Skip to main content
Glama
M507

SamiGPT

by M507
OverviewSchemaRelated ServersScoreDiscussions
Python
Hybrid

SamiGPT

SamiGPT is an AI-powered security investigation and incident response platform that provides security operations teams with intelligent automation for case management, SIEM analysis, and CTI enrichment through the Model Context Protocol (MCP).

Note: This project is currently under active development. Features, APIs, and documentation may change as development progresses.

Demo

Watch the demo video to see SamiGPT in action:

Demo Video

Performance & Cost

Key Metrics:

  • ~ $0.18 per alert

  • ~ 50 seconds to investigate an alert per agent/tab

For detailed cost and usage data, see: Cost Data CSV

For detailed documentation and presentation materials:

AI Agents Presentation PDF

Quick Start

SamiGPT can be used in two ways:

Method 1: AI Controller (Web Interface)

The AI Controller provides a web-based interface and uses the Cursor IDE cursor-agent binary for command execution.

Prerequisites:

  • Cursor IDE must be installed (download from cursor.sh)

  • Verify cursor-agent binary is available:

    which cursor-agent # Should show path like: /usr/local/bin/cursor-agent or ~/.local/bin/cursor-agent

Steps:

  1. Activate virtual environment:

    source venv/bin/activate # On Windows: venv\Scripts\activate

  2. Start the AI Controller web interface:

    python3 cursor_agent.py --web --port 8081 --host 127.0.0.1

  3. Open your browser: Navigate to http://127.0.0.1:8081 to access the web interface.

Method 2: MCP Server (Direct Integration)

Use the MCP server directly to connect SamiGPT tools to Cursor, Claude Desktop, or other MCP-compatible tools.

Steps:

  1. Activate virtual environment:

    source venv/bin/activate # On Windows: venv\Scripts\activate

  2. Start the MCP server:

    python -m src.mcp.mcp_server

  3. Configure your AI tool (see "Connect MCP Server to AI Tools" section below for detailed instructions)

Note: The MCP server method doesn't require the Cursor IDE cursor-agent binary - it works directly with any MCP-compatible tool.

Overview

SamiGPT acts as an MCP server that exposes security investigation and response capabilities as tools that can be used by AI agents, LLM tools, and automated workflows. It provides a unified, vendor-neutral API layer that connects to:

  • Case Management Systems (TheHive, IRIS)

  • SIEM Platforms (Elastic)

  • EDR Solutions (Elastic Defend)

  • Threat Intelligence (OpenCTI, Local TIP)

The platform enables automated triage, investigation, correlation, and response workflows through intelligent agent profiles organized by SOC tier (SOC1, SOC2).

Features

Core Capabilities

  • Automated Alert Triage: Intelligent initial assessment and classification of security alerts

  • Case Management: Create, update, and manage security cases with observables, comments, and timeline tracking

  • SIEM Integration: Search security events, pivot on indicators, and correlate activities across environments

  • EDR Response: Endpoint isolation, process termination, and forensic artifact collection

  • Threat Intelligence: IOC enrichment and reputation analysis

  • Multi-Tier SOC Workflows: Structured workflows for SOC1 (triage) and SOC2 (investigation)

Agent Profiles & Runbooks

SamiGPT includes pre-configured agent profiles with specialized runbooks:

  • SOC1 Agents: Initial alert triage, enrichment, and false positive identification

  • SOC2 Agents: Deep investigation, correlation, and case analysis

Workflows

SamiGPT uses structured workflows organized by SOC tier. The following diagrams illustrate the execution flow:

Agent Profiles Flow

This diagram shows how agent profiles are organized and how routing rules direct cases to the appropriate SOC tier agents.

Agent Profiles Flow

Initial Alert Triage (SOC1)

The initial alert triage workflow handles new security alerts, performs quick assessment, enrichment, and determines whether to create a case or close as false positive.

Initial Alert Triage

Case Analysis (SOC2)

The SOC2 case analysis workflow performs deep investigation, SIEM analysis, CTI enrichment, correlation, and prepares cases for SOC3 escalation.

Case Analysis

Installation

Prerequisites

  • Python 3.9 or higher

  • pip package manager

Setup

  1. Clone the repository:

    git clone <repository-url> cd SamiGPT

  2. Create and activate virtual environment:

    python3 -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate

  3. Install dependencies:

    pip install --upgrade pip pip install -r requirements.txt

  4. Configure integrations (see Configuration section below)

Connect MCP Server to AI Tools

If you're using Method 2: MCP Server (see Quick Start above), configure your AI tool to connect to the MCP server:

Cursor Integration

  1. Open Cursor Settings → Features → Model Context Protocol

  2. Add SamiGPT server configuration:

    { "mcpServers": { "sami-gpt": { "command": "python", "args": ["-m", "src.mcp.mcp_server"], "cwd": "/absolute/path/to/SamiGPT" } } }

