One platform. Eight pillars. No integration tax.
Every pillar below ships in the same installer, shares the same evidence pipeline, and is released and audited together. There is no assembly required and no per-module licensing maze.
Red Team Engine
Authorized, scoped attack simulation driven by a 140-tool integrated arsenal. Every run is gated by explicit scope, operator approval and a hard kill-switch; nothing executes outside the approved scope, and risky actions wait for a human.
- 140 integrated tools — Nuclei, Metasploit, Atomic Red Team, Nmap, Httpx and 135 more
- Scope enforcement on every run, with operator approval gates for risky actions
- Kill-switch and safety gates wired into the execution fabric
- Full run history with evidence capture and audit trail
Blue Team Engine
Detection engineering on top of the full SigmaHQ baseline and a curated YARA set, with incident correlation, log ingestion and a readable operator timeline.
- 3,132 Sigma rules and 730 YARA rules bundled and ready
- Machine-learning UEBA — anomaly detection and behavioural clustering
- Incident correlation, blocked-IP tracking and response history
- Plain-language incident explanations for the operator
Decision Engine
A deterministic risk-scoring and recommendation framework. No language model sits in the decision path — every conclusion is reproducible, explainable and free of hallucinated metrics.
- Deterministic risk scoring with drift control — zero LLM in the decision path
- D3 explainability dashboard showing exactly why a decision was made
- 50 mapped SOC 2 controls with signed compliance evidence
- Read-only auditor portal for external reviewers
Execution Fabric
Parallel, durable, idempotent execution of playbooks with retry semantics, a speculative runner and human approval for any destructive operation.
- 30 pre-built playbooks — ransomware, phishing, insider threat, CVE response
- Durable state with retry and idempotency guarantees
- Speculative runner for low-risk parallel work
- Human approval required for risky or destructive operations
Evidence Pipeline
Tamper-evident evidence handling, aligned to NIST SP 800-86: a SHA-256 hash chain links every record to its predecessor, HMAC-SHA256 tags authenticate records inside the pipeline, and Ed25519 signatures make exported evidence verifiable by anyone holding the public key.
- SHA-256 hash chain with HMAC-SHA256 internal signing
- Ed25519 export signing for portable, verifiable evidence
- Provenance, runtime proof and release proof for every artifact
- NIST SP 800-86 aligned chain-of-custody semantics
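As an added illustration, not AegisCore's own code (the page does not describe its record schema, key handling or export format, so all of those are assumed here), the Go program below shows how the three mechanisms listed above fit together: a SHA-256 hash chain over evidence records, an HMAC-SHA256 tag on each record for integrity inside the pipeline, and an Ed25519 signature over the chain head that makes an export verifiable without the HMAC key. The sample events are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Genesis is the PrevHash of the first record (assumed convention: 32 zero bytes, hex).
var Genesis = hex.EncodeToString(make([]byte, 32))

// Record is one chained evidence entry; this layout is the example's assumption, not the product's schema.
type Record struct {
	Action   string
	Payload  string
	PrevHash string // hex SHA-256 of the previous record
	Hash     string // hex SHA-256 over Action, Payload, PrevHash
	Tag      string // hex HMAC-SHA256(key, Hash); the key never leaves the pipeline
}

// Digest binds a record to its predecessor; NUL separators prevent field-boundary ambiguity ("ab"+"c" vs "a"+"bc").
func Digest(r Record) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%s", r.Action, r.Payload, r.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

func hmacTag(key []byte, hash string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(hash))
	return m.Sum(nil)
}

// Append links a new record to the head of chain and tags it with the pipeline's HMAC key.
func Append(chain []Record, key []byte, action, payload string) []Record {
	prev := Genesis
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	r := Record{Action: action, Payload: payload, PrevHash: prev}
	r.Hash = Digest(r)
	r.Tag = hex.EncodeToString(hmacTag(key, r.Hash))
	return append(chain, r)
}

// Walk re-derives every link and digest without any key, so an auditor can run it, and returns the head hash.
func Walk(chain []Record) (string, error) {
	prev := Genesis
	for i, r := range chain {
		if r.PrevHash != prev || Digest(r) != r.Hash {
			return "", fmt.Errorf("record %d: chain broken or record altered", i)
		}
		prev = r.Hash
	}
	return prev, nil
}

// VerifyInternal also checks the HMAC tags, which only the key holder can do: it catches
// records forged by someone who can write the log but lacks the key.
func VerifyInternal(chain []Record, key []byte) error {
	if _, err := Walk(chain); err != nil {
		return err
	}
	for i, r := range chain {
		if want, _ := hex.DecodeString(r.Tag); !hmac.Equal(hmacTag(key, r.Hash), want) {
			return fmt.Errorf("record %d: HMAC tag mismatch", i)
		}
	}
	return nil
}

func signedMsg(n int, head string) []byte { return []byte(fmt.Sprintf("%d|%s", n, head)) }
// Export strips the tags (meaningless without the key) and signs "<count>|<head>" with
// Ed25519, so anyone holding the public key can verify the bundle.
func Export(chain []Record, priv ed25519.PrivateKey) ([]Record, []byte, error) {
	head, err := Walk(chain)
	if err != nil {
		return nil, nil, err
	}
	out := append([]Record(nil), chain...)
	for i := range out {
		out[i].Tag = ""
	}
	return out, ed25519.Sign(priv, signedMsg(len(out), head)), nil
}

// VerifyExport is what a read-only auditor runs: rebuild the chain, then check the signature over
// its head. Editing a record breaks Walk; editing it and re-chaining yields a head the signature does not cover.
func VerifyExport(records []Record, sig []byte, pub ed25519.PublicKey) error {
	head, err := Walk(records)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, signedMsg(len(records), head), sig) {
		return errors.New("export signature does not cover these records")
	}
	return nil
}
```

Two caveats the example makes concrete. An HMAC is a shared-secret MAC, not a signature: anyone holding the pipeline key can mint a valid tag, so it proves integrity only to the pipeline itself and is useless to an external reviewer, which is why the export carries an Ed25519 signature instead. And a bare hash chain is only tamper-evident if its head is committed somewhere the tamperer cannot rewrite; without the signed head, an attacker who edits a record and recomputes every later hash leaves a chain that walks cleanly. Real chain-of-custody records under SP 800-86 also carry who, when and where for each handling step, which this schema omits.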
SIEM / SOAR
Log ingestion over syslog, HTTP, Kafka and NATS, a correlation engine, playbook automation and 30+ integration connectors.
- Syslog / HTTP / Kafka / NATS ingestion paths
- 30+ connectors — Slack, PagerDuty, Okta, Microsoft Entra, CrowdStrike and more
- Correlation engine feeding playbook automation
- Operator timeline and incident-response workflows
Desktop & Runtime
Production-grade installers for Windows, Linux and macOS. The runtime works in the background — operators never touch a terminal.
- Single full-offline installer per platform — Ollama and tools bundled
- Zero-terminal experience — every action lives in the Operator UI
- Honest health, readiness, diagnostics and recovery flows
- Signed quarterly updates applied with one click
Compliance & Audit
Continuous, evidence-backed compliance mapping with auto-generated reports for SOC 2, NIS2, HIPAA and ISO 27001 frameworks.
- Auto-generated compliance evidence with cryptographic signatures
- SOC 2, NIS2, HIPAA and ISO 27001 control mappings
- Read-only auditor portal — no operator hand-holding required
- Every evidence-producing action emits an auditable record
AegisCore's offensive capabilities are designed for authorized, scoped, defensive security work — controlled labs, owned infrastructure, or customer-authorized engagements. Scope enforcement, operator approval, audit logging and the kill-switch are not optional features; they are core to how the Red Team Engine operates.
See all eight pillars on your own hardware
The free Community edition lets you explore every pillar. Download it, run it air-gapped, and inspect the evidence trail yourself.