POST/redteam/inject
Redteam Inject
Operator calls this once per controlled attack injection.
The payload is appended (atomically, threadsafe) to a newline-delimited
JSON log. No de-duplication; if the operator re-injects, send a new POST.
Request body
attack_namestringrequired
short label, e.g. 'mimikatz_lsass_dump'
target_hoststringrequired
hostname or asset id, case-insensitive match
injected_atstringrequired
ISO 8601 timestamp when injection ran
expected_verdictstring | null
benign | suspicious | malicious
expected_severitystring | null
Low | Medium | High | Critical
expected_mitrestring[]
MITRE technique IDs e.g. ['T1003.001']
toolstring | null
attack tool / binary, e.g. 'mimikatz_v2.2'
operatorstring | null
who ran the injection
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X POST https://see.in-bridge.com/redteam/inject \
-H "Content-Type: application/json" \
-d '{"attack_name":"string","target_host":"string","injected_at":"string","expected_verdict":"string","expected_severity":"string","expected_mitre":["string"],"target_user":"string","tool":"string","operator":"string","notes":"string"}'
JavaScriptconst res = await fetch("https://see.in-bridge.com/redteam/inject", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"attack_name": "string",
"target_host": "string",
"injected_at": "string",
"expected_verdict": "string",
"expected_severity": "string",
"expected_mitre": [
"string"
],
"target_user": "string",
"tool": "string",
"operator": "string",
"notes": "string"
})
});
const data = await res.json();
GET/redteam/match
Redteam Match
Lookup: does any RT injection match host `host` near time `ts`?
Query params:
host: required, case-insensitive match against target_host
ts: required, ISO 8601 timestamp to search around
window_minutes: ± window, default 5
The browser / bundle endpoint calls this when assembling an incident to
attach `ground_truth` if a controlled injection lines up.
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X GET https://see.in-bridge.com/redteam/match?host=string&ts=string&window_minutes=0
JavaScriptconst res = await fetch("https://see.in-bridge.com/redteam/match", {
method: "GET"
});
const data = await res.json();
GET/redteam/list
Redteam List
List recent injections (for ops verification + browser sanity).
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X GET https://see.in-bridge.com/redteam/list?limit=0&host=string
JavaScriptconst res = await fetch("https://see.in-bridge.com/redteam/list", {
method: "GET"
});
const data = await res.json();
GET/sxe/metering/usage
AI 토큰 종량 미터링 롤업 (billing 축2, #136) — 기간·(테넌트)·모델별 raw 토큰
AI 토큰 종량 미터링 롤업 (auth 청구 축2, 이슈 #136). 조회전용·측정격리(sxe.analyses 무관).
LiteLLM_SpendLogs(inc: 태그=sxe 분석 콜)를 기간 window 로 model 별 집계. ★tokens=SEE authoritative,
원가/초과 환산=auth 경제 SoT — SEE 는 가격/cost 를 안 낸다(SoT 이중화 방지, #136 확정: raw 토큰만,
파생 cost 미포함. token×price→overage 는 하류 billing 이 auth 가격표로 계산).
tenant 지정 시 request_tags `tenant:<id>` 필터(태깅 전엔 정직 빈=0), 미지정=배포전체(현행 단일고객).
계약: docs/38-to-auth-see-metering-billing-contract-2026-07-05.md
@param since/until 기간(epoch_ms 또는 상대). @param tenant 테넌트 스코프.
@returns {window, tenant, totals, by_model[], note}. side-effect: 없음(read-only).
Query parameters
sincestring | null
시작(epoch_ms 순수숫자 또는 24h/7d/60m 상대). 미지정=24h
untilstring | null
끝(epoch_ms). 미지정=now
tenantstring | null
테넌트 id — request_tags tenant:<id> additive 필터(태깅 전엔 매칭 0). 미지정=배포전체
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X GET https://see.in-bridge.com/sxe/metering/usage?since=string&until=string&tenant=string
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/metering/usage", {
method: "GET"
});
const data = await res.json();
GET/sxe/spendlogs
call 단위 LLM SpendLogs trace(비용/지연)
LiteLLM_SpendLogs trace — 두 모드.
