Architecture overview

This page describes how data flows through Jutsu — from a raw event to a closed incident — and the technology that runs each stage. Read it to understand where your data lives and which component does what.

The pipeline

Jutsu processes security data as a stage-by-stage pipeline. Each stage is a worker that reads its input, does one job, and hands off to the next. Every stage is scoped to a single organization.

  1. Raw events arrive from your sources — Wazuh, Google Workspace logs, syslog forwarders, or custom webhooks.
  2. Ingest API validates and accepts the events.
  3. Normalizer reshapes raw records into a common event schema.
  4. OpenSearch stores the normalized events in a per-organization, weekly index.
  5. Triage agent scores each detection and decides what matters.
  6. Enrichment agent adds context (asset, identity, threat intelligence).
  7. Incident correlation groups related alerts into an incident — an attack chain.
  8. Response agent decides on action and dispatches it.
  9. AgentSOAR executes the response playbook against your connected providers.
  10. Incident report is generated to summarize what happened and what was done.
Sources (Wazuh / Workspace / syslog / custom)
        |
        v
   Ingest API  -->  Normalizer  -->  OpenSearch (per-org weekly index)
                                          |
                                          v
                Triage agent  -->  Enrichment agent  -->  Incident correlation
                                                                |
                                                                v
                                              Incidents  -->  Response agent
                                                                    |
                                                                    v
                                              AgentSOAR executions  -->  Incident report

Ingestion

Events enter through the Ingest API, a server-side endpoint that webhook callers (Wazuh, syslog forwarders, the Google Workspace poller, custom connectors) post to. Ingestion is connector-driven: Wazuh sends alert batches, syslog connectors send journald or system logs, and the Google Workspace email-logs poller forwards activity from your tenant.

The Normalizer then converts each raw record into Jutsu's common event shape and writes it to OpenSearch. Events are stored in per-organization weekly indices following the pattern org-{organizationId}-{year}-w{week}-events (for example, org-acme-2026-w24-events). A shared index template applies consistent mappings and settings to every new weekly index.

Index names, mappings, and the exact set of enabled connectors depend on your deployment. Confirm against your environment.

AI agents

The AI agents are independent workers, each responsible for one stage. They run continuously, pull work from the queue, and operate strictly within an organization's boundary.

AgentResponsibility
NormalizerConvert raw events into the common schema and index them.
TriageScore detections and prioritize what needs attention.
EnrichmentAttach asset, identity, and threat-intelligence context.
Incident correlationGroup related alerts into incidents and attack chains.
ResponseDecide on and dispatch response actions.
Incident reportProduce a written report for each incident.

Agents call large language models for the reasoning-heavy steps, using both OpenAI and Anthropic models through a provider-agnostic AI SDK layer.

Incidents & cases

An incident is a correlated group of related alerts — an attack chain — created by the incident-correlation agent. Each incident carries a business key (such as INC-XXXX), a severity, a confidence score, a correlation reason, and structured artifacts like the attack chain and correlation evidence. Incidents can be related to one another by shared alerts, a common attack chain, or the same campaign.

A case is an analyst-driven investigation. When an alert or incident is escalated, a case is opened with a case number, severity, priority, status, an escalation reason, evidence (files, alerts, or events), and a comment thread. Cases move through a lifecycle from open to resolved and closed, and can be assigned to an analyst.

Automated response

When the response agent decides to act, it dispatches the action to AgentSOAR, which runs the matching response playbook against your connected cloud, email, or identity providers and records the execution. Each organization configures its response provider; when no automated provider is configured, qualifying alerts auto-escalate to a human analyst instead of running automatically.

Technology stack

Jutsu runs on a modern, fully containerized stack.

LayerTechnology
RuntimeBun
DashboardReact 19 + Vite
APIsHono
Relational databasePostgreSQL via Drizzle ORM
Event & alert storeOpenSearch
Worker queueRabbitMQ
Cache / coordinationRedis
LLM agentsOpenAI and Anthropic (via AI SDK)
OrchestrationKubernetes (GKE)

Multi-tenant organization scoping runs through every layer: relational rows are organization-keyed, OpenSearch uses per-org indices, and queue work and API requests are evaluated within an organization boundary.