MCPcopy Index your code
hub / github.com/beenuar/AiSOC

github.com/beenuar/AiSOC @v7.5.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v7.5.0 ↗ · + Follow
16,204 symbols 65,984 edges 1,727 files 5,845 documented · 36%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

AiSOC

AiSOC

An open-source, self-hostable AI SOC. The agent's prompts, tool calls, and rationale are logged step-by-step and replayable. MIT-licensed.

License: MIT Public eval harness: CI-gated PRs welcome Version Live demo on Fly.io (v7.5 live) Render demo (one-click)

Live demo · How AiSOC compares · Public eval harness · Deploy in 60 seconds · Deployment options · Architecture · Docs

The demo at tryaisoc.com is a self-hosted instance fronted by a Cloudflare Tunnel — when it's reachable, the stack is running locally on a maintainer's box. It can therefore go offline at any time. To run your own (in 3.5 min, with seeded data), see One-shot demo; to expose your own instance on your own domain via Cloudflare Tunnel, see Public demo on your own domain. The Fly.io demo at tryaisoc.com is the canonical AiSOC instance — the badge above links there.

GitHub topics


What AiSOC is

AiSOC is a single self-hostable stack that ingests security events, correlates them, runs AI-driven investigation, and surfaces the result in a SOC console. The agent and the substrate are MIT-licensed, so you can read, fork, or replace either of them.

Three properties distinguish it from closed-source AI SOC vendors:

  1. Agent decisions are logged. The Investigation Ledger stores the LLM prompt, the response, the evidence cited, and the downstream tool calls for every step of every run. Replays are available later.
  2. The substrate has a public eval harness in CI. Five suites gate every PR targeting main / develop: a 200-incident synthetic dataset drawn from 55 distinct templates drives the MITRE-tactic, investigation-completeness, and response-quality gates (each reporting both a per-case mean and a per-template macro so a single broken template can't hide behind 199 working duplicates); a separately generated 1,000-alert noisy stream drives the alert-reduction gate; and a schema/coverage gate validates synthetic_telemetry.jsonl — the companion corpus of ~360 backing events across 14 log sources (Sysmon, Windows Security, M365 audit, Azure sign-in, CloudTrail, Linux auditd, journald, EDR, DNS, web access, Kubernetes audit, GitHub audit, VPN, DB audit) that connector and Sigma PRs can wire against. Alert reduction is a real measurement against the fixed alert stream; the three rubric-based suites are substrate self-consistency gates over deterministic templates. The benchmark page explains exactly which is which.
  3. It runs entirely on your infrastructure. No callbacks to a vendor cloud and no data exfiltration for "model improvement."

The orchestrator is a ~600-line LangGraph in services/agents/. It is small enough to read end-to-end, swap models in, and patch.


What's new

VERSION is 7.5.0. The v7.5.0 release (2026-06-29) is a v8.0-milestone and trust-readiness release. It tags the AiSOC missing pieces — Phases 1–5 rollup (PR #337; 25 commits, 188 files, +23 743 / -907), the four named v8.0 milestones (T3.7 NL→playbook, T3.8 design system v2 + Storybook, T4 wave-3 marketplace + 6 hardened connectors, T5.3 fidelity loaders), the marketing-shell unification on tryaisoc.com, the threat-actor attribution RBAC + port fix, the realtime short-lived-ticket auth, the boundary-aware KB chunker, the Terraform CI workflow + the three missing reusable infra modules (rds, elasticache, kafka), and a large Dependabot + security sweep — every change that landed on main since 7.4.0. The full inventory lives under [7.5.0] in CHANGELOG.md.

