Agentic incident investigation framework that separates what the evidence suggests from what the data can verify.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for willstull from gravatar.com willstull

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Will Stull
  • Tags agentic , incident-response , investigation , llm , mcp , security
  • Requires: Python >=3.12
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

Blindsight

Coverage-aware incident investigation through MCP.

Blindsight helps incident responders answer scope, containment, and impact questions by querying existing telemetry systems in place. It normalizes evidence from multiple domains into a common model, tracks what can and cannot be verified through explicit coverage reports, and produces reproducible case records with analyst-ready reports.

How it works

Blindsight runs bounded investigations across evidence domains (identity, application) through MCP tool interfaces. Each investigation:

  1. Queries domain servers for entities, events, relationships, and coverage
  2. Correlates evidence across domains in a persistent case store
  3. Scores likelihood and confidence separately -- likelihood reflects the evidence pattern, confidence reflects what the available data can verify
  4. Classifies coverage gaps by relevance to the specific hypothesis
  5. Generates a structured incident report from the saved case

The system is read-only against upstream telemetry. It queries systems already in place rather than building a new log platform.

Architecture

Four MCP servers:

Server Role
Identity MCP Evidence domain: account lifecycle, credentials, privilege events
App MCP Evidence domain: user activity, transactions, application events
Investigation MCP Orchestration: runs investigations, generates reports, follow-up queries
Case MCP Persistence: DuckDB-backed case store with correlation queries

Evidence domains are replay-backed, reading from NDJSON fixture files. The same domain contract supports live integrations without changing the investigation pipeline.

Evaluation

Testing uses replay scenarios with known outcomes. Each scenario family includes a baseline and degraded variants (retention gaps, missing fields, missing sources) that verify the system correctly reduces confidence when evidence is incomplete.

Documentation

See docs/index.md for specifications, architecture decisions, and implementation details.

Quick start

# Install dependencies
poetry install

# Run tests
poetry run pytest -q

# Run an investigation via MCP (requires .env with ANTHROPIC_API_KEY for LLM features)
# The investigation MCP server is configured in .mcp.json

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for willstull from gravatar.com willstull

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Will Stull
  • Tags agentic , incident-response , investigation , llm , mcp , security
  • Requires: Python >=3.12
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.1.1

0.1.0

This version

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

blindsight-0.0.1.tar.gz (227.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

blindsight-0.0.1-py3-none-any.whl (2.8 kB view details)

Uploaded Python 3

File details

Details for the file blindsight-0.0.1.tar.gz.

File metadata

  • Download URL: blindsight-0.0.1.tar.gz
  • Upload date:
  • Size: 227.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for blindsight-0.0.1.tar.gz
Algorithm Hash digest
SHA256 e836d69881000532335728b213838ea3bf11e6bd470250c39d994cecbaefbed6
MD5 faaceefe531de4354261d647181bd5eb
BLAKE2b-256 34eec1fe71397941873b329095932b1b561b5bc584a39fed8b9396c872c03bf7

See more details on using hashes here.

Provenance

The following attestation bundles were made for blindsight-0.0.1.tar.gz:

Publisher: publish.yml on willstull/blindsight

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file blindsight-0.0.1-py3-none-any.whl.

File metadata

  • Download URL: blindsight-0.0.1-py3-none-any.whl
  • Upload date:
  • Size: 2.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for blindsight-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 258688b85a892795e38b9d10ea8c146a9c4dde988d973d3bdf2bd6cce61dd9c4
MD5 bcf66e1f6caee6ed349b4fa93e3ee809
BLAKE2b-256 9fc757d001b364f6f3a4bb8ed93d74b377eb9cef4fa090b2378efa18afd1f901

See more details on using hashes here.

Provenance

The following attestation bundles were made for blindsight-0.0.1-py3-none-any.whl:

Publisher: publish.yml on willstull/blindsight

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page