# Calseta

> Calseta is an open-source, self-hostable data layer for security AI agents. It handles alert ingestion, normalization, enrichment (threat intel + identity), and context delivery — so agents spend tokens on reasoning and response, not data plumbing.

Calseta is a FastAPI backend with a plugin-based architecture. Security teams run it with `docker compose up`, point their SIEM at the ingest endpoint, and register agent webhooks. Every incoming alert is normalized to a consistent, agent-ready schema, enriched in parallel against threat intel and identity providers, matched with detection rule documentation and runbooks, then dispatched to agents via webhook or MCP.

Licensed Apache 2.0. Self-hostable. No telemetry.

## Docs

- [Quickstart](https://docs.calseta.com/quickstart): Get Calseta running in under 10 minutes with a single Docker Compose command.
- [API Reference](https://docs.calseta.com/api): Full REST API — alert ingestion, enrichment, agents, workflows, metrics, and API key management.
- [MCP Server](https://docs.calseta.com/mcp): Connect Claude Code, Cursor, or any MCP-compatible agent directly to your Calseta instance. Exposes tools for querying alerts, reading context documents, and executing workflows.
- [Alert Sources](https://docs.calseta.com/sources): Ingest from Microsoft Sentinel, Elastic Security, Splunk, or any webhook source. Add new sources with a single Python class.
- [Enrichment Providers](https://docs.calseta.com/enrichment): Async, cached enrichment via VirusTotal, AbuseIPDB, Okta, and Microsoft Entra. Add providers with one file.
- [Detection Rules](https://docs.calseta.com/detection-rules): Auto-created on alert arrival. Document each rule with MITRE ATT&CK mappings, detection query, false positive guidance, and response steps. Surfaced to agents in every alert payload.
- [Context Documents](https://docs.calseta.com/context-docs): Upload runbooks, IR plans, and SOPs. Target them to specific alert types, severities, or detection rules. Agents receive the right docs automatically.
- [Workflow Engine](https://docs.calseta.com/workflows): Register HTTP automations as AI-readable, documented workflows. The FastAPI infrastructure and documentation patterns are pre-built — describe a new automation and an LLM can implement it in minutes using the existing framework.
- [Contributing](https://docs.calseta.com/contributing): Add alert sources or enrichment providers. Community integrations welcome.

## Product

- [Homepage](https://calseta.com): Architecture overview, pipeline diagram, feature list, and quickstart.
- [About](https://calseta.com/about): The team and mission behind Calseta.
- [GitHub](https://github.com/calseta/calseta): Source code, issues, and contributions (Apache 2.0).

## Architecture

**Alert pipeline (5 steps):**

1. **Ingest** — Alerts arrive via webhook (`POST /v1/ingest`) from Elastic, Sentinel, Splunk, or any source.
2. **Normalize** — Every alert is mapped to a consistent, agent-ready schema. Raw payload preserved. Indicators extracted.
3. **Enrich** — Indicators hit VirusTotal, AbuseIPDB, Okta, and Entra concurrently. Results cached per provider TTL.
4. **Contextualize** — Detection rule docs, runbooks, IR plans, and available workflows matched to the alert and attached.
5. **Dispatch** — Enriched payload delivered to your agent via webhook or MCP. Agent reasons, acts, writes back.

**Agent payload shape:**

```json
{
  "event": "alert.enriched",
  "alert": { "uuid": "...", "title": "...", "severity": "High", "source": "sentinel" },
  "indicators": [
    {
      "type": "ip",
      "value": "...",
      "virustotal": { "malicious": 14 },
      "abuseipdb": { "score": 97 }
    }
  ],
  "detection_rule": { "name": "...", "mitre_tactics": ["TA0001"], "documentation": "..." },
  "context_documents": [{ "title": "Identity IR Runbook", "type": "runbook" }],
  "workflows": [{ "name": "Revoke User Session", "endpoint": "..." }]
}
```

**MCP server:** Native Model Context Protocol server (port 8001). Tools: `get_alerts`, `get_alert_detail`, `list_context_documents`, `get_context_document`, `list_workflows`, `execute_workflow`, `get_metrics`.

**Self-hosting:** `git clone` → `cp .env.example .env` → `docker compose up`. PostgreSQL + FastAPI + MCP server running in under 2 minutes.

**Workflow engine:** HTTP automation scripts that call external APIs on behalf of your SOC. Python is the glue layer for constructing requests, calling endpoints, and parsing responses. Ships with 9 pre-built Okta/Entra identity workflows. Custom workflows follow the same pattern — call any REST API, webhook, Lambda, or Logic App via `ctx.http`. Agents discover workflows via MCP and execute based on alert context. Code generation via `POST /v1/workflows/generate` lets security engineers describe what they need in plain English.

## Integrations

**Alert sources:** Microsoft Sentinel, Elastic Security, Splunk, Generic Webhook

**Enrichment:** VirusTotal, AbuseIPDB, Okta, Microsoft Entra

**Agent frameworks:** Claude API, LangChain, LangGraph, any HTTP webhook consumer

**MCP clients:** Claude Code, Cursor, any MCP-compatible agent

**Notifications:** Slack SOC Bot

## Key Terms

- **Agent-ready schema** — Calseta's normalized alert format. Designed for AI consumption: clean field names, enrichment-first, no SIEM overhead. Every source maps to the same structure.
- **MCP** — Model Context Protocol. Calseta runs a native MCP server for direct agent integration.
- **Enrichment** — Automatic threat intel lookups per alert indicator. Results cached and bundled into the agent payload.
- **Detection rule** — A named alert type with associated documentation (query, MITRE mappings, response guidance).
- **Context document** — Org-specific runbook, IR plan, or SOP that Calseta surfaces to agents alongside matching alerts.
- **Workflow** — An HTTP automation script that calls external APIs on behalf of your SOC. Discoverable by agents via MCP.
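The agent-side half of the Dispatch step, as an added example that is not Calseta's own code: a webhook consumer that validates the `alert.enriched` payload shape shown under Architecture, flags indicators whose VirusTotal/AbuseIPDB enrichment crosses a threshold, and picks a delivered workflow to propose. The sample payload, the thresholds, and the `Triage` record are assumptions for this example.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
# Constructed sample payload following the shape documented above; all values are made up.
SAMPLE_PAYLOAD = json.dumps({
    "event": "alert.enriched",
    "alert": {"uuid": "00000000-0000-4000-8000-000000000001", "title": "Impossible travel", "severity": "High", "source": "sentinel"},
    "indicators": [
        {"type": "ip", "value": "203.0.113.7", "virustotal": {"malicious": 14}, "abuseipdb": {"score": 97}},
        {"type": "ip", "value": "198.51.100.3", "virustotal": {"malicious": 0}, "abuseipdb": {"score": 2}},
    ],
    "detection_rule": {"name": "Impossible Travel", "mitre_tactics": ["TA0001"], "documentation": "..."},
    "context_documents": [{"title": "Identity IR Runbook", "type": "runbook"}],
    "workflows": [{"name": "Revoke User Session", "endpoint": "https://calseta.example/wf/revoke"}],
})
REQUIRED_KEYS = ("event", "alert", "indicators", "detection_rule", "context_documents", "workflows")
@dataclass
class Triage:
    alert_uuid: str
    severity: str
    hostile_indicators: list[str]   # indicator values that crossed an intel threshold
    tactics: list[str]              # MITRE ATT&CK tactic IDs from the detection rule
    runbooks: list[str]             # titles of the context documents delivered with the alert
    suggested_workflow: str | None  # workflow name the agent should consider, if any

def parse_payload(raw: str) -> dict:
    """Reject malformed or unexpected events before any reasoning (or token spend) happens."""
    payload = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in payload]
    if missing:
        raise ValueError(f"payload missing keys: {missing}")
    if payload["event"] != "alert.enriched":
        raise ValueError(f"unexpected event type: {payload['event']!r}")
    return payload

def is_hostile(ind: dict, vt_min: int = 5, abuse_min: int = 80) -> bool:
    # Thresholds are assumptions for this example; an unenriched indicator scores 0 and is not hostile.
    vt = ind.get("virustotal", {}).get("malicious", 0)
    abuse = ind.get("abuseipdb", {}).get("score", 0)
    return vt >= vt_min or abuse >= abuse_min

def triage(raw: str) -> Triage:
    p = parse_payload(raw)
    hostile = [i["value"] for i in p["indicators"] if is_hostile(i)]
    workflow = None
    # Propose session revocation only when an indicator is hostile and an identity runbook applies.
    if hostile and any(d.get("type") == "runbook" for d in p["context_documents"]):
        workflow = next((w["name"] for w in p["workflows"] if w["name"] == "Revoke User Session"), None)
    return Triage(p["alert"]["uuid"], p["alert"]["severity"], hostile, list(p["detection_rule"]["mitre_tactics"]),
                  [d["title"] for d in p["context_documents"]], workflow)
```

The record returned by `triage` is what an agent would hand to its reasoning step; the workflow name is only a proposal, and the actual call still goes through `execute_workflow` or the workflow's endpoint.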