An intelligent, self-learning SOC agent that uses parallel LLM analysis (GPT-4 + DeepSeek), Talos zero-day intelligence, and Docker-based sandbox execution to detect and respond to security threats automatically.
- Parallel LLM Analysis: Runs GPT-4 Turbo and DeepSeek simultaneously for dual-model validation
- Zero-Day Detection: Integrates Cisco Talos intelligence to catch threats before they're widely known
- Universal Sandbox: Docker-based isolated execution environment for suspicious artifacts
- Adaptive Learning: Continuously improves detection through JSON-based memory system
- Multi-modal Analysis: Analyzes logs, network traffic, screenshots, and file behavior
- Consensus-Based Decisions: Higher confidence when both models agree
- n8n Integration: Seamlessly integrates with existing n8n workflows
IMPORTANT: The system uses Docker-in-Docker for complete isolation:
- ✅ Fresh container for EACH execution - Zero contamination risk
- ✅ Auto-cleanup - Containers destroyed after analysis
- ✅ Parallel execution - Run multiple analyses simultaneously
- ✅ Resource limits - Per-execution memory/CPU/process limits
- ✅ Production-ready - True isolation with security hardening
See DOCKER_IN_DOCKER.md for details.
Enriched Logs (AbuseIPDB/VT/IPQualityScore)
↓
AI Agent n8n Node
↓
Parallel LLM Analysis (GPT-4 + DeepSeek)
↓
Talos Zero-Day Gap Detection
↓
Sandbox Execution (Docker Container)
↓
Learning & Adaptation (JSON Memory)
↓
Report Generation (TP/FP Classification)
Production-grade isolation - Creates a fresh, disposable container for each execution:
- URL Execution: Headless Chrome with network traffic capture
- File Execution: Binary/script execution with process monitoring
- Script Execution: Python, Node.js, PowerShell, Bash interpreters
- Instrumentation: Network capture, file monitoring, screenshots
- Complete Isolation: Each execution in its own container
- Auto-Cleanup: Containers destroyed immediately after analysis
- Security: Resource limits, capability dropping, network isolation
Recommended Approach: Use SandboxClientDinD for production (see DOCKER_IN_DOCKER.md)
Fetches and parses Cisco Talos zero-day reports:
- RSS feed parsing for latest vulnerability disclosures
- IoC extraction (IPs, domains, file hashes)
- MITRE ATT&CK technique mapping
- Automated daily updates
Runs GPT-4 Turbo and DeepSeek in parallel:
- Dual-model analysis for higher accuracy
- Consensus-based decision making
- Confidence scoring
- Conflict resolution logic
JSON-based learning and adaptation:
- Attack pattern recognition
- False positive tracking
- Model performance metrics
- Historical incident correlation
Integrates all components into n8n workflow:
- Easy configuration
- API credential management
- Real-time analysis
- Detailed reporting
- Docker and Docker Compose
- n8n (self-hosted or cloud)
- Node.js 18+ and npm
- Python 3.9+
- OpenAI API key
- DeepSeek API key
cd ~/
git clone <your-repo-url> soc-ai-agent
cd soc-ai-agentFor Production (Recommended):
cd sandbox
# Build the Docker-in-Docker image
chmod +x build-dind.sh
./build-dind.sh
# Test the image
docker run --rm soc-sandbox:latest python3 /app/executors/url_executor.py --url https://example.com --timeout 30For Development/Testing Only:
# Alternative: Persistent container (NOT recommended for production)
docker-compose up -d --build
curl http://localhost:8000/healthSandboxClientDinD) for complete isolation. See DOCKER_IN_DOCKER.md for details.
cd ../talos-intelligence
# Install Python dependencies
pip3 install feedparser beautifulsoup4 requests
# Test the parser
python3 parser.py
# Run initial update (fetch last 30 days)
python3 updater.py 30
# Verify memory was updated
cat ../memory/knowledge.json | grep -A 5 "talos_intelligence"cd ../n8n-node
# Install dependencies
npm install
# Build the node
npm run build
# Link node to n8n (if self-hosted)
# Option 1: Copy to n8n custom nodes directory
cp -r dist/* ~/.n8n/custom/
# Option 2: npm link (for development)
npm link
cd ~/.n8n/nodes
npm link n8n-nodes-soc-ai-agent
# Restart n8n
pm2 restart n8n
# OR
docker restart n8n # if running in Docker-
Open n8n UI
-
Go to Credentials → Add Credential
-
Add OpenAI API credential:
- Name:
OpenAI API - API Key: Your OpenAI API key from https://platform.openai.com/api-keys
- Name:
-
Add DeepSeek API credential:
- Name:
DeepSeek API - API Key: Your DeepSeek API key from https://platform.deepseek.com
- Name:
Create a cron job or n8n workflow to update Talos intelligence daily:
Option 1: Cron Job
crontab -e
# Add this line (runs daily at 2 AM)
0 2 * * * cd ~/soc-ai-agent/talos-intelligence && python3 updater.py 7 >> /var/log/talos-updater.log 2>&1Option 2: n8n Scheduled Workflow Create a workflow with:
- Trigger: Schedule (daily)
- Node: Execute Command
- Command:
cd ~/soc-ai-agent/talos-intelligence && python3 updater.py 7
- Command:
-
Open your existing n8n workflow
-
Add a new node after your log enrichment step
-
Search for "AI SOC Agent"
-
Configure:
- OpenAI Credentials: Select your OpenAI credential
- DeepSeek Credentials: Select your DeepSeek credential
- Sandbox URL:
http://localhost:8000 - Memory Path:
/path/to/soc-ai-agent/memory/knowledge.json - Auto Sandbox: Enable/disable automatic sandbox execution
- Talos Check: Enable/disable zero-day detection
-
Map input fields:
log_entry: Your log dataenriched_data: Data from AbuseIPDB/VT/IPQualityScore
1. Read CSV (your logs)
↓
2. Enrich with AbuseIPDB
↓
3. Enrich with VirusTotal
↓
4. Enrich with IPQualityScore
↓
5. Normalize Data
↓
6. AI SOC Agent ← NEW
↓
7. Route based on verdict:
- If malicious → Alert/Block
- If suspicious → Queue for review
- If benign → Log only
The AI SOC Agent node outputs:
{
"verdict": "true_positive" | "false_positive",
"classification": "benign" | "suspicious" | "malicious",
"confidence": "low" | "medium" | "high",
"priority": "low" | "medium" | "high" | "critical",
"analysis": {
"gpt4": {
"classification": "malicious",
"confidence": 0.92,
"severity": 85,
"reasoning": "...",
"indicators": ["..."]
