<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: MEHRAAN AMIN</title>
    <description>The latest articles on DEV Community by MEHRAAN AMIN (@codewithmehru).</description>
    <link>https://dev.to/codewithmehru</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3959500%2F665b6d1e-03b0-4f09-a167-b158bc528215.jpg</url>
      <title>DEV Community: MEHRAAN AMIN</title>
      <link>https://dev.to/codewithmehru</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/codewithmehru"/>
    <language>en</language>
    <item>
      <title>How I Built CoralSec Copilot: A Unified Enterprise SOC with Coral &amp; Next.js in 4 Days</title>
      <dc:creator>MEHRAAN AMIN</dc:creator>
      <pubDate>Sat, 30 May 2026 06:10:46 +0000</pubDate>
      <link>https://dev.to/codewithmehru/how-i-built-coralsec-copilot-a-unified-enterprise-soc-with-coral-nextjs-in-4-days-235o</link>
      <guid>https://dev.to/codewithmehru/how-i-built-coralsec-copilot-a-unified-enterprise-soc-with-coral-nextjs-in-4-days-235o</guid>
      <description>&lt;p&gt;&lt;strong&gt;The tech industry is currently in a frenzy. Everyone is rushing to build the next big AI application, slapping a chatbot interface onto a database and calling it a day. But in this gold rush, we are leaving something critical behind: Enterprise Security.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Living in a Kali Linux environment and spending time hunting vulnerabilities teaches you one fundamental truth: security is entirely about context. Hardcoded API keys, undocumented access escalations, and compliance blind spots remain the number one cause of major data breaches. Security teams don’t just need a chatbot that can answer questions; they need a single pane of glass. They need a Security Operations Center (SOC).&lt;/p&gt;

&lt;p&gt;For the Pirates of the Coral-Bean Hackathon (hosted by Coral and WeMakeDevs), I decided to tackle this massive industry problem. Over the course of 4 sleepless nights, I built CoralSec Copilot—an AI-powered, unified Enterprise SOC platform.&lt;/p&gt;

&lt;p&gt;Here is the complete Captain's Log of my entire journey, the architecture, the roadblocks, and a reproducible guide so you can build and run it yourself.&lt;/p&gt;

&lt;h2&gt;
  
  
  Day 1: The Brainstorm, Grok, and Cursor AI
&lt;/h2&gt;

&lt;p&gt;When the hackathon was announced, my initial thought was basic: "I'll build a CLI agent that scans code." I fired up my IDE, opened Cursor, and started bouncing ideas around. I even looked into some AI models like Grok to understand how they process vast amounts of real-time data.&lt;/p&gt;

&lt;p&gt;But while brainstorming the architecture, I hit a wall. Scanning a GitHub commit for a leaked AWS key is great, but what if the AI also knew whether the developer who pushed that commit had recently escalated their admin privileges? What if it knew the exact SOC2 compliance policy from our company’s Notion workspace?&lt;/p&gt;

&lt;p&gt;To do this traditionally, I would have to write dozens of messy REST API integrations. I'd have to handle rate limits, write custom Python scripts for GitHub, another set for Slack, another for Notion, and then build fragile ETL (Extract, Transform, Load) pipelines to bring all that data together.&lt;/p&gt;

&lt;p&gt;It sounded like an absolute nightmare for a 4-day sprint. I needed a way to unify data without writing thousands of lines of glue code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Day 2: The Magic of Coral MCP &amp;amp; Cross-Source SQL
&lt;/h2&gt;

&lt;p&gt;This is where the Coral Protocol stepped in and completely changed my development trajectory.&lt;/p&gt;

&lt;p&gt;Coral Protocol is not just a database wrapper; it is a unified data intelligence hub. It allowed me to replace all that custom glue code with read-only, cross-source SQL. By integrating the Coral Model Context Protocol (MCP), I gave my AI agent the ability to write a single query with LEFT JOIN semantics across entirely different platforms.&lt;/p&gt;

&lt;p&gt;Instead of writing five different Python scripts to fetch data, my agent can now execute something conceptually like this under the hood:&lt;/p&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="nv"&gt;`SELECT
github.cve_id,
slack.incident_channel,
notion.compliance_policy
FROM github_dependabot AS github
LEFT JOIN slack_channels AS slack ON slack.topic = github.cve_id
LEFT JOIN notion_pages AS notion ON notion.tags = 'SOC2'
WHERE github.state = 'open';`&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;




&lt;p&gt;As a first-time Coral user, shifting my mindset from writing complex backend logic to simply leveraging Coral’s SQL interface for cross-platform joins was mind-blowing. It completely eliminated the data silos. My AI agent could now correlate a GitHub Dependabot vulnerability, an active Slack security channel, and an internal Notion compliance policy in a single execution path.&lt;/p&gt;

&lt;h2&gt;
  
  
  Day 3: Giving the AI Brain a Body (Next.js Dashboard)
&lt;/h2&gt;

&lt;p&gt;An AI brain is incredibly powerful, but IT admins and security operators need a visual dashboard to monitor threats continuously. They can't just type prompts all day. I spent the third day wrapping my Coral-powered engine into a persistent Enterprise UI.&lt;/p&gt;

