Vigil is built by the people who run SOCs. Workshops, working sessions, and contributions to detection rules, MCP integrations, agents, and workflows: this is where it happens.
Hands-on sessions, AMAs, and detection exercises. Hosted on Luma — RSVP from the calendar below.
Vigil is a platform, not a product. Here's what you can build, with no vendor permission required.
Workflows are markdown files defining multi-agent playbooks. Phishing triage, cloud incident response, insider threat: encode any process and share it with the community. No code required.
If your security tool has an API, wrap it in a Model Context Protocol (MCP) server and Vigil can connect to it. SIEM, threat intel, firewalls, identity providers: all welcome.
Contribute rules in Sigma, Splunk SPL, Elastic KQL, or any format. Every new rule improves detection coverage for every Vigil deployment.
Each agent's behavior is readable Python. Better MITRE mapping, tighter forensic chain-of-custody formatting, sharper triage scoring: open a PR.
A searchable index of community workflows, by use case, alert type, and tool stack. Share a playbook, get one.
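Wrapping a tool API in an MCP server comes down to answering the protocol's tools/list and tools/call requests with JSON-RPC, and, because the arguments arrive from a model rather than a person, validating them before they reach the backend. The block below is an added example, not Vigil's code and not the official MCP SDK: it implements only the handler logic for a single siem_search tool over a constructed in-memory SIEM (the events are made up), and leaves the stdio/HTTP transport to a real SDK. The tool name, the allow-listed fields and the result cap are assumptions chosen for the example.

```python
"""Minimal MCP-style tool server for a (constructed) SIEM search API.

Added example, not Vigil's code. Only the JSON-RPC handler logic is shown;
framing and transport are the job of an MCP SDK.
"""
import json
import re

# Constructed stand-in for a SIEM search API; none of this is real data.
FAKE_SIEM = [
    {"ts": "2024-05-01T10:00:01Z", "host": "web-01", "user": "svc_web",
     "event": "login_failed", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:05Z", "host": "web-01", "user": "svc_web",
     "event": "login_failed", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:01:00Z", "host": "dc-01", "user": "admin",
     "event": "login_success", "src_ip": "10.0.0.5"},
]

ALLOWED_FIELDS = ("host", "user", "event", "src_ip")   # assumed allow-list
MAX_RESULTS = 100                                       # assumed result cap

# Tool advertised to the client; inputSchema is JSON Schema, as MCP expects.
TOOLS = [{
    "name": "siem_search",
    "description": "Search SIEM events by one field/value pair.",
    "inputSchema": {
        "type": "object",
        "properties": {
            "field": {"type": "string", "enum": list(ALLOWED_FIELDS)},
            "value": {"type": "string"},
            "limit": {"type": "integer", "minimum": 1, "maximum": MAX_RESULTS},
        },
        "required": ["field", "value"],
    },
}]


def siem_search(field, value, limit=20):
    """Validate model-supplied arguments, then query the (fake) backend."""
    # The schema is advice to the client; the server must still enforce it.
    # Allow-listing the field and restricting the value to a literal token is
    # what stops a crafted argument from becoming a query-language injection
    # against a backend that takes raw query strings.
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    if not isinstance(value, str) or not re.fullmatch(r"[\w.\-:@]{1,128}", value):
        raise ValueError("value must be a short literal token")
    try:
        limit = int(limit)
    except (TypeError, ValueError):
        raise ValueError("limit must be an integer")
    limit = max(1, min(limit, MAX_RESULTS))  # bound the data handed to the model
    return [e for e in FAKE_SIEM if e.get(field) == value][:limit]


def _ok(rid, result):
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def _err(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def handle(request):
    """Dispatch one JSON-RPC request dict and return the response dict."""
    rid = request.get("id")
    method = request.get("method")
    params = request.get("params") or {}
    if method == "initialize":
        return _ok(rid, {"protocolVersion": "2024-11-05",
                         "capabilities": {"tools": {}},
                         "serverInfo": {"name": "siem-mcp-example", "version": "0.1"}})
    if method == "tools/list":
        return _ok(rid, {"tools": TOOLS})
    if method == "tools/call":
        if params.get("name") != "siem_search":
            return _err(rid, -32602, f"unknown tool: {params.get('name')!r}")
        args = params.get("arguments") or {}
        try:
            hits = siem_search(args.get("field"), args.get("value"), args.get("limit", 20))
        except ValueError as exc:
            # Tool-level refusals go back inside the result with isError set,
            # so the model sees a rejected call rather than a transport fault.
            return _ok(rid, {"content": [{"type": "text", "text": str(exc)}], "isError": True})
        return _ok(rid, {"content": [{"type": "text", "text": json.dumps(hits)}], "isError": False})
    return _err(rid, -32601, f"method not found: {method}")


def call_result(response):
    """Decode the hit list from a successful tools/call response."""
    return json.loads(response["result"]["content"][0]["text"])


def demo():
    """A client/server exchange: handshake, discovery, a good call, a bad call."""
    exchange = [
        {"jsonrpc": "2.0", "id": 1, "method": "initialize",
         "params": {"protocolVersion": "2024-11-05", "capabilities": {},
                    "clientInfo": {"name": "vigil-agent", "version": "0.0"}}},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "siem_search",
                    "arguments": {"field": "src_ip", "value": "203.0.113.7"}}},
        {"jsonrpc": "2.0", "id": 4, "method": "tools/call",
         "params": {"name": "siem_search",
                    "arguments": {"field": "src_ip; DROP TABLE events", "value": "x"}}},
    ]
    return [handle(r) for r in exchange]


if __name__ == "__main__":
    for resp in demo():
        print(json.dumps(resp))
```

The point to carry over to a real wrapper is the split between the schema in tools/list and the checks in siem_search: the schema tells the model what to send, the checks decide what the backend actually receives, and a tool that forwards a free-form query string to a SIEM gives every prompt-injected alert a path to that query engine.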
Run agents across multiple environments. Data stays local to each.
Version-controlled detection rules with automated testing and deployment.
Ollama and other local LLM providers as drop-in alternatives to the default Claude backend.
Authentication is currently a DEV_MODE bypass, so treat any deployment as trusted-network only for now. Production auth (SSO, scoped tokens, role-based access) is on deck.
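Two items above go together: contributing rules in Sigma, and keeping detection rules under version control with automated testing. What makes a shared rule trustworthy is a test that runs it against known true-positive and true-negative events before it is merged. The block below is an added example, not Vigil's code and not a full Sigma engine: it evaluates a subset of Sigma (selection maps with contains/startswith/endswith modifiers, and "and"/"not" conditions) against constructed process-creation events, and wraps the cases in the kind of check a CI job would run. The rule is written as the Python dict a YAML loader would produce, so the example runs without pyyaml; the events and the CcmExec.exe filter entry are assumptions made up for the example.

```python
"""Sigma-subset evaluator plus a detection-as-code test harness.

Added example, not Vigil's code. In a rule repository the rule would be a
YAML file loaded with pyyaml; here it is the equivalent dict so the block
runs stand-alone.
"""

# Constructed rule in Sigma layout (parsed form). The filter entry is an
# assumed allow-list for a management agent, not a recommendation.
RULE = {
    "title": "Suspicious Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        "filter": {"ParentImage|endswith": "\\CcmExec.exe"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}


def _match_value(actual, pattern, modifier):
    """Sigma string matching is case-insensitive; apply one modifier."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier is None:
        return a == p
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(selection, event):
    """All fields in a selection must match; a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event.get(field), v, modifier or None) for v in values):
            return False
    return True


def evaluate(rule, event):
    """Supports conditions of the form 'a', 'a and b', 'a and not b'."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if _match_selection(det[name], event) == negate:
            return False
    return True


# Constructed test events: (event, expected verdict).
TEST_CASES = [
    ({"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
      "ParentImage": "C:\\Windows\\explorer.exe"}, True),          # true positive
    ({"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell.exe -Command Get-Date",
      "ParentImage": "C:\\Windows\\explorer.exe"}, False),         # benign use
    ({"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
      "CommandLine": "pwsh.exe -EncodedCommand SQBFAFgA",
      "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"}, False),     # excluded by filter
    ({"Image": "C:\\Windows\\System32\\cmd.exe",
      "CommandLine": "cmd.exe /c echo -enc SQBFAFgA",
      "ParentImage": "C:\\Windows\\explorer.exe"}, False),         # wrong process
]


def run_tests(rule, cases):
    """Return a list of failure descriptions; an empty list means the rule passes."""
    failures = []
    for i, (event, expected) in enumerate(cases):
        got = evaluate(rule, event)
        if got != expected:
            failures.append(f"case {i}: expected {expected}, got {got}: {event['CommandLine']}")
    return failures


if __name__ == "__main__":
    problems = run_tests(RULE, TEST_CASES)
    print("PASS" if not problems else "\n".join(problems))
```

The negative cases are the ones worth arguing over in review: a rule whose tests only contain true positives will pass while alerting on every scheduled task, and the filter exclusion is exactly the kind of line an attacker benefits from if it is wider than the test proves it needs to be.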
Vigil is early. The architecture is solid, the agents are working, and the workflow system is production-tested.
What we need now is the community: people who run SOCs, build integrations, write detections, and know what's broken in their security operations today.
The agents are transparent. The workflows are text files. The integrations are open standard.
Everything is designed for you to make it yours.