The all-in-one cybersecurity command center for German SMEs
SPIR monitors your infrastructure 24/7, detects threats with AI-powered rules, automates incident response through pre-built playbooks, and tracks compliance against the frameworks that matter in Germany and the EU — all from a single platform.
| Feature | Description |
|---|---|
| Security Score | Real-time health score (0–100) across 5 weighted dimensions with letter grades |
| Log Collection | Syslog (UDP/TCP), iptables/pfSense/Fortinet/Sophos, Windows Event Log, AWS CloudTrail, Azure Activity Log, endpoint agents |
| Smart Alerts | 16+ SIGMA-compatible detection rules, sliding-window correlation, ML anomaly detection (Isolation Forest), false-positive filter with analyst feedback loop |
| Incident Response | 6 pre-built playbooks (ransomware, phishing, data breach, DDoS, insider threat, brute force) with automated account actions |
| Compliance Tracker | NIS2, BSI IT-Grundschutz, ISO 27001, GDPR — gap analysis, effort estimation, text/JSON/HTML reports |
| Identity & Access | MFA coverage analysis, dormant account detection, over-privilege review, service account audit |
| Integrations | VAPT scanner import, Jira ticket creation, SIEM export (CEF/LEEF), Slack, Teams, email, webhooks |
- Python 3.11+
- Docker & Docker Compose (optional, for full-stack deployment)
```bash
git clone https://github.com/aryanajit24/SPIR.git
cd SPIR
python -m venv venv && source venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
# Edit .env with your database, SMTP, Slack/Teams webhooks, etc.
```

No external services needed — everything runs in-memory:

```bash
python scripts/demo.py
```

This walks through log collection, alert detection, playbook execution, compliance tracking, identity auditing, and security score calculation with rich terminal output.

```bash
python -m api.app
```

- API: http://localhost:8000
- Swagger Docs: http://localhost:8000/api/docs
- ReDoc: http://localhost:8000/api/redoc
```bash
docker-compose up -d
```

| Service | Port | Description |
|---|---|---|
| spir-api | 8000 | FastAPI backend |
| spir-dashboard | 3000 | React frontend |
| postgres | 5432 | PostgreSQL 16 database |
| opensearch | 9200 | OpenSearch 2.12 log storage |
| redis | 6379 | Cache & pub/sub |
```bash
pytest tests/ -v                              # All 124+ tests
pytest tests/test_alert_engine.py -v          # Specific module
pytest tests/ --cov=. --cov-report=html       # With coverage report
```

```text
SPIR/
├── api/                            # FastAPI REST API
│   ├── app.py                      # Application entry point & lifespan
│   ├── middleware/                 # API key authentication
│   └── routes/                     # dashboard, alerts, incidents, compliance, identity, vapt, settings
├── alert_engine/                   # Threat detection engine
│   ├── engine.py                   # Core rule evaluator with 12 operators & correlation
│   ├── models.py                   # DetectionRule & Alert dataclasses
│   ├── rules/                      # 16 pre-built rules + SIGMA format loader
│   ├── ml/                         # Isolation Forest anomaly detector, FP filter
│   └── dispatchers/                # Email (HTML), Slack, Teams, generic webhook
├── collector/                      # Log collectors
│   ├── collector_manager.py        # Event queue (10K buffer) & handler dispatch
│   ├── syslog_collector.py         # RFC 3164 / 5424 UDP listener
│   ├── firewall_collector.py       # iptables, pfSense, Fortinet, Sophos parser
│   ├── windows_event_collector.py  # WEF polling (25+ Event IDs)
│   ├── cloud_collector.py          # AWS CloudTrail & Azure Activity Log
│   └── endpoint_collector.py       # HTTP receiver for endpoint agents
├── incident_response/              # Automated incident response
│   ├── engine.py                   # Playbook executor & ticket manager
│   ├── actions/                    # disable_account, force_password_reset, revoke_sessions, etc.
│   └── playbooks/                  # ransomware, phishing, data_breach, ddos, insider_threat, brute_force
├── compliance/                     # Regulatory compliance tracking
│   ├── tracker.py                  # Framework registry, scoring, reporting
│   ├── gap_analyzer.py             # Gap analysis & effort estimation
│   ├── report_generator.py         # Text / JSON / HTML report output
│   └── frameworks/                 # NIS2, BSI Grundschutz, ISO 27001, GDPR definitions
├── identity/                       # Identity & access management auditing
│   ├── auditor.py                  # Main audit orchestrator
│   ├── mfa_checker.py              # MFA coverage & risk scoring
│   ├── dormant_detector.py         # 30/60/90-day inactivity detection
│   └── privilege_reviewer.py       # Over-privileged & service account review
├── security_score/                 # Security health score (0-100)
│   ├── calculator.py               # Weighted 5-dimension aggregator
│   └── dimensions.py               # Vuln mgmt, access control, monitoring, compliance, IR readiness
├── integrations/                   # External tool connectors
│   ├── vapt_connector.py           # VAPT scan import & remediation tracking
│   ├── jira_connector.py           # Auto-create Jira tickets from alerts
│   └── siem_exporter.py            # CEF & LEEF format export
├── dashboard/                      # React 18 frontend (dark theme)
├── config/                         # Settings (pydantic-settings) & logging
├── scripts/                        # demo.py, generate_test_data.py, setup.sh
├── tests/                          # 124+ pytest tests across all modules
├── docs/                           # 8 detailed guides (setup, API, architecture, compliance, …)
├── docker-compose.yml              # Full-stack orchestration (5 services)
├── Dockerfile                      # Python 3.11 production image
└── requirements.txt                # 30+ pinned dependencies
```
All settings are loaded from environment variables or a .env file via pydantic-settings:
| Variable | Default | Description |
|---|---|---|
| SPIR_ENV | development | development / staging / production |
| SPIR_API_KEY | change-me | API authentication key (X-API-Key header) |
| SPIR_SECRET_KEY | change-me | Application secret key |
| POSTGRES_HOST | localhost | PostgreSQL host |
| OPENSEARCH_HOST | localhost | OpenSearch host |
| REDIS_HOST | localhost | Redis host |
| SMTP_HOST / SMTP_PORT | localhost / 587 | Email alert delivery |
| SLACK_WEBHOOK_URL | — | Slack incoming webhook |
| TEAMS_WEBHOOK_URL | — | Microsoft Teams webhook |
| VAPT_API_URL | http://localhost:8001 | VAPT scanner API |
| AWS_REGION | eu-central-1 | AWS region for CloudTrail |
See .env.example for the full list including LDAP, Jira, and Azure settings.
| Method | Endpoint | Description |
|---|---|---|
| GET | /health | Health check |
| GET | /api/dashboard | Consolidated security overview |
| GET | /api/alerts | List alerts (filter by status/severity) |
| PUT | /api/alerts/{id}/acknowledge | Acknowledge an alert |
| PUT | /api/alerts/{id}/resolve | Resolve an alert |
| GET | /api/incidents | List incident tickets |
| POST | /api/incidents/trigger | Trigger a playbook |
| GET | /api/compliance/frameworks | All compliance frameworks with scores |
| GET | /api/compliance/frameworks/{id}/gaps | Gap analysis for a framework |
| GET | /api/identity | Identity & access audit report |
| POST | /api/vapt/import | Import VAPT scan results |
| GET | /api/collectors/status | Collector health status |
| GET | /api/settings | Platform configuration |
Interactive API documentation is available at /api/docs (Swagger UI) and /api/redoc.
The platform calculates a real-time security health score (0–100) from 5 weighted dimensions:

```text
Overall Score = Σ (dimension_score × weight)
```

| Dimension | Weight | What it measures |
|---|---|---|
| Vulnerability Management | 25% | Open vulns, patch velocity, scan freshness |
| Access Control | 25% | MFA coverage, dormant accounts, privilege hygiene |
| Monitoring & Detection | 20% | Collector coverage, alert response time, event flow |
| Compliance | 20% | NIS2/BSI/ISO/GDPR completion % |
| Incident Readiness | 10% | Playbook coverage, drill recency |

Grades: A (81-100) · B (61-80) · C (41-60) · D/F (0-40)
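To make the formula above concrete, here is an added Python example that is not SPIR's own `calculator.py`: it applies the README's five weights and grade bands, validates its inputs, and names the dimension that costs the most weighted points. The sample posture values are constructed for illustration.

```python
# Added example, not SPIR's own calculator.py: the README's weighted score and grade bands.
WEIGHTS = {  # from the dimension table above; must sum to 1.0
    "vulnerability_management": 0.25,
    "access_control": 0.25,
    "monitoring_detection": 0.20,
    "compliance": 0.20,
    "incident_readiness": 0.10,
}
# Grade bands from the README. A score takes the highest band whose floor it reaches,
# so fractional scores such as 80.5 land in B instead of falling between bands.
GRADE_BANDS = [(81, "A"), (61, "B"), (41, "C"), (0, "D/F")]


def overall_score(dimension_scores: dict[str, float]) -> float:
    """Overall Score = Σ (dimension_score × weight); each dimension is on 0-100."""
    if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("dimension weights must sum to 1.0")
    missing = WEIGHTS.keys() - dimension_scores.keys()
    if missing:
        raise ValueError(f"missing dimension scores: {sorted(missing)}")
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = dimension_scores[name]
        if not 0 <= value <= 100:
            raise ValueError(f"{name} score {value} is outside 0-100")
        total += value * weight
    return round(total, 1)


def letter_grade(score: float) -> str:
    """Map a 0-100 score onto the README's A / B / C / D-F bands."""
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    return next(grade for floor, grade in GRADE_BANDS if score >= floor)


def weakest_dimension(dimension_scores: dict[str, float]) -> str:
    """Dimension losing the most weighted points, i.e. the best place to invest first."""
    return max(WEIGHTS, key=lambda n: (100 - dimension_scores[n]) * WEIGHTS[n])


# Constructed sample posture (illustrative numbers, not results from any real environment)
SAMPLE = {
    "vulnerability_management": 80,
    "access_control": 60,
    "monitoring_detection": 70,
    "compliance": 45,
    "incident_readiness": 40,
}
```

With the sample posture the score is 62.0 (grade B), and compliance is the dimension worth fixing first even though incident readiness has the lowest raw value, because its weight is twice as large.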
| Framework | Standard | Coverage |
|---|---|---|
| NIS2 | EU Directive 2022/2555 | All 10 Article 21(2) risk management measures |
| BSI IT-Grundschutz | German federal standard | 10 key Bausteine (DER.1, DER.2.1, CON.3, …) |
| ISO/IEC 27001:2022 | International ISMS | 18 Annex A controls (5.x – 8.x) |
| GDPR Article 32 | EU data protection | 10 technical & organisational measures |
Each framework includes: control tracking, gap analysis, effort estimation (days/weeks), quick-win identification, and exportable reports (text/JSON/HTML).
16 pre-built rules covering key MITRE ATT&CK tactics:
| Rule | Tactic | Technique |
|---|---|---|
| SSH Brute Force | Credential Access | T1110.001 |
| Windows Failed Login Burst | Credential Access | T1110 |
| Ransomware Indicators | Impact | T1486 |
| Port Scan | Discovery | T1046 |
| Data Exfiltration (100MB+) | Exfiltration | T1041 |
| Off-Hours Login | Initial Access | T1078 |
| Admin Account Created | Persistence | T1136 |
| Malware (mimikatz, cobalt strike) | Execution | T1059 |
| DNS Tunneling | Command & Control | T1071.004 |
| Privilege Escalation (sudo/su) | Privilege Escalation | T1548.003 |
| VAPT Unpatched Critical | Initial Access | T1190 |
| Firewall Rule Modification | Defense Evasion | T1562.004 |
| Malicious IP Connection | Command & Control | T1571 |
| Audit Log Cleared | Defense Evasion | T1070.001 |
| AWS Root Console Login | Privilege Escalation | T1078.004 |
| Insider Threat – Bulk Download | Collection | T1213 |
Additional rules can be loaded from SIGMA YAML files.
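The Smart Alerts feature describes sliding-window correlation, and the SSH Brute Force rule above is the textbook case for it. The following added Python example is not SPIR's `engine.py`; it parses constructed RFC 3164-style sshd failure lines and fires once per burst when one source IP reaches a threshold inside the window. The threshold of 5 failures in 60 seconds and the log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed RFC 3164-style sshd lines for illustration (not real captures).
SAMPLE_LOGS = [
    "Mar 10 09:15:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51012 ssh2",
    "Mar 10 09:15:03 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51014 ssh2",
    "Mar 10 09:15:06 web01 sshd[2205]: Failed password for admin from 203.0.113.7 port 51016 ssh2",
    "Mar 10 09:15:09 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51018 ssh2",
    "Mar 10 09:15:12 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51020 ssh2",
    "Mar 10 09:20:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Mar 10 09:30:00 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 40002 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line: str):
    """Return (timestamp, src_ip, user) for an sshd failure line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # RFC 3164 timestamps carry no year; strptime defaults to 1900, fine for in-run deltas.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["user"]


def detect_ssh_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation per source IP: fire when `threshold` failures land
    inside `window`. Both parameters are assumptions, not SPIR's rule defaults."""
    recent = defaultdict(deque)  # src_ip -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, src, _user = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # evict failures that slid out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src_ip": src, "count": len(q),
                           "first": q[0].strftime("%H:%M:%S"), "last": ts.strftime("%H:%M:%S")})
            q.clear()  # one alert per burst; a fresh window starts after firing
    return alerts
```

On the sample lines only 203.0.113.7 trips the rule (5 failures in 11 seconds); 198.51.100.4's two failures are ten minutes apart and never share a window.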
| Guide | Description |
|---|---|
| Setup Guide | Step-by-step installation for dev and production |
| Architecture | System design, data flow, component interactions |
| API Reference | Full endpoint documentation with curl examples |
| User Guide | How to use every feature in the platform |
| Testing Guide | Running unit tests, integration tests, and the demo |
| Deployment | Production deployment guide (Hetzner Cloud) |
| Compliance Guide | Preparing for NIS2/BSI/ISO audits with SPIR |
| Layer | Technology |
|---|---|
| Backend | Python 3.11, FastAPI, Pydantic v2, SQLAlchemy 2.0, Celery |
| Frontend | React 18, Recharts |
| Database | PostgreSQL 16 |
| Search / Logs | OpenSearch 2.12 |
| Cache | Redis 7 |
| ML | scikit-learn (Isolation Forest) |
| Container | Docker, Docker Compose |
| Auth | API key (X-API-Key) + JWT (extensible) |
Contributions are welcome! Here's how:

- Fork the repository
- Create your feature branch: `git checkout -b feature/your-feature`
- Commit your changes: `git commit -m 'Add your feature'`
- Push to the branch: `git push origin feature/your-feature`
- Open a Pull Request

Please make sure all tests pass (`pytest tests/ -v`) before submitting.
This project is licensed under the MIT License — see the LICENSE file for details.

SPIR — Schützen Sie Ihr Unternehmen. Heute.
Protect your business. Today.