"Most security tools alert you. A-SOC acts."
A-SOC is a cloud-native, AI-native security operations platform that autonomously detects, investigates, and remediates threats using a coordinated fleet of specialized LLM-powered agents — with human governance built in.
🚀 Quick Start · 🏗️ Architecture · 🎮 Demo · 🚢 Deploy
Traditional Security Operations Centers (SOCs) are drowning in alerts. Analysts face:
- Thousands of low-fidelity alerts daily, leading to alert fatigue
- Static, rule-based SIEMs that miss novel, zero-day attack patterns
- Slow mean-time-to-respond (MTTR) due to manual investigation workflows
- Compliance documentation that is tedious, inconsistent, and error-prone
A-SOC solves all of this with a coordinated fleet of AI agents.
| Feature | Description |
|---|---|
| 🕵️ Multi-Agent Architecture | Specialized agents (Telemetry, Detection, Forensics, Response, Compliance) operate as a coordinated team |
| 🧠 LLM-Powered Analysis | LLMs contextualize alerts, dramatically reducing false positives vs. static rules |
| ⚡ Real-Time Threat Streaming | WebSocket-based live feed pushes events to the dashboard as they happen |
| 🛑 Human-in-the-Loop Governance | High-risk actions (IAM revocation, firewall changes) require explicit human authorization |
| 🕸️ Blast Radius Visualization | Interactive attack graph shows which resources are affected and how far the threat can spread |
| 📜 Immutable Audit Trail | Every action and LLM decision is cryptographically logged for SOC2/ISO 27001 compliance |
| 👮 Policy-as-Code | Open Policy Agent (OPA) enforces corporate policy on every proposed remediation action |
| 🎨 Premium Dashboard | Cinematic, glassmorphism UI built with Next.js 14, providing a state-of-the-art operator experience |
| Layer | Technology | Purpose |
|---|---|---|
| Backend | FastAPI |
High-performance async REST API & WebSocket server |
LangGraph |
Agent state machine & multi-agent orchestration | |
LangChain |
LLM abstraction layer (OpenAI / Anthropic / DeepSeek) | |
Open Policy Agent (OPA) |
Policy-as-Code engine with Rego for governance | |
PostgreSQL + Redis |
Persistent state storage & real-time caching | |
Docker Compose |
Containerized local and production deployment | |
| Frontend | Next.js 14 |
React framework with App Router for the operator dashboard |
Tailwind CSS |
Utility-first styling & glassmorphism design system | |
React Flow / Custom SVG |
Interactive blast radius attack graph visualization | |
WebSockets |
Real-time bidirectional event streaming to the UI |
A-SOC operates on a Hub-and-Spoke multi-agent model, orchestrated by a central Supervisor agent that enforces corporate policy on every decision and routes tasks to the appropriate specialist.
┌─────────────────────────────────────────────────────────────────┐
│ A-SOC Agent Platform │
│ │
│ ┌─────────────┐ ┌────────────────────────────────────────┐ │
│ │ Log Sources │ │ Agent Fleet │ │
│ │─────────────│ │ │ │
│ │ CloudTrail │───▶│ ① TELEMETRY AGENT │ │
│ │ VPC Flow │ │ Ingests & normalizes raw log data │ │
│ │ K8s Audit │ │ │ │ │
│ └─────────────┘ │ ▼ │ │
│ │ ② DETECTION AGENT │ │
│ │ Analyzes anomalies │ │
│ │ Assigns Risk Score (0–100) │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ③ SUPERVISOR AGENT ◀── OPA Policy │ │
│ │ ┌────────────────────┐ │ │
│ │ │ Risk < 70? │ │ │
│ │ │ YES → Auto-remediate│ │ │
│ │ │ NO → Human Approval│ │ │
│ │ └────────────────────┘ │ │
│ │ │ │ │ │
│ │ ▼ ▼ │ │
│ │ ④ FORENSICS Human Dashboard │ │
│ │ AGENT (Blast Radius + │ │
│ │ (Attack Authorize Modal) │ │
│ │ Graph) │ │ │
│ │ │ │ │ │
│ │ └────┬─────┘ │ │
│ │ ▼ │ │
│ │ ⑤ RESPONSE AGENT │ │
│ │ Executes remediation │ │
│ │ (Block IP, Revoke Keys, etc.) │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ⑥ COMPLIANCE AGENT │ │
│ │ Maps incident → SOC2 / ISO 27001 │ │
│ │ Logs cryptographic evidence │ │
│ └────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
| Agent | Role |
|---|---|
| ① Telemetry Agent | Ingests and normalizes logs from CloudTrail, VPC Flow Logs, and Kubernetes Audit logs into a unified event schema. |
| ② Detection Agent | Applies LLM-powered reasoning to identify anomalies, correlate events, and assign a continuous Risk Score (0–100). |
| ③ Supervisor Agent | The orchestrator. Evaluates every detection against OPA policies and routes: score < 70 → auto-remediate, score ≥ 70 → escalate to human. |
| ④ Forensics Agent | Constructs the Blast Radius — a real-time graph of which resources have been touched, compromised, or are at risk. |
| ⑤ Response Agent | Executes the approved remediation playbook. Actions include IP blocking, credential revocation, and quarantine. |
| ⑥ Compliance Agent | Automatically maps every incident and action to compliance frameworks (SOC2, ISO 27001) and writes immutable, signed audit records. |
A-SOC is designed with a defense-in-depth philosophy applied to the platform itself:
- Principle of Least Privilege: Each agent only has the tool-access it needs. The Compliance Agent cannot execute remediations.
