Defensive, enterprise-grade AI-assisted cybersecurity operations platform for regulated environments.
Current version: 0.6.1
MX CyberOps Agent Platform is a read-only-first SecOps agent framework that normalizes alerts, enriches identity/device/network context, builds incident timelines, produces typed evidence packs, and routes any impactful action through policy and approval gates.
This repository is designed for defensive operations only:
- Read-only mode by default.
- No arbitrary shell execution.
- No autonomous destructive action.
- No exploitation tooling.
- No unbounded remediation.
- Every tool request is policy-evaluated.
- Every agent decision is auditable.
- Jira/JSM output is draft-only unless a future approval-gated workflow is added.
- Write-like connector operations are denied by read-only connector contracts.
- SOC triage agent
- Identity security agent
- Defensive hunt/query generation agent
- Microsoft Graph connector for Entra sign-in/audit logs and Intune device compliance
- Okta System Log connector
- Tanium asset/client-health connector scaffold
- Jira/JSM draft-ticket connector
- Unified enrichment pipeline
- Typed enrichment evidence export
- Policy engine
- Prompt-injection firewall
- Audit logger
- FastAPI service
- CLI runner
- Mock mode by default, live connectors opt-in by env vars
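
The guardrails listed above (read-only by default, write-like operations denied, every tool request policy-evaluated and audited) can be illustrated with a small policy gate. This is an added example, not code from this repository; the class names, the operation names and the distinct-approver rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical operation classes (assumption; not the project's contract names).
READ_OPS = frozenset({"query", "get", "list", "health"})
DRAFT_OPS = frozenset({"draft_ticket"})  # produces a draft, changes nothing
WRITE_OPS = frozenset({"create_ticket", "disable_user", "isolate_device"})


@dataclass(frozen=True)
class ToolRequest:
    connector: str
    operation: str
    actor: str
    approved_by: Optional[str] = None


@dataclass
class PolicyGate:
    read_only: bool = True  # read-only is the default posture
    audit_log: list = field(default_factory=list)

    def evaluate(self, req: ToolRequest) -> str:
        if req.operation in READ_OPS | DRAFT_OPS:
            decision, reason = "allow", "read or draft-only operation"
        elif req.operation not in WRITE_OPS:
            decision, reason = "deny", "unknown operation, default deny"
        elif self.read_only:
            decision, reason = "deny", "write-like operation under read-only contract"
        elif req.approved_by and req.approved_by != req.actor:
            decision, reason = "allow", f"approved by {req.approved_by}"
        else:
            decision, reason = "needs_approval", "impactful action needs a distinct approver"
        # Every evaluation is recorded, including denials.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": req.actor, "connector": req.connector,
            "operation": req.operation, "decision": decision, "reason": reason,
        })
        return decision


if __name__ == "__main__":
    gate = PolicyGate()  # constructed sample requests, default read-only mode
    for op in ("query", "draft_ticket", "disable_user", "run_shell"):
        print(op, "->", gate.evaluate(ToolRequest("okta", op, "soc-agent")))
```
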
```bash
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
pytest -q
```

Run sample enrichment in mock mode:

```bash
mxcyber enrich \
  --upn exec@example.com \
  --hostname SURFACE-FLOOR-001 \
  --incident-id SEC-2026-0001
```

Run API:

```bash
uvicorn apps.api.main:app --reload
```

Docker lab:

```bash
docker compose up --build
```

```
GET /health
GET /connectors
GET /connectors/health
POST /connectors/{name}/query
POST /enrichment/run
GET /hunts
POST /hunt/generate
POST /identity/assess
POST /identity/aggregate # backward-compatible; delegates to enrichment pipeline
POST /policy/evaluate
```

The enrichment CLI writes typed artifacts under:
runtime/evidence/<incident_id>/<run_id>/
Artifact manifest:
identity-events.json
device-posture.json
tanium-health.json
jira-draft.json
connector-health.json
identity-assessment.json
timeline.json
evidence-refs.json
warnings.json
manifest.json
executive-summary.md
All live connectors are disabled unless explicitly enabled.
```
MX_GRAPH_ENABLED=true
MX_GRAPH_TENANT_ID=<tenant-id>
MX_GRAPH_CLIENT_ID=<app-client-id>
MX_GRAPH_CLIENT_SECRET=<client-secret>
MX_OKTA_ENABLED=true
MX_OKTA_ORG_URL=https://example.okta.com
MX_OKTA_API_TOKEN=<read-only-token>
MX_TANIUM_ENABLED=true
MX_TANIUM_BASE_URL=https://tanium.example.com
MX_TANIUM_API_TOKEN=<read-only-token>
MX_JIRA_ENABLED=true
MX_JIRA_BASE_URL=https://example.atlassian.net
MX_JIRA_EMAIL=analyst@example.com
MX_JIRA_API_TOKEN=<token>
MX_JIRA_PROJECT_KEY=SEC
```

- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
- CISA Secure by Design: https://www.cisa.gov/securebydesign
- OWASP Top 10 for LLM Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications/
- MITRE ATT&CK: https://attack.mitre.org/