DEV Community: Slavyan Donev The latest articles on DEV Community by Slavyan Donev (@stonebig12). https://dev.to/stonebig12 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3924641%2Fae405dbc-e93e-4a24-89bb-bbb582d8859e.jpg DEV Community: Slavyan Donev https://dev.to/stonebig12 en How I Built an AI-Powered Alert Triage System in 2 Weeks (LangGraph + VirusTotal + MITRE ATT&CK) Slavyan Donev Mon, 11 May 2026 09:46:56 +0000 https://dev.to/stonebig12/how-i-built-an-ai-powered-alert-triage-system-in-2-weeks-langgraph-virustotal-mitre-attck-4b5d https://dev.to/stonebig12/how-i-built-an-ai-powered-alert-triage-system-in-2-weeks-langgraph-virustotal-mitre-attck-4b5d <h2> The Problem </h2> <p>Every SOC analyst and MSP team I've talked to has the same complaint:</p> <blockquote> <p>"We get 200 alerts a day. Maybe 10 are real. But someone has to check all 200."</p> </blockquote> <p>That's alert fatigue. And it's not a small problem — the average analyst spends 3-5 hours daily on manual triage. Most of that time is wasted on false positives.</p> <p>I decided to build something to fix this. Two weeks later, I had a working MVP. Here's exactly how I built it.</p> <h2> The Architecture </h2> <p>The system has 4 main components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Alert Input (Defender/SentinelOne/JSON) ↓ Alert Normalizer ↓ LangGraph Triage Agent ├── Enrich Node (VirusTotal + MITRE ATT&amp;CK) ├── Analyze Node (LLM risk scoring) └── Human-in-the-Loop Node (Critical alerts) ↓ Output (Risk Score + Slack + Audit Log) </code></pre> </div> <h2> Step 1: Alert Normalizer </h2> <p>The first challenge: every security tool outputs alerts in a different format. Defender looks different from SentinelOne, which looks different from a generic SIEM.</p> <p>I built a normalizer that takes any alert format and converts it to a single internal structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">NormalizedAlert</span><span class="p">:</span> <span class="n">alert_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">source</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># defender / sentinelone / generic </span> <span class="n">severity</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># Low / Medium / High / Critical </span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="n">timestamp</span><span class="p">:</span> <span class="nb">str</span> <span class="n">mitre_technique</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">hostname</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">username</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">source_ip</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">raw</span><span class="p">:</span> <span class="nb">dict</span> <span class="c1"># Original alert for audit </span></code></pre> </div> <p>This means the rest of the system doesn't care where the alert came from. It always works with the same format.</p> <h2> Step 2: LangGraph State Machine </h2> <p>I used <strong>LangGraph</strong> to build the agent as a state machine. Each step in the triage process is a separate node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TriageState</span><span class="p">(</span><span class="n">TypedDict</span><span class="p">):</span> <span class="n">alert</span><span class="p">:</span> <span class="nb">dict</span> <span class="n">enrichment</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">dict</span><span class="p">]</span> <span class="n">risk_score</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="n">risk_level</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">explanation</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">recommendation</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">needs_human</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">bool</span><span class="p">]</span> <span class="n">error</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> </code></pre> </div> <p>The graph flows like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>enrich → analyze → [human_review if score &gt;= 70] → format_output </code></pre> </div> <p>Why LangGraph instead of a simple chain? Because real triage isn't linear. You need conditional routing — a Critical alert should follow a different path than a Low one. LangGraph makes this explicit and debuggable.</p> <h2> Step 3: Enrichment Tools </h2> <p>Before the LLM sees the alert, two tools run automatically:</p> <h3> VirusTotal IP Lookup </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">check_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">IPReputation</span><span class="p">:</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://www.virustotal.com/api/v3/ip_addresses/</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="sh">"</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">x-apikey</span><span class="sh">"</span><span class="p">:</span> <span class="n">api_key</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="c1"># Returns malicious_votes, country, as_owner, is_known_bad </span></code></pre> </div> <p><strong>Why this matters:</strong> An alert marked "Low severity" came in for SSH login attempts. The source IP had 4 malicious votes on VirusTotal. The system automatically escalated it to High. Without enrichment, that alert would have been ignored.