Zing Forum


HackTUI-Hermes-Jido: A Terminal-Native Security Operations Platform Built on Elixir/BEAM

HackTUI-Hermes-Jido is a terminal-native security operations platform designed for telemetry collection, alert management, incident investigation and bounded agent workflows. It draws on the concurrency strengths of the Elixir language and the BEAM virtual machine, combined with the MCP protocol, to give security teams an efficient operating interface.

Tags: Security Operations, SOC, Terminal UI, Elixir, BEAM, Intelligent Agents, MCP Protocol

Published 2026/04/30 00:15 · Last activity 2026/04/30 00:23 · Estimated reading time 6 minutes

Section 01

HackTUI-Hermes-Jido: Terminal-Native Security Ops Platform Overview

HackTUI-Hermes-Jido is a terminal-native security operations platform designed for telemetry data collection, alert management, incident investigation, and bounded agent workflows. It leverages Elixir/BEAM's concurrency advantages and integrates the MCP protocol to address a long-standing SOC pain point: combining the efficiency of command-line tools with the structured collaboration of web interfaces.

Section 02

Background: Why Terminal-Native for Security Operations?

Terminal-native platforms offer key benefits for SOC analysts:

  • Efficiency: Keyboard-driven navigation and batch operations outperform mouse-based interfaces.
  • Resource Friendly: Ideal for bandwidth-constrained remote access (SSH) and low-resource environments.
  • Scriptable: Supports automation and knowledge standardization via custom scripts.
  • Focus: Minimal visual distractions enhance immersion during complex incident handling.
Section 03

Technical Stack: Elixir & BEAM's Core Advantages

The choice of Elixir/BEAM is rooted in their strengths:

  • Concurrency: Actor model with millions of lightweight processes for multi-source telemetry collection, real-time alert processing, and multi-user collaboration.
  • Fault Tolerance: Supervision trees enable automatic recovery from component failures, critical for 7×24 SOC operations.
  • Hot Code Upgrade: Allows service updates without downtime, a major operational advantage for security tools.
  • Pattern Matching: Simplifies structured data (logs, alerts) handling with declarative rules.
Section 04

Platform Architecture: Core Modules

The platform is built around four core security operations stages:

  1. Telemetry: Scalable collection from logs (Syslog/JSON/CEF), APIs (EDR/SIEM/cloud), and streaming data with normalization.
  2. Alerts: Aggregation of related alerts, dynamic priority sorting (asset importance/threat intel), and automated routing to analysts.
  3. Investigations: Timeline reconstruction, entity correlation analysis, and evidence collection in a space-efficient terminal interface.
  4. Bounded Agent Workflows: Autonomous sub-task execution (tool calls, data query) within strict boundaries, with transparent human oversight.
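The pattern-matching point from Section 03 and the telemetry normalisation and alert prioritisation described above are easiest to see in code. The following is an added example, not code from HackTUI-Hermes-Jido: it normalises Syslog, JSON and CEF lines into one event map with function-head pattern matching, then groups alerts that share a host and rule and ranks them by severity, asset importance and threat intel. It assumes Elixir 1.18 or later for the built-in `JSON` module; the sample lines, the asset tiers and the "known bad" hash are all constructed.

```elixir
# Added example, not code from HackTUI-Hermes-Jido: one way to use Elixir
# pattern matching to normalise Syslog, JSON and CEF lines into a single event
# shape, then group related alerts and rank them by severity, asset importance
# and threat intel. Requires Elixir >= 1.18 for the built-in JSON module.
# Every sample line, host tier and "known bad" hash below is constructed.

defmodule TelemetryNormalizer do
  @moduledoc "Normalise raw telemetry into %{host, source, rule, message, severity, fields}."

  # CEF header: CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension
  def normalize("CEF:" <> rest) do
    [_ver, vendor, product, _dev_ver, sig, name, sev | ext] = String.split(rest, "|")
    fields = ext |> Enum.join("|") |> cef_extension()
    event(fields["dvchost"], "#{vendor}/#{product}", sig, name, String.to_integer(sev), fields)
  end

  # JSON object from an EDR/cloud API; severity is optional (0..10, default 3)
  def normalize("{" <> _ = line) do
    %{"host" => host, "msg" => msg} = fields = JSON.decode!(line)
    event(host, fields["source"] || "json", fields["rule"] || "none", msg, fields["severity"] || 3, fields)
  end

  # BSD syslog: <PRI>Mon DD HH:MM:SS host app[pid]: message
  def normalize("<" <> _ = line) do
    re = ~r/^<(?<pri>\d+)>\w{3} +\d+ [\d:]+ (?<host>\S+) (?<app>[^:\[ ]+)(\[\d+\])?: (?<msg>.*)$/

    case Regex.named_captures(re, line) do
      %{"pri" => pri, "host" => host, "app" => app, "msg" => msg} ->
        # syslog severity is PRI mod 8 with 0 = emergency; rescale so that 10 is the worst
        sev = div((7 - rem(String.to_integer(pri), 8)) * 10, 7)
        event(host, app, "syslog", msg, sev, %{})

      nil ->
        unparsed(line)
    end
  end

  def normalize(line), do: unparsed(line)

  # Unknown formats are kept at severity 0 rather than silently dropped
  defp unparsed(line), do: event("unknown", "raw", "none", line, 0, %{})

  defp event(host, source, rule, message, severity, fields),
    do: %{host: host, source: source, rule: rule, message: message, severity: severity, fields: fields}

  # "k1=v1 k2=v2 ..." -> map; a value runs until the next " key=" or the end of the line
  defp cef_extension(ext) do
    ~r/(\w+)=(.*?)(?= \w+=|$)/
    |> Regex.scan(ext)
    |> Map.new(fn [_, k, v] -> {k, v} end)
  end
end

defmodule AlertTriage do
  # Constructed asset tiers (3 = most critical) and a constructed threat-intel hash set
  @asset_tier %{"dc01" => 3, "fileserver" => 2, "ws-042" => 1}
  @known_bad MapSet.new(["deadbeef"])

  # Priority = severity weight + asset importance + threat-intel boost
  def score(%{severity: sev, host: host, fields: fields}) do
    tier = Map.get(@asset_tier, host, 1)
    intel = if MapSet.member?(@known_bad, fields["hash"]), do: 50, else: 0
    sev * 5 + tier * 10 + intel
  end

  # Collapse alerts sharing host and rule into one row the analyst can expand
  def aggregate(events) do
    events
    |> Enum.group_by(&{&1.host, &1.rule})
    |> Enum.map(fn {{host, rule}, evs} ->
      %{host: host, rule: rule, count: length(evs), first: hd(evs),
        score: evs |> Enum.map(&score/1) |> Enum.max()}
    end)
  end

  def prioritize(events), do: events |> aggregate() |> Enum.sort_by(& &1.score, :desc)
end

# Constructed input: two duplicate EDR alerts, one cloud-API JSON event, one syslog line, one unknown line
raw = [
  "CEF:0|ExampleEDR|Sensor|6.0|PS-100|Suspicious PowerShell|8|dvchost=ws-042 hash=deadbeef act=detected",
  "CEF:0|ExampleEDR|Sensor|6.0|PS-100|Suspicious PowerShell|8|dvchost=ws-042 hash=deadbeef act=detected",
  ~s({"host":"dc01","msg":"new local admin created","rule":"IAM-7","severity":6}),
  "<38>Apr 30 00:15:02 dc01 sshd[1001]: Failed password for root from 10.0.0.5",
  "not a format this normaliser knows"
]

raw
|> Enum.map(&TelemetryNormalizer.normalize/1)
|> AlertTriage.prioritize()
|> Enum.each(fn a -> IO.puts("#{a.score}\t#{a.host}\t#{a.rule}\tx#{a.count}\t#{a.first.message}") end)
```

Run it with `elixir normalize.exs`. The two identical EDR alerts collapse into one row with count 2 and the top score (severity 8, plus the threat-intel boost because the hash is in the constructed intel set), while the unknown line survives at severity 0 so nothing is lost between ingestion and triage. Each format is a separate `normalize/1` clause, which is the declarative-rules style the Section 03 bullet refers to: adding a new source means adding a clause, not threading another branch through a parser.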
Section 05

MCP Protocol Integration Benefits

Integration with Anthropic's MCP (Model Context Protocol) provides:

  • Tool Ecosystem Reuse: Leverage existing MCP-compatible tools without re-development.
  • Model Agnostic: Supports Claude, GPT, and local models.
  • Security Compliance: Built-in permission and audit mechanisms for safe AI-tool interactions.
Section 06

Terminal UI Design Features

The UI prioritizes efficiency and flexibility:

  • Keyboard-Driven: All core functions accessible via shortcuts.
  • Split Screens & Tabs: Simultaneous viewing of multiple data sources/investigation threads (like tmux).
  • Customizable Dashboards: Analyst-tailored layouts for key metrics.
  • Hybrid CLI-Interactive: Combines command-line flexibility with interactive components (tables, forms, trees).
Section 07

Practical Scenario: Suspicious PowerShell Script Response

A typical workflow example:

  1. Alert Reception: EDR detects a suspicious PowerShell script.
  2. Auto Enrichment: Threat intel confirms the script hash is malicious.
  3. Priority Upgrade: Alert priority rises based on intel.
  4. Analyst Intervention: The high-priority alert is reviewed by an analyst in the terminal.
  5. Agent Assistance: Restricted agent is launched to query 24h network/file activity.
  6. Agent Execution: Agent identifies suspicious C2 communication.
  7. Human Confirmation: Analyst validates the threat.
  8. Response: EDR isolation is triggered directly via the platform.
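The bounded-agent steps of this scenario (steps 5 to 8), together with the "strict boundaries, transparent human oversight" requirement from Section 04 and the permission and audit mechanisms mentioned in Section 05, can be expressed as a small policy gate around tool calls. The block below is an added example, not code from HackTUI-Hermes-Jido or any MCP SDK: every call the agent proposes is checked against an allow-list with argument limits, written to an audit log, and the containment action waits for a human decision. The tool names, the policy, the tool backends, the `decide` callback, the TEST-NET-3 address used as a C2 indicator and all returned data are constructed placeholders.

```elixir
# Added example, not code from HackTUI-Hermes-Jido or any MCP SDK: a bounded
# agent loop in which every tool call the agent proposes must pass an explicit
# allow-list and argument policy, is appended to an audit log, and any
# containment action (isolate_host) only runs after a human approves it.
# Tool names, policy, backends, the "decide" callback and all data are constructed.

defmodule BoundedAgent do
  # Tools the agent may call on its own (with argument limits) versus tools
  # that always need a human decision before they run.
  @policy %{
    "query_network_activity" => %{auto: true, max_window_hours: 24},
    "query_file_activity" => %{auto: true, max_window_hours: 24},
    "isolate_host" => %{auto: false}
  }

  defstruct tools: %{}, decide: nil, audit: []

  def new(tools, decide), do: %__MODULE__{tools: tools, decide: decide}

  # Run proposed {tool, args} calls in order; returns {results, audit entries oldest first}
  def run(%__MODULE__{} = agent, proposals) do
    {results, agent} = Enum.map_reduce(proposals, agent, fn call, acc -> step(acc, call) end)
    {results, Enum.reverse(agent.audit)}
  end

  defp step(agent, {tool, args}) do
    case authorize(tool, args, agent.decide) do
      :ok ->
        result = agent.tools[tool].(args)
        {{:ok, tool, result}, log(agent, {:executed, tool, args, result})}

      {:error, reason} ->
        {{:denied, tool, reason}, log(agent, {:denied, tool, args, reason})}
    end
  end

  # Fail closed: unknown tools, out-of-bounds arguments and unapproved containment are all denied
  defp authorize(tool, args, decide) do
    case @policy[tool] do
      nil ->
        {:error, :tool_not_in_allowlist}

      %{auto: true, max_window_hours: max} ->
        case args[:window_hours] do
          h when is_integer(h) and h <= max -> :ok
          _ -> {:error, :window_exceeds_policy}
        end

      %{auto: false} ->
        if decide.(tool, args) == :approve, do: :ok, else: {:error, :human_rejected}
    end
  end

  defp log(agent, entry), do: %{agent | audit: [{DateTime.utc_now(), entry} | agent.audit]}
end

# Constructed backends standing in for EDR / network-telemetry servers.
# 203.0.113.7 is a documentation (TEST-NET-3) address used as the constructed C2 indicator.
tools = %{
  "query_network_activity" => fn %{host: host} ->
    [%{host: host, dst: "203.0.113.7", port: 443, bytes: 48_000},
     %{host: host, dst: "10.0.0.2", port: 445, bytes: 1_200}]
  end,
  "query_file_activity" => fn %{host: host} ->
    [%{host: host, path: "C:\\Users\\Public\\update.ps1", action: "created"}]
  end,
  "isolate_host" => fn %{host: host} -> {:isolated, host} end
}

# Human-in-the-loop stand-in; in the terminal UI this would be the analyst's keypress
decide = fn
  "isolate_host", %{host: "ws-042"} -> :approve
  _tool, _args -> :reject
end

proposals = [
  {"query_network_activity", %{host: "ws-042", window_hours: 24}},
  # exceeds the 24h window the policy allows -> denied
  {"query_file_activity", %{host: "ws-042", window_hours: 72}},
  # not on the allow-list -> denied regardless of what the model asked for
  {"run_shell", %{cmd: "hostname"}},
  # containment: only runs after the human approves
  {"isolate_host", %{host: "ws-042"}}
]

{results, audit} = BoundedAgent.run(BoundedAgent.new(tools, decide), proposals)

# Step 6 of the scenario: flag connections to known C2 infrastructure (constructed intel set)
known_c2 = MapSet.new(["203.0.113.7"])
{:ok, "query_network_activity", connections} = hd(results)
suspicious = Enum.filter(connections, &MapSet.member?(known_c2, &1.dst))
IO.inspect(suspicious, label: "possible C2")

Enum.each(results, &IO.inspect/1)
Enum.each(audit, fn {ts, entry} -> IO.puts("#{DateTime.to_iso8601(ts)} #{inspect(entry)}") end)
```

Run it with `elixir bounded_agent.exs`. The first query succeeds, the 72-hour query and the unknown `run_shell` tool are denied with a reason, and `isolate_host` runs only because the `decide` callback returned `:approve`; all four decisions, allowed or not, appear in the audit log with timestamps. The important design choice is that the policy lives outside the model's reach: the agent can propose anything, but the gate decides, and a denial is recorded just as visibly as an execution.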
Section 08

Open Source & Future Outlook

Open Source Value: Transparent code for audit, community contributions (data connectors, investigation templates), and knowledge sharing.

Conclusion: HackTUI-Hermes-Jido complements existing SIEM/SOAR tools, offering a terminal-native option for efficient human-AI collaborative security operations. As threats grow, such scalable, user-centric platforms will become increasingly critical.