},
"deepseek": {
"classification": "malicious",
"confidence": 0.88,
"severity": 82,
"reasoning": "...",
"indicators": ["..."]
},
"consensus": true
},
"talos": {
"zero_day_detected": true,
"cves": ["CVE-2024-12345"],
"severity": "critical",
"exploited_in_wild": true,
"match_confidence": 0.85
},
"sandbox": {
"executed": true,
"verdict": "malicious",
"network_connections": 3,
"spawned_processes": 2,
"suspicious_indicators": ["..."]
},
"recommendations": [
"Immediate investigation required",
"Block source IP",
"Isolate affected system"
],
"report": "Detailed analysis report..."
}Edit sandbox/docker-compose.yml:
environment:
- SANDBOX_TIMEOUT=300 # Max execution time (seconds)
- MAX_FILE_SIZE=104857600 # Max file size (bytes)In the n8n node configuration:
- Temperature: 0.3 (default) - Lower = more deterministic
- Timeout: 60s - Max time for LLM response
- Retry: 3 - Number of retries on failure
Edit memory/knowledge.json manually or via API:
- Max Incidents: Automatic pruning after 10,000
- Pattern Threshold: Confidence > 0.7 to store
- Zero-Day Age: Prune after 90 days
curl http://localhost:8000/healthcat memory/knowledge.json | jq '.statistics'Output:
{
"total_incidents": 1543,
"true_positives": 421,
"false_positives": 89,
"model_agreement_rate": 0.87
}cat memory/knowledge.json | jq '.model_performance'cat memory/knowledge.json | jq '.talos_intelligence | {total: (.zero_days | length), last_update}'curl -X DELETE http://localhost:8000/cleanup# Backup first
cp memory/knowledge.json memory/knowledge.json.backup
# Reset
echo '{"version":"1.0.0","last_updated":"'$(date -u +%Y-%m-%dT%H:%M:%SZ)'","statistics":{"total_incidents":0},...}' > memory/knowledge.jsoncd talos-intelligence
python3 updater.py 7 # Fetch last 7 days# Sandbox logs
docker logs soc-sandbox
# n8n logs
pm2 logs n8n
# OR
docker logs n8n# Check if running
docker ps | grep soc-sandbox
# Restart
cd sandbox
docker-compose restart
# View logs
docker logs soc-sandbox- Rate Limit: Wait or upgrade API plan
- Invalid Key: Check credentials in n8n
- Timeout: Increase timeout in node settings
# Validate JSON
cat memory/knowledge.json | jq .
# Restore from backup
cp memory/knowledge.json.backup memory/knowledge.json# Check internet connection
ping blog.talosintelligence.com
# Check Python dependencies
pip3 list | grep -E "feedparser|beautifulsoup4|requests"
# Run manually with debug
python3 -u talos-intelligence/parser.py-
Sandbox Isolation: The sandbox runs in an isolated Docker container but can still make network connections. Use firewall rules if needed.
-
API Keys: Store API keys securely. Never commit them to git.
-
Memory File: Contains incident data. Ensure proper file permissions:
chmod 600 memory/knowledge.json
-
Network Access: Sandbox needs internet access for URL execution. Consider using a separate network segment.
-
Resource Limits: Set Docker resource limits to prevent DoS:
deploy: resources: limits: cpus: '2.0' memory: 4G
- Parallel Execution: Run multiple sandbox containers
- LLM Caching: Cache similar analyses
- Memory Pruning: Reduce retention period
- Async Sandbox: Use async execution for non-critical items
- Skip Sandbox: Only sandbox critical items
- Single LLM: Use only GPT-4 or DeepSeek
- Reduce Talos Checks: Only check on high priority
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Test thoroughly
- Submit a pull request
MIT License - See LICENSE file
For issues and questions:
- GitHub Issues: https://github.com/yourusername/soc-ai-agent/issues
- Documentation: https://github.com/yourusername/soc-ai-agent/wiki
- Cisco Talos Intelligence for zero-day research
- OpenAI and DeepSeek for LLM APIs
- n8n community for workflow automation
- Security community for threat intelligence