CI/CD Pipeline License: MIT Node.js Version Docker
AutoSec is a comprehensive, enterprise-grade cybersecurity platform designed for proactive network defense, advanced threat detection, behavioral analysis, and automated incident response. Built with modern microservices architecture, AutoSec provides real-time security monitoring, dynamic enforcement, and AI-powered threat intelligence.
- Dynamic IP Blocklisting - Real-time IP reputation management with automated enforcement
- Behavioral Analysis Engine - AI/ML-powered User and Entity Behavior Analytics (UEBA) and Network Behavior Analytics (NBA)
- Threat Intelligence Integration - Automated threat feed processing and correlation
- Incident Response Playbooks - Automated workflows for threat detection and response
- Attack Surface Management - Continuous asset discovery and vulnerability assessment
- Firewall Integration - Native support for Palo Alto, Cisco, iptables, and SDN controllers
- IAM/PAM Integration - Least privilege monitoring and access management
- Vulnerability Scanners - Integration with leading vulnerability assessment tools
- SIEM/SOAR Integration - Seamless integration with existing security infrastructure
- Role-Based Access Control - Granular permissions and user management
- Advanced Analytics - Real-time dashboards and customizable reporting
- High Availability - Kubernetes-ready with horizontal scaling and load balancing
- Compliance Reporting - Built-in compliance frameworks and audit trails
- Docker & Docker Compose - Latest version recommended (Docker 20.10+, Compose 2.0+)
- GeoIP Database - Download GeoLite2-City.mmdb from MaxMind (free registration required)
- Hardware Requirements:
- CPU: 4+ cores recommended (2+ minimum)
- RAM: 8GB+ recommended (4GB minimum)
- Storage: 20GB+ available space
- Network: Internet connection for threat intelligence feeds
-
Clone the repository:
git clone https://github.com/GizzZmo/AutoSec.git autosec cd autosec -
Setup GeoIP database:
mkdir -p data/geoip # Download GeoLite2-City.mmdb from MaxMind and place in data/geoip/ # Register at https://www.maxmind.com/en/geolite2/signup # Download the binary database (not CSV) wget -O data/geoip/GeoLite2-City.mmdb "YOUR_MAXMIND_DOWNLOAD_URL"
-
Configure environment:
# Backend configuration cp backend/.env.example backend/.env # Generate secure JWT secrets openssl rand -base64 64 # Use this for JWT_SECRET openssl rand -base64 32 # Use this for encryption keys # Edit backend/.env with your configuration: # - Change default passwords # - Set secure JWT secrets # - Configure external service credentials (optional)
-
Deploy the platform:
# Build and start all services docker compose up --build -d # Check service health docker compose ps docker compose logs -f autosec-backend
-
Initialize the system:
# Wait for all services to be healthy (may take 2-3 minutes) docker compose exec autosec-backend npm run db:migrate docker compose exec autosec-backend npm run db:seed # Create admin user (optional - can also register via UI) docker compose exec autosec-backend npm run create-admin
- Web Console: http://localhost:3000
- API Gateway: http://localhost:8080/api
- API Documentation: http://localhost:8080/api/docs (Swagger UI)
- RabbitMQ Management: http://localhost:15672 (guest/guest)
- Access the web console at http://localhost:3000
- Register an admin account or use the created admin credentials
- Configure your first blocking rule in the Rules section
- Test log ingestion using the API or web interface
- Review the dashboard for system status and metrics
# Test API health curl http://localhost:8080/api/health # Test GeoIP functionality curl "http://localhost:8080/api/geoip?ip=8.8.8.8" # Check all services are running docker compose ps # View service logs docker compose logs -f autosec-backend docker compose logs -f autosec-frontend # Test database connections docker compose exec autosec-backend npm run db:migrate -- --dry-run
AutoSec follows a modern, cloud-native microservices architecture designed for scalability, resilience, and security. The platform consists of over 14,000 lines of production-ready code implementing advanced cybersecurity capabilities.
