How AiSOC compares
AiSOC is open-source and self-hostable, and every agent decision is recorded in the investigation ledger. Closed-source AI SOCs run on vendor infrastructure and do not expose the agent loop, which makes them harder to review under SOC 2, ISO 27001, or DORA controls.
| Capability | AiSOC | Wazuh | Splunk Enterprise Security | Closed-source AI SOC |
|---|---|---|---|---|
| Open-source (MIT) and self-hostable | Yes — MIT | Yes — GPLv2 | No | Cloud-only |
| Agent decisions are auditable line-by-line | Yes — full ledger + replay | No agent layer | Black-box ML | Black-box agent |
| Substrate has a public regression-gate harness | 200-case suite, CI-gated | Not published | Not published | Vendor-claimed only |
| Native AI investigation agent | LangGraph multi-agent | No | Splunk AI Assistant add-on | Closed-source |
| MITRE ATT&CK heatmap + purple-team emulation | Built-in | Partial | Premium add-on | Limited |
| Plugin SDK (Python + Go) + community marketplace | Both SDKs, MIT | Wodles only | Splunkbase | Vendor-only |
| Compliance evidence (SOC2 / ISO / NIST / DORA) | Built-in dashboards | No | Premium add-on | Reporting only |
Capability claims for other vendors are sourced from their public documentation as of 2026. AiSOC's claims map directly to code in this repository — see the docs.
What ships in the box
The first three rows describe the properties most relevant to a regulated buyer. The remainder enumerate the SOC substrate.
Auditable agent decisions
Every prompt, tool call, and rationale the agent emits is persisted to the investigation ledger and replayable step-by-step in the case workspace.
Public eval harness
200-incident, CI-gated regression harness over the AiSOC substrate (extractors, fusion, templates, judges). Reproducible on a laptop in seconds. The harness docs state what each metric measures and, just as importantly, what it does not.
MIT-licensed, self-hostable
The code, prompts, and templates are in the repo. No CLA, no telemetry, no calls home.
LangGraph multi-agent investigation
Recon, forensic, responder, and reporter agents wired through a LangGraph orchestrator for triage and case enrichment.
Playbook engine
Visual React Flow editor with 12 starter templates for automated, human-gated response actions.
UEBA
Per-user Welford online baselines, Z-score anomaly scoring, and Kafka-integrated anomaly publishing.
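The Welford baseline and Z-score scoring described above, as an added example (this is illustrative code, not AiSOC's own implementation). The feature name, the sample event values, the 3-sigma threshold, the ten-event warm-up and the standard-deviation floor are all assumptions made for the example; the scoring order (judge first, learn second) is the security-relevant detail it is meant to show.

```python
import math
from dataclasses import dataclass


@dataclass
class WelfordStats:
    """Running mean and variance in one pass (Welford's algorithm).

    Only three numbers are kept per (user, feature) pair, so a baseline
    costs the same at 10 events as at 10 million; no history is stored.
    """
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations from the mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)   # uses the *updated* mean on purpose

    @property
    def variance(self) -> float:
        return self.m2 / (self.n - 1) if self.n > 1 else 0.0

    @property
    def stddev(self) -> float:
        return math.sqrt(self.variance)


def welford_of(values) -> WelfordStats:
    stats = WelfordStats()
    for v in values:
        stats.update(v)
    return stats


class UserBaseline:
    """Per-user, per-feature baselines with Z-score scoring.

    The defaults below are assumptions for this example, not AiSOC's.
    """

    def __init__(self, z_threshold: float = 3.0, min_samples: int = 10,
                 std_floor: float = 1.0, learn_from_anomalies: bool = False):
        self.z_threshold = z_threshold
        self.min_samples = min_samples          # no verdict until the baseline is warm
        self.std_floor = std_floor              # a flat baseline must not make z explode
        self.learn_from_anomalies = learn_from_anomalies
        self._stats: dict[tuple[str, str], WelfordStats] = {}

    def observe(self, user: str, feature: str, value: float) -> tuple[float, bool]:
        """Score `value` against the user's baseline, then (maybe) learn it.

        Returns (z, anomalous). Scoring happens before the update so the
        event under judgement cannot shift the baseline it is judged against.
        """
        stats = self._stats.setdefault((user, feature), WelfordStats())
        z, anomalous = 0.0, False
        if stats.n >= self.min_samples:
            z = (value - stats.mean) / max(stats.stddev, self.std_floor)
            anomalous = abs(z) >= self.z_threshold
        if not anomalous or self.learn_from_anomalies:
            stats.update(value)
        return z, anomalous


# Constructed sample (not real telemetry): one user's outbound KB per hour,
# ten ordinary hours of warm-up followed by an exfiltration-sized spike.
FEATURE = "bytes_out_kb_per_hour"
WARMUP = [100, 120, 110, 95, 105, 115, 100, 110, 90, 105]


def run_demo() -> list[tuple[float, bool]]:
    ub = UserBaseline()
    results = [ub.observe("alice", FEATURE, v) for v in WARMUP]
    results.append(ub.observe("alice", FEATURE, 1000))   # spike: z about 98, flagged
    results.append(ub.observe("alice", FEATURE, 110))    # back to normal: z about 0.55
    return results


if __name__ == "__main__":
    for (z, flag), v in zip(run_demo(), WARMUP + [1000, 110]):
        print(f"{v:>6}  z={z:7.2f}  {'ANOMALY' if flag else ''}")
```

Two caveats worth carrying into any real deployment: during the warm-up window a user is effectively unscored, so a brand-new account (or a freshly reset baseline) is the cheapest place for an attacker to operate; and while `learn_from_anomalies=False` stops a single spike from teaching the baseline, a slow ramp that stays under the threshold still drifts it upward, which is why a periodic drift check against a longer-term baseline belongs next to this scorer.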
Honeytokens
HMAC-SHA256 signed deceptive credentials (URL, file, AWS key, email) with first-touch webhook alerting.
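The HMAC-SHA256 honeytoken scheme above, as an added example that is not AiSOC's code. The share-link host, the token layout (a random id followed by a truncated MAC), the placement metadata and the webhook payload shape are all invented for the example. The point it demonstrates is why the MAC is there at all: the trigger endpoint can tell a genuine planted token from scanner noise or a guessed id without a database hit, and only the first genuine touch fires the webhook.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumptions for this example: the host, the token layout and the webhook
# payload are invented here and are not AiSOC's formats.
SHARE_HOST = "https://files.internal.example/share/"
ID_HEX = 16    # 8 random bytes, hex-encoded
TAG_HEX = 32   # first 128 bits of HMAC-SHA256, hex-encoded


@dataclass
class HoneytokenVault:
    key: bytes                                                  # dedicated HMAC key, server-side only
    registry: dict[str, dict] = field(default_factory=dict)     # token_id -> placement metadata
    touched: set[str] = field(default_factory=set)              # ids that already alerted

    def _tag(self, kind: str, token_id: str) -> str:
        # The kind is bound into the MAC so a URL token cannot be replayed as an email token.
        msg = f"{kind}:{token_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:TAG_HEX]

    def mint(self, kind: str, placed_at: str) -> str:
        """Create a token of `kind`, record where it was planted, return the credential text."""
        token_id = secrets.token_hex(ID_HEX // 2)
        tag = self._tag(kind, token_id)
        self.registry[token_id] = {"kind": kind, "placed_at": placed_at}
        if kind == "url":
            return SHARE_HOST + token_id + tag
        return f"{kind}-{token_id}-{tag}"        # generic rendering for file/email/aws-style kinds

    def touch(self, kind: str, token_id: str, tag: str, source_ip: str, webhook) -> str:
        """Handle a hit. Returns the disposition; the webhook fires only on the first genuine touch."""
        if not hmac.compare_digest(self._tag(kind, token_id), tag):
            return "forged"     # MAC mismatch: not minted under this key, do not alert
        if token_id not in self.registry:
            return "unknown"    # genuine MAC but no record: registry loss or key leak, alert separately
        if token_id in self.touched:
            return "repeat"     # first-touch semantics: later hits are logged, not re-alerted
        self.touched.add(token_id)
        meta = self.registry[token_id]
        webhook({"event": "honeytoken_touch", "kind": kind, "token_id": token_id,
                 "placed_at": meta["placed_at"], "source_ip": source_ip})
        return "alerted"


def parse_share_url(url: str) -> tuple[str, str]:
    """Split the last path element of a share URL into (token_id, tag)."""
    leaf = urlparse(url).path.rsplit("/", 1)[-1]
    return leaf[:ID_HEX], leaf[ID_HEX:ID_HEX + TAG_HEX]


def run_demo() -> tuple[list[str], list[dict]]:
    alerts: list[dict] = []
    vault = HoneytokenVault(key=secrets.token_bytes(32))
    # Constructed placement: a decoy share link dropped on a file server.
    link = vault.mint("url", placed_at="fileserver01:/finance/Q3-payroll.xlsx")
    tid, tag = parse_share_url(link)
    statuses = [
        vault.touch("url", tid, tag, "203.0.113.7", alerts.append),            # first touch: alert
        vault.touch("url", tid, tag, "203.0.113.7", alerts.append),            # second touch: suppressed
        vault.touch("url", tid, "0" * TAG_HEX, "198.51.100.2", alerts.append), # forged tag: ignored
        vault.touch("email", tid, tag, "198.51.100.2", alerts.append),         # right tag, wrong kind
    ]
    return statuses, alerts


if __name__ == "__main__":
    statuses, alerts = run_demo()
    print(statuses)          # ['alerted', 'repeat', 'forged', 'forged']
    print(alerts[0]["placed_at"], "<-", alerts[0]["source_ip"])
```

Design notes: `hmac.compare_digest` keeps the tag check constant-time, so an attacker probing the trigger endpoint gets no timing oracle on the MAC; the key should be dedicated to honeytokens rather than shared with session signing, because a leak of this key only lets someone forge decoys, not sessions; and the webhook payload carries placement metadata but never the key.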
Purple Team
Atomic Red Team YAML parser, Caldera executor, ATT&CK coverage heatmap, and tabletop sessions.
Real-time fusion
Kafka spine with sub-second alert ingestion, Bloom-filter dedup on 10M+ IOCs, ML scoring (LightGBM + Isolation Forest).
Attack graph
Neo4j entity graph with attack-path reconstruction and blast-radius gating on automated actions.
Detection engineering
Sigma over OpenSearch and ClickHouse, YARA, KQL/EQL — community catalog with one-click install.
Enterprise governance
SAML 2.0 and OIDC SSO, multi-tenant isolation enforced with Postgres row-level security (RLS), granular RBAC, and an immutable audit log.
Compliance dashboards
SOC 2, ISO 27001, NIST CSF, PCI-DSS, HIPAA, and DORA evidence with MTTD/MTTR/MTTC SLA tracking.
Plugin ecosystem
Python and TypeScript SDKs, Ed25519-signed publishing, and a community marketplace.
Deployment
Helm charts, Docker Compose, OpenTelemetry traces/metrics/logs, and PostgreSQL backup with KMS encryption.