Skip to content

Automatic-Case-Investigator/ACI

Repository files navigation

ACI — Autonomous Case Investigator

ACI is a SOC (Security Operations Center) agent platform that automates alert triage and multi-step incident investigation using agentic AI. Built on Django 5, LangGraph, MCP, and WebSocket-driven real-time streaming, ACI transforms raw SIEM/SOAR alerts into structured, evidence-backed incident reports.

Most AI SOC tools optimize for speed across the full alert-to-response lifecycle — triage, enrichment, risk scoring, containment. ACI's focus is different: deeper investigation before conclusion. It breaks a case into discrete investigation tasks, runs iterative SIEM queries, preserves intermediate evidence, and anchors every finding to retrieved log events rather than case narrative. The result is a traceable investigation record — what happened, which evidence supports it, which claims are still unconfirmed, and what follow-up is needed — that analysts, responders, and auditors can independently verify.

Features

  • Live reasoning stream: Real-time visibility into agent intent, tool calls, and results via WebSocket dashboard
  • Task-driven investigation: Cases are decomposed into discrete, prioritized tasks worked one at a time, keeping investigation focused and progress auditable
  • Evidence-anchored findings: Confirmed facts, working hypotheses, and extracted artifacts are tracked across tasks and tied to specific retrieved log events
  • MCP tool ecosystem: Pluggable integrations with SIEM, SOAR, workspace, and memory providers via Model Context Protocol
  • Durable analyst session state: Orchestrator conversations, specialist handoffs, resumes, and restarts are persisted back into the analyst-visible session state

Getting Started

To install, configure, and run ACI (dashboard, CLI, or REST API), see Getting Started. For the system diagram, repository layout, and design philosophy, see the Architecture Overview.

Documentation

Full documentation lives in docs/, organized by subsystem.

Guides

  • Getting Started — prerequisites, installation, configuration, running.
  • Operations — testing, development, troubleshooting.

Architecture

Reference

  • Configuration — all environment variables and settings.
  • API — REST endpoints.

Project

Contributing & configuration

License

(License information to be added)

About

An on-premise AI SOC analyst platform

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors