UUSAP
Signal Architecture · Open Source

Security agents that
cite their evidence.

USAP turns any LLM into an auditable security workflow runtime. Every verdict must cite a source that resolves. Every mutating action waits for a human. Every step is signed into a tamper-evident log.

Agents reasonHumans approveMCP executes
Alert TriageThreat HuntingIncident ResponseCompromise AssessmentCloud PostureSupply-Chain DefenseContainer ScanningDetection EngineeringRed / Purple Teaming
Alert TriageThreat HuntingIncident ResponseCompromise AssessmentCloud PostureSupply-Chain DefenseContainer ScanningDetection EngineeringRed / Purple Teaming
79
Standalone skills
12
cs-* orchestrator agents
12
Security domains
11
Field output contract

The loop

One pipeline, from raw signal to signed verdict

Every USAP workflow runs the same path. The agent reasons; the evidence gate and the human approval step decide what is allowed to pass; MCP executes; the audit log remembers. Watch the signal flow through.

01
Signal
Alert · PR · finding
02
Reason
cs-* agent classifies intent
03
Fetch evidence
resolve MCP · pull artifacts
04
Typed verdict
11-field JSON payload
decision
Evidence gate
resolvable source or reject
decision
Human approval
gates every mutating action
07
Dispatch
router → physical MCP
08
Signed audit
hash-chained · HMAC
Read · autonomousDecision · gatedRecorded · signed

Why USAP

Not a prompt library. A contract.

Six guarantees separate a security agent you can trust in production from a confident autocomplete.

The evidence gate

Every verdict must cite a source that resolves — a live MCP tool-call, a URL, an artifact, an in-repo doc. Prose like “the logs showed it” is rejected at the contract boundary. No source, no verdict.

mcp:https:s3:local:

Connector-agnostic

Agents declare logical capabilities like mcp:siem:search. The registry resolves them to whatever you actually connected — Splunk, Elastic, Sentinel — with graceful degradation when a connector is absent. Portable to your stack, not one vendor's.

SplunkElasticSentinel

Reproducible scoring

CVSS is computed from the vector. EPSS is pulled from the FIRST feed. Confidence follows a written rubric. If a number can be computed from a canonical source, USAP computes it — and never fabricates one.

CVSSEPSSconfidence rubric

Human-in-the-loop

Read paths run autonomously. The moment an action mutates the world — isolate a host, block an IP, rotate a key — the payload sets human_approval_required and the runtime halts for a person.

read: automutate: approve

Tamper-evident audit

Every step — verdict, approval, dispatch — is appended to a SHA-256 hash chain and signed with HMAC. The trail is verifiable and recoverable, so an incident review can trust exactly what happened.

SHA-256 chainHMAC-signed

Runs in any LLM

Each skill is a complete system prompt plus a stdlib-only Python tool — zero pip installs. Paste into Claude, ChatGPT, Gemini, Ollama, or AnythingLLM, or run the bundled MCP server. Apache-2.0, no SaaS, no lock-in.

ClaudeChatGPTGeminiOllama

Use cases

The same discipline, across real workflows

Three of the flows USAP runs end to end. Each is a chain of typed steps — read paths flow freely, decisions gate, and every outcome is recorded.

AT · Alert Triage

A SIEM alert becomes an evidence-backed verdict

The analyst persona classifies the alert, pulls the triggering signal and repo context over MCP, and emits a typed verdict where every finding cites the exact tool-call that produced it.

cs-security-analyst
01
SIEM alert
triggering signal
02
Classify
intent · SEV
03
mcp:siem:search
pull the signal
04
mcp:code:list_repos
repo context
05
11-field verdict
evidence cites call-id
06
finding-triage
hand off downstream
IR · SEV-1 Incident

Ransomware declared, contained, and preserved

Classification declares a SEV-1 and starts the regulatory clock. Containment is recommended but blocked on human approval; forensics runs in parallel so volatile evidence is never lost.

cs-incident-responder
01
Detection
EDR / SIEM
02
Classify incident
type · severity
03
Declare SEV-1
regulatory clock starts
decision
Human approval
before any containment
05
Contain + forensics
isolate · preserve (parallel)
06
Signed audit
chain of custody
CI/CD · Container Scan

A malicious layer is caught before the image ships

Scan findings are classified by component — base-image OS package, application dependency, or an unexpected layer. A CVSS gate blocks the deploy, and an implanted layer escalates straight to incident command.

cs-cloud-investigator
01
Image build
Trivy / Grype / Snyk
02
Classify findings
base · app · implant
decision
CVSS gate
block · fix · track
decision
Implant? (T1525)
unprovenanced layer
05
Block deploy
escalate to IR
06
Signed audit
verdict recorded

Coverage

12 domains, 12 orchestrator agents

Skills are grouped into domains. The cs-* agents compose them into reproducible workflows — one named persona per corner of the SOC.

Detection
Threat hunting · detection engineering · behavioral analytics
Response
Incident command · containment · forensics · zero-day
Cloud & Infra
CSPM · IaC · container scan · workload protection
AppSec / DevSecOps
SAST/DAST · supply chain · pipeline security
Identity & Access
IAM risk · key management · access review
Red Team
Offensive ops · adversary emulation
Web App Security
OWASP Top 10 · API posture · risk triage
Pentest
Scoped testing · exploitation · reporting
System Security
Host hardening · OS baselines
Governance
Compliance mapping · internal audit assurance
Risk & Compliance
Findings lifecycle · vuln management
Platform / AI
LLM & agent security · MCP tooling
The cs-* agent roster
cs-security-analystUniversal SOC entry point — Alex
cs-incident-responderActive incident command
cs-blue-team-analystDetection / DFIR orchestrator
cs-red-teamerOffensive security coordinator
cs-cloud-investigatorCloud incident investigation
cs-supply-chain-defenderSoftware supply-chain defense
cs-threat-intel-leadIntelligence-driven SOC
cs-purple-team-leadDetection validation / gap analysis
cs-appsec-engineerRuntime + build-time AppSec
cs-devsecops-engineerSecurity-in-pipeline engineering
cs-ciso-advisorExecutive board advisor
cs-security-program-managerPassive lifecycle orchestrator

Proof, not vibes

Every claim traces to a command you can run

Independently evaluated

Scored on a hand-labeled corpus of real public incidents — Log4Shell, xz, Capital One, Okta, MOVEit, Midnight Blizzard — plus benign false-positive traps. Precision, recall, F1, FPR, and MTTD, graded on cases USAP didn't write.

Registry-verified

Listed and released on the Glama MCP registry with a permissive-license A and an author-verified badge — the container builds and answers introspection on every check.

Reproducible by anyone

git clone, then run the tools — stdlib only, no pip install. The numbers are computed, the evidence is fetched, and the accuracy is measured. Every claim on this page traces to a command you can run.

reproduce.sh
$ git clone https://github.com/jaskaranhundal/usap-skills
$ python3 tools/mcp_router.py --resolve mcp:siem:search
$ python3 shared/scripts/epss_scorer.py --cve CVE-2021-44228
$ python3 tests/holdout_runner.py --responder synthetic \
$ --predictions tests/holdout/example_predictions.json
# → precision 0.857 · recall 0.857 · FPR 0.20 · MTTD 17.5m
# stdlib only — zero pip installs
Glama registry · verified releaselicense A · maintenance B

Open source · Apache-2.0 · no SaaS

Clone it. Read it.
Run it against your stack.

No waitlist, no per-seat pricing, no telemetry. Drop the skills into any LLM, or connect the MCP server to whatever you already run.