← Back to Blog

AiSOC — Self-Host Your Own AI-Powered Security Operations Center (Complete Docker Guide)

2026-05-21

AiSOC — Self-Host Your Own AI-Powered Security Operations Center (Complete Docker Guide)

What is AiSOC?

AiSOC is an open-source, self-hostable AI Security Operations Center that ingests security events from 50+ sources, correlates them in real time, runs autonomous AI-driven investigation via a LangGraph multi-agent system, and surfaces the results in a polished SOC console — all under the MIT license.

GitHub: github.com/beenuar/AiSOC
Stars: ⭐ 1,100+ (trending rapidly since early May 2026)
License: MIT
Live Demo: tryaisoc.com

Why this matters: Traditional SIEM/SOC solutions cost thousands per gigabyte of ingested data and lock your security telemetry in a vendor's cloud. AiSOC gives you the same capabilities — autonomous triage, MITRE ATT&CK mapping, SOAR playbooks, threat intel, compliance dashboards — running entirely on your own infrastructure for $0 in licensing fees.

What Makes AiSOC Different

Unlike closed-source AI SOC vendors, AiSOC publishes three things they don't:

  1. Every agent decision is logged. The Investigation Ledger stores every LLM prompt, response, evidence citation, and tool call for every investigation step. You can replay the full reasoning chain later.
  2. The eval harness is public and CI-gated. Five test suites gate every PR: a 200-incident synthetic dataset across 55 templates drives MITRE-tactic, investigation-completeness, and response-quality gates, plus a 1,000-alert noisy stream for alert-reduction measurement.
  3. It runs entirely on your infrastructure. No callbacks to a vendor cloud, no data exfiltration for "model improvement," no per-GB pricing.

Key Features at a Glance

  • 52 first-party connectors — EDR/XDR (CrowdStrike, SentinelOne, Defender XDR, Cortex XDR), SIEM (Splunk, Sentinel, Elastic, Chronicle, Sumo Logic), cloud (AWS Security Hub, GuardDuty, Azure, GCP SCC, Wiz, Lacework), identity (Okta, Entra ID, Duo), SaaS (M365, Google Workspace, Cloudflare, GitHub), and more
  • LangGraph multi-agent investigation — Orchestrator, recon, forensic, responder, and report-writer agents grounded in MITRE ATT&CK with Qdrant RAG memory
  • Investigation Ledger — Step-by-step replayable record of every AI decision, prompt, tool call, and evidence citation
  • 800+ native detection rules plus 6,000+ imported from SigmaHQ, Splunk Security Content, and Chronicle
  • Real-time alert fusion — Kafka spine, Bloom-filter dedup on 10M+ IOCs, ML scoring (LightGBM + Isolation Forest)
  • Neo4j attack graph — Entity graph with blast-radius gating on automated responses
  • UEBA — Per-user behavioral baselines with Z-score anomaly scoring
  • SOAR playbook engine — 50+ community playbooks with HMAC-signed human-approval gates
  • Threat intelligence — TAXII 2.1, MISP, OTX, CISA KEV with triple storage (search, vector, graph)
  • MCP server — Query alerts, run investigations, and replay agent decisions from Claude, Cursor, or any MCP-compatible IDE
  • Compliance dashboards — SOC 2, ISO 27001, NIST CSF, PCI-DSS, HIPAA, DORA with continuous evidence collection

Architecture Overview

AiSOC Architecture

AiSOC follows a microservice architecture built around a Kafka event spine. Here's how data flows through the system:

