What it does AiSOC ingests security events from 14 log sources (Sysmon, CloudTrail, Kubernetes audit, etc.), correlates them through a Neo4j graph, and runs AI-driven triage through four agents: Detect, Triage, Hunt, and Respond. The stack includes a Next.js console with workbench-style views for alerts, investigation queues, and rule tuning. Everything ships under MIT license and deploys via Docker Compose or Terraform for AWS, GCP, and Azure.

The interesting bit The ~600-line LangGraph orchestrator is deliberately small enough to read in one sitting. More importantly, the “Investigation Ledger” captures every LLM prompt, response, evidence citation, and tool call with full replayability — a direct counter to closed-source AI SOC vendors that exfiltrate data and hide reasoning. The CI-gated eval harness is equally unusual: five test suites (200 synthetic incidents, 1,000-alert noise streams, schema coverage) block merges to main, with per-template macro scores so one broken template can’t hide behind 199 passing duplicates.

Key highlights

• No vendor callbacks — runs entirely on your infrastructure; no data shipped for “model improvement”
• Graph at ingest — Neo4j entity graph with 17 node labels and 14 edge types written inline with Kafka consumption
• Natural-language hunting — type a hypothesis in English, get back ES|QL / SPL / KQL templates (HuntAgent never writes raw queries)
• Multi-tenant console — global time-window selector, tenant switcher for MSSPs, role badges to prevent viewer/admin confusion
• Zero-prerequisite installer — install.sh bootstraps Docker, Node, pnpm, and Python from a clean machine

Caveats

• The live demo at tryaisoc.com runs on a maintainer’s box via Cloudflare Tunnel and “can go offline at any time”
• v7.4.0 (May 2026) is explicitly a security-hardening and platform release, not a feature drop — much of the work is CVE clearance, dependency sweeps, and Terraform skeletons
• The benchmark scoreboard visually separates “substrate” (deterministic self-consistency) from “wet-eval” (live agent) scores to prevent misleading performance claims

Verdict Worth a look if you run a SOC, build security tools, or simply want to audit how an AI makes incident-response decisions. Skip it if you need a managed SaaS with an SLA — this is explicitly self-hosted, self-maintained infrastructure.