Exertus Autonomous SOC

Created by team Exertus on June 18, 2026
Multi-Agent Software Development · Regulated & High-Stakes Workflows

Most SOC solutions either require an expensive cloud subscription or send critical security data to third parties, which puts that data at risk from the moment an alert leaves the network. This project addresses both problems with an on-premises SOC platform built on five specialized local LLMs running on Ollama, so no data is sent to any cloud platform.

All data is kept local by design. Incidents, IOCs, investigation findings and agent outputs are stored in a local SQLite database and are never sent to a third-party AI provider. LLM inference runs through Ollama, so no breach details or threat data leave the network to be analyzed. Third-party API keys are encrypted at rest and are never exposed through the API beyond a boolean flag indicating that a key is present. JWT-based authentication and role-based access control ensure that only authorized users can read or update data, and every mutation is recorded in an audit trail that captures the user, the action, the time and the outcome.

When an incident is ingested it passes through a pipeline of five agents. The Triage Agent assigns a severity and a threat category. The Threat Intelligence Agent enriches IOCs from multiple providers (VirusTotal, AbuseIPDB, AlienVault OTX, MISP), adds a risk score and correlates the results with MITRE ATT&CK techniques. The Investigation Agent cross-references the timeline and the IOCs to determine potential attack chains and impact. The Response Agent generates prioritized containment, eradication and recovery actions, which a human must approve before they are executed. Finally, the Executive Summary Agent presents the results to the board, including severity charts and MTTR metrics.

The platform also includes a Detection Engineering module for managing SIGMA, YARA, Suricata and Wazuh rules, plus a live dashboard of incidents, timelines, agent outputs and approvals, enabling fast, automated response without compromising data security.
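The two controls the description leans on most, an audit row for every mutation (user, action, time, outcome) and an API that reveals only whether an integration key is configured, are easy to get subtly wrong (auditing only successes, or returning a masked key instead of a bare flag). The following is an added illustrative example, not the Exertus project's own code: a minimal SQLite-backed store in Python's standard library that enforces a role check on incident mutations, audits both allowed and denied attempts, and projects stored provider keys to a presence flag. The table layout, role names, permission strings and sample incident are all assumptions for this example; encryption of the key at rest is assumed to happen before `store_integration_key` is called, so the function receives ciphertext bytes and never decrypts anything.

```python
"""Added example (not the project's code): RBAC-gated mutations with an
audit trail and a presence-only view of third-party integration keys."""
import sqlite3
from datetime import datetime, timezone

# Assumed role model for this example: admins configure integrations and edit
# incidents, analysts edit incidents, viewers can only read.
ROLE_PERMISSIONS = {
    "admin": {"incident.update", "integration.configure"},
    "analyst": {"incident.update"},
    "viewer": set(),
}

# Providers named on the page; the API reports only whether each has a key.
PROVIDERS = ("virustotal", "abuseipdb", "otx", "misp")


def open_store() -> sqlite3.Connection:
    """Create an in-memory database with the three tables this example uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE incidents (id INTEGER PRIMARY KEY, title TEXT, severity TEXT);
        CREATE TABLE integration_keys (provider TEXT PRIMARY KEY, ciphertext BLOB);
        CREATE TABLE audit_log (
            ts TEXT NOT NULL, user TEXT NOT NULL, action TEXT NOT NULL,
            target TEXT, outcome TEXT NOT NULL
        );
        """
    )
    return conn


def seed_example_incident(conn: sqlite3.Connection) -> int:
    """Insert one constructed incident and return its id."""
    cur = conn.execute(
        "INSERT INTO incidents (title, severity) VALUES (?, ?)",
        ("Suspicious login from new geolocation", "medium"),
    )
    conn.commit()
    return cur.lastrowid


def _audit(conn, user: str, action: str, target: str, outcome: str) -> None:
    """Append one audit row. Called on every attempt, allowed or denied."""
    conn.execute(
        "INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), user, action, target, outcome),
    )


def _allowed(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())


def update_severity(conn, user: str, role: str, incident_id: int, severity: str) -> bool:
    """Change an incident's severity if the role permits; audit the outcome either way."""
    target = f"incident:{incident_id}"
    if not _allowed(role, "incident.update"):
        _audit(conn, user, "incident.update", target, "denied")
        conn.commit()
        return False
    cur = conn.execute("UPDATE incidents SET severity = ? WHERE id = ?", (severity, incident_id))
    outcome = "ok" if cur.rowcount == 1 else "not_found"
    _audit(conn, user, "incident.update", target, outcome)
    conn.commit()
    return outcome == "ok"


def store_integration_key(conn, user: str, role: str, provider: str, ciphertext: bytes) -> bool:
    """Persist an already-encrypted provider key (encryption happens upstream, assumed)."""
    target = f"integration:{provider}"
    if provider not in PROVIDERS or not _allowed(role, "integration.configure"):
        _audit(conn, user, "integration.configure", target, "denied")
        conn.commit()
        return False
    conn.execute("INSERT OR REPLACE INTO integration_keys VALUES (?, ?)", (provider, ciphertext))
    _audit(conn, user, "integration.configure", target, "ok")
    conn.commit()
    return True


def integration_status(conn) -> dict:
    """API-facing view: a boolean per provider, never the key material itself."""
    configured = {row[0] for row in conn.execute("SELECT provider FROM integration_keys")}
    return {p: {"configured": p in configured} for p in PROVIDERS}


def audit_rows(conn) -> list:
    """Return (user, action, target, outcome) tuples in insertion order."""
    return [tuple(r[1:]) for r in conn.execute("SELECT * FROM audit_log ORDER BY rowid")]
```

Note that `integration_status` never selects the `ciphertext` column at all, so there is no code path that could leak it into a response, and that a denied mutation still produces an audit row, which is what lets a reviewer later distinguish "never attempted" from "attempted and refused".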

Category tags: