Bernstein Integration

This integration keeps secopsai as the detection, correlation, and findings source of truth, while using Bernstein as the orchestration dashboard and task runner for remediation work.

Do not replace the secopsai SOC store or findings pipeline with Bernstein.

Use:

  • secopsai for:
      • detection
      • correlation
      • IOC/supply-chain findings
      • triage state
      • Slack / operational security alerts

  • Bernstein for:
      • remediation task execution
      • live terminal/web dashboard
      • parallel coding agents
      • worktree isolation
      • quality gates

Install Bernstein

Pick one:

pipx install bernstein

or

uv tool install bernstein

Then initialize Bernstein in this repo:

cd ~/secopsai
bernstein init

Copy the example configuration:

cp bernstein.yaml.example bernstein.yaml

The example configuration already enables Bernstein's agency catalog so it can route work to specialist agents when that catalog is available in your Bernstein installation.

Export SecOpsAI findings into a Bernstein plan

Generate a Bernstein-compatible remediation plan from the current SOC store:

cd ~/secopsai
source .venv/bin/activate
python scripts/secopsai_to_bernstein.py --severity high --limit 10

This writes:

  • .sdd/plans/secopsai-remediation.yaml
  • .sdd/secopsai/findings/*.md

The Markdown files contain finding-specific context, and the plan file maps those findings into Bernstein steps.

Wrapper script:

bash scripts/secopsai_bernstein_sync.sh

Run Bernstein against the exported plan

cd ~/secopsai
bernstein run .sdd/plans/secopsai-remediation.yaml

Watch progress:

bernstein live

Open the browser dashboard:

bernstein dashboard

If you want to confirm the catalog-backed routing behavior, inspect bernstein.yaml and ensure it contains:

catalogs:
  - name: agency
    type: agency
    enabled: true
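
A preflight check an operator could run between the export and `bernstein run`, as an added example that is not part of secopsai or Bernstein: it confirms that the two export outputs listed above exist and that the plan is recent, and it warns if the agency catalog is not enabled. The function names, exit codes and the 60-minute freshness window are assumptions; the catalog check is a line-based match on the snippet shown above, not a full YAML parser.

```sh
#!/bin/sh
# Added example: preflight for the exported remediation plan.
# Function names, exit codes and the freshness window are assumptions.

# Succeeds only if bernstein.yaml has a catalogs entry named "agency"
# with "enabled: true" (line-based match, not a YAML parser).
agency_catalog_enabled() {
  awk '
    /^catalogs:/            { in_cat = 1; next }
    in_cat && /^[^ \t#-]/   { in_cat = 0 }      # next top-level key ends the section
    in_cat && /^[ \t]*-/    { name = "" }       # a new list item starts
    in_cat && /name:[ \t]*agency[ \t]*$/ { name = "agency" }
    in_cat && name == "agency" && /enabled:[ \t]*true[ \t]*$/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1" 2>/dev/null
}

# preflight REPO_DIR [MAX_AGE_MINUTES]
# Returns 0 ok, 1 plan missing/empty, 2 no finding files, 3 plan stale.
preflight() {
  repo="${1:-.}"
  max_age="${2:-60}"
  plan="$repo/.sdd/plans/secopsai-remediation.yaml"

  [ -s "$plan" ] || { echo "plan missing or empty: $plan" >&2; return 1; }

  ls "$repo"/.sdd/secopsai/findings/*.md >/dev/null 2>&1 ||
    { echo "no finding context files under .sdd/secopsai/findings" >&2; return 2; }

  # find prints the path only if it was modified within the window.
  [ -n "$(find "$plan" -mmin "-$max_age")" ] ||
    { echo "plan older than $max_age min; re-run the export" >&2; return 3; }

  agency_catalog_enabled "$repo/bernstein.yaml" ||
    echo "warning: agency catalog not enabled in bernstein.yaml" >&2
  return 0
}

# Usage: preflight ~/secopsai && bernstein run .sdd/plans/secopsai-remediation.yaml
```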

Operator workflow

  1. Refresh SecOpsAI findings:

     secopsai refresh
     secopsai supply-chain once --top 1000 --slack

  2. Export actionable findings into Bernstein:

     bash scripts/secopsai_bernstein_sync.sh

  3. Run the generated Bernstein plan:

     bernstein run .sdd/plans/secopsai-remediation.yaml

  4. Use Bernstein to:
       • investigate findings
       • propose remediations
       • generate code changes/tests/docs
       • work in isolated branches/worktrees

  5. Use secopsai to finalize security state:

     secopsai show <FINDING_ID>
     secopsai triage <FINDING_ID> --status closed --disposition remediated

What this replaces

If your current "dashboard setup" need is:

  • work queue
  • progress dashboard
  • multi-agent remediation
  • cost/status tracking

then Bernstein can replace that orchestration/dashboard layer.

What this does not replace

Bernstein does not replace:

  • secopsai findings DB
  • correlation engine
  • threat intel matching
  • supply-chain verdict store
  • security finding schema

Those stay in secopsai.

Suggested next step

Start with a side-by-side setup:

secopsai refresh
bash scripts/secopsai_bernstein_sync.sh
bernstein run .sdd/plans/secopsai-remediation.yaml
bernstein live

That gives you a real Bernstein remediation dashboard on top of the existing secopsai backend without throwing away the SOC pipeline.