XDRagon Monitor runs a fully local AI stack — no cloud dependency, no SaaS lock-in. Every model, every detection algorithm, and every data pipeline runs in your environment. Here's exactly how it works under the hood.
From raw packet to AI-generated alert — the full flow from network capture to analyst dashboard, with latency targets at each stage.
XDRagon Monitor runs as a Docker Compose stack. Services are grouped into data collection, AI processing, and user interface layers — each independently scalable and replaceable.
suricata.service — EVE-JSON output, custom rules, Sigma rule engine, pfBlockerNG integrationtimescaledb — time-series hypertables for alert logs and metrics with auto-compressionpostgres — relational data, agent configs, compliance evidence store, pgvector extensionredis — Celery broker, task queues, short-lived alert buffers, session statebackend — REST + WebSocket API, Pydantic v2 schemas, async SQLAlchemy ORMworker — 7 autonomous background jobs, queue-based task dispatch, retry logicollama — local LLM runtime, 6 custom Modelfiles, GPU/CPU inference, context streamingml-engine — ML detectors loaded at startup, inference <15ms per eventfrontend — TypeScript, Tailwind CSS, Recharts, WebSocket live feedfirewall-connector — read-only rule sync, pfBlockerNG log ingestion, UniFi client trackingdownloader-outside — URLhaus, ThreatFox, AbuseIPDB, VirusTotal, AlienVault OTX, GreyNoise, urlscan.io, Shodan, CISA KEV, MalwareBazaar, CINS Army, Blocklist.dexdr-agent — Windows + Linux, Go binary, eBPF on Linux, WMI on WindowsIsolation Forest, XGBoost triage, HDBSCAN clustering, DGA classification, DNS-over-HTTPS detection, JA3/TLS fingerprinting, graph-based lateral movement, semantic alert deduplication, statistical C2 beaconing, and retrospective IOC hunting — every detector runs entirely on-premises. No external inference API, no data leaving your environment.
Each model is a task-tuned, system-prompted specialisation of qwen2.5:7b-instruct-q4_K_M (~4.7 GB). Embeddings for the pgvector RAG store are handled by nomic-embed-text. Everything runs fully locally via the Ollama runtime — no API keys, no internet required.
# Modelfile: soc-alert-classifier FROM qwen2.5:7b-instruct-q4_K_M PARAMETER temperature 0.1 PARAMETER num_ctx 2048 SYSTEM """ You are a classification engine. Given a security alert, output ONLY valid JSON with severity, category, confidence, and MITRE ATT&CK technique. No prose. No explanation. """
# Modelfile: soc-alert-explainer FROM qwen2.5:7b-instruct-q4_K_M PARAMETER temperature 0.3 PARAMETER num_ctx 4096 SYSTEM """ You are a senior SOC analyst. Explain what an alert means, why it fired, and what to check next — with MITRE ATT&CK context and concrete, actionable recommendations. """
# Modelfile: soc-correlation-engine FROM qwen2.5:7b-instruct-q4_K_M PARAMETER temperature 0.2 PARAMETER num_ctx 8192 SYSTEM """ You correlate multiple security alerts into unified incidents. Map observed indicators to MITRE ATT&CK, identify source IP, affected assets, and estimated attack stage. Output structured JSON only. """
# Modelfile: soc-customer-summary FROM qwen2.5:7b-instruct-q4_K_M PARAMETER temperature 0.5 PARAMETER num_ctx 2048 SYSTEM """ You translate technical security incidents into plain language for non-technical readers. No jargon. State what happened, the impact, and what is being done about it. """
# Modelfile: soc-nl-filter FROM qwen2.5:7b-instruct-q4_K_M PARAMETER temperature 0.1 PARAMETER num_ctx 1024 SYSTEM """ You convert natural-language search requests into structured JSON filter objects. Output ONLY the JSON filter — never raw SQL, never free text. """
# Modelfile: soc-daily-briefing FROM qwen2.5:7b-instruct-q4_K_M PARAMETER temperature 0.4 PARAMETER num_ctx 4096 SYSTEM """ You write concise daily security briefings for SMB security teams. Given 24h alert summaries, produce: executive summary, top events with context, and recommended actions ranked by priority. Plain English. """
Step-by-step data flow with latency targets at each stage and the services responsible.
XDRagon Monitor is designed to handle sensitive network telemetry — and is built like the target it will inevitably become. These are the architectural decisions that govern how data is handled, transported, and protected.
admin and analyst — with offline TOTP multi-factor authentication, bcrypt password hashing, and JWT-based sessions with configurable expiry. Every user action lands in the audit log. Integration API keys are stored as SHA-256 hashes; the raw key is shown exactly once.The FastAPI backend exposes a full REST API with OpenAPI docs at /docs. WebSocket endpoints power real-time alert streaming. All endpoints accept JWT bearer tokens or API keys.
# Analyze alert ID 12345 curl -X POST https://your-xdragon.local/api/v1/ai/analyze \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{"alert_id": 12345, "model": "analyst"}' # Response { "severity": "high", "summary": "Suspected C2 beaconing to 185.220.101.x", "mitre": "T1071.001", "confidence": 0.87, "actions": ["block_ip", "isolate_host"] }
Docker Compose deployment on Ubuntu, ARM64, or NVIDIA GPU. Full step-by-step guide with hardware requirements, configuration, and first-run verification.