SecurityClaw  by SecurityClaw

Autonomous SOC agent for real-time threat detection

Created 4 months ago
251 stars

Top 99.8% on SourcePulse

GitHubView on GitHub
Project Summary

SecurityClaw is an autonomous Security Operations Center (SOC) agent designed to automate threat detection, investigation, and response. It addresses the challenge of real-time security data analysis by leveraging a modular, skill-based architecture, RAG-powered memory, and LLM-driven anomaly validation, providing security teams with an intelligent, agentic framework for proactive defense.

How It Works

SecurityClaw employs a modular, skill-based design where capabilities are isolated folders containing Python logic and LLM instructions. It utilizes a RAG-based approach, storing vector embeddings of network behavior in OpenSearch/Elasticsearch to build a contextual memory. Orchestration is handled by LangGraph, implementing a DECIDE→EXECUTE→EVALUATE loop, while manifest-grounded planning ensures supervisor actions align with declared skill contracts, enhancing reliability and maintainability. A heartbeat scheduler manages background tasks like anomaly watching and memory building.

Quick Start & Requirements

  • Prerequisites: Python 3.11+, Git, OpenSearch 2.x or Elasticsearch 8.x (or mock), Ollama for LLM hosting, 4GB+ RAM, ~2GB disk space.
  • Ollama Setup: Install Ollama, start the server, and pull required models (qwen2.5:7b-instruct-q4_K_M, nomic-embed-text:latest).
  • Installation: Clone the repository, create and activate a Python virtual environment, and install dependencies via pip install -r requirements.txt.
  • Onboarding: Run .venv/bin/python main.py onboard to configure database, LLM, and API settings.
  • Running: Use .venv/bin/python main.py service to launch the web UI, API, and scheduler, or .venv/bin/python main.py run for CLI/background operation.
  • Documentation: Detailed setup guidance is available in ONBOARDING.md.

Highlighted Details

  • Skill Modularity: Capabilities are self-contained directories (logic.py, instruction.md) for easy management and extension.
  • RAG-Based Behavioral Memory: Leverages vector embeddings in OpenSearch for context-aware threat analysis and decision-making.
  • LangGraph Orchestration: Implements a robust multi-step agentic loop (DECIDE→EXECUTE→EVALUATE) with state checkpointing.
  • Manifest-Grounded Planning: Ensures agent planning and retries are validated against skill manifest contracts.
  • Web Interface: A React-based UI provides chat interaction, memory visualization, and skill dispatch capabilities.

Maintenance & Community

The README does not detail specific contributors, sponsorships, or community channels (e.g., Discord, Slack). Areas for enhancement are listed under "Contributing," suggesting active development focus.

Licensing & Compatibility

The provided README does not specify a software license. This omission presents a significant adoption blocker, as the terms for use, modification, and distribution are unclear. Compatibility with commercial or closed-source applications is undetermined without a license.

Limitations & Caveats

Several skills are marked as "In-Progress" and require active validation or refactoring, including anomaly_triage, forensic_examiner, and baseline_querier. Enhancements such as advanced MITRE ATT&CK mapping, improved RAG context parsing, and multi-tenant support are noted as future development areas. The absence of a defined software license is a critical limitation for adoption.

Health Check
Last Commit

3 weeks ago

Responsiveness

Inactive

Pull Requests (30d)
2
Issues (30d)
0
Star History
5 stars in the last 30 days

Explore Similar Projects

Starred by Dan Guido Dan Guido(Cofounder of Trail of Bits), Chip Huyen Chip Huyen(Author of "AI Engineering", "Designing Machine Learning Systems"), and
1 more.

cai by aliasrobotics

0.6%
9k
Cybersecurity AI (CAI) is an open framework for building AI-driven cybersecurity tools
Created 1 year ago
Updated 1 month ago
Feedback? Help us improve.