JavaScript HTML Perl CSS CoffeeScript Perl 6 Other
Clone or download
brymon68 Merge pull request #50 from sandialabs/snyk-fix-ahbw0z
[Snyk] Fix for 1 vulnerable dependencies
Latest commit 20c49ee Jul 3, 2018
Failed to load latest commit information.
bin report for david and LB memorialization Jun 27, 2018
demo adding env to demo Mar 23, 2018
docker-configs Enabling email on SCOT container May 2, 2018
docker-scripts update to restore script for docker Mar 1, 2018
docs amq docs May 8, 2018
etc so close, so close Jan 12, 2017
install updating default config Jun 25, 2018
lib Merge branch 'master' of Jul 3, 2018
pkgs Initial SCOT release Dec 6, 2014
pubdev Merge pull request #50 from sandialabs/snyk-fix-ahbw0z Jul 3, 2018
public Added capabililty for grabbing guide links on entity detail popup Jul 3, 2018
script Initial SCOT release Dec 6, 2014
t log message update Jun 25, 2018
templates matching look of entry May 2, 2018
.dockerignore Working Nov 15, 2017
.gitignore Fix to guide entity detail popup not working Apr 12, 2018
.travis.yml Should update travis build instructions too :/ Dec 16, 2015
Dockerfile-Activemq udpates to Dockerfiles to include proxy settings for pulling in host … Jan 24, 2018
Dockerfile-Apache Fix to elastic data persistence and apache restarts Jan 30, 2018
Dockerfile-Elastic Fixes to Dockerfiles and restart build deploy script to allow for bac… Feb 8, 2018
Dockerfile-Flair Fixes to Dockerfiles and restart build deploy script to allow for bac… Feb 8, 2018
Dockerfile-Game Fixes to Dockerfiles and restart build deploy script to allow for bac… Feb 8, 2018
Dockerfile-Mail Fixes to Dockerfiles and restart build deploy script to allow for bac… Feb 8, 2018
Dockerfile-Mongodb removing logging on elastic container for now Feb 20, 2018
Dockerfile-Perl Update Dockerfile-Perl May 2, 2018
Dockerfile-Reflair Fixes to Dockerfiles and restart build deploy script to allow for bac… Feb 8, 2018
Dockerfile-Scot Enabling email on SCOT container May 2, 2018
Dockerfile-Stretch Fixes to Dockerfiles and restart build deploy script to allow for bac… Feb 8, 2018
LICENSE Update LICENSE Aug 27, 2014 Update Feb 13, 2018
circle.yml Update circle.yml Dec 17, 2014
docker-compose-custom.yml Enabling email on SCOT container May 2, 2018
docker-compose.yml removing logging on elastic container for now Feb 20, 2018 scot client and install work Mar 14, 2017 missing install functionality add, now we test Jan 9, 2017
license.txt Initial SCOT release Dec 6, 2014 Merge branch 'master' of Feb 28, 2018 adding simple test program Mar 14, 2017

ScotLogo Sandia Cyber Omni Tracker

version Documentation Status license

SCOT Online Demo

Give SCOT a try: with the username: admin/ password: admin

For this demo, the app is reverted every hour on the hour.

SCOT Mailing List

Send e-mail to with body of "subscribe scot-users"

Documentation and Install

Read our documentation at Read The Docs.

Also, for docker documentation, please read:

Install It!

Docker Method

The suggested method for installation of SCOT is using docker. For a walkthrough of installing SCOT via docker, please read:

Once you have read the documentation, please run the script in the root directory of the scot source code to begin the installation process.

Legacy Method

SCOT has an installer that will work with Ubuntu 16.04 and CentOS 7.3. While there should be nothing preventing SCOT to work on other Linux's, you will have to do a lot more work by hand to get SCOT installed. (Please post your successes for others)

To install on Ubuntu 16.04 or CentOS 7:

  • clone the SCOT repo:

    git clone

  • be sure to set http_proxy environment variables if necessary

  • run the installer as root:

    • $ sudo -E bash
    • cd SCOT
    • ./ 2>&1 | tee ../scot.install.log

The install can take a while. The installer output is very verbose and saving it to a log is recommended to help with debugging any issues that might arise.


The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response management system and knowledge base. Designed by cyber security incident responders, SCOT provides a new approach to manage security alerts, analyze data for deeper patterns, coordinate team efforts, and capture team knowledge. SCOT integrates with existing security applications to provide a consistent, easy to use interface that enhances analyst effectiveness.


Customer Need

Incident response (IR) teams utilize many systems to detect, collect and analyze cyber security event data. These systems, while solving pieces of the puzzle, often fail to give the analyst a holistic view of what is happening and their team’s response to those events. Many systems do not have the flexibility to work with the IR processes to research and document those activities. Research is not easily shared and searchable, so the team’s effectiveness decreases, especially when key personnel are on vacation or take other positions. Without a ready corpus of examples of past events, training new team members becomes a lengthy process. Each additional tool adds cognitive load to the analyst and the tool’s maintenance needs take the analyst away from the primary task of IR.

Our Approach

Focused on removing the friction between analysts and their tools, SCOT enables analysts to document and share their research and response efforts. As a software suite that integrates data from detectors, analysis, and other information sources, it provides real time updates of the team’s work to keep the team informed and coordinated. SCOT automatically identifies indicators to help the analyst discover and respond to advanced threats. Centralization of the data reduces the contextual shifts necessary to access each detection system. Fusing detection data with the accumulated team knowledge allows the team to quickly discover that a new alert might be part of a larger campaign. In addition, SCOT automates and simplifies common analyst tasks to increase analyst’s effectiveness by freeing them to concentrate on cyber security – not tool mastery.


The number of alerts Sandia’s IR team has seen has nearly doubled in the past several years. SCOT enabled the team to keep up with this increase without adding additional team members. As a training tool, new team members started contributing in weeks, instead of months. In just over 4 years SCOT has amassed a database of over 700K indicators from analyst and alert input. These indicators help the team spot an adversary’s methods and tactics, as well as highlighting common targets within the enterprise. SCOT, processed over 1.6 million alerts since deployment, while maintaining 99.9% availability, and required minimal administration. SCOT is fully scalable to meet higher loads.

Competitive Advantage

Sandia's incident response team realized several advantages using SCOT over other solutions. SCOT's ease of use eliminated the steep learning curve of traditional SIEMS and captured team knowledge much more effectively. Designed for cyber security, SCOT allows the IR team to enter data easily, instead of struggling to conform to a ticketing system designed for other purposes. While workflow systems handle linear workflows easily, SCOT is purpose built for the looping nature of cyber security investigations. SCOT also solves the challenges of keeping wikis, spreadsheets and documents up-to-date and accessible to an IR team. While top-notch analysts may be able to keep everything in their brains, SCOT will capture their knowledge for when they go on vacation or to other employment.


Contact US

News and Discussion:


Bugs/Feature Requests: Use our GitHub issue tracking