Technical Deep Dive

Built by practitioners,
for practitioners

T-SecOps runs a fully local AI stack — no cloud dependency, no SaaS lock-in. Every model, every detection algorithm, and every data pipeline runs in your environment. Here's exactly how it works under the hood.

5
ML Models
6
LLM Modelfiles
9
Core Services
0
Cloud Calls
Detect. Enrich. Alert.

End-to-end detection pipeline

From raw packet to AI-generated alert — the full flow from network capture to analyst dashboard, with latency targets at each stage.

Network Interface
AF_PACKET / SPAN
Suricata 7
EVE-JSON → Redis
FastAPI Worker
Celery + APScheduler
TimescaleDB
PostgreSQL + pgvector
ML Analysis
scikit-learn / XGBoost
Ollama LLM
qwen2.5:7b local
React Dashboard
Vite + TypeScript
Three Layers. One Pipeline.

Three-layer service stack

T-SecOps runs as a Docker Compose stack. Services are grouped into data collection, AI processing, and user interface layers — each independently scalable and replaceable.

Collection & Storage
Suricata 7.x
suricata.service — EVE-JSON output, custom rules, Sigma rule engine, pfBlockerNG integration
TimescaleDB
timescaledb — time-series hypertables for alert logs and metrics with auto-compression
PostgreSQL 16
postgres — relational data, agent configs, compliance evidence store, pgvector extension
Redis 7
redis — Celery broker, task queues, short-lived alert buffers, session state
AI & Processing
FastAPI
backend — REST + WebSocket API, Pydantic v2 schemas, async SQLAlchemy ORM
Celery + APScheduler
worker — 5 autonomous background jobs, queue-based task dispatch, retry logic
Ollama
ollama — local LLM runtime, 6 custom Modelfiles, GPU/CPU inference, context streaming
scikit-learn + XGBoost
ml-engine — 5 trained models loaded at startup, inference <15ms per event
Interface & Integration
React 19 + Vite
frontend — TypeScript, Tailwind CSS, Recharts, WebSocket live feed
pfSense / UniFi API
firewall-connector — read-only rule sync, pfBlockerNG log ingestion, UniFi client tracking
7 Threat Intel APIs
ti-worker — AbuseIPDB, OTX, GreyNoise, Shodan, Feodo, Spamhaus, URLhaus
Endpoint XDR Agent
xdr-agent — Windows + Linux, Go binary, eBPF on Linux, WMI on Windows
Five Models. Zero Cloud.

Five detection algorithms

All models are trained on real network telemetry and run entirely on-premises. No external inference API, no data leaving your environment.

Isolation Forest
anomaly_detector.pkl · scikit-learn
Unsupervised anomaly detection across 24 network features. Identifies rare traffic patterns without requiring labeled attack data. Contamination factor tuned to 0.05 on live network baselines. Runs every 2 minutes over rolling 30-minute windows.
Unsupervised 24 features 2 min interval Anomaly Detection
XGBoost + HDBSCAN
c2_beaconing_model.pkl · gradient boosting
Two-stage C2 beaconing detector: HDBSCAN first clusters periodic connections by jitter-normalized intervals, then XGBoost classifies each cluster with 97 connection-level features. Beaconing score 0.0–1.0 surfaces in the AI SOC panel. Runs every 6 hours.
Supervised 97 features 6h interval C2 Beaconing
Shannon Entropy — DGA
dga_detector.pkl · character n-grams
Domain generation algorithm classifier using bigram/trigram character frequency distributions combined with Shannon entropy scoring. Trained on 2.4M legitimate domains and 800K DGA samples from 47 malware families. Runs at query time on all DNS lookups.
n-gram model 47 DGA families Real-time DNS Threat
DNS Payload Analysis
dns_tunnel_detector.pkl · payload entropy
DNS tunneling detector measuring query length distribution, TXT record entropy, CNAME chain depth, and subdomain randomness. Detects iodine, dnscat2, and custom exfiltration tools. Threshold-calibrated against 0.1% false-positive rate on enterprise DNS profiles.
Payload entropy 0.1% FPR Real-time DNS Tunneling
pgvector RAG Index
nomic-embed-text · 768-dim vectors
Semantic similarity store for the AI analyst's retrieval-augmented generation. Embeds historical alerts, playbook entries, and threat intel summaries into 768-dimensional vectors using nomic-embed-text. Enables analysts to ask natural-language questions over months of alert history.
768 dimensions cosine similarity 30 min sync RAG
On-Prem. Always Private.