- React Web Console - Modern, responsive cybersecurity dashboard with cyberpunk theme
- Real-time Dashboards - Live threat monitoring and system status using WebSocket connections
- Mobile-Responsive UI - Optimized for desktop, tablet, and mobile access
- Component Architecture - Modular React components for maintainability
- Express.js API Gateway - Centralized API management and routing with middleware
- Authentication Service - JWT-based authentication with refresh tokens and RBAC
- Security Middleware - Rate limiting, input validation, CORS, and security headers
- Swagger Documentation - Auto-generated API documentation and testing interface
- Behavioral Analysis Engine - UEBA and NBA with multiple ML algorithms
- Threat Detection Models - Real-time anomaly detection using clustering and statistical methods
- Risk Scoring Engine - Dynamic threat prioritization with ensemble models
- Feature Extraction - Advanced temporal, frequency, and statistical pattern analysis
- PostgreSQL - Structured data (users, rules, configurations, audit logs)
- MongoDB - Unstructured data (logs, events, analytics, behavioral data)
- Redis - Caching, session management, and real-time data
- Message Queues - RabbitMQ for asynchronous processing and job queues
- SDN Controllers - OpenDaylight and ONOS integration for network flow control
- SIEM Systems - Complete Splunk and QRadar integration with automated event correlation
- Vulnerability Scanners - Nessus, OpenVAS, and Qualys integration with automated scanning
- Ticketing Systems - JIRA and ServiceNow integration for incident management
- Threat Intelligence - MISP, STIX/TAXII, and AlienVault OTX feed integration
- Automated Playbooks - Workflow engine with customizable response automation
- Incident Management - Complete incident lifecycle with timeline tracking and escalation
- IOC Management - Comprehensive indicators of compromise with enrichment and matching
- Asset Discovery - Network, DNS, service, and cloud asset discovery and inventory
- Compliance Reporting - Automated SOC 2, ISO 27001, NIST, and GDPR compliance reports
- Docker/Kubernetes - Container orchestration with health checks
- Message Queues - RabbitMQ for reliable asynchronous processing
- Load Balancing - Nginx configuration for high availability
- Monitoring - Built-in health checks and metrics endpoints
- Dynamic IP Blocklisting - Real-time threat blocking
- Geo-blocking - Country and region-based filtering
- Rate Limiting - DDoS and brute-force protection
- Network Segmentation - Automated micro-segmentation
- User Behavior Analytics (UBA) - Anomalous user activity detection
- Entity Behavior Analytics (EBA) - Device and service monitoring
- Network Behavior Analytics (NBA) - Traffic pattern analysis
- Machine Learning Models - Adaptive threat detection
- Automated Playbooks - Response workflow automation
- Threat Hunting - Proactive threat investigation with pre-built templates
- Forensic Analysis - Detailed incident reconstruction
- Compliance Reporting - Automated audit and compliance
- Microservices architecture with Docker
- PostgreSQL and MongoDB database integration
- Redis caching and session management
- RabbitMQ message queue system
- React frontend with responsive cyberpunk-themed design
- REST API with Express.js and Swagger documentation
- GeoIP integration for location-based analysis
- JWT-based authentication system with refresh tokens
- Role-based access control (RBAC) with granular permissions
- Multi-factor authentication (MFA) with TOTP support
- Single sign-on (SSO) integration framework
- Password hashing with bcrypt
- Session management and security middleware
- Dynamic IP blocklist management (single IPs, ranges, countries, organizations)
- Real-time log ingestion and processing via RabbitMQ
- Advanced threat detection and alerting
- Network flow analysis and monitoring
- Geographic-based filtering and geo-blocking
- Rate limiting and DDoS protection
- Security headers and input validation
- Machine learning models for anomaly detection using multiple algorithms
- User and Entity Behavior Analytics (UEBA) with risk scoring
- Network Behavior Analytics (NBA) with statistical analysis
- Real-time behavior monitoring and alerting
- ML-based clustering and classification
- Advanced feature extraction for temporal, frequency, and statistical patterns
- Palo Alto Networks firewall integration with XML API
- Cisco ASA/FTD integration with SSH/API support
- iptables/netfilter integration for Linux systems
- Firewall integration manager with unified interface
- SDN controller integration (OpenDaylight, ONOS)
- Enhanced SIEM/SOAR connectors (Splunk, QRadar, etc.)
