Mother Security Agent — Devpost Submission

How to Use the Demo

• When the page loads, Mother boots with a splash screen.
• After pressing ENTER you land on the Dashboard. This view shows posture, severity counts, and live deltas.

Simulating an attack

1. Click Simulate Attack.
2. Mother injects a fully-modeled attack chain: recon → intrusion → exploit, with delays and timestamps based on an internal schedule.
3. The Dashboard updates in real time as chain events arrive.

Viewing events

1. Navigate to Events.
2. Every item in the list is a structured Event object produced by the engine or noise generator.
3. Chain events are labeled with a chain ID for correlation.
4. Clicking an event opens the Inspector, which shows the raw event, parsed metadata, classification, and Mother’s recommendation.

Chain filtering

• When viewing an event, click View Full Chain to filter the timeline to only that attacker’s activity.
• Clear the filter with the button that appears at the top of the Events view.

Understanding the data

• Noise events simulate background internet traffic.
• Attack events are synthetic but internally consistent sequences designed to mimic real intrusion progression.
• Mother’s classification and recommendation fields are computed live using the classifier and recommender modules.
• Posture (MONITOR/ELEVATED/RESTRICT/LOCKDOWN) reflects the system’s real-time interpretation of severity, frequency, and chain risk.

Inspiration

Modern security tools are either too simple (log viewers, dashboards) or far too complex for real-time understanding. I wanted something interactive, inspectable, and honest about how attacks unfold. The inspiration was to build a transparent security simulator where you can watch an attacker move from recon to intrusion to exploit, see how a defender reasons about it, and understand the logic as it happens.

What it does

Mother Security Agent is a fully local, self-contained security simulation and analysis environment. It:

  • Generates live network noise and multi-stage attack chains (recon → intrusion → exploit).
  • Classifies events and attacker chains using real rules.
  • Derives a security posture (“MONITOR”, “ELEVATED”, “RESTRICT”, “LOCKDOWN”).
  • Assigns recommendations such as watch, investigate, block, or isolate.
  • Provides an interactive dashboard, event inspector, and attack chain viewer.
  • Streams all telemetry as if you were watching an actual compromised environment.

Everything happens in real time, with timestamps tied to attack execution, not simulation start.
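The posture and recommendation logic described above, as an added illustration rather than Mother's own code: a small Python engine that scores chain progression (recon → intrusion → exploit), counts attack-event frequency inside a rolling window, and maps the result to MONITOR/ELEVATED/RESTRICT/LOCKDOWN. The stage weights, thresholds and the 60-second window are assumptions; the sample telemetry is constructed.

```python
# Toy posture engine (assumed weights and thresholds, not the project's real rules).
from dataclasses import dataclass

STAGE_SCORE = {"recon": 1, "intrusion": 3, "exploit": 6}          # assumed stage weights
RECOMMENDATION = {"recon": "investigate", "intrusion": "block", "exploit": "isolate"}

@dataclass
class Event:
    ts: float          # seconds, tied to attack execution time, not simulation start
    src: str
    stage: str         # "noise", "recon", "intrusion" or "exploit"
    severity: int      # 0..10
    chain_id: str = "" # empty for noise; shared by every event of one attacker's chain

def recommend(e: Event) -> str:
    return RECOMMENDATION.get(e.stage, "watch")

def chain_risks(events: list) -> dict:
    """Risk per chain = sum of distinct stage scores reached (recon->exploit = 10)."""
    stages = {}
    for e in events:
        if e.chain_id and e.stage in STAGE_SCORE:
            stages.setdefault(e.chain_id, set()).add(e.stage)
    return {cid: sum(STAGE_SCORE[s] for s in st) for cid, st in stages.items()}

def derive_posture(events: list, now: float, window: float = 60.0) -> str:
    """Only events inside the rolling window count, so posture relaxes once a chain goes quiet."""
    recent = [e for e in events if 0 <= now - e.ts <= window]
    max_sev = max((e.severity for e in recent), default=0)
    attack_rate = sum(1 for e in recent if e.stage in STAGE_SCORE)
    top_risk = max(chain_risks(recent).values(), default=0)
    if top_risk >= STAGE_SCORE["exploit"] or max_sev >= 9:
        return "LOCKDOWN"
    if top_risk >= STAGE_SCORE["intrusion"] or max_sev >= 7:
        return "RESTRICT"
    if top_risk >= STAGE_SCORE["recon"] or attack_rate >= 3 or max_sev >= 5:
        return "ELEVATED"
    return "MONITOR"

def posture_timeline(events: list) -> list:  # posture after each event, as the Dashboard redraws it
    return [derive_posture(events[: i + 1], now=events[i].ts) for i in range(len(events))]

# Constructed sample telemetry: one noise event, then chain c1 progressing over ~20 s.
SAMPLE = [
    Event(100.0, "198.51.100.7", "noise", 1),
    Event(105.0, "203.0.113.9", "recon", 3, "c1"),
    Event(112.0, "203.0.113.9", "intrusion", 6, "c1"),
    Event(125.0, "203.0.113.9", "exploit", 9, "c1"),
]
```

Running `posture_timeline(SAMPLE)` walks the posture up through MONITOR, ELEVATED, RESTRICT and LOCKDOWN as the chain advances; re-evaluating with a later `now` outside the window drops it back to MONITOR.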

How we built it

  • Backend: FastAPI service with modular security logic (classifier, posture engine, recommender).
  • Attack engine: Generates coherent attacker behavior with timed delays and realistic metadata.
  • Event pipeline: Central state manager stores rolling telemetry and annotates each event.
  • Frontend: Pure static HTML/CSS/JS dashboard rendered live from API endpoints.
  • Realism features: Dynamic timestamps, chain grouping, severity scoring, and per-event recommendations.

The system is intentionally small, explicit, and readable—no hidden magic, no opaque ML.

Challenges we ran into

  • Getting event timing right so chains feel real instead of instantly emitted.
  • Ensuring all frontend panels (dashboard, events, inspector) stayed in sync after patching.
  • Designing a classification model that is simple but meaningful for judges.
  • Maintaining state consistency while dozens of noise and attack events streamed in.
  • Avoiding accidental scope creep while upgrading the engine mid-build.

Accomplishments that we're proud of

  • First working version of a full attacker→defender pipeline in under 48 hours.
  • A clean event inspector that can reconstruct an entire attack from real telemetry.
  • A posture system that updates based on actual behavior, not fixed thresholds.
  • Zero errors on the frontend despite significant rewrites to the event subsystem.
  • A project that is genuinely fun to watch in action.

What we learned

  • Small, well-named modules scale faster than large abstractions.
  • Security simulations feel real only when timing, metadata, and categorization line up.
  • Real-time UIs require disciplined backend contracts—one mismatch breaks everything.
  • The importance of grounding recommendations in simple, explainable rules.

What's next for Mother Security Agent

  • Add a CLI console for interacting with the agent in real time.
  • Expand attack surfaces (database, RDP, cloud metadata abuse, etc.).
  • Add a proper recommendation feed summarizing ongoing threats.
  • Explore a lightweight ML layer to rank chains by likelihood of compromise.
  • Publish a hosted demo environment with replayable attack scenarios.