  1. Ingestion Layer — 52 connectors push normalized OCSF events into Kafka. Each connector runs as a poller on its own APScheduler schedule. Secrets are encrypted at rest with the Fernet-based CredentialVault.
  2. Fusion & Correlation — The fusion service consumes alerts from Kafka, applies Bloom-filter deduplication, runs ML scoring (LightGBM + Isolation Forest), writes a deterministic correlation narrative, and assigns confidence scores. Data is stored in OpenSearch for search and ClickHouse for analytics.
  3. Entity Graph — A Neo4j graph is built inline with Kafka consumption (17 node labels, 14 edge types). Risk-Based Alerting accumulates time-decayed risk points on users, hosts, IPs, and domains.
  4. Multi-Agent Investigation — Four LangGraph agents (Detect, Triage, Hunt, Respond) orchestrate investigations with Qdrant vector memory, MITRE ATT&CK grounding, and full Investigation Ledger logging.
  5. Storage Layer — Postgres (relational), Redis (session/working memory), OpenSearch (search), ClickHouse (analytics), Neo4j (graph), Qdrant (vector embeddings).
  6. Console & API — Next.js 14 web console surfaces alerts, cases, hunts, investigation timelines, and dashboards. REST API with Swagger docs at /docs. A real-time WebSocket server pushes live alerts.
  7. Response Actions — Playbook engine executes SOAR actions with blast-radius gating. Live Actions dispatcher pushes responses to EDR/IAM surfaces (isolate host, disable user, block IP). ChatOps integration via Slack/Teams with HMAC-signed approval prompts.

Prerequisites

  • A Linux server (or macOS) with Docker 24+ and Docker Compose v2 (the docker compose plugin, not docker-compose)
  • At least 6 GB of RAM allocated to Docker (8 GB+ recommended for production use)
  • 20 GB of free disk space for images, containers, and data volumes
  • Node.js 20+ and pnpm 8+ (only required for the one-shot demo path or development)
  • An Anthropic API key or OpenAI API key for AI investigation features (optional for deterministic/demo mode)

Setup Guide

AiSOC offers multiple deployment paths. We'll cover the most practical ones.

Path 1: One-Click Demo — 60 Seconds to a Running SOC

This is the fastest way to see AiSOC in action. It pulls prebuilt images and seeds demo data automatically.

# One-liner — requires nothing but curl and bash
curl -fsSL https://raw.githubusercontent.com/beenuar/AiSOC/main/install.sh | bash

This installer detects your OS, installs Docker, Node, pnpm, and Python idempotently, clones the repo, and launches the demo. It works on Ubuntu/Debian, Fedora/RHEL, Arch, openSUSE, Alpine, macOS, and Windows (via WSL2).

Alternative — Docker Compose demo:

git clone https://github.com/beenuar/AiSOC.git
cd AiSOC
pnpm aisoc:demo

This pulls prebuilt ghcr.io/beenuar/* images, brings up the slim demo profile (Postgres, Redis, Kafka, API, agents, realtime, web), runs the seeder as a one-shot container, and opens your browser at /cases/INC-RT-001?tab=ledger with demo@tryaisoc.com already logged in. Clone-to-investigation takes about 3.5 minutes on a warm Docker daemon.

Stop with:

pnpm aisoc:demo:down

Path 2: Full Production Stack with Docker Compose

For a self-hosted production instance, you'll build the full stack from source.

Step 1 — Clone and configure

git clone https://github.com/beenuar/AiSOC.git
cd AiSOC
cp .env.example .env

Step 2 — Set your environment variables

Edit .env and add at least one AI provider key:

# AI providers (one required for full AI features)
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...

# Optional enrichment APIs
VIRUSTOTAL_API_KEY=...
ABUSEIPDB_API_KEY=...
SHODAN_API_KEY=...

# Optional SSO (SAML 2.0 or OIDC)
SAML_IDP_METADATA_URL=...
OIDC_DISCOVERY_URL=...

Step 3 — Run the pre-flight check

pnpm aisoc:doctor

This sanity-checks Docker, Compose v2, allocated RAM, and port availability before you invest time in a build.

Step 4 — Build and start

docker compose up -d --build

The first build compiles 22 services from source (Python, Go, Node, Next.js) and pulls ~5 GB of base images. On a typical laptop, plan for 10–20 minutes for the cold build. Subsequent starts reuse cached layers and take roughly 90 seconds.

Step 5 — Seed demo data (optional)

pnpm seed:demo

This generates cases, alerts, IOCs, attack paths, and UEBA anomalies so you can explore the console immediately.

