security data pipeline with a real-time rules engine and deeply integrated LLM agents — built for modern SOC and detection engineering teams.
Process, enrich, detect, and respond at scale — with simple XML-based rules, CEP, rich plugins, and AI-powered analysis wired directly into the stream.

If you work in security operations, you probably deal with massive volumes of raw logs and alerts every day. You need to normalize, enrich, correlate, and route them — and ideally detect threats in real time, not in batch jobs. AgentSmith-HUB is built to handle all of this in a single, opinionated platform:
<sequence>, <threshold>, <iterator>, and <checklist>memory_notes, auto-commit updates, and continuously improve agent behaviorAgentSmith-HUB uses a straightforward pipeline model:
INPUT (Kafka / SLS / ...) → RULESET / AGENT → RULESET / AGENT → OUTPUT (Kafka / ES / ClickHouse / SLS / ...)
Rulesets and agents can be freely chained within a Project, giving you full control over data flow and allowing you to mix “hard” rules with “soft” LLM judgement in the same stream:

hub_ruleset_editor for ruleset CRUD.INPUT → RULESET / AGENT → OUTPUT flows.At the heart of AgentSmith-HUB is a streaming rules engine designed for security detections:
login -> !mfa, recon -> exploit -> exfil) with <sequence>.A minimal example that enriches with threat intel and then detects on the enriched field:
<rule id="enrich_and_detect" name="Enrich with TI then alert">
<append type="PLUGIN" field="threat_info">threatbook(src_ip)</append>
<check type="EQU" field="threat_info.severity">high</check>
<append field="alert_level">critical</append>
</rule>
For the full syntax (all operations, modes, and best practices), see the Complete Guide.
Agents are LLM-powered components that sit in the pipeline alongside rulesets. They process events independently, call an LLM with tool-use support, and forward enriched results downstream.
# Agent: AI-powered alert triage
model: gpt-4o-mini
system_prompt: |
For each alert, add llm_confidence (0-1) and llm_analysis fields.
skills:
- hub_ruleset_expert # Knowledge skill: rules engine reference
tools: all # Expose all plugins as LLM tools
max_rounds: 3
timeout: 30s
# Optional long-term memory (recommended as YAML sequence)
memory_notes:
- Keep output JSON compact and stable.
- Treat routine CI scanner traffic as lower priority unless other signals exist.
Skills provide modular capabilities to agents:
- Knowledge skills — Reference docs loaded on-demand (progressive disclosure)
- Builtin skills — Go-implemented tools (e.g., hub_ruleset_editor for reading/writing rulesets)
Quick production tips:
- Prefer tools: [] by default and allowlist only needed plugin tools.
- Use tools: all only for broad assistant agents (rule-authoring / deep triage).
- In cluster mode, memory write/generate actions must go to the leader node.
Use agents in your project like any other component:
content: |
INPUT.kafka_alerts -> AGENT.alert_reviewer
AGENT.alert_reviewer -> OUTPUT.enriched_alerts
For full agent details (fields like reasoning_mode, reasoning_budget_tokens, memory_notes, and memory workflow in UI/API), see the Complete Guide.
AgentSmith-HUB ships with production-ready detection rulesets that you can deploy immediately — no rule-writing required. All rules are mapped to MITRE ATT&CK for seamless integration with your security workflows.
AgentSmith-HUB includes Kubernetes security rulesets out of the box. You can use them directly without writing custom XML first:
config/ruleset/k8s_security/k8s_audit_baseline.xmlconfig/ruleset/k8s_security/k8s_audit_intrusion.xmlRecommended onboarding flow:
Two Sysmon rulesets are provided for medium/high-confidence endpoint detection use cases:
config/ruleset/sysmon_security/sysmon_baseline.xmlconfig/ruleset/sysmon_security/sysmon_intrusion.xmlconfig/ruleset/sysmon_security/sysmon_exclude.xml (strict allowlist template)Recommended onboarding flow for Sysmon:
sysmon_baseline.xml first and validate behavior in test mode.sysmon_intrusion.xml and tune based on your endpoint baseline.More built-in rulesets for additional data sources are on the roadmap. Contributions are welcome!
| **Rule Editing**  | **Rule Testing**  |
| **Project Orchestration**  | **Plugin Testing**  |
| **Input Connection Check**  | **Search**  |
| **Error Logs & Operations History**  | **Comment-to-memory learning loop**  |
/opt/agentsmith-hubcp -r /opt/agentsmith-hub/config /opt/hub_config/opt/hub_config/config.yaml# Follower mode (uses the same Redis as leader) ./start.sh --follower
# See all options
./start.sh --help
5. Access token is generated at `/etc/hub/.token` on first run
6. Install and configure Nginx:bash
sudo cp /opt/agentsmith-hub/nginx/nginx.conf /etc/nginx/
sudo nginx -s reload
``
7. Openhttp://your-host` in your browser (port 80)
AgentSmith-HUB is licensed under the Apache License 2.0 with the Commons Clause restriction.
You are free to use, modify, and deploy this software — the restriction only prevents selling the software itself as a commercial product or service. Internal enterprise use is fully permitted.
$ claude mcp add AgentSmith-HUB \
-- python -m otcore.mcp_server <graph>