The hundred-eyed watchman for your logs.
Argus ingests a live stream of security events, detects threats with a rule-based engine, correlates them into incidents, and explains each one in plain language — all on a real-time console.
A live simulation — real alerts stream the same way inside the console.
How it works
An event-driven pipeline, end to end — every stage is a real module that could stand alone as a service.
Events stream in
A scenario-driven generator emits realistic security logs — auth, network, process — onto Kafka. A /simulate API lets you fire attacks on demand.
Everything is normalized
The parser validates each event against a Zod schema at the Kafka boundary and maps it into one canonical shape before anything downstream sees it.
The engine detects
Stateful rules run over the normalized stream — brute-force bursts, privilege escalation, anomalies — and emit alerts the instant a threshold trips.
Alerts become incidents
Correlation groups related alerts into a single incident, and an LLM drafts a plain-language summary so an analyst reads the story, not the noise.
From a wall of alerts to a paragraph a human can act on.
Correlation stitches related alerts into one incident, then an LLM writes the summary — attacker, target, technique, and what to do next. No model key configured? Argus falls back to a deterministic template so it always runs.
- 61× failed SSH from 10.0.4.12
- successful root login on prod-web-01
- privilege escalation + outbound :4444
A brute-force campaign from 10.0.4.12 succeeded against prod-web-01 after 61 failed attempts, gaining root and opening an outbound channel on port 4444. Likely C2. Isolate the host and rotate credentials.
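As an added illustration of the pipeline described above (event validation at the boundary, a stateful brute-force rule that fires the instant its threshold trips, correlation by source and host, and the deterministic template summary used when no model key is configured), here is a self-contained sketch in TypeScript. It is not Argus's own code: the event shape, the threshold of 10 failures in a 60-second window, and the rule names are assumptions, and a hand-written type check stands in for the Zod schema.

```typescript
// Added example, not Argus's own code. Event shape, threshold, window and
// rule names are assumptions; a manual check stands in for the Zod schema.
type AuthEvent = { ts: number; src: string; host: string; ok: boolean };
type Alert = { rule: string; src: string; host: string; ts: number; detail: string };
type Incident = { key: string; alerts: Alert[]; summary: string };

// Stand-in for the Zod validation at the Kafka boundary: anything that is
// not a well-formed auth event is rejected before the rules ever see it.
function parseAuthEvent(raw: unknown): AuthEvent | null {
  const r = raw as Record<string, unknown> | null;
  if (!r || typeof r.ts !== "number" || typeof r.src !== "string" ||
      typeof r.host !== "string" || typeof r.ok !== "boolean") return null;
  return { ts: r.ts as number, src: r.src as string, host: r.host as string, ok: r.ok as boolean };
}

class BruteForceEngine {
  private fails = new Map<string, number[]>(); // src|host -> failure timestamps in window
  private burst = new Set<string>();            // keys whose threshold has already tripped
  private threshold: number; private windowMs: number;
  constructor(threshold = 10, windowMs = 60_000) { this.threshold = threshold; this.windowMs = windowMs; }

  // Stateful rule: returns an alert the instant a threshold trips, otherwise null.
  feed(e: AuthEvent): Alert | null {
    const key = `${e.src}|${e.host}`;
    const win = (this.fails.get(key) ?? []).filter(t => e.ts - t < this.windowMs);
    if (!e.ok) win.push(e.ts);
    this.fails.set(key, win);
    if (!e.ok && win.length === this.threshold) { // fire once, exactly at the threshold
      this.burst.add(key);
      return { rule: "ssh-brute-force", src: e.src, host: e.host, ts: e.ts, detail: `${win.length} failed SSH from ${e.src}` };
    }
    if (e.ok && this.burst.has(key)) { // a success right after a burst is the real signal
      return { rule: "login-after-burst", src: e.src, host: e.host, ts: e.ts, detail: `successful login on ${e.host} after ${win.length} failures` };
    }
    return null;
  }
}

// Correlation: alerts sharing source and host collapse into one incident; the
// summary is the deterministic template fallback, not an LLM draft.
function correlate(alerts: Alert[]): Incident[] {
  const groups: Record<string, Alert[]> = {};
  for (const a of alerts) (groups[`${a.src}|${a.host}`] ??= []).push(a);
  return Object.keys(groups).map(key => {
    const grp = groups[key];
    const advice = grp.some(a => a.rule === "login-after-burst")
      ? "Brute force succeeded; isolate the host and rotate credentials."
      : "Brute force in progress; watch for a successful login.";
    return { key, alerts: grp, summary: `${grp[0].src} -> ${grp[0].host}: ${grp.map(a => a.rule).join(", ")}. ${advice}` };
  });
}
```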
Everything your SOC needs, watching in real time.
Event-driven ingestion
Millions of raw events stream in and are normalized into one canonical schema before anything downstream ever sees them.
Real-time threat detection
A stateful engine watches the stream and fires the instant a threshold trips — brute-force bursts, privilege escalation, anomalies.
Automatic correlation
Related alerts collapse into a single incident, so your team sees one coherent attack — not a thousand disconnected lines of noise.
AI incident summaries
Every incident is explained in plain language — attacker, target, technique, and the next action to take. No triage archaeology.
Real-time console
Alerts appear the moment they fire over a live connection — no refreshing, no polling, no waiting for a batch job.
Reliable by design
Every event is validated at the boundary and carries a trace ID end to end, so nothing silently drops and everything is auditable.
See it detect an attack, live.
Watch alerts fire, correlate into incidents, and get explained — in real time.