StackMap
Subscribe
Explore / allama
digitranslab

allama

Open-source AI security automation (SOAR): visual playbook builder, autonomous triage agents, and 80+ SIEM/EDR/identity/ticketing integrations. Self-hosted, multi-tenant.

179 14 Python AGPL-3.0updated 5 months ago
Curator's take

The open answer to $100k SOAR contracts: drag-and-drop security playbooks, AI agents that enrich and prioritize the 500-alert firehose, and integrations across the stack you already run (Splunk, CrowdStrike, Okta, Jira…) — with local models via Ollama so nothing sensitive leaves your infra. The honesty check: it's young (~180 stars) and the commit graph has been quiet for months, so treat claims as a pilot to verify, not a deployment to trust — and AGPL-3.0 matters if you embed it in a service. Ingested over the curator's maturity objection: the niche (open AI-SOAR) is real and empty.

Mapped by ShipWithAI editors · links verified
README.md

Allama

Allama

Open-Source AI Security Automation

Automate threat detection and response with AI-powered workflows.
Self-hosted. 80+ integrations. Built for modern SOC teams.

License Discord GitHub Stars

Why AllamaFeaturesQuick StartArchitecture


Why Allama?

Security teams face 500+ alerts daily. Manual investigation is slow, inconsistent, and burns out analysts. Legacy SOAR tools cost $100k+ and require consultants to implement.

Allama changes this:

  • 90% faster triage — AI agents enrich and prioritise alerts automatically
  • Zero vendor lock-in — 100% open source, self-hosted on your infrastructure
  • No coding required — Visual workflow builder for common automation
  • Enterprise-ready — Multi-tenant, SSO, audit trails, and compliance controls

Features

Visual Workflow Builder

Build security playbooks with drag-and-drop. Conditional logic, parallel execution, and loops — no code required.

AI-Powered Agents

Deploy autonomous agents that understand threats, make decisions, and execute responses. Supports OpenAI, Anthropic, Azure, or self-hosted models via Ollama.

80+ Integrations

Connect your entire security stack:

Category Tools
SIEM Splunk, Elastic, Datadog, Wazuh
EDR/XDR CrowdStrike, SentinelOne
Identity Okta, Microsoft Entra ID, Google Workspace
Ticketing Jira, Zendesk, PagerDuty
Communication Slack, Microsoft Teams, Email
Threat Intel VirusTotal, URLScan, IPInfo, Anomali
Cloud AWS, Google Cloud, Kubernetes

Case Management

Track incidents from detection to resolution. Custom fields, task assignment, file attachments, and complete audit trails.

Secure Script Execution

Run custom Python in isolated WebAssembly sandboxes. Network isolation, resource limits, and full audit logging.


Quick Start

git clone https://github.com/digitranslab/allama.git
cd allama
make init
make dev

Or use the one-click demo script:

./demo.sh

Open http://localhost and start building workflows.

Requirements: Docker, Python 3.12+, 4GB RAM, 10GB disk space


Architecture

flowchart LR
    subgraph Sources["Data Sources"]
        S1[SIEM Alerts]
        S2[EDR Events]
        S3[Cloud Logs]
        S4[Webhooks]
    end

    subgraph Platform["Allama Platform"]
        API[API Gateway<br/>FastAPI]
        WF[Workflow Engine<br/>Temporal]
        AI[AI Agents<br/>PydanticAI]
        INT[Integrations<br/>80+ Tools]
    end

    subgraph Actions["Automated Response"]
        A1[Enrich & Triage]
        A2[Contain Threats]
        A3[Create Cases]
        A4[Notify Teams]
    end

    S1 & S2 & S3 & S4 --> API
    API --> WF
    WF --> AI
    AI --> INT
    INT --> A1 & A2 & A3 & A4
Component Technology Purpose
API Gateway FastAPI Authentication, routing, OpenAPI docs
Workflow Engine Temporal Durable execution with automatic retry
AI Agents PydanticAI + LiteLLM Multi-model support, tool orchestration
Sandbox WebAssembly Isolated script execution
Database PostgreSQL Persistent storage
Object Storage

Continue your stack

What teams reach for next — and why each earns a place beside allama. Ranked by curator confidence.