The SIEM your AI agents can actually use.
Vigil ingests endpoint events, evaluates Sigma detections in real time, and returns structured JSON. Claude, Codex, and your own agents query it directly. No dashboards required.
Apache 2.0 · Self-hosted in 5 minutes · No cloud account required
docker-compose -f api/docker-compose.yml up -d
Capabilities
Everything you need. Nothing you don't.
Ingest anything.
Push events from any source over HTTP. The agent runs as a single static binary on Windows and Linux — no installer, no config file needed.
vigil agent register --name PROD-BOX-01
vigil agent start --profile standard
Sigma rules. Real time.
Every ingested event is evaluated against your rule set before the HTTP response returns. Write detection logic in standard Sigma YAML.
vigil detections create --file brute_force.yml
vigil alerts list --severity high --output json
Hunt with HQL.
Query the full event history with aggregations and timelines. Filter by endpoint, time range, and field values. 100% JSON output.
vigil hunt --query "event_id:4625" \
  --agg event_data.IpAddress \
  --timeline --output json
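The three operations this section names (filter, aggregate on a field, bucket hits into a timeline) are simple enough to show end to end. The block below is an added example in Python, not Vigil's HQL engine: it runs a hunt over constructed 4625/4624 events and returns the result as a plain dict so an agent can read it as JSON. Only the field names (event_id, event_data.IpAddress, event_data.TargetUserName) follow the page; the query grammar, the 30-second bucket, the sample data and every function name are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real telemetry): thirty failed logons for
# "admin" from one source inside a minute, three unrelated failures, and a
# few successful logons as background noise.
_T0 = datetime(2026, 3, 23, 14, 20, 0, tzinfo=timezone.utc)


def _event(offset_s, event_id, ip, user, computer="PROD-BOX-01"):
    return {
        "timestamp": (_T0 + timedelta(seconds=offset_s)).isoformat(),
        "event_id": event_id,
        "channel": "Security",
        "computer": computer,
        "event_data": {"IpAddress": ip, "TargetUserName": user, "LogonType": "3"},
    }


EVENTS = (
    [_event(i * 2, 4625, "192.168.1.45", "admin") for i in range(30)]
    + [_event(i * 10 + 1, 4625, "10.0.0.7", "svc_backup") for i in range(3)]
    + [_event(i * 15, 4624, "10.0.0.9", "jsmith") for i in range(5)]
)


def get_field(event, dotted):
    """Resolve a dotted path such as event_data.IpAddress; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _leaf_values(obj):
    """Yield every scalar in a nested dict as a string, for free-text search."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _leaf_values(v)
    else:
        yield str(obj)


def matches(event, query):
    """Assumed query grammar: whitespace-separated terms, all must hold.
    'field:value' compares one (dotted) field for equality; a bare term is a
    substring search over every value, which is how the page pivots on an IP."""
    for term in query.split():
        if ":" in term:
            fld, _, value = term.partition(":")
            if str(get_field(event, fld)) != value:
                return False
        elif not any(term in v for v in _leaf_values(event)):
            return False
    return True


def hunt(events, query, agg=None, timeline_bucket_s=None):
    """Filter, then optionally count hits by a field and bucket them by time.
    Returns a plain dict (JSON-serialisable) rather than printing anything."""
    hits = [e for e in events if matches(e, query)]
    result = {"total": len(hits)}
    if agg:
        counts = Counter(str(get_field(e, agg)) for e in hits)
        result["agg"] = dict(counts.most_common())
    if timeline_bucket_s:
        buckets = Counter()
        for e in hits:
            ts = datetime.fromisoformat(e["timestamp"])
            # Align each hit to the start of its bucket (UTC epoch arithmetic).
            start = ts - timedelta(seconds=ts.timestamp() % timeline_bucket_s)
            buckets[start.isoformat()] += 1
        result["timeline"] = sorted(buckets.items())
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(EVENTS, "event_id:4625", agg="event_data.IpAddress",
                          timeline_bucket_s=30), indent=2))
```

Combining a field filter with an aggregation is what turns "there were failed logons" into "30 of the 33 failures came from one address", which is the pivot an analyst or an agent needs before acknowledging an alert.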
Agents propose. Humans approve.
Destructive actions require explicit human approval. The CLI blocks and polls. Your agent resumes when you respond Yes, No, or Other.
vigil alerts acknowledge <id> \
  --note "confirmed lateral movement"
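The security property behind "the CLI blocks and polls" is that the gate fails closed: the destructive step runs only on an explicit Yes, and No, Other or silence all leave it unexecuted. The block below is an added example in Python, not Vigil's approval code. It models the pattern with an in-memory queue standing in for the server the human answers from; the queue API, the isolate_host action, the timeout and the simulated operator are all assumptions.

```python
import threading
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DECISIONS = ("Yes", "No", "Other")  # the three responses the page names


@dataclass
class Proposal:
    id: str
    action: str
    args: dict
    decision: Optional[str] = None
    note: str = ""


class ApprovalQueue:
    """Hypothetical in-memory stand-in for the server-side queue a human
    answers from. One decision per proposal; a decision cannot be changed."""

    def __init__(self):
        self._lock = threading.Lock()
        self._items: Dict[str, Proposal] = {}

    def propose(self, action: str, **args) -> Proposal:
        p = Proposal(id=uuid.uuid4().hex[:8], action=action, args=dict(args))
        with self._lock:
            self._items[p.id] = p
        return p

    def decide(self, proposal_id: str, decision: str, note: str = "") -> None:
        if decision not in DECISIONS:
            raise ValueError(f"decision must be one of {DECISIONS}")
        with self._lock:
            p = self._items[proposal_id]
            if p.decision is not None:
                raise RuntimeError("proposal already decided")
            p.decision, p.note = decision, note

    def get(self, proposal_id: str) -> Proposal:
        with self._lock:
            return self._items[proposal_id]

    def pending(self) -> List[Proposal]:
        with self._lock:
            return [p for p in self._items.values() if p.decision is None]


class ApprovalDenied(Exception):
    pass


def run_with_approval(queue: ApprovalQueue, action: str, execute: Callable[..., object],
                      timeout_s: float = 30.0, poll_s: float = 0.05, **args) -> dict:
    """Propose, block while polling for a decision, execute only on Yes.
    No, Other, or no answer before the timeout all fail closed: execute()
    is never called and the caller gets an exception to report back."""
    p = queue.propose(action, **args)
    deadline = time.monotonic() + timeout_s
    while queue.get(p.id).decision is None:
        if time.monotonic() >= deadline:
            raise ApprovalDenied(f"{action} {p.id}: no decision within {timeout_s}s")
        time.sleep(poll_s)
    p = queue.get(p.id)
    if p.decision != "Yes":
        raise ApprovalDenied(f"{action} {p.id}: human answered {p.decision} ({p.note})")
    # Execute with the arguments that were shown to the approver, not ones
    # the agent could have changed after approval.
    return {"proposal_id": p.id, "decision": p.decision, "result": execute(**p.args)}


def demo(answer: Optional[str], delay_s: float = 0.1):
    """Run one destructive action with a simulated operator replying `answer`
    after `delay_s` (None = never replies). Returns (executed_hosts, outcome)."""
    queue = ApprovalQueue()
    executed: List[str] = []

    def isolate_host(host):  # hypothetical destructive action
        executed.append(host)
        return f"{host} isolated"

    def operator():
        time.sleep(delay_s)
        while not queue.pending():
            time.sleep(0.01)
        queue.decide(queue.pending()[0].id, answer, note="operator reply")

    if answer is not None:
        threading.Thread(target=operator, daemon=True).start()
    try:
        outcome = run_with_approval(queue, "isolate_host", isolate_host,
                                    timeout_s=0.5, host="PROD-BOX-01")
    except ApprovalDenied as exc:
        outcome = str(exc)
    return executed, outcome
```

Two details matter in practice: the decision is bound to the proposal id (a second approval cannot be replayed against a different action) and the executor receives the arguments the approver saw, so the agent cannot propose an isolation of one host and run it against another.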
How it works
From endpoint to alert in under a second.
Deploy the agent
Run vigil agent register then vigil agent start. The single binary collects Windows Event Logs or Linux journald and ships batches every 5 seconds.
vigil agent register --name MY-BOX
vigil agent start --profile standard
Detections fire automatically
Every batch is evaluated against your Sigma rule library before the response returns. Matches become structured alerts with full event snapshots.
# Matches fire synchronously
vigil alerts list --status open --output json
Agents or humans investigate
AI agents call vigil alerts list --output json and follow skills-based playbooks. Humans approve sensitive actions through the web UI or CLI.
vigil alerts acknowledge <id> \
  --note "Confirmed TP: lateral movement"
See it live
One prompt. Full investigation.
Drop AGENT.md into your agent's system prompt. It reads the skill playbooks, picks the right commands, and runs the investigation — without you writing a single line of glue code.
"Review connectors and recent alerts. If there's anything suspicious, investigate and tell me what you find."
AI-native
Your AI agent already knows how to use it.
Every Vigil command returns structured JSON when you pass --output json. No screen-scraping. No fragile grep pipelines. Just clean objects your agent can reason about.
Vigil ships named playbooks — called skills — for common workflows: triage, investigate, hunt, forensic sweep. Drop them in your agent's system prompt. Claude Code can run a full incident investigation with no human intervention until it's ready to act.
# Claude Code running "triage" skill
$ vigil status --output json
{ "api_status": "ok", "clickhouse_status": "ok" }
$ vigil alerts list --status open --severity critical --output json
{ "alerts": [], "total": 0 }
$ vigil alerts list --status open --severity high --output json
{
  "alerts": [
    {
      "id": "a1b2c3d4",
      "rule_name": "Brute Force Multiple Failures",
      "severity": "high",
      "event_snapshot": {
        "event_data": { "IpAddress": "192.168.1.45", "TargetUserName": "admin" }
      }
    }
  ],
  "total": 1
}
# Pivoting on source IP...
$ vigil hunt --query "192.168.1.45" --timeline --output json
{ "total": 847, "timeline": [...] }
# 847 failed logons against one account from one IP → brute force confirmed
Detection library
Built-in detections. Write your own in YAML.
Ships with 41 Sigma rules across 10 MITRE ATT&CK tactics. Add your own with vigil detections create.
Alert severity distribution
Sigma-compatible
Rules in. Alerts out.
Write a Sigma rule in YAML. Deploy it with one command. Every matching event becomes a structured alert instantly.
title: Multiple Failed Logon Attempts (Brute Force)
id: 3c4d5e6f-7890-abcd-ef01-234567890abc
status: stable
description: >
  Detects failed Windows logon attempts (Event ID 4625).
logsource:
  product: windows
  service: security
detection:
  selection:
    event_id: 4625
    event_data.LogonType:
      - "2"
      - "3"
      - "7"
      - "10"
  condition: selection
level: medium
tags:
  - attack.credential_access
  - attack.t1110.001
$ vigil detections create --file brute_force.yml
{
  "id": "a1b2c3d4",
  "rule_name": "Brute Force Multiple Failures",
  "severity": "medium",
  "status": "open",
  "matched_at": "2026-03-23T14:22:01Z",
  "source_event_id": "winlog:Security:8821",
  "event_snapshot": {
    "event_id": 4625,
    "channel": "Security",
    "computer": "PROD-BOX-01",
    "event_data": {
      "TargetUserName": "admin",
      "IpAddress": "192.168.1.45",
      "LogonType": "3"
    }
  }
}
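One point worth seeing in code before writing rules: the selection above matches any single 4625 whose LogonType is 2, 3, 7 or 10, so every such event becomes its own alert; nothing in the rule body enforces the "Multiple" in the title, and a threshold would need an aggregation layer on top. The block below is an added example in Python, not Vigil's detection engine. It evaluates the page's rule, embedded as the mapping PyYAML's safe_load would produce from the YAML above so that the example has no dependencies, against a constructed batch and emits alerts in the shape the page shows. The supported condition grammar (a single selection, or "X and not Y"), the alert id scheme and the sample events are assumptions.

```python
import uuid
from datetime import datetime, timezone

# The page's rule as the dict yaml.safe_load would return from the YAML above.
RULE = {
    "title": "Multiple Failed Logon Attempts (Brute Force)",
    "id": "3c4d5e6f-7890-abcd-ef01-234567890abc",
    "status": "stable",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "event_id": 4625,
            "event_data.LogonType": ["2", "3", "7", "10"],
        },
        "condition": "selection",
    },
    "level": "medium",
    "tags": ["attack.credential_access", "attack.t1110.001"],
}


def _event(record_id, event_id, logon_type, user, ip):
    return {
        "record_id": record_id,
        "event_id": event_id,
        "channel": "Security",
        "computer": "PROD-BOX-01",
        "event_data": {"TargetUserName": user, "IpAddress": ip, "LogonType": logon_type},
    }


# Constructed batch (not real telemetry): two network/remote-interactive
# failures for admin, one service-logon failure (LogonType 5, not in the
# rule's list) and one successful logon.
BATCH = [
    _event(8821, 4625, "3", "admin", "192.168.1.45"),
    _event(8822, 4625, "10", "admin", "192.168.1.45"),
    _event(8823, 4625, "5", "svc_backup", "-"),
    _event(8824, 4624, "3", "jsmith", "10.0.0.9"),
]


def get_field(event, dotted):
    """Resolve a dotted path such as event_data.LogonType; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def selection_matches(event, selection):
    """Every key in a selection map must hold; a list value means any-of.
    Values are compared as strings because YAML parses 4625 as an int while
    the LogonType list holds quoted strings."""
    for fld, expected in selection.items():
        actual = get_field(event, fld)
        allowed = expected if isinstance(expected, list) else [expected]
        if not any(str(actual) == str(v) for v in allowed):
            return False
    return True


def rule_matches(event, rule):
    """Condition grammar supported here (a subset of Sigma): 'X' or 'X and not Y'."""
    det = rule["detection"]
    tokens = det["condition"].split()
    if len(tokens) == 1:
        return selection_matches(event, det[tokens[0]])
    if len(tokens) == 4 and tokens[1:3] == ["and", "not"]:
        return (selection_matches(event, det[tokens[0]])
                and not selection_matches(event, det[tokens[3]]))
    raise ValueError(f"unsupported condition: {det['condition']!r}")


def evaluate_batch(events, rules, now=None):
    """Evaluate every rule against every event in a batch, synchronously,
    and return one alert per match in the page's alert shape."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    for event in events:
        for rule in rules:
            if rule_matches(event, rule):
                alerts.append({
                    "id": uuid.uuid4().hex[:8],  # hypothetical id scheme
                    "rule_name": rule["title"],
                    "severity": rule["level"],
                    "status": "open",
                    "matched_at": now.isoformat(timespec="seconds"),
                    "source_event_id": f"winlog:{event['channel']}:{event['record_id']}",
                    "event_snapshot": {k: v for k, v in event.items() if k != "record_id"},
                })
    return alerts
```

Running it on the batch yields two alerts (records 8821 and 8822) and none for the LogonType 5 failure or the 4624. Adding a second named map and a condition of "selection and not filter" is how you would exclude, say, a known scanner account without touching the selection itself.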
Get started
Start watching.
Nothing to trust us with.
Self-hosted, open source, no phone-home. Deploy in 5 minutes with Docker. Or get on the waitlist for Vigil Cloud — managed hosting, zero ops.