- Advanced vulnerability scanner integrations (Nessus, OpenVAS, Qualys)
- External threat feed integration (MISP, STIX/TAXII)
- IOC (Indicators of Compromise) management
- Automated threat correlation and intelligence
- Advanced threat hunting capabilities
- Automated response playbooks and workflows
- Advanced incident management and forensic analysis
- Compliance reporting automation (SOC 2, ISO 27001, NIST, GDPR)
- Integration with ticketing systems (JIRA, ServiceNow)
- Automated asset discovery and inventory
- Continuous security posture assessment
- Risk assessment and scoring optimization
- Kubernetes deployment with Helm charts
- High availability and horizontal scaling
- Advanced monitoring and observability (Prometheus/Grafana)
- Disaster recovery and backup systems
- Service mesh integration (Istio)
- Advanced dashboard customization and widgets
- Real-time threat visualization and 3D network maps
- Custom report generation with scheduled delivery
- Executive summary dashboards and KPI tracking
- Machine learning model performance monitoring
- Zero Trust Network Access (ZTNA) integration
- Cloud security posture management (CSPM)
- Container security scanning and runtime protection
- Data loss prevention (DLP) integration
- Advanced deception technology and threat hunting
-
Install development dependencies:
# Backend development cd backend npm install # Frontend development cd ../frontend npm install
-
Database setup:
# Start only databases and message broker for development docker compose up postgres mongodb redis rabbitmq -d # Wait for services to be healthy docker compose ps
-
Environment configuration:
# Backend configuration cd backend cp .env.example .env # Edit .env with your specific configuration: # - Database connection strings # - JWT secrets (generate secure random strings) # - GeoIP database path # - External service credentials # Frontend configuration cd ../frontend cp .env.example .env # Configure API base URL and other frontend settings
-
Start development servers:
# Start backend with hot reload cd backend npm run dev # In another terminal, start frontend cd frontend npm start
# Backend tests (unit, integration, and API tests) cd backend npm test # Run all tests npm run test:watch # Run tests in watch mode npm run test:coverage # Generate coverage report # Frontend tests cd frontend npm test # Run React tests npm run test:coverage # Generate coverage report # End-to-end testing npm run test:e2e # Full application testing # Load testing npm run test:load # Performance and load testing
# Backend linting and formatting cd backend npm run lint # ESLint check npm run lint:fix # Auto-fix linting issues npm run format # Prettier formatting # Security auditing npm audit # Check for security vulnerabilities npm run security:check # Additional security scanning # Frontend linting cd frontend npm run lint npm run lint:fix # Dependency checking npm run deps:check # Check for outdated dependencies npm run deps:update # Update dependencies
# PostgreSQL migrations and seeding cd backend npm run db:migrate # Run database migrations npm run db:seed # Seed database with initial data npm run db:reset # Reset database (dev only) # MongoDB setup npm run mongo:setup # Initialize MongoDB collections npm run mongo:index # Create database indexes
AutoSec is designed for cloud-native deployment with Kubernetes support:
# Deploy with Helm (coming soon) # helm repo add autosec https://gizzmo.github.io/AutoSec-helm-charts # helm install autosec autosec/autosec-platform # Or use kubectl kubectl apply -f k8s/namespace.yaml kubectl apply -f k8s/postgres.yaml kubectl apply -f k8s/mongodb.yaml kubectl apply -f k8s/rabbitmq.yaml kubectl apply -f k8s/backend.yaml kubectl apply -f k8s/frontend.yaml kubectl apply -f k8s/ingress.yaml
# Example production values.yaml for Helm replicaCount: backend: 3 frontend: 2 autoscaling: enabled: true minReplicas: 2 maxReplicas: 10 resources: backend: requests: memory: "512Mi" cpu: "500m" limits: memory: "1Gi" cpu: "1000m" persistence: postgresql: size: 100Gi storageClass: "fast-ssd" mongodb: size: 500Gi storageClass: "fast-ssd"
# SSL/TLS Configuration kubectl create secret tls autosec-tls \ --cert=path/to/cert.pem \ --key=path/to/key.pem # Database encryption kubectl create secret generic db-encryption-key \ --from-literal=key=$(openssl rand -base64 32) # Service mesh (Istio) kubectl label namespace autosec istio-injection=enabled
# Prometheus & Grafana helm install prometheus prometheus-community/kube-prometheus-stack # ELK Stack helm install elasticsearch elastic/elasticsearch helm install kibana elastic/kibana # Jaeger for distributed tracing kubectl apply -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.29.0/jaeger-operator.yaml
AutoSec provides a comprehensive REST API with Swagger/OpenAPI documentation available at /api/docs.
