DEV Community: Slavyan Donev The latest articles on DEV Community by Slavyan Donev (@stonebig12). https://dev.to/stonebig12 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3924641%2Fae405dbc-e93e-4a24-89bb-bbb582d8859e.jpg DEV Community: Slavyan Donev https://dev.to/stonebig12 en How I Built an AI-Powered Alert Triage System — Now with MCP Architecture Slavyan Donev Mon, 11 May 2026 09:46:56 +0000 https://dev.to/stonebig12/how-i-built-an-ai-powered-alert-triage-system-in-2-weeks-langgraph-virustotal-mitre-attck-4b5d https://dev.to/stonebig12/how-i-built-an-ai-powered-alert-triage-system-in-2-weeks-langgraph-virustotal-mitre-attck-4b5d <h1> How I Built an AI-Powered Alert Triage System — Now with MCP Architecture </h1> <h1> agents #ai #automation #cybersecurity </h1> <h2> The Problem </h2> <p>Every SOC analyst and MSP team I've talked to has the same complaint:</p> <blockquote> <p>"We get 200 alerts a day. Maybe 10 are real. But someone has to check all 200."</p> </blockquote> <p>That's alert fatigue. And it's not a small problem — the average analyst spends 3-5 hours daily on manual triage. Most of that time is wasted on false positives.</p> <p>I decided to build something to fix this. Two weeks later, I had a working MVP. Then I went a step further and refactored it with <strong>Model Context Protocol (MCP)</strong> — Anthropic's open standard for connecting AI agents to external tools. Here's exactly how I built it.</p> <h2> The Architecture (v2 — MCP Edition) </h2> <p>The original system had the agent calling tools directly. The new architecture introduces an <strong>MCP server</strong> as a modular tool layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Alert Input (Defender/SentinelOne/JSON) ↓ Alert Normalizer ↓ LangGraph Triage Agent ├── Enrich Node ──► MCP Client ├── Analyze Node ↓ └── Human-in-the-Loop MCP Server ↓ ├── virustotal_check() Output (Risk Score ├── mitre_lookup() + Slack + Audit Log) └── slack_notify() </code></pre> </div> <p><strong>Why MCP?</strong> Instead of hardcoding tool calls inside the agent, MCP separates them into a dedicated server. The agent doesn't care <em>how</em> VirusTotal works — it just calls a tool by name and gets a result. This makes the system modular, testable, and easy to extend.</p> <h2> Step 1: Alert Normalizer </h2> <p>The first challenge: every security tool outputs alerts in a different format. Defender looks different from SentinelOne, which looks different from a generic SIEM.</p> <p>I built a normalizer that takes any alert format and converts it to a single internal structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">NormalizedAlert</span><span class="p">:</span> <span class="n">alert_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">source</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># defender / sentinelone / generic </span> <span class="n">severity</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># Low / Medium / High / Critical </span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="n">timestamp</span><span class="p">:</span> <span class="nb">str</span> <span class="n">mitre_technique</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">hostname</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">username</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">source_ip</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">raw</span><span class="p">:</span> <span class="nb">dict</span> <span class="c1"># Original alert for audit </span></code></pre> </div> <p>This means the rest of the system doesn't care where the alert came from. It always works with the same format.</p> <h2> Step 2: LangGraph State Machine </h2> <p>I used LangGraph to build the agent as a state machine. Each step in the triage process is a separate node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TriageState</span><span class="p">(</span><span class="n">TypedDict</span><span class="p">):</span> <span class="n">alert</span><span class="p">:</span> <span class="nb">dict</span> <span class="n">enrichment</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">dict</span><span class="p">]</span> <span class="n">risk_score</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="n">risk_level</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">explanation</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">recommendation</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">needs_human</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">bool</span><span class="p">]</span> <span class="n">error</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> </code></pre> </div> <p>The graph flows like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>enrich → analyze → [human_review if score &gt;= 70] → format_output </code></pre> </div> <p>Why LangGraph instead of a simple chain? Because real triage isn't linear. You need conditional routing — a Critical alert should follow a different path than a Low one. LangGraph makes this explicit and debuggable.