ACI is a SOC (Security Operations Center) agent platform that automates alert triage and multi-step incident investigation using agentic AI. Built on Django 5, LangGraph, MCP, and WebSocket-driven real-time streaming, ACI transforms raw SIEM/SOAR alerts into structured, evidence-backed incident reports.
Most AI SOC tools optimize for speed across the full alert-to-response lifecycle — triage, enrichment, risk scoring, containment. ACI's focus is different: deeper investigation before conclusion. It breaks a case into discrete investigation tasks, runs iterative SIEM queries, preserves intermediate evidence, and anchors every finding to retrieved log events rather than case narrative. The result is a traceable investigation record — what happened, which evidence supports it, which claims are still unconfirmed, and what follow-up is needed — that analysts, responders, and auditors can independently verify.
- Live reasoning stream: Real-time visibility into agent intent, tool calls, and results via WebSocket dashboard
- Task-driven investigation: Cases are decomposed into discrete, prioritized tasks worked one at a time, keeping investigation focused and progress auditable
- Evidence-anchored findings: Confirmed facts, working hypotheses, and extracted artifacts are tracked across tasks and tied to specific retrieved log events
- MCP tool ecosystem: Pluggable integrations with SIEM, SOAR, workspace, and memory providers via Model Context Protocol
- Durable analyst session state: Orchestrator conversations, specialist handoffs, resumes, and restarts are persisted back into the analyst-visible session state
To install, configure, and run ACI (dashboard, CLI, or REST API), see Getting Started. For the system diagram, repository layout, and design philosophy, see the Architecture Overview.
Full documentation lives in docs/, organized by subsystem.
Guides
- Getting Started — prerequisites, installation, configuration, running.
- Operations — testing, development, troubleshooting.
Architecture
- Overview — system diagram, repository layout, and design philosophy.
- Runtime & Agent Graph — the queue-driven node loop.
- Prompt Composition — layered prompts and the role ladder.
- Queue & Model Streaming
- Orchestrator
- MCP & Tool Policy
- Findings Board
- AVFS Workspace
- Workflows & Webhooks
Reference
- Configuration — all environment variables and settings.
- API — REST endpoints.
Project
- Current State — current runtime shape, built-in providers, and workflows.
- SOC Agent Rubric — the investigation quality rubric.
Contributing & configuration
- Contribution Guide — development philosophy and conventions.
- Agent Prompts — triage, investigation, and orchestrator instructions.
- Sample Configuration — environment variable template.
(License information to be added)