Six custom Ollama Modelfiles

Each model is a system-prompted specialization of qwen2.5:7b (or nomic-embed-text for RAG). They run fully locally via the Ollama runtime — no API keys, no internet required.

t-secops-analyst
Primary threat analysis and natural-language explanation
ANALYST 
# Modelfile: t-secops-analyst
FROM qwen2.5:7b
PARAMETER temperature 0.1
PARAMETER num_ctx 8192
SYSTEM """
You are a senior SOC analyst for T-SecOps. You analyze
network alerts and produce structured threat assessments
with MITRE ATT&CK mappings and actionable recommendations.
Response format: severity, summary, indicators, actions.
"""
Handles on-demand alert explanation, threat hunting queries, and executive summaries. Temperature 0.1 ensures deterministic, factual responses. 8K context window allows full alert history to be included in the prompt.
t-secops-classifier
Structured severity and category classification
CLASSIFIER 
# Modelfile: t-secops-classifier
FROM qwen2.5:7b
PARAMETER temperature 0.0
PARAMETER num_ctx 4096
SYSTEM """
You are a classification engine. Given a Suricata alert,
output ONLY valid JSON: {"severity":"critical|high|medium|low",
"category":"c2|lateral|exfil|recon|exploit|other",
"confidence":0.0-1.0,"mitre":"TXXXX.XXX"}
No prose. No explanation.
"""
Used by the autonomous classification job every 2 minutes. Temperature 0.0 ensures reproducible JSON output. The strict output format is validated by Pydantic before database insertion.
t-secops-correlator
Multi-alert correlation and kill-chain mapping
CORRELATOR 
# Modelfile: t-secops-correlator
FROM qwen2.5:7b
PARAMETER temperature 0.2
PARAMETER num_ctx 16384
SYSTEM """
You correlate multiple security alerts into unified threat
campaigns. Map observed indicators to the MITRE ATT&CK
kill chain. Identify source IP, affected assets, and
estimated attack stage. Output structured JSON only.
"""
Runs every 10 minutes on the last hour of alerts. The 16K context window allows full batch processing. Correlation results are stored in the campaign_correlations table and visualised in the Campaign Explorer view.
t-secops-briefer
Daily AI-generated security briefing (07:00)
BRIEFER 
# Modelfile: t-secops-briefer
FROM qwen2.5:7b
PARAMETER temperature 0.3
PARAMETER num_ctx 12288
SYSTEM """
You write concise daily security briefings for SMB security
teams. Given 24h alert summaries, produce: executive summary
(3 sentences), top 5 events with context, recommended actions
ranked by priority, and overnight threat trend. Plain English.
"""
Generates the morning briefing at 07:00 daily. Slightly higher temperature (0.3) for more natural prose. The briefing is emailed to stakeholders and pinned in the AI SOC dashboard.
t-secops-compliance
NIS2 / NIST CSF / CIS gap analysis and remediation
COMPLIANCE 
# Modelfile: t-secops-compliance
FROM qwen2.5:7b
PARAMETER temperature 0.1
PARAMETER num_ctx 8192
SYSTEM """
You are a compliance specialist for NIS2 Directive, NIST CSF
2.0, and CIS Controls v8.1. Analyse security posture gaps,
map to framework controls, and produce remediation steps
ordered by risk impact. Output JSON with control IDs.
"""
Powers the Compliance page's AI Remediation Advisor. Receives detected gaps from the evidence engine and produces structured remediation recommendations mapped to specific control IDs.
t-secops-rag
Semantic embedding for vector store and RAG queries
EMBEDDING 
# Modelfile: t-secops-rag
FROM nomic-embed-text
# No system prompt — pure embedding model
# Output: 768-dimensional dense vectors
# Stored in: pgvector (PostgreSQL extension)
# Used by: t-secops-analyst RAG lookups
# Sync interval: every 30 minutes
The only non-generative model in the stack. Converts alert text, playbook entries, and threat intel into 768-dimensional vectors stored in pgvector. The analyst model queries this store for semantically similar historical incidents at inference time.
From Packet to Alert.

From packet capture to alert

Step-by-step data flow with latency targets at each stage and the services responsible.

