SecurityClaw
SecurityClaw is an open-source autonomous SOC agent framework for teams running OpenSearch or Elasticsearch.
About
SecurityClaw is an open-source autonomous SOC agent framework for teams running OpenSearch or Elasticsearch. It monitors security telemetry on a cron-like heartbeat (1-minute anomaly watcher, 6-hour memory builder), maintains RAG-based behavioral baselines using vector embeddings, and routes findings through LLM-driven analysis. Skills are modular — each is a folder with a Python logic file and a Markdown instruction file — making the framework extensible without touching core code.
It is aimed at security engineers and infra teams who already use OpenSearch or Elasticsearch for telemetry and want a self-hosted, extensible agent framework for continuous anomaly monitoring, behavioral baselining, and LLM-assisted threat triage, without relying on a commercial SIEM.
Pros & Cons
Pros
- Skill-based modularity makes it genuinely extensible: add new detection or enrichment capabilities without modifying the core
- RAG-backed behavioral memory means anomaly assessment improves as it accumulates context over time
- Docker-based onboarding with a web UI and CLI reduces setup friction for self-hosted deployments
- Ollama support means you can run fully local LLM inference; no OpenAI API key required
- Active development (35+ commits, frequent updates) with a test suite and mocked unit tests for CI
Cons
- OpenAI support was removed in favor of Ollama-only, which limits flexibility for teams preferring cloud inference
- Requires OpenSearch or Elasticsearch; not useful without existing SIEM infrastructure
- Still early (no stars shown publicly, 17 forks), so community and production case studies are limited
- Self-hosted deployment means teams own all infrastructure reliability, scaling, and maintenance
- Python-only implementation; integration into existing security stacks may require additional plumbing