AiSOC by beenuar

AI-powered Security Operations Center platform

Created 3 weeks ago

1,041 stars

Top 35.7% on SourcePulse

Project Summary

An open-source, self-hostable AI Security Operations Center (SOC) designed for alert fusion, agent-assisted triage, and MITRE ATT&CK investigations. It targets security engineers and researchers seeking transparency and control, offering an auditable Investigation Ledger and a public evaluation harness as key benefits over proprietary solutions.

How It Works

AiSOC processes security events via a Kafka spine, correlating and enriching them before AI agents, orchestrated by LangGraph, perform investigations. Key differentiators include the Investigation Ledger, which logs every agent decision step for replayability and transparency, and a public, CI-gated evaluation harness validating the core substrate against synthetic data on every PR.

Quick Start & Requirements

A local demo launches in under 5 minutes via pnpm aisoc:demo (Docker Compose). Hosted deployments are available (Render, Fly.io). Full development requires Docker 24+, Node.js 20+, pnpm 8+, Go 1.21+, Python 3.11+. API keys for optional AI providers may be needed. Live demo: https://tryaisoc.com.

Highlighted Details

  • AI-Powered Security Operations: LangGraph agents with persistent memory and RAG over MITRE ATT&CK enable natural-language threat hunting and traceable investigations.
  • Real-time Data Fusion & Detection: A Kafka spine supports sub-second ingestion, ML scoring, and Risk-Based Alerting (RBA) targeting a ≥ 50:1 alert-to-incident ratio. Detection-as-Code (DAC) facilitates rule management across Sigma, YARA, and multiple query languages.
  • Integrated Security Capabilities: Features include federated search across SIEMs, Neo4j knowledge graph for attack path analysis, UEBA, honeytokens, purple team emulation (ART/Caldera), and External Attack Surface Management (EASM).
  • Enterprise Governance: Supports SAML/OIDC SSO, granular RBAC, immutable audit logs, compliance evidence dashboards (SOC 2, ISO 27001), and SLA tracking.

Maintenance & Community

A public roadmap outlines future development, with recent additions including autonomous triage agents and EASM. The project welcomes contributions via pull requests, with specific areas like new connector integrations and detection rules highlighted as good starting points.

Licensing & Compatibility

The project is released under the permissive MIT license, allowing for unrestricted use, modification, and distribution, including in commercial and closed-source environments.

Limitations & Caveats

Deploying and managing the full stack, with its diverse datastores (Kafka, ClickHouse, Neo4j, etc.), requires significant operational expertise. While deterministic modes exist, full AI capabilities may necessitate API keys for external LLM providers, incurring associated costs.

Health Check

Last Commit: 1 day ago

Responsiveness: Inactive

Pull Requests (30d): 203

Issues (30d): 14

Star History: 1,130 stars in the last 24 days
