Quick update — over the last few months we focused on making detection engineering more production-ready across RuleEngine, Cluster, Agent, and Frontend.
RuleEngine Rulesets now support hot reload, so updates apply without restarting Projects.
Native CEP is much more complete now, including sequence matching, key-based correlation, and time-window constraints. Practical scenario support is stronger, e.g. detecting “external download -> execution” on the same host/user within a short window.
Iterator support (ANY / ALL) is now available, making list/array detections much easier to express.
Performance has been further optimized in execution path, memory behavior, and caching; in published benchmark scenarios, AgentSmith-HUB reaches ~3.90M messages/sec with sub-ms latency on a 2 vCPU / 4 GB environment (average CPU ~200%, average memory ~85 MB).
Added out-of-the-box intrusion detection and baseline compliance rules for Kubernetes audit logs.
Cluster The synchronization algorithm was almost fully rebuilt. Instruction sync, ordering, compression, consistency handling, heartbeat logic, and failure recovery were all reworked.
After multiple rounds of hardening, the cluster has been running stably for 6+ months in multiple environments.
Agent Agent is now a first-class pipeline component, so LLM-based analysis runs directly in-stream and writes structured outputs per event.
We added full traceability for Agent runs: each event can keep its prompt/tool-call/decision timeline metadata (with filtering in UI), so debugging and review are no longer black-box.
We also implemented a comment-driven memory loop: reviewers can leave comments on Agent traces, and those comments can be converted into durable memory_notes (with controlled update flow) for the same Agent.
This creates a practical closed loop: trace evidence -> human comment -> memory update -> improved behavior on subsequent runs.
Skills/tools are split into knowledge and action layers, so Agents can both reference context and execute scoped operations (including ruleset read/verify/write workflows), hub ruleset expert skill are already built in.
This is a real production use case for us: we use an Agent to assign confidence scores to alerts, and alerts scored below 0.2 are automatically handled through whitelisting by the Agent, which has significantly improved our operational efficiency.
Frontend A large number of bugs were fixed across editor completion, testing flows, status/log/history views, cache consistency, refresh behavior, and layout edge cases.
Overall UX and stability are significantly improved versus early versions.
If you need an open-source security rules engine that can process, enrich, correlate, and respond to massive event streams in real time—with native CEP, rich plugins, cluster scalability, and built-in LLM Agent workflows—AgentSmith-HUB is built for exactly that: https://github.com/EBWi11/AgentSmith-HUB