gitmyhub

AiSOC

Python ★ 1.5k updated 1d ago

Open-source AI-powered Security Operations Center — alert fusion, purple-team drills, agent-assisted triage, MITRE ATT&CK investigation. MIT-licensed, self-hostable.

AiSOC is a self-hosted AI-powered security operations center that ingests security alerts from your existing tools, correlates and investigates them using AI, and tells your team what actually needs attention.

PythonLangGraphsetup: hardcomplexity 4/5

AiSOC is an open-source security operations center powered by AI. It takes incoming security alerts from your existing tools, correlates them, and uses an AI agent to investigate whether they represent a real threat. The core benefit is that it helps security teams cut through alert noise and figure out what actually needs attention, all running on your own infrastructure rather than a vendor's cloud.

At a high level, the system ingests security events from dozens of common sources like endpoint protection, cloud providers, and identity systems. Those events flow through a pipeline that normalizes and enriches them with threat intelligence. Then an AI agent built on a framework called LangGraph takes over, reasoning through the alerts, pulling evidence, and producing a narrative investigation you can read in a web console. What stands out is that every step the AI takes — its prompts, tool calls, and reasoning — gets logged in what the project calls an Investigation Ledger, so you can replay exactly how it reached its conclusions.

The people who would use this are security analysts and SOC teams, especially at organizations that want to self-host their security tooling rather than send data to a third-party SaaS. For example, if your team is drowning in thousands of alerts a day from various tools, this could help triage and prioritize them. It also includes a natural-language hunt feature where an analyst can type a hypothesis in plain English and get back query code to search their data.

A few things make this project notable. It is fully MIT-licensed, meaning you can read, modify, or replace any part of it. The project runs a public benchmark harness on every code change to measure whether alert accuracy is improving or regressing, which is unusual transparency for a security tool. It also ships with a zero-dependency simulator you can run in seconds to see how the AI investigation funnel works without setting up any infrastructure. Finally, it integrates with AI coding assistants like Claude and Cursor, so analysts can query alerts and replay investigations directly from their development environment.

Where it fits