@vantagesec/socc
v0.1.19
Security operations copilot for threat intelligence, incident response, and agentic investigation
SOCC
Security operations copilot for threat intelligence, suspicious artifact triage, investigation support, and incident response.
Documentation | Quick Start | Advanced Setup | Security | Contributing
SOCC keeps the terminal-first, agentic runtime from the current codebase and repackages it for security operations workflows. The core product stays focused on analyst support: one CLI for provider setup, tool-driven investigation, MCP integrations, streaming output, and automation-friendly execution.
What SOCC Includes
| Area | Description |
| --- | --- |
| Analyst Copilot | Investigate alerts, logs, payloads, URLs, and suspicious artifacts from a terminal-first workflow |
| Multi-provider Runtime | OpenAI-compatible providers, Gemini, GitHub Models, Codex, Ollama, Atomic Chat, and other supported backends |
| Agentic Tooling | Prompts, tools, agents, slash commands, MCP, and streaming output for guided investigation workflows |
| Headless Automation | gRPC server mode for external clients, custom UIs, and pipeline integration |
| Local + Remote Models | Cloud APIs, local inference, and profile-based routing for latency or cost tradeoffs |
| Developer Surfaces | Source build, runtime diagnostics, provider bootstrap scripts, and a VS Code extension package |
Quick Start
Install the CLI:
npm install -g @vantagesec/socc
Start SOCC:
socc
Inside SOCC:
- run /provider for guided provider setup and saved profiles
- run /onboard-github for GitHub Models onboarding
- start with a payload, alert, URL, log excerpt, or investigative question
If you want a source build, provider-specific examples, or runtime diagnostics, go straight to the documentation hub.
Documentation
- Installation: requirements, quick start, Windows setup, advanced setup
- Configuration: provider setup, LiteLLM proxy
- Operations: runtime hardening, headless gRPC
- Architecture: system overview, runtime map
- Contribution: contributor guide
Security Notes
- Treat SOCC as analyst support, not as an autonomous authority.
- Validate IOCs, findings, and conclusions before escalation, blocking, containment, or external reporting.
- Separate observed evidence from model inference, especially in incident response and threat intelligence workflows.
- Smaller or cheaper models may degrade investigation quality; verify important outputs against source evidence.
For vulnerability reporting and disclosure expectations, see SECURITY.md.
Development
bun install
bun run build
node dist/cli.mjs
Common validation commands:
bun run smoke
bun test
bun run test:coverage
bun run doctor:runtime
bun run verify:privacy
Community
- GitHub Discussions for Q&A, ideas, and community conversation
- GitHub Issues for confirmed bugs and actionable feature work
License
SOCC is released under the terms described in LICENSE.
