
Zer0Vuln Community Edition – open-source SIEM + SOAR + EDR with autonomous local LLM triage
Built this because I was frustrated with the same gap every small blue team hits: great alerting, zero autonomous response. You get paged at 2am, stare at a dashboard, and still have to manually decide what to do.
Zer0Vuln runs a local Ollama model (llama3.2:3b by default) that classifies every incoming event in real time. When the Defensive worker's confidence for an event reaches the configured threshold, it acts without waiting for a human: BLOCK_IP, ISOLATE_HOST, KILL_PROCESS, QUARANTINE_FILE, DISABLE_USER, CONTAINER_STOP, SUSPEND_PROCESS. All of these are dispatched directly to the agent.
Three AI workers run continuously:
- Automation: real-time triage on every event
- Manual: operator-driven deep scan on demand
- Defensive: autonomous SOAR dispatch on high-confidence threats
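A confidence-gated dispatcher in the shape the post describes, added here as an illustration and not Zer0Vuln's own code: the per-action floors, the Verdict fields and the review queue are assumptions. It shows the tuning question directly, the same 0.91 verdict dispatching BLOCK_IP but sending DISABLE_USER to an operator, and routes any action string the model was not allow-listed for to review instead of executing it.

```python
# Added illustration for this post, not Zer0Vuln's code: confidence-gated
# dispatch where harder-to-undo actions need a higher floor and anything
# below the floor (or any action the model invents) goes to a human queue.
# Floors below are constructed values for the example.
from dataclasses import dataclass, field

MIN_CONFIDENCE = {
    "BLOCK_IP": 0.80, "SUSPEND_PROCESS": 0.80,
    "KILL_PROCESS": 0.85, "QUARANTINE_FILE": 0.85,
    "CONTAINER_STOP": 0.90, "ISOLATE_HOST": 0.95, "DISABLE_USER": 0.97,
}

@dataclass
class Verdict:
    event_id: str
    label: str          # "malicious", "suspicious" or "benign"
    confidence: float   # model's self-reported certainty in [0, 1]
    action: str         # a MIN_CONFIDENCE key, or "NONE"

@dataclass
class Dispatcher:
    dispatched: list = field(default_factory=list)    # (event_id, action)
    review_queue: list = field(default_factory=list)  # (event_id, action, reason)

    def handle(self, v: Verdict) -> str:
        # Returns 'dispatched', 'review' or 'ignored' for one model verdict.
        if v.label == "benign" or v.action == "NONE":
            return "ignored"
        floor = MIN_CONFIDENCE.get(v.action)
        if floor is None:
            # Action not on the allow-list: review it, never execute it.
            self.review_queue.append((v.event_id, v.action, "unknown action"))
            return "review"
        if v.confidence >= floor:
            self.dispatched.append((v.event_id, v.action))
            return "dispatched"
        self.review_queue.append(
            (v.event_id, v.action, f"confidence {v.confidence:.2f} below floor {floor:.2f}"))
        return "review"

# Constructed verdicts: same confidence, different blast radius.
SAMPLE = [
    Verdict("e1", "malicious", 0.91, "BLOCK_IP"),      # above 0.80 -> dispatched
    Verdict("e2", "malicious", 0.91, "DISABLE_USER"),  # below 0.97 -> review
    Verdict("e3", "benign", 0.99, "NONE"),             # ignored
    Verdict("e4", "suspicious", 0.88, "REBOOT_HOST"),  # not allow-listed -> review
]

def run(verdicts=SAMPLE) -> Dispatcher:
    d = Dispatcher()
    for v in verdicts:
        d.handle(v)
    return d
```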
Agents (Windows + Linux) cover: SIEM log collection, File Integrity Monitoring, installed package inventory, open port scanning, Docker container monitoring, WebSocket screen streaming.
Server-side OSV vulnerability scanner reads each agent's installed packages and queries OSV (or your on-prem mirror) for CVE matches. Findings are persisted per agent.
Visual SOAR playbook engine with multi-node execution and per-step result tracking.
Air-gap ready: local Fernet keys, no external CDN, optional OSV mirror, zero telemetry. Fully offline capable.
No caps on agents, retention, or features. AGPL-3.0.
https://github.com/0giv/Zer0Vuln-Community-Edition
Would genuinely love feedback from people who have dealt with real SOC workflows, especially around the autonomous action confidence tuning.