</p> <h2> Step 3: The MCP Server (New in v2) </h2> <p>This is the biggest architectural change. All three enrichment tools are now exposed via a FastMCP server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># mcp-server/server.py </span><span class="kn">from</span> <span class="n">mcp.server.fastmcp</span> <span class="kn">import</span> <span class="n">FastMCP</span> <span class="kn">from</span> <span class="n">tools.virustotal</span> <span class="kn">import</span> <span class="n">check_ip</span> <span class="kn">from</span> <span class="n">tools.mitre</span> <span class="kn">import</span> <span class="n">get_technique_summary</span> <span class="kn">from</span> <span class="n">tools.slack_notifier</span> <span class="kn">import</span> <span class="n">send_alert_notification</span> <span class="n">mcp</span> <span class="o">=</span> <span class="nc">FastMCP</span><span class="p">(</span><span class="sh">"</span><span class="s">Alert Triage MCP Server</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@mcp.tool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">virustotal_check</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Проверява IP адрес в VirusTotal и връща reputation данни.</span><span class="sh">"""</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">check_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">IP: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">ip</span><span class="si">}</span><span class="s"> | Malicious: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">malicious_votes</span><span class="si">}</span><span class="s"> | Known bad: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">is_known_bad</span><span class="si">}</span><span class="sh">"</span> <span class="nd">@mcp.tool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">mitre_lookup</span><span class="p">(</span><span class="n">technique_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Търси MITRE ATT&amp;CK техника по ID (напр. T1059.001).</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">get_technique_summary</span><span class="p">(</span><span class="n">technique_id</span><span class="p">)</span> <span class="nd">@mcp.tool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">slack_notify</span><span class="p">(</span><span class="n">alert_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">risk_score</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="p">...)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Праща Slack нотификация за критичен алерт.</span><span class="sh">"""</span> <span class="n">success</span> <span class="o">=</span> <span class="nf">send_alert_notification</span><span class="p">(</span><span class="n">triage_result</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Sent</span><span class="sh">"</span> <span class="k">if</span> <span class="n">success</span> <span class="k">else</span> <span class="sh">"</span><span class="s">Failed</span><span class="sh">"</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">mcp</span><span class="p">.</span><span class="nf">run</span><span class="p">()</span> </code></pre> </div> <p>The agent connects to this server via an MCP client wrapper:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># agents/mcp_tools.py </span><span class="k">async</span> <span class="k">def</span> <span class="nf">_call_tool</span><span class="p">(</span><span class="n">tool_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">args</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">server_params</span> <span class="o">=</span> <span class="nc">StdioServerParameters</span><span class="p">(</span> <span class="n">command</span><span class="o">=</span><span class="sh">"</span><span class="s">python</span><span class="sh">"</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">mcp-server/server.py</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="k">async</span> <span class="k">with</span> <span class="nf">stdio_client</span><span class="p">(</span><span class="n">server_params</span><span class="p">)</span> <span class="nf">as </span><span class="p">(</span><span class="n">read</span><span class="p">,</span> <span class="n">write</span><span class="p">):</span> <span class="k">async</span> <span class="k">with</span> <span class="nc">ClientSession</span><span class="p">(</span><span class="n">read</span><span class="p">,</span> <span class="n">write</span><span class="p">)</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">initialize</span><span class="p">()</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">call_tool</span><span class="p">(</span><span class="n">tool_name</span><span class="p">,</span> <span class="n">args</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span> <span class="k">def</span> <span class="nf">virustotal_check</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">_call_tool</span><span class="p">(</span><span class="sh">"</span><span class="s">virustotal_check</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">:</span> <span class="n">ip</span><span class="p">}))</span> <span class="k">def</span> <span class="nf">mitre_lookup</span><span class="p">(</span><span class="n">technique_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">_call_tool</span><span class="p">(</span><span class="sh">"</span><span class="s">mitre_lookup</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">technique_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">technique_id</span><span class="p">}))</span> </code></pre> </div> <p><strong>The result:</strong> The LangGraph agent no longer imports tools directly. It goes through MCP — clean separation of concerns.</p> <h2> Step 4: Enrichment Tools </h2> <p>Before the LLM sees the alert, two tools run automatically via MCP:</p> <h3> VirusTotal IP Lookup </h3> <p>Why this matters: An alert marked "Low severity" came in for SSH login attempts. The source IP had 4 malicious votes on VirusTotal. The system automatically escalated it to High. Without enrichment, that alert would have been ignored.