An enterprise-grade, self-contained SOC platform powered by 8 autonomous detection agents and an AI triage engine, deployable on a single Linux machine.
This project is in active early development. It is functional and deployable today, but represents the foundation of a much larger 2-year vision.
SecOS v6.0 is a working autonomous SOC platform: all 8 agents run continuously, the AI triage engine is live, and endpoints can be connected from anywhere. However, many enterprise features are still being built.
What works today:
- ✅ 8 autonomous detection agents running 24/7
- ✅ AEGIS AI triage via Groq LLaMA 3.3-70b
- ✅ Windows + Linux endpoint agents with one-line installers
- ✅ 16-module React SOC dashboard with live WebSocket streaming
- ✅ Full MITRE ATT&CK mapping across 11 tactics
- ✅ Role-based access control (admin / analyst / soc_lead)
- ✅ SOAR suggest mode with 6 response playbooks
- ✅ ngrok support for remote endpoint connectivity
What is being built (see Roadmap):
- 🚧 Docker Compose single-command deployment
- 🚧 AEGIS agentic investigation chains
- 🚧 TheHive + MISP + Cortex integration
- 🚧 Multi-tenant MSSP support
- 🚧 Cloud workload monitoring (AWS/Azure/GCP)
- 🚧 Full autonomous SOAR response mode
- 🚧 Custom correlation rules engine
Estimated timeline to full feature parity: ~2 years of active development.
Contributions, feedback, and ideas are welcome; see CONTRIBUTING.md.
SecOS is an autonomous Security Operating System that replaces a traditional multi-vendor SOC stack with a single deployable platform. It collects telemetry from Windows and Linux endpoints, correlates events across 8 specialized detection engines, triages every HIGH/CRITICAL alert with a Groq-hosted LLM, and orchestrates response actions, all without requiring your own cloud infrastructure, expensive licensing, or a large team. The one external dependency is the Groq API that AEGIS calls (a rule-based triage fallback takes over when it is unreachable), and response actions currently run in suggest mode rather than fully autonomously.
Built by a SOC analyst, for SOC analysts. Every design decision reflects real operational experience.
```
┌─────────────────────────────────────────────────────────────┐
│                          ENDPOINTS                          │
│       Windows Agent (PS) · Linux Agent · Log Sources        │
└──────────────────────────────┬──────────────────────────────┘
                               │ HTTP POST /api/ingest
┌──────────────────────────────▼──────────────────────────────┐
│                       INGESTION LAYER                       │
│            FastAPI Gateway · PostgreSQL · Redis             │
└──────────────────────────────┬──────────────────────────────┘
                               │ secos:alerts (pub/sub)
┌──────────────────────────────▼──────────────────────────────┐
│                       DETECTION LAYER                       │
│    SIEM · EDR · NDR · IAM · UEBA · SOAR · AEGIS AI · TIP    │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────▼──────────────────────────────┐
│                       AEGIS AI ENGINE                       │
│        Groq · llama-3.3-70b-versatile · Suggest Mode        │
│     Triage · Priority · Attack Stage · Recommendations      │
└──────────────────────────────┬──────────────────────────────┘
                               │ WebSocket live stream
┌──────────────────────────────▼──────────────────────────────┐
│                  16-MODULE REACT DASHBOARD                  │
│   http://localhost:8080 · Real-time alerts + AI decisions   │
└─────────────────────────────────────────────────────────────┘
```
- Ubuntu 20.04+ / Debian / WSL2
- Python 3.10+, PostgreSQL 13+, Redis 6+
- 4GB RAM minimum
```bash
# 1. Clone
git clone https://github.com/subhankarbhndr211/SecOS.git
cd SecOS

# 2. Configure
cp .env.example .env
nano .env   # Add GROQ_API_KEY (free at console.groq.com)

# 3. Start
sudo bash start.sh
```

- Dashboard: http://localhost:8080
- API health check: http://localhost:8000/api/health
Default credentials (change them at first login, and certainly before exposing the server through ngrok or any other public tunnel):

```
admin   / Admin1234
analyst / Analyst123
soc     / SOCteam123
```
Linux endpoint:

```bash
curl -s http://YOUR_SECOS_IP:8000/install.sh | sudo bash -s -- --server YOUR_SECOS_IP
```

Windows endpoint (PowerShell):

```powershell
Invoke-WebRequest http://YOUR_SECOS_IP:8000/install-agent-windows.ps1 -OutFile install.ps1
.\install.ps1 -Server YOUR_SECOS_IP
```

Remote endpoints over ngrok:

```bash
# On the SecOS server: expose the API
ngrok http 8000
# → https://abc123.ngrok-free.app

# On the remote endpoint
curl -s https://abc123.ngrok-free.app/install.sh | sudo bash -s -- --server https://abc123.ngrok-free.app
```

Both installers fetch a script from the SecOS server over plain HTTP and the Linux one runs it as root; TLS and JWT API authentication are still roadmap items, so on a network you do not fully control, download the script to a file and read it before executing it. When tunnelling through ngrok, change the default credentials first and treat the tunnel URL as a secret: the whole API is reachable from the internet for as long as the tunnel is up.

Full integration guide: docs/AGENT-INTEGRATION.md
| Agent | Function | Key Detections | Status |
|---|---|---|---|
| SIEM | Log correlation | SSH brute force, privilege escalation, account changes | ✅ Live |
| EDR | Endpoint detection | Malicious processes, FIM, network anomalies | ✅ Live |
| NDR | Network detection | C2 beaconing, port scans, malicious IPs | ✅ Live |
| IAM | Identity monitoring | Account creation, privilege changes, lockouts | ✅ Live |
| UEBA | Behavioral analytics | Off-hours activity, lateral movement, velocity spikes | ✅ Live |
| SOAR | Response orchestration | 6 playbooks, suggest/auto mode | ✅ Live |
| AEGIS | AI triage engine | LLM-powered P1 to P4 prioritization | ✅ Live |
| TIP | Threat intelligence | IOC management, indicator enrichment | ✅ Live |
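As an added illustration of the kind of correlation the SIEM row's "SSH brute force" detection implies, here is a stand-alone sliding-window detector over sshd auth-log lines that emits an alert tagged with the ATT&CK technique the AEGIS example below uses (T1110.001). This is example code written for this page, not SecOS's `agent_siem.py`; the alert field names, the 5-failures-in-60-seconds threshold and the year assumed for the syslog timestamps are assumptions, and the log lines are constructed.

```python
"""Sliding-window SSH brute-force detector.

Added example for this page; it is not SecOS's agent_siem.py. The alert field
names and the 5-failures-in-60-seconds threshold are assumptions.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (not real telemetry). One source hammers root/admin
# and finally gets in; a second source produces two failures far apart in time.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 09:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 09:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 09:00:07 host1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar 10 09:00:09 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 10 09:00:12 host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar 10 09:01:00 host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 09:30:00 host1 sshd[1301]: Failed password for alice from 198.51.100.4 port 40001 ssh2
"""

ASSUMED_YEAR = 2025  # syslog timestamps carry no year; assumed for the sample

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line):
    """Return a dict for sshd password events, None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """One alert per source IP whose failed logins reach `threshold` within `window`.

    A later successful login from an IP that already tripped the rule upgrades the
    alert to CRITICAL: that is the case where the guessing worked and containment
    is urgent, not just a noisy scanner.
    """
    recent_failures = defaultdict(deque)  # ip -> failures still inside the window
    alerts = {}                           # ip -> alert dict
    for raw in lines:
        ev = parse_auth_line(raw)
        if ev is None:
            continue
        if ev["outcome"] == "Failed":
            q = recent_failures[ev["ip"]]
            q.append(ev)
            while ev["ts"] - q[0]["ts"] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in alerts:
                alerts[ev["ip"]] = {
                    "agent": "SIEM",
                    "severity": "HIGH",
                    "title": f"SSH brute force from {ev['ip']}",
                    "source_ip": ev["ip"],
                    "failed_attempts": len(q),
                    "targets": sorted({e["user"] for e in q}),
                    "mitre_technique": "T1110.001",  # Brute Force: Password Guessing
                    "first_seen": q[0]["ts"].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                }
        elif ev["ip"] in alerts:
            alerts[ev["ip"]]["severity"] = "CRITICAL"
            alerts[ev["ip"]]["followed_by_success"] = {
                "user": ev["user"], "ts": ev["ts"].isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    print(json.dumps(detect_ssh_bruteforce(SAMPLE_LOG.splitlines()), indent=2))
```

Run on the sample, the detector raises one alert for 203.0.113.7 (five failures in eight seconds, then escalated to CRITICAL by the successful root login) and nothing for 198.51.100.4, whose two failures are 29 minutes apart and so never coexist in the window.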
Every HIGH/CRITICAL alert is analyzed by llama-3.3-70b-versatile, which returns a structured verdict:

```json
{
  "decision": "ESCALATE",
  "priority": "P1",
  "confidence": 0.94,
  "attack_stage": "Credential Access",
  "mitre_technique": "T1110.001",
  "recommended_actions": [
    "Block source IP immediately",
    "Reset compromised account credentials",
    "Review auth logs for successful logins from same IP"
  ]
}
```

Rule-based fallback activates automatically when the Groq API is unavailable.
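The JSON above is the contract that SOAR and the dashboard consume, and the model producing it is a remote component whose prompt includes attacker-influenced log content. As an added example (not SecOS's `agent_aegis.py`), the following validates a verdict against that contract and degrades to a rule-based verdict whenever the API call fails or the output is malformed, which is the fallback behaviour the sentence above describes. The decision values other than ESCALATE, the severity-to-priority mapping, the `call_llm` interface and the alert shape are assumptions; the provider stand-ins are constructed so the example runs offline.

```python
"""Validate an AEGIS-style LLM verdict, falling back to rules when the API fails.
Added example for this page, not SecOS's agent_aegis.py. Decision values other than
ESCALATE, the severity-to-priority mapping and the call_llm interface are assumptions."""
import json
import re

# Constructed HIGH-severity alert handed to triage (field names assumed).
ALERT = {"agent": "SIEM", "severity": "HIGH", "title": "SSH brute force from 203.0.113.7",
         "mitre_technique": "T1110.001", "failed_attempts": 5}

DECISIONS = {"ESCALATE", "INVESTIGATE", "SUPPRESS"}  # page shows ESCALATE; others assumed
PRIORITIES = {"P1", "P2", "P3", "P4"}
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # ATT&CK technique / sub-technique id
REQUIRED = {"decision", "priority", "confidence", "attack_stage",
            "mitre_technique", "recommended_actions"}


class TriageError(ValueError):
    """The model's output does not satisfy the verdict contract."""


def validate_verdict(raw):
    """Accept only a verdict that matches the contract.
    Model output is untrusted (remote component, attacker-influenced prompt): truncated
    JSON, invented fields and out-of-range values are rejected instead of acted on."""
    try:
        v = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise TriageError(f"not JSON: {exc}") from None
    if not isinstance(v, dict) or not REQUIRED.issubset(v):
        present = set(v) if isinstance(v, dict) else set()
        raise TriageError(f"missing fields: {sorted(REQUIRED - present)}")
    if v["decision"] not in DECISIONS:
        raise TriageError(f"unknown decision {v['decision']!r}")
    if v["priority"] not in PRIORITIES:
        raise TriageError(f"unknown priority {v['priority']!r}")
    conf = v["confidence"]
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        raise TriageError(f"confidence out of range: {conf!r}")
    if not TECHNIQUE_RE.match(str(v["mitre_technique"])):
        raise TriageError(f"malformed technique id {v['mitre_technique']!r}")
    actions = v["recommended_actions"]
    if not (isinstance(actions, list) and actions and all(isinstance(a, str) for a in actions)):
        raise TriageError("recommended_actions must be a non-empty list of strings")
    return {k: v[k] for k in REQUIRED}  # drop any extra keys the model added


def rule_based_triage(alert):
    """Deterministic fallback so the alert queue keeps moving while the LLM is unavailable."""
    priority = {"CRITICAL": "P1", "HIGH": "P2", "MEDIUM": "P3"}.get(alert.get("severity"), "P4")
    return {"decision": "ESCALATE" if priority in ("P1", "P2") else "INVESTIGATE",
            "priority": priority, "confidence": 0.5, "attack_stage": "Unknown",
            "mitre_technique": alert.get("mitre_technique"),
            "recommended_actions": ["Analyst review required (LLM unavailable)"],
            "source": "rule-based"}


def triage(alert, call_llm):
    """call_llm(alert) -> raw JSON string is the provider call (interface assumed).
    Transport failures and contract violations both degrade to the rule-based verdict."""
    try:
        verdict = validate_verdict(call_llm(alert))
    except (TriageError, OSError):  # timeouts and connection errors are OSError subclasses
        return rule_based_triage(alert)
    verdict["source"] = "llm"
    return verdict


# Constructed stand-ins for the provider call so the example runs offline.
GOOD_REPLY = json.dumps({
    "decision": "ESCALATE", "priority": "P1", "confidence": 0.94,
    "attack_stage": "Credential Access", "mitre_technique": "T1110.001",
    "recommended_actions": ["Block source IP immediately",
                            "Reset compromised account credentials",
                            "Review auth logs for successful logins from same IP"]})
# What a prompt-injected or hallucinating model might emit: valid JSON, invalid contract.
STEERED_REPLY = json.dumps({
    "decision": "WIPE_ALL_HOSTS", "priority": "P1", "confidence": 0.99,
    "attack_stage": "Impact", "mitre_technique": "T1110.001",
    "recommended_actions": ["Run rm -rf / on every endpoint"]})


def llm_ok(alert):
    return GOOD_REPLY


def llm_steered(alert):
    return STEERED_REPLY


def llm_down(alert):
    raise OSError("connection refused")


if __name__ == "__main__":
    for fn in (llm_ok, llm_steered, llm_down):
        print(fn.__name__, "->", triage(ALERT, fn))
```

The steered reply is the case worth noticing: it is well-formed JSON with a plausible priority, and only the enum check on `decision` stops it from reaching a SOAR playbook. Whatever the real agent's contract is, the same principle applies: validate every field before anything automated consumes it, and make the fallback path deterministic so an API outage never leaves HIGH/CRITICAL alerts without a priority.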
Full autonomous SOC vision, estimated at roughly 2 years to complete all phases. This is an honest, long-term commitment to building something genuinely useful for the security community.

Completed:

- ✅ Core ingestion pipeline (FastAPI + PostgreSQL + Redis pub/sub)
- ✅ 8 autonomous detection agents running continuously
- ✅ AEGIS AI triage engine (Groq LLaMA 3.3-70b-versatile)
- ✅ Windows PowerShell endpoint agent
- ✅ Linux Python endpoint agent
- ✅ One-line installers for both platforms
- ✅ 16-module React 18 dashboard with WebSocket live streaming
- ✅ MITRE ATT&CK mapping across 11 tactics
- ✅ Role-based access control
- ✅ SOAR suggest mode with 6 playbooks
- ✅ ngrok remote endpoint support
- ✅ GitHub CI pipeline with secret scanning
Planned:

- Docker Compose single-command deployment
- TLS/HTTPS for dashboard and API (Let's Encrypt)
- JWT-based API authentication
- TheHive integration (case management)
- MISP integration (threat intelligence feeds)
- Cortex integration (automated alert enrichment)
- Alert deduplication and suppression engine
- Agent heartbeat monitoring (offline alerts)
- Structured JSON logging with ELK/Grafana support
- Sigma rule import and execution
- YARA rule scanning on endpoints
- AEGIS agentic investigation chains (multi-step autonomous analysis)
- SOAR auto-mode (fully automated containment and response)
- Threat hunting query engine
- Attack simulation framework (validate detection coverage)
- Custom correlation rules builder (no-code UI)
- Forensics timeline reconstruction
- Automated IOC extraction and threat actor profiling
- ML-based anomaly detection (self-learning baselines)
- False positive feedback loop (AEGIS learns from analyst decisions)
- Multi-tenant MSSP support
- Cloud workload monitoring (AWS CloudTrail, Azure Sentinel, GCP)
- Kubernetes / container workload agents
- Active Directory / LDAP / SSO integration
- SLA tracking and management reporting
- Compliance reporting (ISO 27001, SOC 2, NIST CSF)
- Full REST API for external integrations
- High availability / clustered deployment
- Mobile dashboard (React Native)
- Marketplace for community detection packs
```
SecOS/
├── agents/
│   ├── api.py                        # FastAPI gateway + WebSocket
│   ├── agent_siem.py                 # Log correlation
│   ├── agent_edr.py                  # Endpoint detection
│   ├── agent_ndr.py                  # Network detection
│   ├── agent_iam.py                  # Identity monitoring
│   ├── agent_ueba.py                 # Behavioral analytics
│   ├── agent_soar.py                 # Response orchestration
│   ├── agent_aegis.py                # AI triage engine
│   ├── agent_tip.py                  # Threat intelligence
│   └── windows/
│       ├── SecOS-Agent.ps1           # Windows endpoint agent
│       └── install-agent-windows.ps1 # Windows installer
├── frontend/
│   └── index.html                    # React 18 dashboard
├── docs/
│   ├── AGENT-INTEGRATION.md          # Endpoint integration guide
│   └── SecOS-v6-Documentation.docx   # Full technical docs
├── .github/
│   ├── workflows/ci.yml              # GitHub Actions CI
│   └── ISSUE_TEMPLATE/
├── install-agent-linux.sh            # Linux one-line installer
├── start.sh                          # Full stack startup
├── .env.example                      # Environment template
├── CONTRIBUTING.md
├── SECURITY.md
└── CHANGELOG.md
```
Subhankar Bhandari · SOC Analyst · Security Engineer · Builder
8 years in IT · 4+ years in SOC operations
All contributions welcome: detection rules, new agents, bug fixes, documentation improvements. See CONTRIBUTING.md.
MIT, see LICENSE.
"Enterprise security without the enterprise budget."
SecOS: built by a SOC analyst, for SOC analysts.
Early phase · Active development · ~2 years to full vision
⭐ Star this repo if you find it useful; it helps more people discover it.