- Immutable Audit Log: All LLM reasoning chains and tool invocations are stored with cryptographic signatures, making them tamper-evident.
- Human-in-the-Loop for High-Stakes Actions: No IAM key revocation, firewall rule change, or instance termination can happen without explicit operator authorization. The system is designed to make humans the last line of defense, not the bottleneck.
- Policy-as-Code via OPA: Governance is not hardcoded in Python. It lives in versioned, reviewable Rego policy files, making it auditable and easy to update.
- Zero Trust Agent Communication: Inter-agent communication is mediated by the LangGraph state machine, with no direct side-channel communication between agents.
Ensure the following are installed on your machine:
- Python
3.10+ - Node.js
18+ - Docker & Docker Compose (optional, but recommended)
- An API key for OpenAI or Anthropic
The fastest way to get the full A-SOC stack running locally.
# 1. Clone the repository
git clone https://github.com/Ismail-2001/Autonomous-Secure-AI-Operations-Center.git
cd Autonomous-Secure-AI-Operations-Center/a-soc
# 2. Configure your environment
cp .env.example .env
# Open .env and add your OPENAI_API_KEY (or ANTHROPIC_API_KEY)
# 3. Launch the entire stack (API + Dashboard + PostgreSQL + Redis)
docker-compose up -d
# 4. Verify all services are healthy
docker-compose ps✅ Dashboard is live at http://localhost:3000
✅ API is live at http://localhost:9001/docs
git clone https://github.com/Ismail-2001/Autonomous-Secure-AI-Operations-Center.git
cd Autonomous-Secure-AI-Operations-Center/a-soc# Create and activate a virtual environment
python -m venv venv
source venv/bin/activate # macOS/Linux
# venv\Scripts\activate # Windows
# Install backend dependencies
pip install -r requirements.txt
# Configure environment variables
cp .env.example .env
# Edit .env — at minimum, set OPENAI_API_KEY
# Start the API server on port 9001
python -m uvicorn api:app --host 0.0.0.0 --port 9001 --reload# From the project root, navigate to the dashboard
cd dashboard
# Install frontend dependencies
npm install
# Start the development server (port 3000)
npm run devCopy .env.example to .env and populate the following:
# --- LLM Provider (choose one) ---
OPENAI_API_KEY=sk-...
# ANTHROPIC_API_KEY=sk-ant-...
# --- Database ---
DATABASE_URL=postgresql://user:password@localhost:5432/asoc
REDIS_URL=redis://localhost:6379
# --- Security ---
SECRET_KEY=your-super-secret-key-here
# --- OPA Policy Engine ---
OPA_URL=http://localhost:8181Once both backend and frontend are running:
- Open the Dashboard → Navigate to
http://localhost:3000 - Start a Simulation → Click the "Start Simulation" button in the top right corner
- Watch the Agent Fleet → Observe the real-time log stream as each agent processes incoming threat telemetry
- Review Detections → See risk scores assigned and watch the Blast Radius graph build dynamically
- Authorize a High-Risk Action → When the "High Risk Action Proposed" modal appears, review the full context and Blast Radius, then click "Authorize" to execute the remediation
For production environments, see the detailed DEPLOYMENT.md guide which covers:
- AWS ECS (Fargate): Scalable serverless container deployment
- Kubernetes: Full Helm chart manifests in
k8s/ - Vercel: Frontend-only serverless deployment
- Monitoring: Prometheus + Grafana stack integration
- Security Hardening: TLS, secrets management, WAF configuration
| Platform | Backend | Frontend | Guide |
|---|---|---|---|
| AWS ECS Fargate | ✅ Supported | ✅ S3 + CloudFront | DEPLOYMENT.md#aws |
| Kubernetes | ✅ Any cluster | ✅ Ingress | k8s/ |
| Docker Compose | ✅ Self-hosted | ✅ Included | docker-compose up -d |
| Vercel | ❌ | ✅ Serverless | DEPLOYMENT.md#vercel |
v1.0 — Core Platform (Complete ✅)
- Multi-Agent orchestration via LangGraph
- Real-time WebSocket event streaming
- Human-in-the-Loop approval workflow
- Interactive Blast Radius visualization
- OPA Policy-as-Code integration
- Immutable, cryptographically-signed audit trail
v1.5 — Cloud Integration (In Progress 🔨)
- Live AWS account integration via Boto3 (CloudTrail, GuardDuty, SecurityHub)
- Slack / Microsoft Teams notification integration
- JIRA ticket auto-creation for approved incidents
v2.0 — Advanced Intelligence (Planned 📋)
- Fine-tuned local LLM support (Llama 3) for air-gapped deployments
- Advanced Threat Hunting interface with natural language queries
- MITRE ATT&CK framework automatic tactic/technique mapping
- Multi-cloud support (GCP, Azure)
Contributions are welcome! This project is designed to be extended:
- Fork the repository
- Create your feature branch:
git checkout -b feature/your-amazing-feature
- Commit your changes:
git commit -m 'feat: add amazing feature' - Push to your branch:
git push origin feature/your-amazing-feature
- Open a Pull Request against
main
Please follow Conventional Commits for your commit messages and add tests for any new agent logic.
Distributed under the MIT License. See LICENSE for full details.
Built with obsession for security, AI, and clean architecture.
If A-SOC helped you or inspired your work, consider starring ⭐ the repository.
