The evidence gate
Every verdict must cite a source that resolves — a live MCP tool-call, a URL, an artifact, an in-repo doc. Prose like “the logs showed it” is rejected at the contract boundary. No source, no verdict.
USAP turns any LLM into an auditable security workflow runtime. Every verdict must cite a source that resolves. Every mutating action waits for a human. Every step is signed into a tamper-evident log.
The loop
Every USAP workflow runs the same path. The agent reasons; the evidence gate and the human approval step decide what is allowed to pass; MCP executes; the audit log remembers. Watch the signal flow through.
Why USAP
Six guarantees separate a security agent you can trust in production from a confident autocomplete.
Every verdict must cite a source that resolves — a live MCP tool-call, a URL, an artifact, an in-repo doc. Prose like “the logs showed it” is rejected at the contract boundary. No source, no verdict.
Agents declare logical capabilities like mcp:siem:search. The registry resolves them to whatever you actually connected — Splunk, Elastic, Sentinel — with graceful degradation when a connector is absent. Portable to your stack, not one vendor's.
CVSS is computed from the vector. EPSS is pulled from the FIRST feed. Confidence follows a written rubric. If a number can be computed from a canonical source, USAP computes it — and never fabricates one.
Read paths run autonomously. The moment an action mutates the world — isolate a host, block an IP, rotate a key — the payload sets human_approval_required and the runtime halts for a person.
Every step — verdict, approval, dispatch — is appended to a SHA-256 hash chain and signed with HMAC. The trail is verifiable and recoverable, so an incident review can trust exactly what happened.
Each skill is a complete system prompt plus a stdlib-only Python tool — zero pip installs. Paste into Claude, ChatGPT, Gemini, Ollama, or AnythingLLM, or run the bundled MCP server. Apache-2.0, no SaaS, no lock-in.
Use cases
Three of the flows USAP runs end to end. Each is a chain of typed steps — read paths flow freely, decisions gate, and every outcome is recorded.
The analyst persona classifies the alert, pulls the triggering signal and repo context over MCP, and emits a typed verdict where every finding cites the exact tool-call that produced it.
Classification declares a SEV-1 and starts the regulatory clock. Containment is recommended but blocked on human approval; forensics runs in parallel so volatile evidence is never lost.
Scan findings are classified by component — base-image OS package, application dependency, or an unexpected layer. A CVSS gate blocks the deploy, and an implanted layer escalates straight to incident command.
Coverage
Skills are grouped into domains. The cs-* agents compose them into reproducible workflows — one named persona per corner of the SOC.
Proof, not vibes
Scored on a hand-labeled corpus of real public incidents — Log4Shell, xz, Capital One, Okta, MOVEit, Midnight Blizzard — plus benign false-positive traps. Precision, recall, F1, FPR, and MTTD, graded on cases USAP didn't write.
Listed and released on the Glama MCP registry with a permissive-license A and an author-verified badge — the container builds and answers introspection on every check.
git clone, then run the tools — stdlib only, no pip install. The numbers are computed, the evidence is fetched, and the accuracy is measured. Every claim on this page traces to a command you can run.
$ git clone https://github.com/jaskaranhundal/usap-skills$ python3 tools/mcp_router.py --resolve mcp:siem:search$ python3 shared/scripts/epss_scorer.py --cve CVE-2021-44228$ python3 tests/holdout_runner.py --responder synthetic \$ --predictions tests/holdout/example_predictions.json# → precision 0.857 · recall 0.857 · FPR 0.20 · MTTD 17.5m# stdlib only — zero pip installs
Open source · Apache-2.0 · no SaaS
No waitlist, no per-seat pricing, no telemetry. Drop the skills into any LLM, or connect the MCP server to whatever you already run.