AI Triage — local, zero token

Nexus ships its own AI — not a cloud copilot. It is a local, explainable engine that triages incidents, summarizes the kill-chain and recommends responses, bundled with nexus-fleet with no API key and no per-query bill.

  • Best-of: Security Copilot · Charlotte AI (but local & free)
  • Module: nexus_secops/ai.py
  • Edition: Free — local, no external API, no token cost
  • API: /api/v1/ai/triage · /ai/model · /ai/nl

What it does

Honest framing: this is not a large language model. It is a transparent engine — a Naive-Bayes classifier that learns from your analyst dispositions, heuristic priority scoring, template kill-chain summaries, and a natural-language → query translator. It runs entirely on the manager, starts with it, and costs nothing per query.

  • Prioritize — P1/P2/P3 with a transparent score, damped by a false-positive estimate.
  • Summarize — a readable kill-chain narrative for each incident.
  • Recommend — response steps and the SOAR playbook that fits (from a MITRE knowledge base).
  • Translate — plain language → NQL in the Search view.
  • Learn — it improves as you resolve/ack alerts; it honestly reports "collecting" until it has enough data.

How to use it

1. It starts itself
   On manager start, the AI trains from existing data and triages open incidents — no setup.

2. Read the triage
   The dashboard AI Triage view shows cards: priority, score, false-positive %, confidence, a summary and recommended actions.

```bash
GET  /api/v1/ai/triage      # ranked triage results
GET  /api/v1/ai/model       # is it trained yet? how many samples?
POST /api/v1/ai/train       # re-train from current dispositions
```

3. Ask in plain language
   Turn a sentence into a query the SIEM can run.

```bash
GET /api/v1/ai/nl?q=failed logins this week from agt_web01
# → event_type:failed_login last:7d agent_id:agt_web01
```

How priority is decided

The score is explainable, not a black box:

  • Base from incident severity, plus boosts for active-compromise signals (suspicious process, IOC contact, behavior anomaly).
  • A boost for a long kill-chain and for high-impact MITRE techniques.
  • Damped by a false-positive likelihood the classifier learns from what you dismiss.
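A worked version of that scheme, added here as an illustration (it is not nexus_secops/ai.py or any other Nexus code): an explainable score whose every term is returned alongside the priority, damped by a Naive-Bayes false-positive estimate learned from constructed analyst dispositions, and reporting "collecting" rather than guessing until it has enough samples. The weights, thresholds, feature encoding, MIN_SAMPLES and the sample dispositions are assumptions.

```python
# Added illustration of the scoring scheme described above, not nexus_secops/ai.py.
# Weights, thresholds, the feature encoding and MIN_SAMPLES are assumptions.
from collections import Counter
from math import exp, log
SEVERITY_BASE = {"low": 10, "medium": 30, "high": 55, "critical": 75}
SIGNAL_BOOST = {"suspicious_process": 15, "ioc_contact": 20, "behavior_anomaly": 10}
HIGH_IMPACT = {"T1486", "T1003", "T1078"}   # assumed "high-impact" technique set
MIN_SAMPLES = 20                            # fewer dispositions -> "collecting"

def features(inc):   # flatten an incident into categorical tokens
    return [f"sev:{inc['severity']}"] + [f"sig:{s}" for s in inc["signals"]] + [f"tech:{t}" for t in inc["techniques"]]

class FalsePositiveEstimator:
    """Naive Bayes over incident features, trained from analyst dispositions."""
    def __init__(self):
        self.n = Counter()                              # disposition -> count
        self.fc = {"fp": Counter(), "tp": Counter()}    # per-class feature counts
    def train(self, dispositions):                      # iterable of (incident, "fp"|"tp")
        for inc, d in dispositions:                     # "fp" = dismissed, "tp" = confirmed
            self.n[d] += 1
            self.fc[d].update(features(inc))
    def fp_probability(self, inc):   # P(false positive | features), None while collecting
        total = sum(self.n.values())
        if total < MIN_SAMPLES:
            return None                                 # say so instead of guessing
        vocab = len(set(self.fc["fp"]) | set(self.fc["tp"]))
        logp = {}
        for c in ("fp", "tp"):                          # Laplace-smoothed log posteriors
            denom = sum(self.fc[c].values()) + vocab
            logp[c] = log((self.n[c] + 1) / (total + 2)) + sum(
                log((self.fc[c][f] + 1) / denom) for f in features(inc))
        w = {c: exp(v - max(logp.values())) for c, v in logp.items()}   # no underflow
        return w["fp"] / (w["fp"] + w["tp"])

def triage(inc, est):   # explainable priority: every score term is in 'breakdown'
    b = {"base": SEVERITY_BASE[inc["severity"]],
         "signals": sum(SIGNAL_BOOST.get(s, 0) for s in inc["signals"]),
         "kill_chain": 5 * max(0, len(inc["techniques"]) - 2),       # long chains
         "high_impact": 10 * len(HIGH_IMPACT & set(inc["techniques"]))}
    raw, fp = sum(b.values()), est.fp_probability(inc)
    score = raw if fp is None else raw * (1 - fp)                    # damping
    prio = "P1" if score >= 80 else "P2" if score >= 45 else "P3"
    return {"priority": prio, "score": round(score, 1), "fp_estimate": fp,
            "confidence": "collecting" if fp is None else "trained", "breakdown": b}

def demo_estimator():   # constructed dispositions: 12 dismissed, 8 confirmed
    est = FalsePositiveEstimator()
    est.train([({"severity": "low", "signals": ["behavior_anomaly"], "techniques": ["T1059"]}, "fp")] * 12
              + [({"severity": "high", "signals": ["ioc_contact"], "techniques": ["T1003"]}, "tp")] * 8)
    return est
```

With the constructed dispositions, a critical incident with IOC contact and a three-technique chain lands at P1 with a near-zero false-positive estimate, while a low-severity anomaly that looks like everything analysts dismissed is damped to P3; an untrained estimator leaves the raw score alone and reports "collecting".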

How it feeds the pipeline

The AI sits on top of XDR: it triages incidents the moment they form, and its recommended playbooks point straight at SOAR. The more you work alerts, the better its false-positive estimates become.

Tips

  • Resolve/ack alerts honestly — that is the signal the classifier learns from.
  • A fresh install shows "collecting"; that is the AI being honest, not broken.
  • No API key, no internet, no token bill — the opposite of metered cloud copilots.

Yours, local, and free. The AI never leaves your network and never bills per query. When it lacks data it says so and falls back to transparent heuristics rather than guessing.