git clone --recurse-submodules https://github.com/vigil-soc/vigil.git
cd vigil && ./start_daemon.sh
You can find the project here.
What Is Vigil?
Vigil is the first fully open-source AI-native security operations platform. It adds a team of up to 13 specialized AI agents (more are added as needed) to your SOC, each purpose-built for a specific part of the investigation lifecycle. The scope of Vigil is broad: starting with core AI SOC workflows, it is already expanding to include agentic red teaming and related capabilities.
Built on the Claude Agent SDK and the Model Context Protocol (MCP), Vigil is designed around a simple principle: AI agents should do the work, not just answer questions. Say “Run incident response on finding f-20260215-abc123” and four agents execute in sequence: triage scores the alert, the investigator traces root cause, the responder submits containment actions, and the reporter generates audit-ready documentation. No hand-offs required.
Vigil is also amongst the first open source projects to embrace the power of the true upstream today: Anthropic’s Claude and OpenAI’s ChatGPT. We seek to embrace, rather than obscure, their advancements in a few ways, including:
- Surfacing the work they do: via Skills, a standard way of coaching a reasoning model on how to behave, what persona to emulate, and so on.
- Coaching them to contribute to Vigil productively: via Auto-Contributor, a sub-project within Vigil that shows the future of open source contributions in a world in which most code is written by software agents. For example, Auto-Contributor includes the scaffolding your agent needs to advance Vigil; if your Claude uses the Auto-Contributor skill, you can point it at an interesting-looking web site full of vendor claims, and Auto-Contributor will learn it, compare it to Vigil and to the listed open source projects, present the comparison in a chart, and then propose to fill any gaps.
Vigil is already expanding, with the help of Auto-Contributor and related projects such as Artemis, to add red teaming as a source of information for building better workflows, reporting, and even detections. Watch this space and pitch in as you like!
Vigil is Apache 2.0 licensed. Your data never leaves your machine. Every agent’s reasoning is inspectable. Every workflow is a text file you can read, modify, and share.
Why Open Source?
The cybersecurity market has a well-documented structural problem. The economist Ian Grigg calls it the “Market for Silver Bullets”: neither buyers nor sellers have enough information to make rational decisions about security products. The result is herding toward “best practices” that reduce blame rather than selecting for superior solutions that actually reduce cyber risk. Organizations spend more every year and get worse outcomes. The zero-day exploitation rate has climbed from 16% in 2018 to 67% in 2026. 82% of 2025 intrusions were malware-free.
Closed-source AI SOC platforms deepen this problem. Their agent logic is opaque. Their integrations are proprietary. Their pricing starts at $36K/year and scales with your alert volume. You can’t inspect why an agent made a decision, you can’t extend the platform for your specific environment, and you can’t share improvements with peers.
Vigil takes the opposite approach. Open source breaks the silver bullet cycle through transparency. When agent reasoning is inspectable, detection quality becomes more measurable. When integrations are built on an open standard (MCP) and Claude skills are plain markdown files, the ecosystem grows the platform and the community’s collective operational knowledge compounds.
Security operations shouldn’t be a black box you buy. It should be a capability you build, together with a broader community.
Try It in 60 Seconds
After starting Vigil, open the web UI and try this:
- Paste a finding or alert ID from your SIEM (or use one of the included sample findings)
- Type: Run incident response on finding f-20260215-abc123
- Watch four agents execute in sequence: Triage → Investigate → Respond → Report
- Review the complete incident report with MITRE ATT&CK mapping, timeline, and recommended actions
The entire sequence runs locally. Your data stays on your machine. The agent reasoning is visible at every step.
How Vigil Works
The architecture of Vigil is by design easy to understand.
There are agents, which are combined into workflows, and then there are integrations.
13 Agents, Each Built for a Job
Vigil fields a team of specialists, each with a defined role, a tuned reasoning mode, and access to 23 backend tools via the Agent SDK plus 100+ extended tools via MCP. These agents include:
- Triage Agent: Rapidly scores incoming alerts and filters noise. Tuned for speed—fast reasoning mode.
- Investigator: Reconstructs timelines and correlates evidence across sources. Deep reasoning mode.
- MITRE Analyst: Maps findings to ATT&CK techniques and surfaces coverage gaps.
- Correlator: Links signals across campaigns and builds attack chains.
- Responder: Assesses blast radius and submits containment actions with confidence scores. Auto-approves at 0.90+, routes below that threshold to a human reviewer.
- Reporter: Produces executive summaries, technical write-ups, compliance documentation.
- Detection Engineer: Evaluates existing rules, identifies coverage gaps, generates new detections.
Plus six additional specialized agents for enrichment, identity analysis, network forensics, malware analysis, compliance mapping, and case management.
Workflows: Addressing Multi-Step Jobs in a Single Command
The heart of Vigil is the workflows. A workflow chains specialized agents into a complete, end-to-end playbook. Each workflow produces outputs—from MITRE ATT&CK-tagged case timelines to chain-of-custody forensic reports suitable for legal proceedings.
Vigil ships with four workflows out of the box:
- Incident Response: Triage → Investigate → Respond → Report. End-to-end from alert to audit-ready documentation.
- Full Investigation: Deep-dive reconstruction of an incident with timeline correlation across all connected data sources.
- Threat Hunt: Proactive hypothesis-driven search across your environment using MITRE ATT&CK as the framework.
- Forensic Analysis: Evidence collection, chain-of-custody documentation, and analysis suitable for legal proceedings.
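The hand-off between agents in a workflow, and the Responder’s rule of auto-approving containment at a confidence of 0.90 or higher while routing anything below that to a human reviewer, can be seen end to end in the following added example. It is not Vigil’s own code: each agent is a deterministic stand-in function, the finding and its events are constructed sample data, and the scoring heuristics are assumptions chosen only to make the gate observable.

```python
"""Illustrative Incident Response chain: Triage -> Investigate -> Respond -> Report.

Hypothetical stand-in for Vigil's agents (not Vigil's code). Each agent is a plain
function so the case hand-off and the 0.90 auto-approval gate are visible.
"""
import json
from dataclasses import dataclass, field

AUTO_APPROVE_THRESHOLD = 0.90  # Responder auto-approves at 0.90+, else human review

# Constructed sample finding shaped like a SIEM alert (events deliberately unordered)
SAMPLE_FINDING = {
    "id": "f-20260215-abc123",
    "severity": "high",
    "host": "ws-finance-07",
    "user": "jdoe",
    "events": [
        {"ts": "2026-02-15T09:01:12Z", "action": "powershell_encoded_cmd", "technique": "T1059.001"},
        {"ts": "2026-02-15T09:02:40Z", "action": "smb_admin_share_access", "technique": "T1021.002"},
        {"ts": "2026-02-15T09:00:05Z", "action": "office_macro_spawn", "technique": "T1566.001"},
    ],
}

SEVERITY_WEIGHT = {"low": 0.2, "medium": 0.5, "high": 0.8, "critical": 1.0}  # assumed weights


@dataclass
class Case:
    finding: dict
    triage_score: float = 0.0
    timeline: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    report: dict = field(default_factory=dict)


def triage(case: Case) -> Case:
    """Score the alert: severity weight plus 0.05 per distinct technique, capped at 1.0."""
    techniques = {e["technique"] for e in case.finding["events"]}
    base = SEVERITY_WEIGHT.get(case.finding["severity"], 0.3)
    case.triage_score = min(1.0, round(base + 0.05 * len(techniques), 2))
    return case


def investigate(case: Case) -> Case:
    """Reconstruct the timeline in chronological order."""
    case.timeline = sorted(case.finding["events"], key=lambda e: e["ts"])
    return case


def respond(case: Case) -> Case:
    """Propose containment; anything under the threshold is routed to a human reviewer."""
    proposals = [
        {"action": "isolate_host", "target": case.finding["host"], "confidence": case.triage_score},
        # Account actions carry less certainty in this toy model, so scale confidence down.
        {"action": "disable_user", "target": case.finding["user"],
         "confidence": round(case.triage_score * 0.8, 2)},
    ]
    for p in proposals:
        p["status"] = ("auto_approved" if p["confidence"] >= AUTO_APPROVE_THRESHOLD
                       else "pending_human_review")
        # Keep the reasoning with the decision so a reviewer can inspect it later.
        p["reason"] = (f"triage_score={case.triage_score}; "
                       f"techniques={[e['technique'] for e in case.timeline]}")
    case.actions = proposals
    return case


def report(case: Case) -> Case:
    case.report = {
        "finding_id": case.finding["id"],
        "attack_techniques": sorted({e["technique"] for e in case.timeline}),
        "timeline": [(e["ts"], e["action"]) for e in case.timeline],
        "actions": [(a["action"], a["status"]) for a in case.actions],
        "human_review_required": any(a["status"] == "pending_human_review" for a in case.actions),
    }
    return case


WORKFLOW = [triage, investigate, respond, report]  # the SKILL.md-style agent sequence


def run_incident_response(finding: dict) -> dict:
    case = Case(finding=finding)
    for agent in WORKFLOW:
        case = agent(case)
    return case.report


if __name__ == "__main__":
    print(json.dumps(run_incident_response(SAMPLE_FINDING), indent=2))
```

With the sample finding the host isolation scores 0.95 and is auto-approved, while the account disable scores 0.76 and lands in the human review queue; the report records both decisions and their reasoning.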
Workflows are defined in a SKILL.md file that specifies the agent sequence, the tools each phase uses, and the instructions for each step. If your team has a workflow, Vigil can run it. If your workflow works well, share it with the community. You can of course use Claude to write these workflows, and the Contributor repository will include a set of Skills for this and other tasks, as explained below.
MCP: Connect to your Context
Vigil uses the Model Context Protocol to give agents access to your existing tools. As of launch, Vigil includes 30+ integrations spanning SIEM, EDR, threat intel, sandbox, ticketing, and communications—including Splunk, CrowdStrike, VirusTotal, Shodan, Hybrid Analysis, Jira, Slack, and more.
Because MCP is an open standard, adding a new integration is lightweight by design. If a tool has an MCP server, Vigil can connect to it. As the MCP ecosystem grows, so does Vigil’s reach—with minimal engineering on your end.
Data sources work the same way. Vigil currently connects to Splunk and DeepTempo, with more on the way. The architecture treats any MCP-speaking data source as a first-class citizen.
Built to help Security Operations Scale and Learn
- 7,200+ detection rules. Spanning Sigma, Splunk, Elastic, and KQL formats, with AI-assisted coverage analysis, gap identification, and template generation. Many more on the way.
- Chat-driven case management. Build and update cases through natural language. Tell the system a finding is part of the lateral movement kill chain and it handles the MITRE tagging, timeline updates, and case linkage automatically.
- Headless autonomous mode. Run Vigil as a daemon for 24/7 monitoring without touching the UI, or use the full React + FastAPI frontend for interactive investigations.
- Scaling note: Vigil is being benchmarked for performance now, and an extremely scalable message bus layer will be added to the system. Contributors welcome!
- Headless mode is also used when Vigil delivers federated detections across a complex deployment.
- Local-first architecture. Your data never leaves your environment. No cloud dependency for core functionality. MCP connections are under your control.
Vigil vs. Commercial AI SOCs
Vigil is the first fully featured 100% open source AI SOC project. All AI SOC platforms on the market today are closed source. Here’s how Vigil compares:
The commercial platforms listed for comparison include Dropzone AI, Conifers CognitiveSOC, Radiant Security, Prophet Security, Exaforce, and Torq HyperSOC. None are open source. None make it easy to inspect or modify agent reasoning.
Contributing
Vigil is built to be extended. Here’s what you can build:
Write a New Skill
Skills are markdown files that Anthropic defined as a common building block for software and services built on Claude. They have become a de facto standard. Rather than hide them, Vigil exposes them. Fun fact: Claude is very good at writing skills for itself.
Vigil skills are used to define agents and to define workflows. They are also the backbone of the Auto-Contributor agent, which you can use to create an open source counterpart to proprietary AI SOC, agentic red team, and similar products.
If your team has a playbook—phishing triage, cloud incident response, insider threat investigation, compliance audit—you can encode it as a Vigil skill and share it with the community. A SKILL.md file defines which agents to use, the tools each phase uses, and the natural-language instructions for each step. No code required.
Build an MCP Integration
If your security tool has an API, you can wrap it in an MCP server and Vigil can connect to it. The MCP ecosystem is growing fast—every new server is a potential Vigil integration. We especially welcome integrations for data sources (SIEMs, data lakes, EDR), enrichment services (threat intel, sandbox, WHOIS), and action targets (firewalls, identity providers, ticketing).
Add Detection Rules
Vigil ships with 7,200+ detection rules. You can contribute new rules in Sigma, Splunk SPL, Elastic KQL, or any format. The Detection Engineer agent uses these rules for coverage analysis and gap identification, so every new rule improves the platform for everyone.
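The coverage analysis and gap identification attributed to the Detection Engineer agent, both here and in the 7,200+ rules bullet above, amount to comparing the ATT&CK tags on your rules against the techniques you care about. The following added example (not Vigil’s code) does that over Sigma-format rules. It reads only each rule’s tags: block, so it needs no YAML library, and treats a rule tagged with a parent technique or a sibling sub-technique as partial coverage. The rules and the hunt target list are constructed.

```python
"""Coverage-gap check over Sigma rules (added example, not Vigil's code).

Only the `tags:` block of each rule is read; ATT&CK technique tags are normalised
(attack.t1059.001 -> T1059.001) and compared with a target technique list.
"""
import re

# Constructed Sigma rules, trimmed to the fields this check needs
SAMPLE_RULES = {
    "proc_creation_win_powershell_encoded.yml": """
title: Encoded PowerShell Command Line
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: ' -enc '
    condition: selection
tags:
    - attack.execution
    - attack.t1059.001
level: medium
""",
    "net_win_admin_share_access.yml": """
title: Admin Share Access
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName|endswith: '$'
    condition: selection
tags:
    - attack.lateral_movement
    - attack.t1021.002
level: low
""",
    "email_office_macro_initial_access.yml": """
title: Office Process Spawning Shell
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\\WINWORD.EXE'
        Image|endswith: '\\cmd.exe'
    condition: selection
tags:
    - attack.initial_access
    - attack.t1566
level: high
""",
}

# Constructed hunt hypothesis: techniques we want at least one rule for
HUNT_TARGETS = ["T1059.001", "T1566.001", "T1021.002", "T1003.001", "T1047"]

TAG_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def rule_techniques(rule_text: str) -> set:
    """Collect ATT&CK technique ids from a rule's tags: block; tactic tags are skipped."""
    techs, in_tags = set(), False
    for line in rule_text.splitlines():
        if re.match(r"^tags:\s*$", line):
            in_tags = True
            continue
        if in_tags:
            m = re.match(r"^\s+-\s*(\S+)", line)
            if not m:            # dedented line: the tags block has ended
                in_tags = False
                continue
            tm = TAG_RE.match(m.group(1))
            if tm:
                techs.add(tm.group(1).upper())
    return techs


def coverage_report(rules: dict, targets: list) -> dict:
    """Classify each target technique as covered, partial (parent/sibling only) or a gap."""
    covered = {}
    for name, text in rules.items():
        for t in rule_techniques(text):
            covered.setdefault(t, []).append(name)
    report = {"covered": {}, "partial": {}, "gaps": []}
    for target in targets:
        parent = target.split(".")[0]
        if target in covered:
            report["covered"][target] = sorted(covered[target])
            continue
        related = sorted(n for t, names in covered.items()
                         if t.split(".")[0] == parent for n in names)
        if related:
            report["partial"][target] = related
        else:
            report["gaps"].append(target)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(SAMPLE_RULES, HUNT_TARGETS), indent=2))
```

On the constructed inputs, T1059.001 and T1021.002 are covered, T1566.001 is only partially covered (a rule tags the parent T1566), and T1003.001 and T1047 are reported as gaps; those gaps are what a detection engineer, or the agent, would turn into new rules.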
Add Open Source Projects
Vigil includes an Auto-Contributor skill that can quickly add capabilities to Vigil based on nothing more than vendor claims from a web site or a PDF. As part of this skill, Vigil consults and adds to a list of interesting open source projects in the security arena. Note that only projects under open source licenses should be added; Detect Flow, for example, is not governed by an open source license as defined by the OSI and others and cannot be added (Kafka, on the other hand, can, because the core of Kafka is Apache 2.0). You can add to the list of useful open source projects directly here: data/registry/open-source-projects.yaml
Improve an Agent
Each agent’s behavior is defined by its prompt, its tool access, and its reasoning mode. If you find an agent that could be better at a specific task—better MITRE mapping, better forensic chain-of-custody formatting, better triage scoring—open a PR. The agent definitions are readable Python. All agents will be defined as Skills over time for extensibility across reasoning models and improved collaboration.
Report What’s Broken
Security tools fail in specific, context-dependent ways. If Vigil makes a bad call on a particular alert type, or misses something your team would have caught, that’s exactly the kind of feedback that makes the platform better. Please file an issue with as much context as you can share.
See CONTRIBUTING.md in the repo for coding conventions, PR guidelines, and the community code of conduct.
Other Details:
Vigil’s frontend is React + FastAPI. The backend runs in Docker. State persists in a local SQLite database (or Postgres for team deployments). The headless daemon mode uses the same agent and skill infrastructure without the frontend.
How Vigil Relates to DeepTempo
Vigil is an open-source project sponsored by DeepTempo and other organizations and contributors. DeepTempo’s LogLM is one of the data sources Vigil can connect to via MCP—it provides high-fidelity behavioral detections that the Vigil agents can triage, investigate, and act on. But Vigil is not limited to DeepTempo. It works with any MCP-connected data source, including Splunk.
Think of it this way: Vigil is the operations layer that coordinates investigation and response. DeepTempo’s LogLM is the detection layer that finds the threats. They work together, but each is valuable independently. Vigil with Splunk alone is a fully functional AI SOC. Adding DeepTempo gives you AI-native behavioral detection to catch attacks that rules based detections typically miss.
Getting Started
Requirements
- Python 3.11+
- Node.js 18+
- Docker Desktop
- Claude API key (optional for initial testing with sample data)
Installation
git clone --recurse-submodules https://github.com/vigil-soc/vigil.git
cd vigil
./start_daemon.sh
The startup script installs dependencies, builds the frontend, starts the backend services in Docker, and opens the web UI. First run takes 2–3 minutes. Subsequent starts are under 30 seconds.
Frontend: http://localhost:6988
API docs: http://localhost:6987/docs
Headless daemon: ./start_daemon.sh (for 24/7 autonomous monitoring)
Roadmap
Vigil is in active development. Here’s what’s coming:
- Evaluations: In today’s world of software and intelligence development, evaluations are all-important. Today Vigil progresses using in-house DeepTempo evaluations. Versions of these will be open sourced, and additional contributions are welcome.
- Datasets: Curated datasets are of course also enormously important in software and intelligence development. Vigil ships with a number of datasets, but more are needed. This work can include documentation and research, for example finding useful cyber competition results with tagged datasets and making them visible to Vigil and to the Vigil community.
- MCP integrations: Priority targets: Microsoft Sentinel, Elastic, Palo Alto Cortex, Google Chronicle, AWS Security Hub.
- Community skills catalog: A curated library of community-contributed skills, searchable by use case, alert type, and tool stack. Think npm for SOC agent definitions and workflows.
- Additional LLM backends: While Claude is the default (and recommended), the architecture is designed to support alternative backends. We are particularly interested in whether open source LLMs built for security may work well.
- Deeper data source support: Beyond Splunk and DeepTempo—native support for Elasticsearch, Snowflake, Cribl Lake, and S3-based data lakes should be relatively easy projects to knock out - and enormously valuable.
- Federated deployment: Run Vigil agents across multiple environments with coordinated investigation and shared skill libraries, while keeping data local to each environment. This can already be done by sharing the Skills and other artifacts via your Github and running Vigil in a headless manner at the edge. This can be polished for scaled usage.
- Detection-as-code improvements: Vigil is built around detection as code. There is more that can be done to make the Detection Engineer agent more intelligent.
Join the Community
Vigil is promising. Countless end users, partners, and even universities have said that the market needs a vibrant community supporting an open source AI SOC. Vigil has already shown, via Auto-Contributor, the ability to add capabilities quickly.
The architecture is solid, the agents work well, and the skills framework is production-tested. What we need now is the community—people who run SOCs, build integrations, write detections, and know what’s broken in their security operations today.
This isn’t a project that asks you to wait for a vendor roadmap. If something is missing, build it. If something is wrong, fix it. If something works well, share it. The agents are transparent. The skills are just files. The integrations are open standard. Everything is designed for you to make it yours.
- Star the repo: github.com/vigil-soc/vigil
- Join the Discord: discord.gg/vigil-soc
