GNAT-gui
Analyst-facing graphical interface for the GNAT threat intelligence platform. GNAT-gui pairs a FastAPI backend — importing GNAT as a Python library — with a React SPA to give analysts a full workbench for investigations, detection rules, and evidence graphs without leaving the browser.
Modules
Analysis
Manage investigations with NATO Admiralty Scale hypothesis scoring, TLP markings, notes, timeline visualisation, and AI-assisted gap detection and report drafting via streaming jobs.
- Hypothesis scoring — A–F source reliability × 1–6 credibility
- TLP markings and STIX metadata display
- AI gap detection (streaming progress)
- LLM-powered structured report drafting
Rules Builder
Author detection rules in three languages with Monaco, a 26-predicate palette, a visual YAML form builder, a streaming test runner, and a full promotion workflow with audit trail.
- Three engines: Hy · YAML DSL · Prolog
- 26 STIX helper predicates with click-to-insert
- Fixture-based test runner with streaming results
- Draft → Active promotion (senior analyst+)
Investigations
Seed-driven five-step evidence graph pipeline with a React Flow canvas for navigating 1,000+ node STIX 2.1 graphs, node expansion, edge filtering, and workspace materialisation.
- Pipeline: Seed → Expand → Normalise → Correlate → Materialise
- React Flow canvas with dagre layout
- Per-node expansion jobs with SSE progress
- Materialise to GNAT workspace (senior analyst+)
How a request flows
Long-running operations (investigation build, rule test, gap detection, report drafting) return a job_id immediately. The frontend opens a Server-Sent Event stream at /api/jobs/{id}/stream; the SSE bridge polls gnat.jobs.JobStore every 250 ms and forwards ProgressEvent, ResultEvent, and ErrorEvent objects until the job reaches a terminal state.
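An added example, not GNAT-gui's own code, of the bridge pattern described above: an async generator polls an in-memory job store on a fixed interval and forwards each event as a Server-Sent Event frame until the job reaches a terminal state. The stand-in job store, the event classes, the job ids and the terminal-state names are assumptions made for this example; the real gnat.jobs.JobStore API is not shown on the page. The one edge case worth noting is the order of operations in the loop: the terminal state is snapshotted before the queue is drained, so a ResultEvent enqueued just before the job finished is still delivered.

```python
"""Added example (not GNAT-gui code): a minimal SSE bridge over a polled job store."""
from __future__ import annotations

import asyncio
import json
from dataclasses import dataclass, field
from typing import AsyncIterator

POLL_INTERVAL = 0.25  # 250 ms, the poll cadence described for the bridge
TERMINAL_STATES = {"succeeded", "failed", "cancelled"}  # assumed state names


@dataclass
class ProgressEvent:
    message: str
    percent: int


@dataclass
class ResultEvent:
    payload: dict


@dataclass
class ErrorEvent:
    message: str


@dataclass
class FakeJob:
    state: str = "running"
    events: list = field(default_factory=list)  # events not yet delivered


class FakeJobStore:
    """Stand-in for a job registry; a worker task appends events and sets the state."""

    def __init__(self) -> None:
        self._jobs: dict[str, FakeJob] = {}

    def create(self, job_id: str) -> FakeJob:
        self._jobs[job_id] = FakeJob()
        return self._jobs[job_id]

    def get(self, job_id: str) -> FakeJob | None:
        return self._jobs.get(job_id)

    def drain(self, job_id: str) -> list:
        job = self._jobs[job_id]
        pending, job.events = job.events, []
        return pending


def sse_frame(event) -> str:
    """Serialise one event as an SSE frame: 'event: <type>\\ndata: <json>\\n\\n'."""
    return f"event: {type(event).__name__}\ndata: {json.dumps(vars(event))}\n\n"


async def stream_job(store: FakeJobStore, job_id: str,
                     interval: float = POLL_INTERVAL) -> AsyncIterator[str]:
    """Poll until the job is terminal, forwarding every queued event as a frame.

    An unknown job id yields a single ErrorEvent frame so the client never hangs.
    """
    job = store.get(job_id)
    if job is None:
        yield sse_frame(ErrorEvent(message=f"unknown job {job_id}"))
        return
    while True:
        terminal = job.state in TERMINAL_STATES  # snapshot BEFORE draining
        for event in store.drain(job_id):
            yield sse_frame(event)
        if terminal:  # everything queued before the job finished has been sent
            return
        await asyncio.sleep(interval)


def stream_to_list(store: FakeJobStore, job_id: str, interval: float = 0.01) -> list[str]:
    """Synchronous helper: collect all frames the bridge would send for a job."""
    async def _collect() -> list[str]:
        return [frame async for frame in stream_job(store, job_id, interval)]
    return asyncio.run(_collect())


def demo() -> list[str]:
    """Simulate a worker emitting three progress events and a result while streaming."""
    async def _demo() -> list[str]:
        store = FakeJobStore()
        job = store.create("job-1")  # constructed job id

        async def worker() -> None:
            for pct in (25, 50, 75):
                job.events.append(ProgressEvent(message="expanding", percent=pct))
                await asyncio.sleep(0.01)
            job.events.append(ResultEvent(payload={"nodes": 1024}))
            job.state = "succeeded"

        task = asyncio.create_task(worker())
        frames = [frame async for frame in stream_job(store, "job-1", interval=0.01)]
        await task
        return frames
    return asyncio.run(_demo())


if __name__ == "__main__":
    for frame in demo():
        print(frame, end="")
```

In a real FastAPI route the generator above would be wrapped in a streaming response rather than collected into a list; the polling loop and the snapshot-then-drain ordering are the parts that carry over unchanged.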
Access roles
Read-only access to all investigations, rules, and reports
Create and manage own investigations, rules, and report drafts
+ Materialise investigations · promote rules · publish reports · edit any
All permissions plus user management and audit log access
Permissions are enforced in the facade layer on every state-changing request. The frontend uses usePermission() to gate UI elements, but server-side enforcement is always authoritative. Every permission denial and every state change is recorded in the append-only audit log.
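An added example, not GNAT-gui's own code, showing the server-side rule stated above: a facade-layer decorator checks the caller's role before any state change, fails closed on unknown roles or permissions, and records both denials and successful changes in an append-only audit log. The role names, the permission strings, the facade class and the minimum-role table are assumptions made for this example (modelled on the page's "senior analyst+" gates), not GNAT-gui's real RBAC model.

```python
"""Added example (not GNAT-gui code): facade-layer permission enforcement with audit."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from functools import wraps

# Assumed role ladder, least to most privileged; the names are placeholders.
ROLE_RANK = {"viewer": 0, "analyst": 1, "senior_analyst": 2, "admin": 3}

# Assumed permission -> minimum role table, shaped like the page's "senior analyst+" gates.
PERMISSION_MIN_ROLE = {
    "investigation.create": "analyst",
    "investigation.materialise": "senior_analyst",
    "rule.promote": "senior_analyst",
    "report.publish": "senior_analyst",
    "user.manage": "admin",
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class PermissionDenied(Exception):
    pass


@dataclass
class AuditLog:
    """Append-only: entries can be added and read back, never edited or removed."""
    _entries: list[dict] = field(default_factory=list)

    def append(self, **entry) -> None:
        entry.setdefault("at", datetime.now(timezone.utc).isoformat())
        self._entries.append(dict(entry))

    def entries(self) -> tuple[dict, ...]:
        return tuple(dict(e) for e in self._entries)  # copies, so callers cannot mutate


def has_permission(role: str, permission: str) -> bool:
    """True when the role is at or above the permission's minimum role.

    Unknown permissions and unknown roles are denied: the check fails closed.
    """
    needed = PERMISSION_MIN_ROLE.get(permission)
    if needed is None or role not in ROLE_RANK:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[needed]


def requires(permission: str):
    """Facade decorator: enforce before mutating, audit the denial or the change."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(facade, user: User, *args, **kwargs):
            if not has_permission(user.role, permission):
                facade.audit.append(actor=user.name, action=permission, outcome="denied")
                raise PermissionDenied(f"{user.name} ({user.role}) lacks {permission}")
            result = fn(facade, user, *args, **kwargs)
            facade.audit.append(actor=user.name, action=permission,
                                outcome="ok", target=result)
            return result
        return wrapper
    return decorator


class InvestigationFacade:
    """Hypothetical facade; only the decorated method is relevant here."""

    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self.materialised: set[str] = set()

    @requires("investigation.materialise")
    def materialise(self, user: User, investigation_id: str) -> str:
        self.materialised.add(investigation_id)
        return investigation_id


def demo() -> tuple[tuple[dict, ...], frozenset[str]]:
    """A senior analyst succeeds, an analyst is denied; both end up in the audit log."""
    audit = AuditLog()
    facade = InvestigationFacade(audit)
    facade.materialise(User("sam", "senior_analyst"), "inv-1")  # constructed users/ids
    try:
        facade.materialise(User("al", "analyst"), "inv-2")
    except PermissionDenied:
        pass
    return audit.entries(), frozenset(facade.materialised)


if __name__ == "__main__":
    log, done = demo()
    for entry in log:
        print(entry)
    print("materialised:", sorted(done))
```

The decorator is applied at the facade rather than in the HTTP layer so that every caller, including background jobs and scripts, goes through the same check; the frontend's usePermission() gate only hides buttons and must not be relied on.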
Quick start
# Backend
cd backend
pip install -e ".[dev]" && pip install -e ../GNAT
cp .env.example .env # set GNAT_GUI_SECRET_KEY + GNAT_GUI_DB_URL
alembic upgrade head
python ../scripts/seed.py
uvicorn gnat_gui.main:app --reload
# Frontend (new terminal)
cd frontend && npm install && npm run dev
Open http://localhost:5173 and log in with admin / changeme-please-set-env.
Or with Docker:
docker compose -f docker-compose.dev.yml up
Documentation
📖 Tutorials
Step-by-step, guaranteed-success walkthroughs for newcomers
🔧 How-to guides
Task-oriented recipes — assumes a running system
📚 Reference
Dry, complete, authoritative technical specifications
💡 Explanation
Background reading — the why behind the design
GNAT-o-sphere
GNAT-gui is one component of the GNAT threat intelligence ecosystem:
- GNAT: Core headless library. STIX 2.1, three rule engines, analyst services, async job runner, and streaming callbacks. (GitHub →)
- GNAT-gui ✦: This project. FastAPI backend + React SPA analyst workbench with full RBAC, audit, and SSE streaming. (GitHub →)
- SandGNAT: Automated malware sandbox. Proxmox detonation, trigram-similarity clustering, STIX 2.1 output. (Docs →)
- RedGNAT: Continuous automated red teaming. Ingest threat intel, emulate adversaries, identify detection gaps. (Docs →)
- SenseGNAT: Network profiling and behavioural pattern analysis for the GNAT intelligence pipeline. (Docs →)
Licensed under Apache 2.0 · View on GitHub · GNAT-o-sphere