AI-powered security event analysis

The hundred-eyed watchman for your logs.

Argus ingests a live stream of security events, detects threats with a rule-based engine, correlates them into incidents, and explains each one in plain language — all on a real-time console.

argus://console/live · LIVE
128,450 events ingested · 41 alerts fired · 3 open incidents

    A live simulation — real alerts stream the same way inside the console.

    Pipeline stages: 01 Generate → 02 Stream → 03 Normalize → 04 Detect → 05 Correlate → 06 Summarize

    How it works

    An event-driven pipeline, end to end — every stage is a real module that could stand alone as a service.

    01 · Events stream in

    A scenario-driven generator emits realistic security logs — auth, network, process — onto Kafka. A /simulate API lets you fire attacks on demand.

    02 · Everything is normalized

    The parser validates each event against a Zod schema at the Kafka boundary and maps it into one canonical shape before anything downstream sees it.

    03 · The engine detects

    Stateful rules run over the normalized stream — brute-force bursts, privilege escalation, anomalies — and emit alerts the instant a threshold trips.

    04 · Alerts become incidents

    Correlation groups related alerts into a single incident, and an LLM drafts a plain-language summary so an analyst reads the story, not the noise.

    AI incident summaries

    From a wall of alerts to a paragraph a human can act on.

    Correlation stitches related alerts into one incident, then an LLM writes the summary — attacker, target, technique, and what to do next. No model key configured? Argus falls back to a deterministic template so it always runs.

    INC-2043 · critical
    • 61× failed SSH from 10.0.4.12
    • successful root login on prod-web-01
    • privilege escalation + outbound :4444
    Generated summary

    A brute-force campaign from 10.0.4.12 succeeded against prod-web-01 after 61 failed attempts, gaining root and opening an outbound channel on port 4444. Likely C2. Isolate the host and rotate credentials.
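Steps 03 and 04 of the pipeline above and the no-key fallback, as an added TypeScript example that is not Argus's own code: a stateful brute-force rule, host/source correlation, and a deterministic template summary run over a constructed scenario mirroring the INC-2043 card. The event shape, rule names, correlation key and template wording are assumptions; the page does not publish its schema.

```typescript
// Added example, not Argus's own code: event shape, rule names, correlation key and template text are assumptions.
export interface Event { ts: number; kind: "auth_fail" | "auth_success" | "priv_esc" | "net_out"; src: string; host: string; user?: string; port?: number }
export interface Alert { ts: number; rule: string; src: string; host: string; detail: string }
export interface Incident { id: string; severity: string; alerts: Alert[]; summary: string }
// Stateful rule set: the brute-force rule keeps a sliding window of failed logins per source address.
export function makeDetector(threshold = 5, windowMs = 60_000) {
  const fails = new Map<string, number[]>();
  return (e: Event): Alert | null => {
    const base = { ts: e.ts, src: e.src, host: e.host };
    if (e.kind === "auth_fail") {
      const recent = (fails.get(e.src) ?? []).filter(t => e.ts - t <= windowMs);
      recent.push(e.ts); fails.set(e.src, recent);
      if (recent.length !== threshold) return null; // fire once, the instant the threshold trips
      return { ...base, rule: "brute_force", detail: `${recent.length}× failed SSH from ${e.src}` };
    }
    if (e.kind === "auth_success" && e.user === "root")
      return { ...base, rule: "root_login", detail: `successful root login on ${e.host}` };
    if (e.kind === "priv_esc") return { ...base, rule: "priv_esc", detail: `privilege escalation on ${e.host}` };
    if (e.kind !== "net_out" || e.port !== 4444) return null; // 4444 is a constructed watch-port for this demo
    return { ...base, rule: "net_out", detail: `outbound :${e.port} from ${e.host}` };
  };
}
// Deterministic fallback summary, used when no LLM key is configured.
export function templateSummary(alerts: Alert[]): string {
  const rules = new Set(alerts.map(a => a.rule)), s = [alerts.map(a => a.detail).join("; ") + "."];
  if (rules.has("brute_force") && rules.has("root_login")) s.push("The brute force likely succeeded.");
  if (rules.has("net_out")) s.push("Outbound channel is likely C2. Isolate the host and rotate credentials.");
  return s.join(" ");
}
// Correlation: an alert joins an open incident that shares its host or source within the window.
export function correlate(alerts: Alert[], windowMs = 300_000): Incident[] {
  const incidents: Incident[] = [];
  for (const a of alerts) {
    const open = incidents.find(i => a.ts - i.alerts[i.alerts.length - 1].ts <= windowMs
      && i.alerts.some(b => b.host === a.host || b.src === a.src));
    if (open) open.alerts.push(a); else incidents.push({ id: `INC-${incidents.length + 1}`, severity: "", alerts: [a], summary: "" });
  }
  return incidents.map(i => {
    const n = new Set(i.alerts.map(a => a.rule)).size; // distinct rules drive severity
    return { ...i, severity: n >= 3 ? "critical" : n === 2 ? "high" : "medium", summary: templateSummary(i.alerts) };
  });
}
// Constructed scenario mirroring the INC-2043 card: failed SSH, root login, priv-esc, outbound :4444.
export function runScenario(): Incident[] {
  const src = "10.0.4.12", host = "prod-web-01", detect = makeDetector(5);
  const events: Event[] = Array.from({ length: 6 }, (_, k) => ({ ts: 1000 + k * 500, kind: "auth_fail" as const, src, host }));
  events.push({ ts: 4000, kind: "auth_success", src, host, user: "root" },
    { ts: 5000, kind: "priv_esc", src: host, host }, { ts: 6000, kind: "net_out", src: host, host, port: 4444 });
  return correlate(events.map(detect).filter((a): a is Alert => a !== null));
}
```

The brute-force rule fires exactly once when the count reaches the threshold inside the window, so a sixth failure produces no duplicate alert; failures older than the window are dropped before counting.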

    Capabilities

    Everything your SOC needs, watching in real time.

    streaming

    Event-driven ingestion

    Millions of raw events stream in and are normalized into one canonical schema before anything downstream ever sees them.

    detection

    Real-time threat detection

    A stateful engine watches the stream and fires the instant a threshold trips — brute-force bursts, privilege escalation, anomalies.

    incidents

    Automatic correlation

    Related alerts collapse into a single incident, so your team sees one coherent attack — not a thousand disconnected lines of noise.

    ai

    AI incident summaries

    Every incident is explained in plain language — attacker, target, technique, and the next action to take. No triage archaeology.

    live

    Real-time console

    Alerts appear the moment they fire over a live connection — no refreshing, no polling, no waiting for a batch job.

    trust

    Reliable by design

    Every event is validated at the boundary and carries a trace ID end-to-end, so nothing silently drops and everything is auditable.

    1M+ events processed / run
    <1s event → alert on screen
    24/7 always-on monitoring
    100% events traced end-to-end

    See it detect an attack, live.

    Watch alerts fire, correlate into incidents, and get explained — in real time.