&lt;p&gt;Using Next.js 15, Tailwind CSS, and shadcn/ui, I built a 4-module dashboard to act as a single pane of glass:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Global Risk Dashboard&lt;br&gt;
This isn't just a static page. It calculates a dynamic risk score based on aggregated posture signals pulled live from the APIs. It gives security teams a bird's-eye view of their infrastructure's health.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Secret Scanner&lt;br&gt;
Visualizes leaked Personal Access Tokens (PATs) and AWS keys from commit pipelines. It flags critical misconfigurations the moment they happen.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Vulnerability Intelligence&lt;br&gt;
An interactive tracker for OSV and CVE data aligned with Dependabot. It breaks down threats by severity, highlighting things like OpenSSL buffer over-reads or prototype pollution in lodash.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Compliance Monitor&lt;br&gt;
A live ledger that directly compares GitHub admin access against Notion SOC2 policy pages. If someone gets unauthorized admin access on GitHub, the dashboard flags it against the company policy instantly.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Day 4: Resiliency, Python Fallbacks, and The Cybersecurity Mindset
&lt;/h2&gt;

&lt;p&gt;What happens if the cloud alert tables are entirely empty? A security tool cannot just fail silently. I needed this platform to be bulletproof.&lt;/p&gt;

&lt;p&gt;To achieve this, I built a resilient Python and LangChain scanner as a fallback. If the primary cloud scans return empty, the system triggers zero-day commit parsing. It uses structured tool calls to parse local commit diffs and surface historical leak patterns before they hit production.&lt;/p&gt;

&lt;p&gt;I also engineered bulletproof API pushdowns. I structured the SQL so that queries against sources like Dependabot filter on exact states (e.g., state = 'open' OR state IS NULL). This ensures that if a third-party API returns a null severity, my dashboard doesn't accidentally drop a valid open alert.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Sandbox Deployment Decision&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When it came time to deploy, I faced a serious dilemma. I wanted the hackathon judges and the community to experience the beautiful Next.js UI. However, as a cybersecurity researcher, I strictly follow security best practices.&lt;/p&gt;

&lt;p&gt;Exposing my active Personal Access Tokens (GitHub, Slack, Notion) on a public Vercel domain was an absolute no-go. It defeats the entire purpose of building a security tool.&lt;/p&gt;

&lt;p&gt;So, I deployed the live link as an interactive Sandbox / Demo Mode. By adding a simple environment variable, the app renders a safe UI where anyone can explore the UX and the AI agent's frontend flow safely without exposing real company data. But to experience the real-time scanning engine, developers must clone the repo and run it locally with their own keys.&lt;/p&gt;

&lt;h2&gt;
  
  
  Charting the Course: Build Your Own CoralSec Copilot
&lt;/h2&gt;

&lt;p&gt;If you want to run this Enterprise SOC on your own company's repositories, here is the exact reproducible route to get the real-time scanning engine fired up on your local machine.&lt;/p&gt;

&lt;p&gt;Prerequisites:&lt;br&gt;
You will need two terminal windows to run the Next.js UI and the Coral MCP Engine simultaneously.&lt;/p&gt;

&lt;p&gt;Step 1: Set Up Environment&lt;br&gt;
Clone the repository and set up your environment variables.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="o"&gt;[&lt;/span&gt;Note &lt;span class="k"&gt;for &lt;/span&gt;Mehru: Use the code block button &lt;span class="k"&gt;in &lt;/span&gt;Dev.to &lt;span class="k"&gt;for &lt;/span&gt;the bash commands below]
git clone https://github.com/CodeWithMehru/coral-security-copilot.git
&lt;span class="nb"&gt;cd &lt;/span&gt;coral-security-copilot
&lt;span class="nb"&gt;cp&lt;/span&gt; .env.example .env
&lt;span class="o"&gt;[&lt;/span&gt;End Note]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Open the .env file and insert your GitHub, Notion, and Slack tokens. Make sure to set CORALSEC_USE_DEMO=false so you exit the Sandbox and run the live engine!&lt;/p&gt;

&lt;p&gt;Step 2: Start Coral Engine&lt;br&gt;
Open your first terminal in the root directory and start the Coral Studio:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;coral mcp studio&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Step 3: Start the Next.js Frontend&lt;br&gt;
Open a second terminal, install the dependencies, and start the development server:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="o"&gt;[&lt;/span&gt;Note &lt;span class="k"&gt;for &lt;/span&gt;Mehru: Use the code block button &lt;span class="k"&gt;in &lt;/span&gt;Dev.to &lt;span class="k"&gt;for &lt;/span&gt;the bash &lt;span class="nb"&gt;command &lt;/span&gt;below]
&lt;span class="nb"&gt;cd &lt;/span&gt;frontend
npm &lt;span class="nb"&gt;install
&lt;/span&gt;npm run dev
&lt;span class="o"&gt;[&lt;/span&gt;End Note]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Open localhost:3000 in your browser to view the live dashboard. You now have a fully functional, AI-powered Enterprise Security Operations Center running on your local machine!&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;Building CoralSec Copilot was an absolute masterclass in data correlation. Coral eliminated the most painful parts of API integration and allowed me to focus entirely on building a robust, intelligent security product.&lt;/p&gt;

&lt;p&gt;A massive thank you to Coral and WeMakeDevs for hosting this hackathon. It challenged me to push my boundaries as a full-stack developer and a security researcher. The voyage was long, the code was complex, but the final plunder was absolutely worth it!&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>programming</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
