Full-stack cybersecurity monitoring platform that helps teams track attack activity, manage incidents, and review threat intelligence from one dashboard.
CAMAS is a full-stack SOC-style web application built to centralize core security operations workflows:
- Monitor attack logs and trends
- Track incident lifecycle and status updates
- Review monitored systems and their security activity
- View threat intelligence and active blacklist data
- Generate shareable PDF security reports
Why it was built:
- To demonstrate practical security-oriented full-stack engineering
- To model common workflows used by analysts and admins in monitoring environments
- To provide a clean starter system for learning API design, role-based access, and data visualization
Where it can be used:
- Security learning projects and portfolio demos
- Internal prototype dashboards for SOC-style operations
- Training environments for incident triage workflows
- JWT authentication and protected routes
- Register and login endpoints are implemented.
- The frontend stores the JWT and attaches it to API requests.
- Protected pages redirect unauthenticated users to login.
- Role-based authorization for write operations
- Backend uses JWT guard plus roles guard.
- Admin-only actions are enforced on sensitive create/update/delete endpoints.
- Attack log management
- List attacks with pagination.
- Search by source IP.
- Filter by severity and attack type.
- Admin users can create, update, and delete attack logs.
- Incident management with history tracking
- List incidents and view incident details.
- Create incidents (admin).
- Update incident status/priority/assignment (admin).
- Delete behavior is implemented as soft-close (status set to CLOSED).
- Incident history entries are recorded during create/update/delete actions.
- Systems management
- List monitored systems with network and event counts.
- View system details with recent attack and system logs.
- Admin users can create, update, and deactivate systems.
- Threat intelligence and blacklist management
- List threat intelligence entries by risk score.
- List active blacklisted IPs.
- Admin users can create, update, and delete threat intel entries.
- Admin users can create, update, and delete blacklist entries.
- Analytics API
- Summary metrics endpoint (total attacks, active incidents, unread alerts, total systems).
- Top attack types endpoint.
- Severity distribution endpoint.
- Attacks per day endpoint (last 30 days).
- Top source IPs endpoint.
- Dashboard and charts
- Dashboard renders summary cards.
- Recharts visualizations for attacks-per-day and severity distribution.
- Recent attack table is displayed.
- Report page with PDF export
- Report page shows security report cards.
- New report cards can be generated from live analytics endpoints.
- PDF export uses jsPDF and opens in a browser tab for saving.
- Seeded database for quick demo
- Prisma seed script inserts realistic demo data (users, systems, attacks, incidents, alerts, reports, threat intel, blacklist).
- Includes default demo credentials.
- TypeScript
- JavaScript
- SQL (PostgreSQL via Prisma)
- Next.js 14 (App Router)
- React 18
- Tailwind CSS
- Recharts
- Axios
- jsPDF
- react-hot-toast
- lucide-react
- NestJS 10
- Prisma ORM 5
- PostgreSQL
- Passport JWT (
passport-jwt) @nestjs/jwt- bcrypt
- class-validator and class-transformer
- npm
- Prisma CLI
- TypeScript compiler
Cyber_Attack_Monitoring/
|- backend/ # NestJS API server
| |- prisma/
| | |- schema.prisma # Full database schema
| | |- seed.ts # Demo data seeding script
| | |- migrations/ # Prisma migration SQL
| |- src/
| | |- main.ts # App bootstrap, CORS, global validation pipe
| | |- app.module.ts # Root module wiring all feature modules
| | |- prisma/ # Prisma service/module for DB access
| | |- auth/ # Register/login/profile, JWT strategy/guards, role guard
| | |- attacks/ # Attack log endpoints + service logic + DTOs
| | |- incidents/ # Incident endpoints, status history logic
| | |- systems/ # Monitored systems endpoints and service logic
| | |- threat-intel/ # Threat intel + blacklist endpoints
| | |- analytics/ # Aggregated analytics endpoints for dashboard/reporting
| |- package.json # Backend scripts and dependencies
|
|- frontend/ # Next.js web client
| |- app/
| | |- (auth)/ # Login and registration pages
| | |- dashboard/ # Main analytics dashboard
| | |- attacks/ # Attack log table with search/filter/pagination
| | |- incidents/ # Incident list/detail and admin actions
| | |- systems/ # Systems overview cards
| | |- threat-intel/ # Threat intel and blacklist tabs
| | |- reports/ # Report cards + PDF generation
| | |- layout.tsx # Root app layout and global metadata
| | |- globals.css # Global styles and animation utilities
| |- components/
| | |- Sidebar.tsx # Main navigation
| | |- Navbar.tsx # Header with alert badge and profile menu
| | |- StatCard.tsx # Dashboard metric card component
| | |- AttackTable.tsx # Shared attack log table
| | |- charts/ # Recharts chart components
| |- lib/
| | |- api.ts # Axios client + JWT interceptors
| | |- auth.ts # Local token/user helper functions
| |- package.json # Frontend scripts and dependencies
|
|- create-dtos.js # Utility script (creates systems DTO files)
|- create-dtos.py # Utility script (Python variant)
|- setup_dto.ps1 # Utility script (PowerShell variant)
|- PROJECT.md / Project_Info.md # Planning and project documentation
- Node.js 18+
- npm
- PostgreSQL running locally or remotely
git clone <your-repo-url>
cd Cyber_Attack_MonitoringThis downloads the project and moves into the root folder.
cd backend
npm installThis installs NestJS, Prisma, JWT, and other backend packages.
