Modern cybersecurity case management for security teams. Track incidents, manage alerts, and collaborate on investigations—all in one place.
Stack: FastAPI • React • TypeScript • PostgreSQL
curl -O https://raw.githubusercontent.com/tidemark-security/intercept/main/docs/quickstart/docker-compose.yml
docker compose up -dOpen http://localhost and log in with admin / admin.
# Clone and set up environment
git clone https://github.com/tidemark-security/intercept.git
cd intercept
conda env create -f environment.yml
conda activate intercept
# Install frontend dependencies
cd frontend && npm install && cd ..
# Configure environment
cp backend/.env.example backend/.env
# Edit backend/.env with your settings (SESSION_SECRET_KEY is required)
# Start database and run migrations
cd dev && docker compose up -d && cd ..
cd backend && alembic upgrade head && cd ..# Terminal 1: Backend
cd backend && uvicorn app.main:app --reload
# Terminal 2: Frontend
cd frontend && npm run devOpen http://localhost:5173 and you're in.
intercept/
├── backend/ # FastAPI API server
├── frontend/ # React TypeScript app
├── scripts/ # Dev utilities
├── langflow/ # Example AI agent configurations
└── docs/ # Additional documentation
Install the tracked Git hooks for this clone:
./scripts/install-git-hooks.shThe pre-commit hook runs frontend lint when staged changes affect the frontend or lint hook setup. This is intended as a fast local check before CI.
The pre-push hook runs ./scripts/fast-ci-local.sh, which mirrors the Fast CI test jobs locally with targeted backend pytest selection by default, plus frontend typecheck and frontend tests. Docker image builds run when relevant build inputs changed. To force the complete backend suite and all image builds, run FAST_CI_LOCAL_FULL=1 git push or ./scripts/fast-ci-local.sh --full. To skip image builds during a manual run, use ./scripts/fast-ci-local.sh --skip-images.
Regenerate TypeScript types to keep frontend in sync:
./scripts/generate-types.shUses bump-my-version to update VERSION, frontend/package.json, create a commit, and tag.
# Bump patch (0.0.3 → 0.0.4)
bump-my-version bump patch
# Bump minor (0.0.3 → 0.1.0)
bump-my-version bump minor
# Bump major (0.0.3 → 1.0.0)
bump-my-version bump major
# Push the commit and tag to trigger the release workflow
git push origin main --tagsThe v*.*.* tag triggers the Release workflow, which builds and pushes Docker images to GHCR and creates a GitHub Release.
- MCP Integration Guide — Connect AI tools to Intercept
- Search Architecture — How search works
- Task Queue — Background job processing, in-worker retry/backoff, and terminal failure handling
Operator note: background retries now happen inside the worker with backoff. Alert triage is only marked FAILED after retries are exhausted, and timeline enrichment clears stuck pending state on terminal failure.
- Case Management — Create, assign, and track security incidents
- Alert Triage — Ingest and prioritize alerts from multiple sources
- Timeline Views — Visualize incident progression
- AI Chat Assistant — LangFlow-powered investigation helper
- MITRE ATT&CK Mapping — Tag cases with tactics and techniques
- Role-Based Access — Admin, Analyst, and Viewer roles
- Audit Logging — Full activity trail for compliance