# User authentication POST /api/auth/register # Register new user POST /api/auth/login # User login POST /api/auth/logout # User logout POST /api/auth/refresh # Refresh access token GET /api/auth/profile # Get user profile PUT /api/auth/profile # Update user profile POST /api/auth/change-password # Change user password # Multi-Factor Authentication POST /api/mfa/setup # Setup MFA for user POST /api/mfa/verify # Verify MFA token POST /api/mfa/disable # Disable MFA GET /api/mfa/qr # Get QR code for MFA setup # User management (Admin only) GET /api/users # List all users POST /api/users # Create new user GET /api/users/:id # Get user by ID PUT /api/users/:id # Update user DELETE /api/users/:id # Delete user POST /api/users/:id/roles # Assign roles to user
# Blocklist management GET /api/rules # Get all blocking rules with pagination POST /api/rules # Create new blocking rule PUT /api/rules/:id # Update existing rule DELETE /api/rules/:id # Delete blocking rule # Threat intelligence and analysis GET /api/threats # Get threat indicators POST /api/threats/scan # Initiate threat scan GET /api/threats/feeds # Manage threat feeds POST /api/threats/ioc # Add indicators of compromise # Behavioral analysis GET /api/behavior/user/:id # Get user behavior analysis GET /api/behavior/network # Get network behavior metrics POST /api/behavior/analyze # Trigger behavior analysis GET /api/behavior/anomalies # Get detected anomalies GET /api/behavior/risk-score # Get current risk scores # Threat hunting POST /api/threat-hunting/start # Start new threat hunting campaign GET /api/threat-hunting # Get all threat hunts GET /api/threat-hunting/active # Get active threat hunts GET /api/threat-hunting/stats # Get threat hunting statistics GET /api/threat-hunting/templates # Get available hunt templates GET /api/threat-hunting/:huntId # Get specific threat hunt POST /api/threat-hunting/:huntId/stop # Stop a running hunt DELETE /api/threat-hunting/:huntId # Delete a threat hunt
# Log ingestion and retrieval POST /api/logs # Ingest log data (accepts batch) GET /api/logs # Retrieve logs with advanced filtering GET /api/logs/search # Full-text search in logs GET /api/logs/stats # Get log statistics and metrics GET /api/logs/export # Export logs (CSV, JSON) # Real-time analytics GET /api/analytics/dashboard # Main dashboard data GET /api/analytics/threats/live # Live threat feed GET /api/analytics/network/traffic # Network traffic analysis GET /api/analytics/users/behavior # User behavior patterns GET /api/analytics/geo # Geographic threat distribution
# GeoIP and location services GET /api/geoip?ip=<IP> # Get GeoIP information for IP GET /api/geoip/bulk # Bulk GeoIP lookup # System health and monitoring GET /api/health # System health check GET /api/status # Detailed system status GET /api/metrics # System performance metrics GET /api/version # API version information
AutoSec provides built-in integrations with major security infrastructure components.