1
Packet Capture
Suricata listens on the mirror/SPAN port (or inline with NFQ). EVE-JSON events streamed to Redis queue within milliseconds of detection.
AF_PACKETNFQUEUE<5ms
2
Event Normalisation
Celery worker consumes Redis queue. Parses EVE-JSON, enriches with GeoIP, reverse-DNS, and threat intel lookups. Inserts into TimescaleDB hypertable.
CeleryGeoIP2<200ms
3
ML Scoring
Isolation Forest scores each event in real-time. DGA and DNS tunnel classifiers score DNS events. XGBoost beaconing runs on batched connection data every 6 hours.
scikit-learnXGBoost<15ms/event
4
LLM Classification
t-secops-classifier assigns severity and MITRE category. Runs in batches every 2 minutes. Structured JSON output validated before storage.
Ollama2 min batchPydantic v2
5
Campaign Correlation
t-secops-correlator groups related alerts into threat campaigns every 10 minutes. Results stored in campaign_correlations and surfaced in the Campaign Explorer.
LLM correlation10 minMITRE ATT&CK
6
Dashboard & Alerting
React frontend subscribes to FastAPI WebSocket. Critical alerts push immediately. Smart alert rules evaluated on each classification event to prevent alert fatigue.
WebSocket7 alert rulesReal-time
Latency & Throughput Targets
EVE-JSON → Redis
< 5ms
Normalisation + enrich
< 200ms
ML scoring / event
< 15ms
LLM classification (batch)
< 3s/batch
WebSocket push to UI
< 50ms
Event throughput
10K+ ev/s
Resource Baseline (Segmented Mode)
CPU (idle)
4–8 cores
RAM (all services)
12–16 GB
Storage (90-day logs)
~120 GB
LLM inference (GPU)
RTX 3060+
LLM inference (CPU)
~8s/response
Security & Privacy

Built-in security posture

T-SecOps is designed to handle sensitive network telemetry. These are the architectural decisions that govern how data is handled, transported, and protected.

mTLS service mesh
All inter-service communication is encrypted with mutual TLS. Certificates auto-generated at first run via internal CA. Redis, TimescaleDB, and Ollama only accept authenticated connections from the FastAPI backend.
Zero cloud dependency
No telemetry, no licensing calls, no model downloads after initial setup. Every inference runs on the local Ollama runtime. Threat intel APIs are optional and individually configurable — the platform functions fully offline.
Air-gap compatible
Docker images and Ollama models can be loaded from a private registry or USB media. The platform runs on networks with no internet access. Sigma rules and threat intel can be synced manually or via internal feeds.
Role-based access (RBAC)
Three built-in roles: Administrator, Analyst, and Viewer. JWT-based session tokens with configurable expiry. Audit log for all user actions. API key support for SIEM/SOAR integrations with per-key permission scoping.
Read-only sensor mode
The network sensor (Suricata) operates in passive IDS mode by default. IPS blocking requires explicit opt-in and separate configuration. pfSense and UniFi integrations are read-only — T-SecOps never modifies firewall rules without operator approval.
Immutable audit trail
All alert classifications, analyst actions, and compliance evidence entries are append-only in TimescaleDB. PostgreSQL row-level security prevents modification of historical records. Evidence packages include cryptographic timestamps for legal defensibility.
Integration

REST API & WebSocket

The FastAPI backend exposes a full REST API with OpenAPI docs at /docs. WebSocket endpoints power real-time alert streaming. All endpoints accept JWT bearer tokens or API keys.

Key REST Endpoints
GET /api/v1/alerts Paginated alert list with filters
POST /api/v1/ai/analyze Trigger on-demand LLM analysis
GET /api/v1/compliance/score Current NIS2/NIST/CIS scores
GET /api/v1/dns/analytics DNS threat and DGA results
POST /api/v1/hunt Natural-language threat hunt
WS /ws/alerts Real-time alert stream
Example: Trigger Analysis
# Analyze alert ID 12345
curl -X POST https://t-secops.local/api/v1/ai/analyze \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"alert_id": 12345, "model": "analyst"}'

# Response
{
  "severity": "high",
  "summary": "Suspected C2 beaconing to 185.220.101.x",
  "mitre": "T1071.001",
  "confidence": 0.87,
  "actions": ["block_ip", "isolate_host"]
}
Ready to deploy

Installation guide & full documentation

Docker Compose deployment on Ubuntu, ARM64, or NVIDIA GPU. Full step-by-step guide with hardware requirements, configuration, and first-run verification.

Installation Guide Full Platform Overview Request a Demo