v7.5.0 highlights (June 29, 2026) - AiSOC missing pieces — Phases 1–5 rollup (PR #337): trust-critical honesty fixes on /sovereign + Features + README, CI matrix expanded to 7 previously-untested Python services (~971 new test signals), coverage gates, real SOAR executors for SentinelOne EDR / PAN-OS / FortiGate / Cloudflare WAF + DNS / Splunk ES / Elastic / MDE / Entra ID / Google Workspace, real CreateTicketExecutor wired to Jira / ServiceNow / PagerDuty, Azure/GCP/Okta/GWS effective-permissions resolvers, managed-mode auto-provision pipeline (infra/fly/managed/), CI-built white-paper PDFs + 90 s Playwright screencast, the deterministic NL → ES|QL / KQL / SPL translator (81-case eval at 100 % syntactic + 100 % semantic), real-browser visual regression, a buyer-journey E2E, and four immutable ADRs (docs/decisions/00010004). - v8.0 milestones — T3.7 NL → playbook generator (#330); T3.8 design system v2 + Storybook (#331, restored DraftFromPromptDialog story in #335, Storybook publicDir fix in #336); T4 wave-3 marketplace + 6 hardened connectors (#333, wave-1 parity hardening in #328); T5.3 AIT-LDS + MITRE Engenuity fidelity loaders (#332). - Threat-actor attribution — port fix + optional RBAC. The investigation agent's default AISOC_THREATINTEL_URL was http://threatintel:8083; the service binds 8005 — every POST /api/v1/actors/attribute therefore hit a port nothing listens on and silently degraded. Default corrected, docs + AISOC_ATTRIBUTION_TIMEOUT_SECONDS aligned, regression test added (#327). Same release ships an opt-in shared-secret gate on /api/v1/actors/* (#329): when AISOC_THREATINTEL_SERVICE_TOKEN is set, callers must present Authorization: Bearer <token> (constant-time compared, 401 on mismatch); when unset, the legacy unauthenticated behaviour is preserved and a startup warning is logged. - Marketing-shell unification on tryaisoc.com. Every /(marketing) page plus the standalone /not-found, /why-open-source, and /benchmark routes now renders the same StickyNav + sections/Footer shell; the older simpler LandingNav.tsx and landing/Footer.tsx were deleted, eleven marketing pages had their per-page nav/footer JSX + imports removed, (marketing)/layout.tsx centrally injects the shell, and StickyNav's anchors were absolutised so they resolve identically from the landing page and from any subpage. - Knowledge-base ingest — boundary-aware chunking with overlap (#321, closes #277). KB ingestion no longer splits mid-sentence or mid-code-fence; the new chunker prefers paragraph / sentence / code-block boundaries and applies a configurable overlap so retrieval doesn't lose context across chunks. - Realtime — WS/SSE authenticated via short-lived tickets (#246, closes #239). The realtime service's WebSocket and SSE endpoints now require a short-lived signed ticket that the API mints for the authenticated session, closing the unauthenticated fan-out surface that lived between services/realtime and apps/web. - Infrastructure — Terraform CI + missing core modules. A Terraform workflow gates every change to infra/terraform/** with init/validate/fmt -check (#251). The three reusable modules the AWS and BYOC references were already importing — rds, elasticache, kafka — are now actually present in infra/terraform/modules/ (#252) so a fresh terraform init against the multi-cloud skeletons no longer errors on missing sources. - Dependency & CI maintenance. ~15 Dependabot landings including next 16.2.7 → 16.2.9, framer-motion 11 → 12.40.0, cryptography updates across services, FastAPI updates in services/{api,actions,agents}, actions/checkout v6 → v7; aiohttp 3.14.1 clears CVE-2026-34993 + CVE-2026-47265 (#295); pnpm audit high/critical findings cleared (#322) so the dep-bump queue could merge; a duplicate @mdx-js/react key that was breaking pnpm install on fresh clones removed (#296).

Previously, in v7.4.0 (May 29, 2026) — security-hardening and platform release that tagged the May 27–29 hardening wave, multi-agent routing, and the multi-cloud infrastructure skeletons that had accumulated on main since 7.3.1. The full inventory lives under [7.4.0] in CHANGELOG.md. - Security hardening — prompt-injection sanitizer wired into the classification agents; cross-tenant isolation enforced on detection-loop suggestions and the compliance / phishing / knowledge-base endpoints; a nightly cross-tenant RBAC regression gate; cryptography CVEs cleared and CodeQL quality notes resolved. - Multi-agent routingDetectAgent.process wired to the FusionEngine over cross-service HTTP; /investigate routed through the RouterOrchestrator behind the ROUTER_INVESTIGATE flag; a Redis-backed scheduler singleton guard for in-process workers. - Multi-cloud infrastructure — serverless-container Terraform skeletons for GCP (Cloud Run + Cloud SQL + Memorystore) and Azure (Container Apps + PostgreSQL Flexible Server + Cache for Redis), mirroring the AWS/EKS reference file-for-file. - Live dashboard & landing — real /metrics data restored on tryaisoc.com/dashboard, API/agents machines kept warm so the dashboard no longer 500s, seed timestamps re-anchored so it never goes empty, and the landing CTAs pointed at the live dashboard. - Dependency & CI maintenance — a large Dependabot sweep across the Python, JS, and Go services plus CI stabilization (Ruff cleanup, OpenAPI export permissions, lockfile dedupe).

