Open-Source AI Security Automation
Automate threat detection and response with AI-powered workflows.
Self-hosted. 80+ integrations. Built for modern SOC teams.
Why Allama · Features · Quick Start · Architecture
Security teams face 500+ alerts daily. Manual investigation is slow, inconsistent, and burns out analysts. Legacy SOAR tools cost $100k+ and require consultants to implement.
Allama changes this:
- 90% faster triage: AI agents enrich and prioritise alerts automatically
- Zero vendor lock-in: 100% open source, self-hosted on your infrastructure
- No coding required: visual workflow builder for common automation
- Enterprise-ready: multi-tenant, SSO, audit trails, and compliance controls
Build security playbooks with drag-and-drop. Conditional logic, parallel execution, and loops, with no code required.
Deploy autonomous agents that understand threats, make decisions, and execute responses. Supports OpenAI, Anthropic, Azure, or self-hosted models via Ollama.
Connect your entire security stack:
| Category | Tools |
|---|---|
| SIEM | Splunk, Elastic, Datadog, Wazuh |
| EDR/XDR | CrowdStrike, SentinelOne |
| Identity | Okta, Microsoft Entra ID, Google Workspace |
| Ticketing | Jira, Zendesk, PagerDuty |
| Communication | Slack, Microsoft Teams, Email |
| Threat Intel | VirusTotal, URLScan, IPInfo, Anomali |
| Cloud | AWS, Google Cloud, Kubernetes |
Track incidents from detection to resolution. Custom fields, task assignment, file attachments, and complete audit trails.
Run custom Python in isolated WebAssembly sandboxes. Network isolation, resource limits, and full audit logging.
```bash
git clone https://github.com/digitranslab/allama.git
cd allama
make init
make dev
```

Or use the one-click demo script:

```bash
./demo.sh
```

Open http://localhost and start building workflows.

Requirements: Docker, Python 3.12+, 4GB RAM, 10GB disk space
```mermaid
flowchart LR
    subgraph Sources["Data Sources"]
        S1[SIEM Alerts]
        S2[EDR Events]
        S3[Cloud Logs]
        S4[Webhooks]
    end
    subgraph Platform["Allama Platform"]
        API[API Gateway<br/>FastAPI]
        WF[Workflow Engine<br/>Temporal]
        AI[AI Agents<br/>PydanticAI]
        INT[Integrations<br/>80+ Tools]
    end
    subgraph Actions["Automated Response"]
        A1[Enrich & Triage]
        A2[Contain Threats]
        A3[Create Cases]
        A4[Notify Teams]
    end
    S1 & S2 & S3 & S4 --> API
    API --> WF
    WF --> AI
    AI --> INT
    INT --> A1 & A2 & A3 & A4
```
| Component | Technology | Purpose |
|---|---|---|
| API Gateway | FastAPI | Authentication, routing, OpenAPI docs |
| Workflow Engine | Temporal | Durable execution with automatic retry |
| AI Agents | PydanticAI + LiteLLM | Multi-model support, tool orchestration |
| Sandbox | WebAssembly | Isolated script execution |
| Database | PostgreSQL | Persistent storage |
| Object Storage | S3-compatible | File attachments, artefacts |
| Feature | Implementation |
|---|---|
| Authentication | Basic, Google OAuth, SAML 2.0 (Okta, Entra ID) |
| Authorisation | Role-based access, workspace isolation |
| Secrets | AES-256 encryption, automatic injection |
| Audit | Complete access and execution history |
SOC Teams: reduce alert fatigue by 90%. Automate triage, enrichment, and containment.
MSSPs: multi-tenant architecture. White-label deployment. API-first integration.
Cloud Security: infrastructure as code. Terraform modules. Self-hosted for data sovereignty.
- Discord: real-time support and discussion