  3. Restart Cursor and start using SamiGPT tools in chat

Claude Desktop Integration

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{ "mcpServers": { "sami-gpt": { "command": "python", "args": ["-m", "src.mcp.mcp_server"], "cwd": "/absolute/path/to/SamiGPT" } } }

Other MCP-Compatible Tools

The MCP server can also be connected to:

  • Open WebUI (via MCP configuration)

  • Other LLM tools that support the Model Context Protocol

Architecture

Infrastructure Overview

Infrastructure Diagram

Directory Structure

SamiGPT/ ├── src/ │ ├── api/ # Generic interfaces (CaseManagementClient, SIEMClient, EDRClient) │ ├── core/ # Configuration, logging, errors, DTOs │ ├── integrations/ # Vendor-specific implementations │ │ ├── case_management/ # TheHive, IRIS integrations │ │ ├── siem/ # Elastic integration │ │ ├── edr/ # EDR platform integrations │ │ ├── cti/ # Threat intelligence integrations │ │ └── eng/ # Engineering board integrations │ ├── mcp/ # MCP server, runbook manager, agent profiles │ ├── orchestrator/ # Workflow orchestration │ └── web/ # Web UI for configuration ├── run_books/ # SOC tier runbooks and workflows ├── config/ # Agent profiles and configuration └── client_env/ # Client-specific infrastructure data

Design Principles

  • Vendor-Neutral APIs: All integrations implement generic interfaces, allowing easy swapping of security tools

  • Separation of Concerns: AI/orchestrator layer only interacts with generic APIs, never vendor-specific code

  • Modular Integration: Each vendor integration is self-contained with HTTP client, models, mappers, and client implementation

Configuration

Configuration is managed through config.json and can be edited via the web interface or directly.

Configuration File Structure

See config.json.example for the complete configuration schema. Key sections:

  • iris / thehive: Case management configuration

  • elastic: SIEM configuration

  • edr: EDR platform configuration

  • cti: Threat intelligence configuration

  • eng: Engineering board configuration (ClickUp, Trello, GitHub)

  • ai_controller: AI controller web interface settings

  • logging: Logging configuration

Usage Examples

Basic Case Operations

# List all open cases cases = list_cases(status="open") # Review a specific case case = review_case(case_id="123") # Add an observable to a case attach_observable_to_case( case_id="123", observable_type="ip", observable_value="192.168.1.100", description="Suspicious source IP" )

SIEM Investigation

# Search for security events events = search_security_events( query="source.ip: 192.168.1.100", hours_back=24 ) # Get file report report = get_file_report(file_hash="abc123...") # Pivot on an indicator related_events = pivot_on_indicator("192.168.1.100")

EDR Response

# Get endpoint summary endpoint = get_endpoint_summary(endpoint_id="host-123") # Isolate an endpoint isolate_endpoint(endpoint_id="host-123") # Collect forensic artifacts collect_forensic_artifacts( endpoint_id="host-123", artifact_types=["processes", "network", "filesystem"] )

Agent Profile Execution

# Execute as SOC1 triage agent execute_as_agent( agent_id="soc1_triage_agent", alert_id="alert-123" ) # Execute specific runbook execute_runbook( runbook_name="initial_alert_triage", alert_id="alert-123", case_id="case-456" )

Logging

SamiGPT provides comprehensive logging:

  • MCP Server Logs: logs/mcp/mcp_all.log, mcp_requests.log, mcp_responses.log, mcp_errors.log

  • Application Logs: logs/debug.log, logs/error.log, logs/warning.log

Development

Adding a New Integration

  1. Create integration directory under src/integrations/

  2. Implement generic interface from src/api/

  3. Add HTTP client, models, and mappers

  4. Register in configuration

Example structure:

src/integrations/case_management/new_vendor/ ├── __init__.py ├── client.py # HTTP client ├── models.py # Vendor-specific models ├── mapper.py # Vendor ↔ Generic DTO mapping └── case_client.py # Implements CaseManagementClient

Running Tests

# Run all tests pytest tests/ # Run specific integration tests pytest tests/integrations/case_management/

Contributing

When contributing:

  1. Keep all vendor-specific code under src/integrations/

  2. Ensure all integrations implement the generic APIs in src/api/

  3. Add tests for new integrations

  4. Update documentation as needed

License

MIT

Support

For issues, questions, or contributions, please open an issue on the repository.

Acknowledgments

The following projects helped and inspired us during the literature review:

This server cannot be installed

-
security - not tested
A
license - permissive license
-
quality - not tested

How are these scores calculated?

Resources

New MCP Servers

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/M507/AI-SOC-Agent'

If you have feedback or need assistance with the MCP directory API, please join our Discord server