Step 6 — Access the console

  • SOC Consolehttp://localhost:3000/dashboard (login: admin@aisoc.local / changeme)
  • API (Swagger)http://localhost:8000/docs
  • Agents APIhttp://localhost:8001/docs
  • UEBAhttp://localhost:8007/docs
  • Neo4j Browserhttp://localhost:7474 (neo4j / neo4j_dev_secret)
  • Kafka UIhttp://localhost:8090
  • Grafanahttp://localhost:3001 (admin / admin)

Path 3: One-Click Cloud Deploy

AiSOC can deploy to several platforms with a single click:

  • Render: Deploy to Render button in the repo — hobby tier with sleep-on-idle, ~$14/mo
  • Fly.io: ./infra/fly/fly-demo-deploy.sh --provision — 4 apps, managed Postgres + Upstash Redis, ~$14/mo at idle
  • Railway: Uses infra/railway/railway.toml — pay-as-you-go PaaS deployment
  • Coolify: Point your Coolify instance to the docker-compose.yml in the repo
  • Kubernetes: helm install aisoc ./infra/helm/aisoc — full HPA, PDB, Ingress setup
  • AWS: cd infra/terraform && terraform apply — VPC, EKS, RDS, ElastiCache, MSK

Connecting Data Sources

AiSOC's connector catalog covers 52 sources. Each connector presents a schema-driven form in the console:

  1. Navigate to Settings → Connectors
  2. Choose your source (e.g., CrowdStrike, Splunk, AWS Security Hub, Okta)
  3. Fill in the API endpoint, credentials, and polling interval
  4. Click Test connection for a live authentication round-trip
  5. Click Save & enable

Secrets are encrypted with the application-layer CredentialVault (Fernet AES-128-CBC + HMAC-SHA256) before they reach Postgres. Each connector polls on its own APScheduler schedule and pushes normalized OCSF events to the Kafka ingest spine.

Key Connectors

  • EDR/XDR: CrowdStrike Falcon, SentinelOne, Microsoft Defender XDR, Palo Alto Cortex XDR / XSIAM, VMware Carbon Black, Trellix Helix
  • SIEM: Splunk, Microsoft Sentinel, Elastic, Google Chronicle, Sumo Logic, Rapid7 InsightIDR, Wazuh Indexer
  • Cloud: AWS Security Hub, GuardDuty, CloudTrail, VPC Flow Logs, Azure Activity, Azure Defender, GCP Cloud Audit, GCP SCC
  • CNAPP: Wiz, Lacework, Prisma Cloud, Orca, Tenable
  • Identity: Okta, Microsoft Entra ID, Duo Security, Auth0, 1Password
  • SaaS: Microsoft 365, Google Workspace, Cloudflare, GitHub, Slack audit, Jira, ServiceNow
  • Network: Tailscale, Zscaler, Cisco Umbrella
  • Container: Kubernetes audit logs (apiserver webhook or file_tail), Falco

Using the MCP Server

AiSOC ships a Model Context Protocol server so you can query alerts and run investigations from your IDE:

npx -y @aisoc/mcp install --host claude \
  --aisoc-url https://aisoc.your-company.com \
  --api-key aisoc_pat_xxxxxxxxxxxx

This exposes 13 tools including alert list/detail queries, case investigation, detection rule lookup, lake query (aisoc_lake_query for governed warm-tier SELECTs), and the full Investigation Ledger replay suite (aisoc_run_investigation, aisoc_replay_decision, aisoc_explain_step).

Verification Checklist

After deployment, run through these checks:

  • Console accessible at http://localhost:3000/dashboard — login with admin@aisoc.local / changeme
  • API docs load at http://localhost:8000/docs — all endpoint groups visible
  • Demo data seeded: navigate to /alerts and /cases — you should see pre-populated entries including INC-RT-001 (LockBit 3.0 ransomware)
  • Investigation Ledger replayable: open a case — click the Ledger tab — verify you can step through the AI agent's reasoning chain
  • Connector test: go to Settings → Connectors — pick any source — Test connection returns success
  • AI investigation works: open an alert — click Investigate — the LangGraph agent should execute and produce findings
  • Health check: pnpm aisoc:doctor passes all checks
  • Public eval harness runs: python scripts/run_evals.py --out eval_report.json completes without errors

Resources

  • GitHub: github.com/beenuar/AiSOC
  • Live Demo: tryaisoc.com
  • Documentation: GitHub Docs
  • Docker Images: ghcr.io/beenuar
  • MCP Package: @aisoc/mcp on npm
  • Python SDK: aisoc-sdk on PyPI
  • CLI Tool: aisoc-cli on PyPI — scaffold plugins, validate detections, publish to marketplace
  • License: MIT — free to use, modify, and distribute