Create backend/.env:
DATABASE_URL="postgresql://<db_user>:<db_password>@localhost:5432/<db_name>"
JWT_SECRET="your_super_secret_key"
JWT_EXPIRES_IN="1d"
PORT=5000This connects the API to PostgreSQL and configures JWT settings.
npx prisma generate
npx prisma migrate dev
npm run prisma:seedprisma generatebuilds Prisma client code.prisma migrate devcreates/applies DB tables.prisma:seedinserts demo data and sample users.
npm run start:devBackend runs at http://localhost:5000.
Open a new terminal:
cd frontend
npm installThis installs Next.js, Tailwind, Recharts, Axios, and UI libraries.
Create frontend/.env.local:
NEXT_PUBLIC_API_URL="http://localhost:5000"This points frontend API requests to the backend server.
npm run devFrontend runs at http://localhost:3000.
- Admin:
admin@camas.io/admin123 - Analyst:
analyst@camas.io/analyst123
# Terminal 1
cd backend
npm run start:dev
# Terminal 2
cd frontend
npm run devcd backend
npm run prisma:seedcurl -X POST http://localhost:5000/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"admin@camas.io","password":"admin123"}'curl "http://localhost:5000/attacks?page=1&limit=5" \
-H "Authorization: Bearer <JWT_TOKEN>"curl "http://localhost:5000/attacks/filter?severity=CRITICAL&type=SQL%20Injection" \
-H "Authorization: Bearer <JWT_TOKEN>"curl -X POST http://localhost:5000/incidents \
-H "Authorization: Bearer <ADMIN_JWT_TOKEN>" \
-H "Content-Type: application/json" \
-d '{"title":"Suspicious SSH Brute Force","description":"Repeated failed SSH logins detected","priority":"HIGH"}'CAMAS Backend running on http://localhost:5000
{
"accessToken": "<JWT_TOKEN>",
"user": {
"id": 1,
"username": "admin",
"email": "admin@camas.io",
"role": "ADMIN"
}
}{
"totalAttacks": 165,
"activeIncidents": 4,
"unreadAlerts": 9,
"totalSystems": 10
}{
"data": [
{
"id": 123,
"sourceIp": "185.220.101.1",
"destinationIp": "10.0.1.10",
"isBlocked": true,
"attackType": { "name": "SQL Injection" },
"severity": { "level": "CRITICAL" },
"system": { "name": "Web Server Alpha" }
}
],
"total": 165,
"page": 1,
"limit": 5,
"totalPages": 33
}Input -> Processing -> Output
- Input
- Users interact with frontend pages (login, dashboard, attacks, incidents, systems, threat intel, reports).
- Frontend sends HTTP requests to NestJS API using Axios.
- Processing
- Backend validates input with global validation pipe and DTO rules (where DTO classes are used).
- JWT guard authenticates requests.
- Roles guard checks admin-only routes.
- Services query/update PostgreSQL through Prisma.
- Analytics endpoints aggregate data (group-by/count patterns).
- Output
- API returns JSON data to frontend.
- Frontend renders tables, cards, and charts.
- Reports page can generate a downloadable PDF from analytics values.
- No automated test suite is included yet.
- Report cards and generated reports are managed in frontend state; there is no dedicated reports API module in the backend.
- Two chart components exist (
AttackTypes,TopIPs) but are not currently rendered on pages. - JWT tokens are stored in localStorage on the client.
- Systems and threat-intel create/update payloads currently use TypeScript interfaces instead of class-validator DTO classes.
- CORS is currently configured for localhost frontend origins (
http://localhost:3000,http://localhost:3001). - Some find-by-id endpoints may return
nullfor missing records instead of a standardized 404 response. - The platform is request/response based; there is no WebSocket real-time push channel yet.
This project demonstrates practical skills in:
- Full-stack architecture with separate frontend and backend apps
- Secure API design with JWT authentication and role-based authorization
- Relational data modeling with Prisma and PostgreSQL
- Building analytics endpoints using aggregation/grouping
- Creating dashboard UIs with charts, tables, and protected routes
- Client-side report generation (PDF) from live API data
- Add automated unit/integration tests for API and frontend.
- Add a dedicated reports backend module for persistent report storage and retrieval.
- Surface all analytics charts (
top-attacks,top-ips) directly in dashboard UI. - Improve auth with refresh tokens and httpOnly cookie strategy.
- Add WebSocket/SSE for live event updates.
This project is for educational and defensive cybersecurity purposes. Do not use it to monitor or test systems without proper authorization.