// Palo Alto Networks Integration const PaloAltoIntegration = require('./integrations/paloAltoIntegration'); const paloAlto = new PaloAltoIntegration({ hostname: 'firewall.company.com', username: process.env.PALO_ALTO_USERNAME, password: process.env.PALO_ALTO_PASSWORD, // or use API key authentication apiKey: process.env.PALO_ALTO_API_KEY, vsys: 'vsys1' }); // Block IP address with context await paloAlto.blockIP('192.168.1.100', { reason: 'Suspicious activity detected', severity: 'high', source: 'AutoSec Behavioral Analysis' }); // Create address group for batch blocking await paloAlto.createAddressGroup('autosec-threats', [ '10.0.0.100', '10.0.0.101', '10.0.0.102' ]); // Cisco ASA Integration const CiscoASAIntegration = require('./integrations/ciscoASAIntegration'); const ciscoASA = new CiscoASAIntegration({ hostname: 'asa.company.com', username: process.env.CISCO_USERNAME, password: process.env.CISCO_PASSWORD, enablePassword: process.env.CISCO_ENABLE_PASSWORD }); // Add access control rule await ciscoASA.addAccessRule({ name: 'BLOCK_THREAT_192.168.1.100', source: '192.168.1.100', destination: 'any', action: 'deny', protocol: 'ip' }); // iptables Integration for Linux systems const IptablesIntegration = require('./integrations/iptablesIntegration'); const iptables = new IptablesIntegration({ sudo: true, chain: 'INPUT' }); await iptables.blockIP('192.168.1.100', { protocol: 'tcp', port: 22, comment: 'AutoSec: SSH brute force attempt' });
const MFAService = require('./services/mfaService'); const mfaService = new MFAService(); // Setup MFA for user const mfaSetup = mfaService.generateSecret(username, 'AutoSec'); const qrCode = await mfaService.generateQRCode(mfaSetup.dataURL); // Verify MFA token const isValid = mfaService.verifyToken(token, user.mfaSecret); // Generate backup codes const backupCodes = mfaService.generateBackupCodes();
const MLBehaviorAnalysisService = require('./services/mlBehaviorAnalysisService'); const mlService = new MLBehaviorAnalysisService(); // Analyze user behavior patterns const behaviorAnalysis = await mlService.analyzeUserBehavior({ userId: 'user123', loginTimes: [...], ipAddresses: [...], deviceFingerprints: [...], accessPatterns: [...] }, 'user123'); // Get risk score const riskScore = behaviorAnalysis.riskScore; if (riskScore > 0.8) { // Trigger additional security measures await triggerMFAChallenge(userId); } // Analyze network behavior const networkAnalysis = await mlService.analyzeNetworkBehavior({ trafficPatterns: [...], connectionMetrics: [...], protocolDistribution: [...] });
const { threatHuntingService } = require('./services/threatHuntingService'); // Start a threat hunt using a pre-built template const hunt = await threatHuntingService.startThreatHunt({ name: 'APT Detection Hunt', description: 'Hunting for Advanced Persistent Threat indicators', template: 'apt-detection', // Use pre-built template timeRange: '7d', // Search last 7 days priority: 'high', userId: 'admin-user-id' }); // Start a custom threat hunt const customHunt = await threatHuntingService.startThreatHunt({ name: 'Custom Data Exfiltration Hunt', description: 'Looking for unusual data transfers', hypothesis: 'Insider threat performing data exfiltration via cloud storage', queries: [ { name: 'Large uploads to external domains', type: 'network', pattern: 'bytes_out > 100MB AND destination NOT internal', timeWindow: '24h' }, { name: 'After-hours file access', type: 'behavior', pattern: 'login_time NOT IN working_hours AND file_access_count > 50', timeWindow: '12h' } ], timeRange: '24h', priority: 'critical', userId: 'admin-user-id' }); // Get hunt status and findings const huntResults = await threatHuntingService.getThreatHunt(hunt._id); console.log(`Hunt status: ${huntResults.status}`); console.log(`Findings: ${huntResults.summary?.totalFindings || 0}`); // Get threat hunting statistics const stats = await threatHuntingService.getThreatHuntingStats(); console.log(`Total hunts: ${stats.totalHunts}`); console.log(`Active hunts: ${stats.activeHunts}`); console.log(`Available templates: ${stats.availableTemplates.join(', ')}`);
We welcome contributions to AutoSec! Please see our Contributing Guide for details.
- Code Style: Follow ESLint and Prettier configurations
- Testing: Maintain 90%+ test coverage
- Documentation: Update docs for all new features
- Security: Follow secure coding practices
- Performance: Optimize for high-throughput scenarios
- Security Issues: Report privately via GitHub Security Advisories
- Bug Reports: Use GitHub Issues with detailed reproduction steps
- Feature Requests: Use GitHub Discussions for community input
This project is licensed under the MIT License - see the LICENSE file for details.
- Documentation: Project Documentation and GitHub Wiki
- Community Forum: GitHub Discussions
- Bug Reports & Feature Requests: GitHub Issues
- Security Issues: Report privately via GitHub Security Advisories
- MaxMind for GeoIP data
- The open-source security community
- Contributors and maintainers
- Enterprise customers and partners
AutoSec - Advanced Cybersecurity Operations Platform Built with β€οΈ for the cybersecurity community