- incident_uid 지정: 이 인시던트의 trace (request_tags 의 'inc:UID' 매칭, 시간순).
- since 지정 (예: '24h','7d','60m'): 최근 구간 전체 sxe trace 집계 (dashboard big-kpi 24h 비용).
(2026-05-31 fix: dashboard big-kpi 가 since=24h 로 호출하는데 incident_uid 필수라 422 나던
계약 불일치 해소 + total_cost 집계 추가.)
Query parameters
incident_uidstring | null
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X GET https://see.in-bridge.com/sxe/spendlogs?incident_uid=string&since=string&limit=0
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/spendlogs", {
method: "GET"
});
const data = await res.json();
GET/sxe/syskind_latency
phase별 LLM 지연 p50/p95/p99 (LiteLLM SpendLogs)
sys_kind 별 latency p50/p95/p99 — LiteLLM_SpendLogs 의 sxe 호출만.
measurements.html 의 §sys_kind latency 표 채우기 용도.
Responses
200 Successful Response
itemsSyskindLatencyItem[]required
notestring | null
SpendLogs DB 미가용 시 사유
cURLcurl -X GET https://see.in-bridge.com/sxe/syskind_latency
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/syskind_latency", {
method: "GET"
});
const data = await res.json();
Response 200{
"items": [
{
"sys_kind": "string",
"n": 0,
"p50_s": 0,
"p95_s": 0,
"p99_s": 0,
"max_s": 0,
"avg_tokens": 0,
"total_cost": 0
}
],
"note": "string"
}
GET/sxe/tenant_vendor_scope
테넌트 OCSF 벤더 스코프 (auth tenant_vendors → data_vendor_name, #135)
auth 테넌트→OCSF 벤더 스코프 resolver 결과 노출 (이슈 #135 A안, 데이터필터 파운데이션).
tenant_id 있으면 그 테넌트가 등록한 벤더의 OCSF metadata.product.vendor_name 목록,
없으면 vendor_names=null(=필터 미적용). catalog_size=라이브 auth /catalog/vendors 매핑 크기.
★ 조회 전용(측정/동결경로 무관). /opensearch_* 자동주입은 아직 안 함 — 전제(tenant_vendors 시드 +
세션 tenant 결선)는 이슈 #135 블로커. require_see_session 미적용(read route 관례).
@param tenant_id auth tenants.id
@returns {tenant_id, vendor_names: list|null, catalog_size, resolved}
Query parameters
tenant_idstring | null
auth tenants.id (없으면 vendor_names=null=필터 미적용)
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X GET https://see.in-bridge.com/sxe/tenant_vendor_scope?tenant_id=string
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/tenant_vendor_scope", {
method: "GET"
});
const data = await res.json();
GET/sxe/stats
per-source 분석 통계 (건수·비용·지연)
전체 sxe 통계 (per-source).
NOTE (cost-null bug fix): the legacy v_source_stats view defined
measured_analyses = COUNT FILTER (measurement_enabled) but
avg_cost_usd = AVG(total_cost_usd). For a vendor whose rows are all
measurement-enabled yet cost-less (e.g. the ocsf pending block: 54 rows,
every total_cost_usd NULL) this produced the contradictory
"measured_analyses=54 / avg_cost_usd=null". We now derive BOTH fields from
the SAME `total_cost_usd IS NOT NULL` filter so measured_analyses counts
only actually-costed runs and avg_cost_usd is null IFF measured_analyses==0.
enabled_analyses keeps the old measurement_enabled count for reference.
