Documentation Index

Fetch the complete documentation index at: https://mintlify.com/samkit511/SAW---Security-Analyst-Workspace/llms.txt

Use this file to discover all available pages before exploring further.

SAW (Security Analyst Workspace) is a multi-agent security operations assistant designed to eliminate alert fatigue in Security Operations Centers. It ingests raw or structured logs, classifies threats deterministically and with LLM assistance, and produces actionable EXECUTE / OBSERVE / IGNORE decisions — all through a simple REST API.

Quickstart

Set up the server and triage your first security log in under 5 minutes.

API Reference

Explore every endpoint, request schema, and response field.

Architecture

Understand how the Coordinator, Detection, Risk, Mitigation, and Audit agents work together.

Configuration

Tune thresholds, feature flags, rate limits, and model settings.

How it works

SAW operates in a hybrid execution model: fast heuristic pre-filtering handles obvious threats at near-zero latency, while ambiguous or low-confidence signals are escalated to Google ADK-powered Gemini agents for deeper reasoning.
1. Install and configure

Clone the repo, create a virtual environment, install dependencies, and copy .sampleenv to .env. Optionally add your Gemini API key for LLM-assisted analysis.

2. Start the server

Run python -m uvicorn app.main:app --host 0.0.0.0 --port 8080 --reload. The dashboard is available at http://127.0.0.1:8080.

3. Ingest a security log

POST a raw log string or structured JSON to /ingest-log with your x-api-key header. SAW returns a full triage result including threat type, risk score, decision, and recommended mitigations.

4. Manage analyst tasks

Use the /tasks endpoints to assign, track, and complete follow-up investigations surfaced by the Mitigation Agent.

Key capabilities

Threat detection

Detects SQL Injection, XSS, Brute Force, and Path Traversal via heuristics and Gemini LLM fallback.

Escalation engine

Identifies burst and sustained attack patterns using per-IP memory tracking over a rolling 60-second window.

Decision engine

Produces EXECUTE, OBSERVE, or IGNORE decisions based on configurable risk score thresholds.
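To make the escalation and decision engines concrete, here is an added illustration (not SAW's own code) of a per-IP rolling 60-second window that labels burst and sustained patterns, feeding a threshold-based EXECUTE / OBSERVE / IGNORE decision. The burst count, sustained span, score boosts and the two risk thresholds are assumed values chosen for the example; in SAW these are configurable.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # rolling window described on the page
BURST_EVENTS = 10       # assumed: >= 10 events inside the window -> "burst"
SUSTAINED_SPAN = 45     # assumed: >= 3 events spread over >= 45 s -> "sustained"
EXECUTE_THRESHOLD = 80  # assumed risk-score thresholds (configurable in SAW)
OBSERVE_THRESHOLD = 40
PATTERN_BOOST = {"burst": 30, "sustained": 15, "none": 0}  # assumed score boosts


class EscalationTracker:
    """Per-IP memory of recent event timestamps, trimmed to the rolling window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)  # ip -> deque of event timestamps (seconds)

    def record(self, ip, ts):
        """Store one event for `ip` at time `ts`, expire old ones, return the pattern."""
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps older than the window
            q.popleft()
        return self.pattern(ip)

    def pattern(self, ip):
        q = self.events[ip]
        if len(q) >= BURST_EVENTS:
            return "burst"          # many hits in a short time
        if len(q) >= 3 and q[-1] - q[0] >= SUSTAINED_SPAN:
            return "sustained"      # fewer hits, but spread across most of the window
        return "none"


def decide(base_score, pattern):
    """Map a detection's base risk score plus the per-IP pattern to a decision."""
    score = min(100, base_score + PATTERN_BOOST[pattern])
    if score >= EXECUTE_THRESHOLD:
        return score, "EXECUTE"
    if score >= OBSERVE_THRESHOLD:
        return score, "OBSERVE"
    return score, "IGNORE"


if __name__ == "__main__":
    tracker = EscalationTracker()
    # constructed sample: ten events from one source within nine seconds
    pattern = "none"
    for i in range(10):
        pattern = tracker.record("192.0.2.10", 100.0 + i)
    print(pattern, decide(55, pattern))
```

The same base score of 55 lands on OBSERVE for a lone event but on EXECUTE once the source's window shows a burst, which is the escalation behaviour the two engines combine to produce.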

Task management

Automatically creates analyst follow-up tasks for incidents that require human review.
