Open-source · MIT · community-maintained

An auditable AI SOC.

Agent prompts, tool calls and decisions are recorded in an investigation ledger and can be replayed per case. The pipeline underneath is gated by a 200-incident eval harness that runs on every PR targeting main / develop. MIT-licensed and self-hostable.

Demo opens on a pre-seeded investigation. No signup. Resets daily.

Agent decisions
Ledger

prompt + tool + rationale per step

Eval harness
200 cases

runs in CI on every PR to main / develop

License
MIT

audit, fork, self-host

Attack graph (preview)

Nodes: Internet, WF-01, SRV-FIN-04, DC-01, SCCM, Okta
Techniques: T1078 Valid Accounts · T1021 Remote Services · T1110 Brute Force · T1486 Data Encrypted for Impact

AiSOC Copilot: "Detected lateral movement between SRV-FIN-04 and DC-01. Linked to T1021.002. Recommend isolating host and revoking session tokens."

Platform

What is in the box

Ingest, detection, analysis and response are separate services that can be inspected, extended and run in your own environment.

Streaming correlation

Events flow through Kafka into rule- and ML-based detectors. Latency depends on deployment size; on the demo stack alerts typically surface in well under a second.
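A concrete instance of the rule-based side of that correlation, added here as an example and not AiSOC's own correlator code: a stateful detector that watches a logon stream for a burst of failures followed by a success from the same user and source, the T1110 → T1078 sequence shown in the preview above. The event schema, the 60-second / 5-failure thresholds and the sample stream are assumptions; in a Kafka deployment the correlator object would be the per-partition state of a consumer on a topic keyed by (user, src_ip), which is what guarantees the per-key ordering the code relies on.

```python
"""Stateful stream correlation: a burst of failed logons followed by a success
from the same (user, source) inside a sliding window, mapped to T1110 then T1078.

Added example, not AiSOC's correlator. Event schema, thresholds and the sample
stream are assumptions; per-key timestamp order is assumed (Kafka gives you that
when the topic is keyed on the same tuple)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Alert:
    user: str
    src_ip: str
    failures: int
    ts: int
    techniques: tuple = ("T1110", "T1078")  # Brute Force, then Valid Accounts


class BruteForceCorrelator:
    def __init__(self, window_s: int = 60, threshold: int = 5):
        self.window_s = window_s
        self.threshold = threshold
        self._failures = defaultdict(deque)  # (user, src_ip) -> failure timestamps

    def _evict(self, key, now):
        """Drop failures older than the window relative to the current event."""
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def process(self, event: dict):
        """Feed one event; return an Alert when a success closes a qualifying burst."""
        key = (event["user"], event["src_ip"])
        now = event["ts"]
        self._evict(key, now)
        if event["outcome"] == "failure":
            self._failures[key].append(now)
            return None
        if event["outcome"] == "success":
            n = len(self._failures[key])
            self._failures[key].clear()  # one burst, one alert
            if n >= self.threshold:
                return Alert(event["user"], event["src_ip"], n, now)
        return None


def run(events):
    """Run the correlator over an ordered stream and collect the alerts."""
    corr = BruteForceCorrelator()
    return [a for a in map(corr.process, events) if a is not None]


def _logon(ts, user, src_ip, outcome):
    return {"ts": ts, "user": user, "src_ip": src_ip, "outcome": outcome}


SAMPLE_EVENTS = [  # constructed identity-provider logon events, sorted by ts
    *(_logon(t, "alice", "203.0.113.7", "failure") for t in range(0, 30, 5)),   # 6 failures in 25 s
    _logon(30, "alice", "203.0.113.7", "success"),                               # burst, then success
    _logon(31, "bob", "198.51.100.4", "failure"),
    _logon(35, "bob", "198.51.100.4", "failure"),
    _logon(40, "bob", "198.51.100.4", "success"),                                # two typos, not a spray
    *(_logon(t, "carol", "192.0.2.9", "failure") for t in range(100, 220, 20)),  # 6 failures over 100 s
    _logon(230, "carol", "192.0.2.9", "success"),                                # only 2 still in window
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner will hit immediately. First, the window is event-time per key, so late or re-ordered delivery across partitions does not break it, but events for one key must arrive in order; if the topic is keyed differently, buffer by event time before correlating. Second, this pattern keys on (user, src_ip), so a password spray that tries one password against many users from one source never trips it; that case needs a second detector keyed on src_ip alone, counting distinct users.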

Agent-assisted triage

The copilot enriches alerts with threat intel, identity context and host telemetry, and records the prompts and rationale behind each decision.
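What "records the prompts and rationale behind each decision" needs to look like if the record is to be trusted later, shown as an added example rather than AiSOC's own ledger code: each agent step (prompt, tool call, arguments, result, rationale) becomes an entry whose SHA-256 hash covers the previous entry's hash, so any after-the-fact edit or reordering is caught on replay. The field names, the chaining scheme and the sample case (built around the hosts in the preview above) are assumptions.

```python
"""Hash-chained investigation ledger: one entry per agent step, verifiable and
replayable per case.

Added example, not AiSOC's ledger implementation. Field names, the SHA-256
chaining scheme and the sample case are assumptions for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash canonical JSON of the record together with the previous hash, so a
    change to any field, or a reordering of entries, breaks every later hash."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


class InvestigationLedger:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: list[dict] = []

    def append(self, prompt: str, tool: str, args: dict, result, rationale: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"case_id": self.case_id, "seq": len(self.entries),
                  "prompt": prompt, "tool": tool, "args": args,
                  "result": result, "rationale": rationale}
        h = _entry_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def head(self) -> str:
        """Latest hash. Publish it where the writer cannot edit it (signed, or a
        write-once store); the chain alone does not detect truncation of the tail."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, first bad seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            rec = e["record"]
            if e["prev"] != prev or rec["seq"] != i or _entry_hash(prev, rec) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def replay(self):
        """Steps in order for review; refuses to replay a chain that fails verification."""
        ok, bad = self.verify()
        if not ok:
            raise ValueError(f"ledger integrity failure at seq {bad}")
        return [(e["record"]["seq"], e["record"]["tool"], e["record"]["rationale"])
                for e in self.entries]


def build_demo_ledger() -> InvestigationLedger:
    """Constructed case; hosts, tools and findings are illustrative."""
    led = InvestigationLedger("CASE-0042")
    led.append(prompt="Triage alert: SMB admin-share logon SRV-FIN-04 -> DC-01",
               tool="edr.process_tree", args={"host": "SRV-FIN-04"},
               result={"parent": "net.exe", "user": "CORP\\svc_backup"},
               rationale="net.exe to ADMIN$ from a service account is not expected on a finance server")
    led.append(prompt="Is svc_backup expected to log on interactively?",
               tool="idp.session_lookup", args={"user": "svc_backup"},
               result={"sessions": 3, "mfa": False},
               rationale="Three concurrent sessions without MFA for a service account")
    led.append(prompt="Recommend containment",
               tool="case.recommend", args={"host": "SRV-FIN-04"},
               result={"actions": ["isolate_host", "revoke_sessions"]},
               rationale="Maps to T1021.002; isolate host and revoke session tokens")
    return led


def tamper_demo():
    """Edit a rationale after the fact and show that verification catches it."""
    led = build_demo_ledger()
    led.entries[1]["record"]["rationale"] = "benign admin activity, no action"
    return led.verify()


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("head:", ledger.head(), "verify:", ledger.verify())
    print("after tamper:", tamper_demo())
```

The chain makes edits and reordering evident, which is what a replay needs; it does not by itself stop an operator with write access from dropping the last entries and re-signing nothing, hence the note on `head()`. Tool results that are large or sensitive (raw EDR dumps, credentials in a captured command line) belong in the record as a hash plus a pointer, not inline.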

MITRE ATT&CK mapping

Detection rules, alerts and the coverage heatmap reference ATT&CK techniques, so coverage gaps show up alongside live activity.

Attack graph

A graph view links identities, hosts and assets, with pivots into the hunter and case views.

Detection-as-code

Sigma, KQL, EQL and YAML rules can be authored in the inline editor, tested against historical data and version-controlled in Git.
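The "tested against historical data" step, added here as an example (it is neither AiSOC's detection engine nor the pySigma library): a Sigma-style rule written as the Python dict equivalent of its YAML, a matcher for the common `contains` / `startswith` / `endswith` / `all` modifiers and for `and` / `or` / `not` conditions over named selections, and a backtest over a handful of constructed process-creation events. The rule, the events and the supported subset of Sigma are assumptions; forms such as `1 of them` are not handled.

```python
"""Minimal Sigma-style rule evaluation against historical events.

Added example, not AiSOC's engine or pySigma. The rule is the dict form of a
Sigma YAML document; supported modifiers are contains/startswith/endswith/all
and conditions may use and/or/not/parentheses over named selections."""
import re

RULE = {  # constructed rule; shape and tag format follow Sigma conventions
    "title": "Net Use to Admin Share",
    "tags": ["attack.lateral_movement", "attack.t1021.002"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": [r"\net.exe", r"\net1.exe"],
            "CommandLine|contains|all": ["use", "$"],
        },
        "filter_ipc": {"CommandLine|contains": "IPC$"},
        "condition": "selection and not filter_ipc",
    },
}

_OPS = {
    "equals": lambda v, e: v == e,
    "contains": lambda v, e: e in v,
    "startswith": lambda v, e: v.startswith(e),
    "endswith": lambda v, e: v.endswith(e),
}


def _match_field(event, key, expected):
    """Sigma string matching is case-insensitive; a list is OR unless |all is set."""
    name, *mods = key.split("|")
    if name not in event:
        return False
    value = str(event[name]).lower()
    values = expected if isinstance(expected, list) else [expected]
    op = next((m for m in mods if m in _OPS), "equals")
    hits = [_OPS[op](value, str(e).lower()) for e in values]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event, sel):
    if isinstance(sel, list):  # a list of maps: any one map may match
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())


def _eval_condition(cond, truth):
    """Recursive-descent evaluation of e.g. 'a and not (b or c)' over selection results."""
    tokens = re.findall(r"\(|\)|\w+", cond)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():
        v = term()
        while peek() == "or":
            take()
            r = term()
            v = v or r
        return v

    def term():
        v = factor()
        while peek() == "and":
            take()
            r = factor()
            v = v and r
        return v

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            take()  # closing parenthesis
            return v
        return truth[tok]

    return expr()


def match_rule(rule, event):
    det = rule["detection"]
    truth = {n: _match_selection(event, s) for n, s in det.items() if n != "condition"}
    return _eval_condition(det["condition"], truth)


def backtest(rule, events):
    """Indices of the historical events the rule would have fired on."""
    return [i for i, e in enumerate(events) if match_rule(rule, e)]


HISTORY = [  # constructed process_creation events
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\DC-01\C$ /user:CORP\svc_backup Summer2024!"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\DC-01\IPC$"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"NET USE \\SRV-FIN-04\ADMIN$"},
]

if __name__ == "__main__":
    print("matches:", backtest(RULE, HISTORY))
```

The backtest is the cheap part; the useful part of running it in CI is the pair of numbers it gives you for a rule change, hits on a labelled incident set versus hits on a week of known-benign history, which is exactly what a Git-reviewed rule PR should carry. Note the filter: without it the IPC$ connection that every `net use` makes first would fire the rule on benign activity.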

Pluggable connectors

A connector framework handles ingest, schema mapping and rate limits for cloud trails, EDR, identity, network and SaaS sources.

How it works

Pipeline overview

Each stage is a separate service with its own container image and interface, so individual components can be swapped or replaced.

Stage 1
Sources
  • Cloud trails
  • EDR
  • Identity
  • Network
  • SaaS APIs
  • Custom
Stage 2
Ingest
  • Kafka topics
  • Connector framework
  • Schema normalisation
Stage 3
Detect & enrich
  • Sigma / KQL / EQL
  • ML correlator
  • Threat intel
  • Identity graph
Stage 4
Reason
  • Agentic copilot
  • Attack graph
  • MITRE mapper
  • Case builder
Stage 5
Respond
  • Playbooks
  • Connector actions
  • Webhooks
  • Audit trail
Storage tier
Different stores are used for different workloads.
  • PostgreSQL · metadata
  • ClickHouse · events
  • OpenSearch · search
  • Neo4j · graph
  • Qdrant · embeddings
  • Redis · cache
MITRE ATT&CK

Coverage by tactic

Detection rules and alerts reference ATT&CK techniques, and the console renders a live heatmap from the deployed rule set. The tiles below are illustrative; numbers depend on which detection packs you enable.

Legend: ≥ 85% covered · 65-84% · 45-64% · < 45%

Tactic                         Techniques covered   Share
TA0001  Initial Access          9 / 11              82%
TA0002  Execution              12 / 14              86%
TA0003  Persistence            14 / 19              74%
TA0004  Priv. Escalation       11 / 13              85%
TA0005  Defense Evasion        27 / 42              64%
TA0006  Credential Access      14 / 17              82%
TA0007  Discovery              19 / 30              63%
TA0008  Lateral Movement        8 / 9               89%
TA0009  Collection             10 / 17              59%
TA0011  Command and Control    12 / 16              75%
TA0010  Exfiltration            7 / 9               78%
TA0040  Impact                 10 / 13              77%
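How a tile such as "Lateral Movement 8 / 9" is derived from the deployed rule set, as an added example and not the console's heatmap code: rules carry Sigma-convention tags (`attack.<tactic>`, `attack.t<id>[.<sub>]`), sub-technique tags roll up to their parent, disabled rules do not count, and each technique is scored against the tactics it belongs to in the matrix rather than against whichever tactic tag the rule author picked. The nine Lateral Movement techniques are ATT&CK's own; the Initial Access list is a constructed excerpt, so its denominator is illustrative. The rules themselves are constructed metadata.

```python
"""ATT&CK coverage by tactic, computed from the tags of the deployed rule set.

Added example, not the console's heatmap code. Tag format follows the Sigma
convention. Lateral Movement lists the nine ATT&CK techniques in that tactic;
Initial Access is a constructed excerpt, not the full tactic."""
import re

TECHNIQUES_BY_TACTIC = {
    "lateral_movement": {"T1021", "T1072", "T1080", "T1091", "T1210",
                         "T1534", "T1550", "T1563", "T1570"},
    "initial_access": {"T1078", "T1133", "T1189", "T1190", "T1566"},  # excerpt only
}

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4})(?:\.\d{3})?$", re.IGNORECASE)


def techniques_of(rule: dict) -> set[str]:
    """Parent technique IDs a rule references; sub-technique tags roll up to the parent."""
    return {m.group(1).upper() for tag in rule.get("tags", [])
            if (m := TECHNIQUE_TAG.match(tag))}


def bucket(pct: float) -> str:
    """Same thresholds as the heatmap legend."""
    if pct >= 85:
        return ">=85% covered"
    if pct >= 65:
        return "65-84%"
    if pct >= 45:
        return "45-64%"
    return "<45%"


def coverage(rules, universe=TECHNIQUES_BY_TACTIC):
    """Per tactic: (covered, total, percent, legend bucket).

    A technique counts only if an enabled rule references it. A technique that
    appears in several tactics (T1078 does) counts in each of them, which is why
    the tactic comes from the matrix and not from the rule's own tactic tag."""
    covered = set()
    for rule in rules:
        if rule.get("enabled", True):
            covered |= techniques_of(rule)
    report = {}
    for tactic, techs in universe.items():
        hit = covered & techs
        pct = 100 * len(hit) / len(techs)
        report[tactic] = (len(hit), len(techs), round(pct), bucket(pct))
    return report


SAMPLE_RULES = [  # constructed rule metadata, tags only
    {"title": "Net Use to Admin Share", "tags": ["attack.lateral_movement", "attack.t1021.002"]},
    {"title": "RDP from non-jump host", "tags": ["attack.lateral_movement", "attack.t1021.001"]},
    {"title": "PsExec service install", "tags": ["attack.lateral_movement", "attack.t1570"]},
    {"title": "RDP session hijack via tscon", "tags": ["attack.lateral_movement", "attack.t1563.002"]},
    {"title": "SMB exploit signature", "tags": ["attack.lateral_movement", "attack.t1210"]},
    {"title": "Pass-the-hash logon", "tags": ["attack.lateral_movement", "attack.t1550.002"]},
    {"title": "SCCM package push from unusual account", "tags": ["attack.lateral_movement", "attack.t1072"]},
    {"title": "LNK dropped on file share", "tags": ["attack.lateral_movement", "attack.t1080"]},
    {"title": "USB autorun", "tags": ["attack.lateral_movement", "attack.t1091"]},
    {"title": "Internal phishing", "tags": ["attack.lateral_movement", "attack.t1534"], "enabled": False},
    {"title": "Logon from new country", "tags": ["attack.initial_access", "attack.t1078"]},
    {"title": "Macro document from mail", "tags": ["attack.initial_access", "attack.t1566.001"]},
]

if __name__ == "__main__":
    for tactic, row in coverage(SAMPLE_RULES).items():
        print(f"{tactic:20} {row[0]:2} / {row[1]:<2}  {row[2]:3}%  {row[3]}")
```

The number this produces is "techniques with at least one enabled rule", which is the weakest useful definition of coverage: one narrow rule on T1021 lights the tile green even though T1021 has six sub-techniques. Scoring at sub-technique level, or weighting by backtest results, is a straightforward extension of the same loop.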
Open source · MIT

Built in the open.

AiSOC is a single-edition open-source project. There are no separate “community” and “enterprise” builds, no runtime fees and no per-seat licensing.

terminal
$ git clone https://github.com/beenuar/AiSOC
$ cd aisoc && make up
$ pnpm seed:demo
 Console ready at http://localhost:3000

MIT licensed

Use it, fork it, build services around it. No CLA, no telemetry, no calls home.

Self-hosted by default

docker compose up runs the full stack on your own hardware. Managed hosting is optional.

Auditable end to end

Detections, agent decisions and connector actions are logged with inputs, prompts and rationale.

Community-maintained

Maintained in the open by SOC analysts, detection engineers and contributors. Security disclosures are handled via SECURITY.md.