Responses
200 Successful Response
total_analysesintegerrequired
measured_analysesintegerrequired
by_sourceStatsBySource[]required
unique_incidentsinteger | null
total_analysesinteger | null
enabled_analysesinteger | null
measured_analysesinteger | null
avg_elapsed_sstring | null
avg_cost_usdstring | null
cURLcurl -X GET https://see.in-bridge.com/sxe/stats
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/stats", {
method: "GET"
});
const data = await res.json();
Response 200{
"total_analyses": 0,
"measured_analyses": 0,
"by_source": [
{
"source": "string",
"unique_incidents": 0,
"total_analyses": 0,
"enabled_analyses": 0,
"measured_analyses": 0,
"avg_elapsed_s": "string",
"avg_cost_usd": "string"
}
]
}
GET/sxe/measurement_stats
측정 집계 롤업(논문 §5 보조)
P5-C5 (2026-05-30) — 측정/논문 단일 진실 소스.
7 단계 진단 출력 — 어떤 컬럼이 채워지고 안 채워지는지를 한 번에 본다:
1) 전체 분석 수 / 측정모드 분포
2) config_hash 분포 (paper §5 ablation 대상)
3) status 분포 (done/running/error 등)
4) phase_reached 분포
5) 정규화 테이블 row 분포 (findings/debate/dialogue/itsm/spawned)
6) cross_ref_round=1 채움 비율 (F-5 fix 검증)
7) 0007 컬럼 채움 비율 (vendor_label / disposition / correlation_keys / bundle_vendor_eval)
측정 batch 끝나고 한 번 호출 → 모든 컬럼 sanity check.
paper §5 export 도 이 값을 인용 — UI 와 export 가 서로 다른 숫자로 빠지는 것을 방지.
Query parameters
backend_runnerboolean | null
measurementboolean | null
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X GET https://see.in-bridge.com/sxe/measurement_stats?source=string&backend_runner=true&measurement=true
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/measurement_stats", {
method: "GET"
});
const data = await res.json();
GET/sxe/measure/candidates
Sxe Measure Candidates
측정 선정용 후보 — 벤더별 richness 정렬. kumho(cortex_xdr) 는 sxe_richness(alert/hash/file/net),
그 외 벤더는 incident.count(detection 수) 로 정렬.
source 미지정은 기본 OCSF 데이터스트림(ocsf_ds)을 사용한다. source=vendor_default 일 때만
기존 벤더별 측정 소스(ocsf/crowdstrike/...)를 사용한다.
source=ocsf|ocsf_ds 지정 시 해당 OCSF 인덱스 패턴에서 후보를 뽑고, 측정 실행 source도 그 값으로 태깅한다.
Responses
200 Successful Response422 Validation Error
object
cURLcurl -X GET https://see.in-bridge.com/sxe/measure/candidates?vendor=string&source=string&min_alert=0
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/measure/candidates", {
method: "GET"
});
const data = await res.json();
POST/sxe/measure/run
Sxe Measure Run
선정 incident 들을 벤더별 SOURCE 로 measure.mjs 실행 (백그라운드, 동시성 cap).
body: { incidents: [{uid, source}] } (source 미지정시 ocsf_ds)
Responses
200 Successful Response
object
cURLcurl -X POST https://see.in-bridge.com/sxe/measure/run
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/measure/run", {
method: "POST"
});
const data = await res.json();
GET/sxe/measure/runs
측정 실행 상태 타임라인 (active/max_concurrent)
측정 실행 상태 (measure-lab 타임라인용). 최신순.
Responses
200 Successful Response
runsany[]
measure 실행 상태(최신순)
max_concurrentintegerrequired
cURLcurl -X GET https://see.in-bridge.com/sxe/measure/runs
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/measure/runs", {
method: "GET"
});
const data = await res.json();
Response 200{
"runs": [
null
],
"active": 0,
"max_concurrent": 0
}
POST/sxe/measure/clear
Sxe Measure Clear
완료/에러 run 정리 (running/queued 는 보존).
Responses
200 Successful Response
object
cURLcurl -X POST https://see.in-bridge.com/sxe/measure/clear
JavaScriptconst res = await fetch("https://see.in-bridge.com/sxe/measure/clear", {
method: "POST"
});
const data = await res.json();