SAW (Security Analyst Workspace) is a production-grade multi-agent system built to automate the first line of security log triage in a Security Operations Center. Instead of requiring an analyst to manually review every alert, SAW ingests raw or structured log data, classifies the threat, scopes its severity, and recommends mitigations — all through a FastAPI backend you can run locally, in Docker, or on cloud infrastructure.
Documentation Index
Fetch the complete documentation index at: https://mintlify.com/samkit511/SAW---Security-Analyst-Workspace/llms.txt
Use this file to discover all available pages before exploring further.
The 5W1H
| Question | Answer |
|---|---|
| What | A multi-agent system for automated log triage, threat classification, and incident mitigation tracking |
| Why | To reduce alert fatigue in SOCs by automating repetitive triage and providing explainable, consistent threat assessments |
| Who | Security analysts, SOC managers, and DevSecOps teams that need an automated first-line investigator |
| When | Real-time ingestion as incidents occur — from edge systems, firewalls, and application gateways |
| Where | Deployed as a FastAPI service: local, Docker, or cloud |
| How | A four-agent orchestration pipeline (Coordinator → Detection → Risk → Mitigation/Audit) powered by Google ADK and Gemini |
Key capabilities
Hybrid execution
Deterministic signature-matching runs first for near-zero latency on obvious threats. Ambiguous logs escalate to LLM-assisted Gemini agents for deep contextual reasoning.
Multi-agent pipeline
Four specialized agents — Coordinator, Detection, Risk, and Mitigation/Audit — each own a discrete stage of the triage workflow with full trace output.
Explainable decisions
Every triage result includes a structured trace with agent orchestration plans, ADK review status, and influenced outcome flags so analysts understand exactly what happened.
Task management
Built-in task tracking lets analysts assign follow-up reviews, filter by incident, and resolve items through dedicated REST endpoints.
Rate limiting and replay protection
Per-IP rate limiting, in-flight request caps, and event ID replay detection protect the service under load.
Interactive dashboard
The root endpoint / serves a browser-based UI for monitoring live triage results and orchestration state.
Tech stack
| Component | Role |
|---|---|
| FastAPI / Uvicorn | High-performance async API layer |
| Google ADK | Multi-agent orchestration, state sharing, and system boundaries |
| Google GenAI SDK / Gemini | LLM reasoning for low-confidence and ambiguous log events |
| Pydantic | Schema enforcement and data validation for all request/response models |
| python-dotenv | Environment variable configuration |
Architecture and execution modes
SAW operates in a hybrid execution pattern controlled by the ASA_MODE environment variable.
Deterministic pipeline — applies signature matching, rule-based filtering, and rate-limiting to tag or drop obvious issues with near-zero latency.
LLM-assisted pipeline — for ambiguous logs or low-confidence decisions, the system delegates to Google ADK-powered agents running Gemini models (gemini-2.5-flash by default) that can examine contextual subtleties that static rules miss.
The four agents in the pipeline:
- Coordinator agent — receives the log and plans the response workflow
- Detection agent — normalizes the log and classifies the initial threat type
- Risk agent — scopes severity, checks attack history memory, and formulates an action framework
- Mitigation & Audit agents — recommend immediate mitigations and record full explainable tracing
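The deterministic stage described above, as an added illustration rather than SAW's own code: it applies event ID replay detection, a per-IP rate limit, and signature matching, and emits an escalate flag telling the caller whether the event should be handed to the Coordinator agent for LLM-assisted review. The signature table, thresholds, function names and event fields are assumptions; only ASA_MODE comes from the project documentation.

```python
import os
import re
import time
from collections import defaultdict, deque
from typing import Optional

# Illustrative only, not SAW's implementation. Signatures, thresholds and field
# names are assumed; ASA_MODE is the documented switch ("deterministic" or "hybrid").
MODE = os.environ.get("ASA_MODE", "hybrid")
RATE_LIMIT = 5            # events accepted per source IP per window
WINDOW_SECONDS = 60
CONFIDENCE_FLOOR = 0.8    # signature hits below this still go to the LLM agent

# Deterministic signatures: (threat name, compiled pattern, severity, confidence)
SIGNATURES = [
    ("ssh_bruteforce", re.compile(r"Failed password for .* from \S+"), "high", 0.95),
    ("sqli_probe", re.compile(r"UNION\s+SELECT|' OR '1'='1", re.I), "high", 0.90),
    ("scripted_client", re.compile(r"User-Agent: (curl|python-requests)", re.I), "low", 0.60),
]

_seen_event_ids: set = set()
_per_ip: dict = defaultdict(deque)

def reset_state() -> None:
    """Clear replay and rate-limit state (used between test runs)."""
    _seen_event_ids.clear()
    _per_ip.clear()

def triage(event: dict, now: Optional[float] = None, mode: str = MODE) -> dict:
    """Stage 1 of the hybrid pipeline. Returns a decision dict whose 'escalate'
    key tells the caller whether to hand the event to the LLM-assisted agents."""
    now = time.time() if now is None else now
    eid, ip, msg = event["event_id"], event["source_ip"], event["message"]

    # Replay protection: each event ID is processed at most once.
    if eid in _seen_event_ids:
        return {"event_id": eid, "action": "drop", "reason": "replayed_event_id", "escalate": False}
    _seen_event_ids.add(eid)

    # Per-IP sliding-window rate limit: excess events are dropped, not triaged.
    q = _per_ip[ip]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    q.append(now)
    if len(q) > RATE_LIMIT:
        return {"event_id": eid, "action": "drop", "reason": "rate_limited", "escalate": False}

    # Signature matching: confident hits are tagged here with near-zero latency.
    for name, pattern, severity, conf in SIGNATURES:
        if pattern.search(msg):
            return {"event_id": eid, "action": "tag", "threat": name, "severity": severity,
                    "confidence": conf, "escalate": mode == "hybrid" and conf < CONFIDENCE_FLOOR}

    # No rule fired: the event is ambiguous, so escalate only when LLM assistance is enabled.
    return {"event_id": eid, "action": "review", "threat": "unknown", "severity": "unknown",
            "confidence": 0.0, "escalate": mode == "hybrid"}
```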
Where to go next
Quickstart
Get a local SAW server running and triage your first log in under ten minutes.
Architecture overview
Understand the multi-agent pipeline and hybrid execution model in depth.
POST /ingest-log
API reference for the primary log ingestion endpoint.