</p> <h3> MITRE ATT&amp;CK Context </h3> <p>Instead of hitting an API for every request, I built a local database of the most common techniques:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">MITRE_DB</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">T1059.001</span><span class="sh">"</span><span class="p">:</span> <span class="nc">MitreTechnique</span><span class="p">(</span> <span class="sh">"</span><span class="s">T1059.001</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PowerShell</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Execution</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Adversaries use PowerShell to execute commands, often with encoded payloads...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">high</span><span class="sh">"</span> <span class="p">),</span> <span class="sh">"</span><span class="s">T1486</span><span class="sh">"</span><span class="p">:</span> <span class="nc">MitreTechnique</span><span class="p">(</span> <span class="sh">"</span><span class="s">T1486</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Data Encrypted for Impact (Ransomware)</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Impact</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Adversary encrypts data to disrupt availability...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">high</span><span class="sh">"</span> <span class="p">),</span> <span class="p">}</span> </code></pre> </div> <p>This context goes directly into the LLM prompt — giving the model real knowledge about what each technique means and how dangerous it is.</p> <h2> Step 5: The LLM Analysis </h2> <p>The Triage Agent sends the enriched alert to Groq (Llama 3.3 70B) with a structured prompt that returns JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"risk_score"</span><span class="p">:</span><span class="w"> </span><span class="mi">95</span><span class="p">,</span><span class="w"> </span><span class="nl">"risk_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Critical"</span><span class="p">,</span><span class="w"> </span><span class="nl">"explanation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"The source IP is flagged as MALICIOUS by 17 VirusTotal engines..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"recommendation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Block IP immediately and isolate the device."</span><span class="p">,</span><span class="w"> </span><span class="nl">"needs_human"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Key design decision: <strong>temperature 0.1</strong>. Security analysis needs consistency, not creativity.</p> <h2> Step 6: Human-in-the-Loop </h2> <p>For any alert with risk score &gt;= 70, the MCP <code>slack_notify</code> tool fires a formatted Slack notification. AI assists — humans decide on critical actions.</p> <h2> Step 7: REST API with FastAPI </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/triage</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">TriageResponse</span><span class="p">)</span> <span class="k">def</span> <span class="nf">triage_alert</span><span class="p">(</span><span class="n">alert_request</span><span class="p">:</span> <span class="n">AlertRequest</span><span class="p">):</span> <span class="n">normalized</span> <span class="o">=</span> <span class="nf">normalize_alert</span><span class="p">(</span><span class="n">alert_request</span><span class="p">.</span><span class="nf">model_dump</span><span class="p">(</span><span class="n">exclude_none</span><span class="o">=</span><span class="bp">True</span><span class="p">))</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">run_triage</span><span class="p">(</span><span class="n">normalized</span><span class="p">)</span> <span class="k">return</span> <span class="nc">TriageResponse</span><span class="p">(...)</span> </code></pre> </div> <p>Microsoft Defender can now send a webhook to <code>POST /triage</code> and get back a full analysis in ~3 seconds.</p> <h2> Real Results </h2> <p>Running 6 sample alerts through the system:</p> <ul> <li>A "Low severity" SSH alert was escalated to <strong>High</strong> because VirusTotal flagged the source IP (4 malicious votes)</li> <li>A data exfiltration alert scored <strong>95/100 Critical</strong> — destination IP had 17 VirusTotal votes, known Tor exit node used for C2</li> </ul> <h2> Tech Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>Agent framework</td> <td>LangGraph</td> </tr> <tr> <td>LLM</td> <td>Groq — Llama 3.3 70B (free tier)</td> </tr> <tr> <td>Tool layer</td> <td>MCP — Model Context Protocol</td> </tr> <tr> <td>Threat intel</td> <td>VirusTotal API (free tier)</td> </tr> <tr> <td>ATT&amp;CK mapping</td> <td>Local MITRE database</td> </tr> <tr> <td>Notifications</td> <td>Slack Webhooks</td> </tr> <tr> <td>API</td> <td>FastAPI</td> </tr> </tbody> </table></div> <p><strong>Total cost for MVP: $0</strong></p> <h2> Key Lessons </h2> <ol> <li> <strong>MCP separates tools from agents</strong> — your agent becomes a thin client, tools become reusable services</li> <li> <strong>Enrich before you analyze</strong> — LLM without real threat intel is just guessing</li> <li> <strong>LangGraph over simple chains</strong> — conditional routing requires a proper state machine</li> <li> <strong>Human-in-the-Loop is not optional</strong> — never automate critical security decisions</li> <li> <strong>Start with the data</strong> — understanding real alerts before coding saved hours</li> </ol> <p>Currently looking for MSP and SOC teams for a <strong>free 2-week pilot</strong>.</p> <p>If your team deals with alert fatigue — comment below or DM me.</p> <p><em>GitHub: [alert-triage-mvp] | Built with LangGraph + MCP + Groq</em></p> agents ai automation cybersecurity