</p> <h3> MITRE ATT&amp;CK Context </h3> <p>Instead of hitting an API for every request, I built a local database of the most common techniques:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">MITRE_DB</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">T1059.001</span><span class="sh">"</span><span class="p">:</span> <span class="nc">MitreTechnique</span><span class="p">(</span> <span class="sh">"</span><span class="s">T1059.001</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PowerShell</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Execution</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Adversaries use PowerShell to execute commands, often with encoded payloads...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">high</span><span class="sh">"</span> <span class="p">),</span> <span class="sh">"</span><span class="s">T1486</span><span class="sh">"</span><span class="p">:</span> <span class="nc">MitreTechnique</span><span class="p">(</span> <span class="sh">"</span><span class="s">T1486</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Data Encrypted for Impact (Ransomware)</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Impact</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Adversary encrypts data to disrupt availability...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">high</span><span class="sh">"</span> <span class="p">),</span> <span class="p">}</span> </code></pre> </div> <p>This context goes directly into the LLM prompt — giving the model real knowledge about what each technique means and how dangerous it is.</p> <h2> Step 4: The LLM Analysis </h2> <p>The Triage Agent sends the enriched alert to <strong>Groq (Llama 3.3 70B)</strong> with a structured prompt that returns JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"risk_score"</span><span class="p">:</span><span class="w"> </span><span class="mi">95</span><span class="p">,</span><span class="w"> </span><span class="nl">"risk_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Critical"</span><span class="p">,</span><span class="w"> </span><span class="nl">"explanation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"The source IP is flagged as MALICIOUS by 17 VirusTotal engines..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"recommendation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Block IP immediately and isolate the device."</span><span class="p">,</span><span class="w"> </span><span class="nl">"needs_human"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Key design decision: <strong>temperature 0.1</strong>. Security analysis needs consistency, not creativity.</p> <h2> Step 5: Human-in-the-Loop </h2> <p>For any alert with risk score &gt;= 70, the system sends a Slack notification and waits for human approval. AI assists — humans decide on critical actions.</p> <h2> Step 6: REST API with FastAPI </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/triage</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">TriageResponse</span><span class="p">)</span> <span class="k">def</span> <span class="nf">triage_alert</span><span class="p">(</span><span class="n">alert_request</span><span class="p">:</span> <span class="n">AlertRequest</span><span class="p">):</span> <span class="n">normalized</span> <span class="o">=</span> <span class="nf">normalize_alert</span><span class="p">(</span><span class="n">alert_request</span><span class="p">.</span><span class="nf">model_dump</span><span class="p">(</span><span class="n">exclude_none</span><span class="o">=</span><span class="bp">True</span><span class="p">))</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">run_triage</span><span class="p">(</span><span class="n">normalized</span><span class="p">)</span> <span class="k">return</span> <span class="nc">TriageResponse</span><span class="p">(...)</span> </code></pre> </div> <p>Microsoft Defender can now send a webhook to <code>POST /triage</code> and get back a full analysis in ~3 seconds.</p> <h2> Real Results </h2> <p>Running 6 sample alerts through the system:</p> <ul> <li>A "Low severity" SSH alert was escalated to <strong>High</strong> because VirusTotal flagged the source IP (4 malicious votes)</li> <li>A data exfiltration alert scored <strong>95/100 Critical</strong> — destination IP had 17 VirusTotal votes, known Tor exit node used for C2</li> </ul> <h2> Tech Stack </h2> <ul> <li> <strong>Python 3.12</strong> + <strong>LangGraph</strong> + <strong>FastAPI</strong> </li> <li> <strong>Groq (Llama 3.3 70B)</strong> — free tier</li> <li> <strong>VirusTotal API</strong> — free tier (500 req/day)</li> <li> <strong>Slack Webhooks</strong> — notifications</li> </ul> <p>Total cost for MVP: <strong>$0</strong></p> <h2> Key Lessons </h2> <ol> <li> <strong>Enrich before you analyze</strong> — LLM without real threat intel is just guessing</li> <li> <strong>LangGraph over simple chains</strong> — conditional routing requires a proper state machine</li> <li> <strong>Human-in-the-Loop is not optional</strong> — never automate critical security decisions</li> <li> <strong>Start with the data</strong> — understanding real alerts before coding saved hours</li> </ol> <p>Currently looking for MSP and SOC teams for a <strong>free 2-week pilot</strong>.<br> If your team deals with alert fatigue — comment below or DM me.</p> <p><em>Tags: <code>python</code> <code>security</code> <code>ai</code> <code>langgraph</code> <code>cybersecurity</code></em><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5l4rnomw1kb6qwm5byqz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5l4rnomw1kb6qwm5byqz.png" alt=" "></a></p> agents ai automation cybersecurity