// the find
beenuar/AiSOC
Open-source AI-powered Security Operations Center — alert fusion, purple-team drills, agent-assisted triage, MITRE ATT&CK investigation. MIT-licensed, self-hostable.
AiSOC is a self-hostable AI Security Operations Center that ingests security events, correlates them, and runs LLM-driven investigation via a LangGraph orchestrator. Every prompt, tool call, and rationale the agent produces is stored in a replayable Investigation Ledger — the key differentiator over closed-source AI SOC products. It's aimed at security teams who need full data residency and want to read or modify the agent logic themselves.
The Investigation Ledger is the right answer to the 'why did the AI do that?' problem: every LLM call is stored with its prompt, response, evidence cited, and downstream tool calls, replayable in the UI later. The aisoc-sandbox package deserves credit — a zero-dependency, offline agent simulator that runs a full Detect→Triage→Hunt→Respond walkthrough in under 5 seconds is a much better first-touch than 'spin up Docker'. The orchestrator is reportedly ~600 lines of LangGraph, which is small enough to actually read end-to-end, patch, or swap models in without needing to reverse-engineer a black box. CI-gated benchmarks against a fixed 1,000-alert stream and a 200-incident synthetic dataset are real measurements, not marketing claims — and they block PRs.
The storage tier is the biggest adoption killer: PostgreSQL, ClickHouse, OpenSearch, Qdrant, Neo4j, Redis, and Kafka. Six storage systems plus a message bus. A small security team self-hosting this will spend more time on infrastructure than on investigations. The README screenshots are explicitly marked as SVG placeholders that 'ship with v8.0' — you cannot see the actual UI without running the stack, which is a bad sign for a product selling on its console experience. The benchmark dataset is synthetic and self-controlled ('55 templates with per-template macros'), and 'substrate self-consistency gates' is just checking that the model agrees with itself — these numbers say nothing about accuracy on real incidents. The claimed 69 connectors are plausible but unverifiable from the outside; the connector docs exist but there's no public test coverage report showing which connectors are actually exercised in CI.