Hardening detail folded into v7.4.0 (May 27–28, 2026) - Security Audit greencryptography floor raised to 44.0.1 to clear CVE-2024-12797 and later 42.x advisories across services/connectors and services/osquery-tls; advisories without an upstream fix are time-boxed (90-day expiry) in scripts/security_audit_ignores.txt (#229). - Tenant-isolation fix — detection-loop suggestion lookups are now scoped to the caller's tenant, closing a cross-tenant read path (#221). - Full stack boots clean — the reserved window column is now quoted and pydantic[email] ships in the image, so docker compose comes up end-to-end without manual patching (#227). - OpenAPI auto-export unblocked — the spec-export CI job now has contents: write, so the committed OpenAPI document re-syncs on every merge (#228). - CodeQL quality notes cleared — remaining low-severity CodeQL findings resolved on main (#224). - Dependency refreshzod 3 → 4.4.3 (#225), recharts 2 → 3.8.1 (#209), plus a Dependabot sweep across fastapi, uvicorn, pydantic, structlog, openai, weasyprint, strawberry-graphql, prometheus-client, go-chi, turbo, and @types/react. - Credits — new Credits section thanking contributors and security researchers (#223).

Console workbenches (v1.5 PR-1 → PR-6) — the SOC operator surface is now a workbench, not a list. - Global time-window selector + topbar context — one selector at the top of the console drives every page (Alerts, Cases, Hunts, Funnel KPIs, Pipeline Health). Persists across reloads, deep-linkable as a URL param. - Tenant switcher + role badge — MSSP operators flip tenants from the topbar; the role badge makes it impossible to confuse a viewer session with an admin session. New endpoint: GET /api/v1/tenants/me/identity. - Critical severity tier — the severity ladder is now info | low | medium | high | critical. Vendor-native criticals (Azure 5-tier, GCP SCC, GitHub critical, ServiceNow priority 1, GuardDuty ≥ 8.0, AuditD identity-destruction, K8s cluster-admin, Tailscale tailnet lockdown) map straight through instead of being collapsed into high. Confidence (alert.confidence, 0–100, band low|medium|high)

Extension points exported contracts — how you extend this code

Connector (Interface)
Connector is implemented by plugins that ingest events from external data sources. [7 implementers]
packages/plugin-sdk-go/aisoc/connector.go
Provider (Interface)
Provider fetches a resource's configuration at event time. Implementations MUST honor ``ctx`` deadlines aggressively: t [5 …
services/ingest/internal/config_snapshot/snapshotter.go
Connector (Interface)
(no doc) [7 implementers]
packages/types/src/connector.ts
Connector (Interface)
(no doc) [7 implementers]
packages/sdk-ts/src/types.ts
Connector (Interface)
(no doc) [7 implementers]
apps/web/src/lib/api.ts
LakeQueryServerResponse (Interface)
Server response for ``POST /api/v1/lake/sql``.
services/mcp/src/tools/lake.ts
RawAlertInput (Interface)
(no doc)
packages/ocsf/src/normalize.ts
Column (Interface)
(no doc)
packages/ui/src/components/DataTable.tsx

Core symbols most depended-on inside this repo

get
called by 7008
plans/cyble-aisoc/platform/sdk/connector-ts/src/index.ts
append
called by 2026
plans/cyble-aisoc/platform/backend/app/memory/scratchpad.py
S
called by 616
scripts/detection_specs_part3_helpers.py
post
called by 456
plans/cyble-aisoc/platform/sdk/connector-ts/src/index.ts
replace
called by 359
services/api/app/services/business_context/engine.py
add
called by 218
plans/cyble-aisoc/platform/backend/app/detections/pack.py
render
called by 213
scripts/render_white_paper.py
resolve
called by 195
services/api/app/services/effective_permissions/base.py

Shape

Function 8,345
Method 4,282
Class 1,993
Route 727
Interface 661
Struct 179
TypeAlias 10
Enum 7

Languages

Python82%
TypeScript13%
Go5%

Modules by API surface

apps/web/src/lib/api.ts240 symbols
services/api/tests/test_plugin_manager.py90 symbols
services/api/tests/test_misp_push.py85 symbols
services/api/tests/test_alert_explain.py81 symbols
services/connectors/tests/test_auditd_connector.py73 symbols
services/api/app/api/v1/endpoints/cases.py69 symbols
plans/cyble-aisoc/platform/backend/app/api/routes.py69 symbols
services/api/app/api/v1/endpoints/mssp.py68 symbols
plans/cyble-aisoc/platform/backend/app/connectors/sdk/mocks.py65 symbols
services/api/tests/test_tenant_provision.py60 symbols
scripts/tests/test_security_audit.py58 symbols
services/api/tests/test_alert_queue.py57 symbols

Datastores touched

aisocDatabase · 1 repos
dbnameDatabase · 1 repos
dbDatabase · 1 repos

For agents

$ claude mcp add AiSOC \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact