Building AgentSmith-HUB: A High-Performance Security Data Pipeline with Real-Time Detection

E_Bwill — Fri, 01 Aug 2025 09:26:14 +0000

Over the past few months, I’ve been working on a project called AgentSmith-HUB. It started as an experiment to build a lightweight, flexible rules engine for security data processing, but eventually became a full platform for real-time threat detection and response.

This post explains why I built it, how it works, and what kind of use cases it supports.

Why I Built It

Security teams often deal with massive volumes of logs and alerts. Traditional SIEMs can be heavy, expensive, or inflexible. In many cases, teams want to build their own detection logic, integrate with existing systems, and have full control over data pipelines.

I wanted something that:

Processes logs in real time
Allows flexible detection logic (regex, thresholds, enrichment)
Supports custom plugins for threat intel lookups, automated responses, or data transformations
Can run in distributed mode and scale easily
Is fast enough to handle high-throughput data

What It Is

AgentSmith-HUB is an open-source security data pipeline platform with a built-in real-time detection engine.

Main features:

Flexible rules engine with a simple XML-like syntax (, , , )
Plugin system (built-in and custom) for enrichment, alerting, and external integrations
Cluster/distributed mode for scalability
Full-featured web UI for building and testing workflows visually
MCP (Model Context Protocol) support, so it can integrate with LLM-based assistants for rule editing and operations
Integrates with Kafka, Elasticsearch, and cloud logging services

Performance

In testing (8 complex rules), it processed around 40,000 messages per second with sub-millisecond latency on a 2‑CPU, 4‑GB server.

Typical Use Cases

Intrusion detection with flexible rules and enrichment
Automated response workflows (block IP, send alerts, enrich data with threat intel)
Real-time log analysis and masking of sensitive information
A lightweight alternative to heavy SIEM setups

Example Rule

Here’s a simple rule that detects admin logins and appends additional fields:

<rule id="detect_admin_login" name="Detect Admin Login">
  <check type="EQU" field="username">admin</check>
  <append field="alert">admin login detected</append>
</rule>

The engine supports flexible execution order. You can append data before checks, use thresholds, or call custom plugins as part of rule execution.

More Functions Show

Dashboard:

Ruleset Example:

Edit Rule:

Edit Project:

Push Changes:

Ruleset Test:

MCP:

Plugin Test:

Search:

What’s Next

I’m planning to add more built-in plugins, improve cluster management, and explore deeper MCP-based integrations for LLM-assisted SOC operations.

Links

GitHub: https://github.com/EBWi11/AgentSmith-HUB

If you’ve built similar tools or worked on custom detection pipelines, I’d love to hear your thoughts and feedback!

DEV Community: E_Bwill