Local-first telemetry orchestration

Cross-platform SecOps with telemetry, triage, and policy staying local.

SecOpsAI unifies telemetry from OpenClaw, macOS, Linux, and Windows, detects threats, correlates findings across systems, and keeps analyst workflows grounded in a local SOC store instead of a remote control plane.

OpenClaw + host telemetry · Unified schema · SQLite SOC store · Cross-platform correlation · Queued analyst actions
secopsai / local ops
findings stay on-box
$ secopsai refresh --platform macos,openclaw
[OK] Collected host + OpenClaw telemetry
[OK] Findings persisted to local SOC store
$ secopsai correlate
[OK] Cross-platform correlation complete
$ secopsai triage orchestrate --search-root ~/secopsai
[OK] Low-risk findings auto-triaged
QUEUED: Review ACT-0001 (tune_policy)

Capabilities

Detect, investigate, and triage without shipping your context away.

SecOpsAI keeps collection, correlation, triage, and policy decisions close to the operator. That makes the workflow easier to inspect, faster to iterate on, and a better fit for teams that care about local control over telemetry and analyst actions.

Universal adapters

Collect from OpenClaw, macOS, Linux, and Windows with a shared adapter model and normalize events into one schema that is easier to reason about.

Cross-platform correlation

Correlate findings by IP, user, time window, and file hash so attack patterns stand out even when the raw telemetry came from different systems.

Native triage orchestration

Investigate findings, auto-close low-risk cases, queue higher-risk analyst actions, and keep the review trail in your local SOC store.

Local-first policy control

Tune supply-chain thresholds, rules, and allowlists locally instead of depending on a remote service to approve the last mile of security decisions.

Platform support

Available now

OpenClaw and macOS are production-ready today, while Linux and Windows adapters are in active beta. The support matrix keeps deployment posture obvious at a glance without dropping users into documentation too early.

| Platform | Source | Status | Notes |
| --- | --- | --- | --- |
| OpenClaw | Audit logs | Production | Native telemetry source |
| macOS | Unified logging | Production | Host activity and security events |
| Linux | journalctl / auditd | Beta | Ready for Linux deployment |
| Windows | Event Logs / Sysmon | Beta | Ready for Windows deployment |

Quick Start

Zero to findings in minutes

Bring back the fast install paths without bringing back the clutter. The one-liner stays front and center, npm remains available, the manual path is hackable, and Windows keeps a clear beta lane.

macOS & Linux Quick Start

One-liner

Recommended install for most operators

Use the bootstrap script when you want the fastest local path from zero to SecOpsAI on a fresh machine.

macOS is the smoothest path today. Windows teams can use the same installer from WSL2.

bash
local install path