Vigil
The Security Agency That Never Sleeps: AI-powered security operations platform
Open-source, AI-powered security operations platform. Vulnerability scanning, autonomous agents, incident response, compliance tracking, and MCP server, all in a single Express.js process.
Nmap + Nuclei + Trivy + Nikto + OpenSSL + DNS
6 npm dependencies. No React. No build step. BYOK AI.
Built by Autopilot AI Tech LLC
Features
- 6 Built-in Scanners: Nmap, Nuclei, Trivy, Nikto, OpenSSL, DNS/WHOIS (no external dependencies)
- 20 Autonomous Agents: Run parallel security campaigns with scheduling
- Incident Response: Full lifecycle workflow with playbooks, timeline, and AI postmortems
- Compliance Tracking: SOC 2, ISO 27001, NIST 800-53, PCI-DSS, HIPAA
- MCP Server: 25+ tools, 3 resources, 4 prompts for Claude Desktop/Code/Cursor
- BYOK AI: Bring your own Claude or Codex CLI. Zero AI cost baked in.
- Works without a database: JSON file stores by default, optional PostgreSQL
- RBAC + 2FA: Admin, Analyst, Viewer roles with TOTP two-factor auth
- Credential Vault: AES-256-GCM encrypted storage
- 30 Views: Glass-themed dashboard with real-time Socket.IO updates
Quick Start
Option 1: npm (bare metal)
```bash
git clone https://github.com/vigil-agency/vigil.git
cd vigil
cp .env.example .env
npm install
npm start
# → http://localhost:4100 (use VIGIL_USER/VIGIL_PASS, or read the generated bootstrap password from the startup logs)
```
Option 2: Docker Compose
```bash
git clone https://github.com/vigil-agency/vigil.git
cd vigil
cp .env.example .env
docker compose up -d
# → http://localhost:4100 (use VIGIL_USER/VIGIL_PASS, or read the generated bootstrap password from the startup logs)
```
This starts Vigil + PostgreSQL 17. Scanner tools (nmap, nuclei, trivy, nikto) are included in the Docker image.
Option 3: Docker (standalone)
```bash
docker run -d \
  -p 4100:4100 \
  -e VIGIL_USER=admin \
  -e VIGIL_PASS=change-me-now \
  vigil-agency/vigil:latest
```
Prerequisites (bare metal)
- Node.js 22+ and npm
- Scanners (optional, for full functionality):
  - nmap: network scanning
  - nuclei: vulnerability scanning (9000+ templates)
  - trivy: container/filesystem scanning
  - nikto: web server scanning
  - openssl: certificate analysis
  - dig + whois: DNS reconnaissance
- Docker CLI (optional, for container security scanning)
- PostgreSQL 17 (optional; works without it using JSON file stores)
- AI CLI (optional; claude or codex for AI features)
See CLAUDE.md for the full bare metal install guide.
Features
Scanning & Vulnerability Management
- Network Scan: Nmap port scanning, host discovery, service detection, OS fingerprinting
- Vulnerability Scan: Nuclei template-based scanning with severity filtering
- Container Scan: Trivy image/filesystem scanning, SBOM generation
- Web Scan: Nikto web server misconfiguration detection
- SSL Audit: Certificate chain validation, cipher suite grading, protocol testing
- DNS Recon: DNS enumeration, zone transfer, WHOIS lookup
- Scheduled Scans: Cron-based recurring scan configuration
Intelligence & Hunting
- Threat Intelligence: RSS feed ingestion, IOC matching, adversary profiles
- Threat Hunting: AI-assisted hypothesis testing, MITRE ATT&CK mapping
- OSINT: Domain, IP, email, and infrastructure reconnaissance
- CVE Tracker: CVE database search, CVSS scoring, affected assets
Incidents & Response
- Incident Management: Full lifecycle workflow with severity, assignment, timeline
- Playbooks: Pre-built response templates (ransomware, phishing, data breach, DDoS)
- Attack Timeline: Event correlation and visualization
- Postmortem: AI-generated post-incident review with lessons learned
Agents & Campaigns
- 20 Built-in Agents: From vulnerability scanning to compliance auditing
- Campaign Mode: Run multiple agents in parallel with scheduled execution
- AI Triage: Automated vulnerability prioritization and remediation guidance
Compliance & Reporting
- Compliance Frameworks: SOC 2, ISO 27001, NIST 800-53, PCI-DSS, HIPAA
- Policy Editor: Security policy CRUD with enforcement rules
- Reports: PDF, JSON, CSV generation with scheduling
- Audit Log: Immutable audit trail with filtering and export
System
- Terminal: Embedded terminal for manual scanner commands
- Credentials Vault: AES-256-GCM encrypted credential storage
- Knowledge Base: Notes and FAQ for team knowledge sharing
- MCP Playground: Interactive tool testing for Claude Desktop/Code/Cursor
- Notifications: Real-time alerts via Socket.IO
- RBAC: Admin, Analyst, Viewer roles with 2FA (TOTP)
Screenshots
Views shown in the screenshots: Dashboard, AI Terminal, Security Agents, Campaigns, Findings, Threat Feed, Threat Hunt, OSINT, Attack Timeline, Alert Triage, Compliance, Playbooks, Pentest, Reports, Audit Log, Credentials Vault, Knowledge Base, MCP Playground, Notifications, Settings, Vigil AI.
Architecture
- server.js: Express + Socket.IO, auth middleware, .env loader
- routes/ (~25 modules): REST API endpoints (scans, vulns, incidents, compliance, MCP, …)
- lib/ (~17 modules): Scanner wrappers, AI, RBAC, audit, crypto, sessions
- data/: Runtime JSON stores (works without database)
- public/: Vanilla JS frontend (ViewRegistry pattern)
- css/: Vigil Dark theme (glass treatment, cyan/orange signal system)
- js/views/ (30 views): Self-registering view modules
- docker/: Kali bridge, PostgreSQL schema, WARP proxy
Signal System
- Cyan (#22d3ee): secure, healthy, passing, active
- Orange (#ff6b2b): threat, vulnerability, warning, critical
Auth
- PBKDF2 password hashing
- Session tokens in cookies (vigil_session) or Bearer header
- Optional TOTP 2FA
- RBAC: admin, analyst, viewer
AI Integration (BYOK)
Users bring their own AI subscriptions. Vigil shells out to locally-installed CLI tools:
- Claude CLI (claude --print): requires Anthropic subscription
- Codex CLI (codex): requires OpenAI API key
- None: AI features disabled, graceful degradation
MCP Server
Vigil includes a built-in Model Context Protocol server at POST /mcp (Streamable HTTP transport).
Connect from Claude Desktop, Claude Code, Cursor, or any MCP client:
```json
{
  "mcpServers": {
    "vigil": {
      "url": "http://localhost:4100/mcp",
      "transport": "streamable-http"
    }
  }
}
```
25+ Tools
Scanning (nmap, nuclei, trivy, nikto, SSL, DNS) • Vulnerabilities (search, get, list CVEs) • Assets (list, details, discover hosts) • Docker (list containers, inspect, scan image) • Compliance (check framework, policy status) • Incidents (create, update, timeline) • Reports (generate, get scan results) • System (posture score, metrics, alerts)
3 Resources
vigil://security-posture • vigil://scan-summary • vigil://vulnerability-summary
4 Prompts
security_audit • incident_response • vulnerability_assessment • compliance_review
Configuration
Copy .env.example to .env and customize:
| Variable | Default | Description |
|---|---|---|
| VIGIL_PORT | 4100 | Server port |
| VIGIL_USER | admin | Default admin username |
| VIGIL_PASS | auto-generated | Bootstrap admin password. Set it explicitly or read the startup logs on first launch. |
| DATABASE_URL | - | PostgreSQL connection string (optional) |
| AI_PROVIDER | - | claude-cli or codex (optional) |
| ENCRYPTION_KEY | auto | 32-byte hex for credential vault |
| DOCKER_HOST | - | Docker socket path for container scanning |
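
A pre-flight check for the two secrets in this table, as an added example that is not part of Vigil's code base. The function names, the 12-character minimum and the placeholder list are assumptions of this example, and an unset ENCRYPTION_KEY is assumed to mean Vigil generates one.

```shell
#!/usr/bin/env bash
# Added example, not part of Vigil: lint a .env file before the first start.
# Assumptions of this example: the 12-character minimum, the placeholder list,
# and that an unset ENCRYPTION_KEY means Vigil generates one ("auto").

# Print the value of KEY ($1) from a KEY=value file ($2); last assignment wins.
env_get() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
    sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 when the file passes, 1 otherwise; findings are printed to stdout.
check_vigil_env() {
  local file="$1" rc=0 pass key
  pass=$(env_get VIGIL_PASS "$file")
  key=$(env_get ENCRYPTION_KEY "$file")

  # The file holds the admin password and the vault key: keep it owner-only.
  if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
    echo "FAIL: $file is world-readable (chmod 600 it)"; rc=1
  fi

  case "$pass" in
    "") echo "info: VIGIL_PASS unset, read the bootstrap password from the startup logs" ;;
    change-me-now|changeme|admin|password)
      echo "FAIL: VIGIL_PASS is a placeholder value"; rc=1 ;;
    *)
      if [ "${#pass}" -lt 12 ]; then
        echo "FAIL: VIGIL_PASS is shorter than 12 characters"; rc=1
      fi ;;
  esac

  # 32 bytes of key material written as hex is exactly 64 hex digits.
  if [ -n "$key" ] && ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "FAIL: ENCRYPTION_KEY must be 64 hex characters (32 bytes)"; rc=1
  fi
  return "$rc"
}

# Print fresh values to paste into .env (openssl is already a Vigil prerequisite).
new_vigil_secrets() {
  printf 'VIGIL_PASS=%s\n' "$(openssl rand -base64 24)"
  printf 'ENCRYPTION_KEY=%s\n' "$(openssl rand -hex 32)"
}
```

Source the file and run `check_vigil_env .env` after copying .env.example; a non-zero exit status means at least one FAIL line was printed.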
Scanners
| Scanner | Purpose | Install |
|---|---|---|
| Nmap | Network scanning, port discovery, service detection | apt install nmap |
| Nuclei | Template-based vulnerability scanning (9000+ templates) | projectdiscovery/nuclei |
| Trivy | Container/filesystem vuln scanning, SBOM, secrets | aquasecurity/trivy |
| Nikto | Web server misconfiguration detection | apt install nikto |
| OpenSSL | Certificate chain analysis, cipher grading | Pre-installed on most systems |
| dig/whois | DNS reconnaissance, WHOIS lookup | apt install dnsutils whois |
Testing
```bash
# Release regression test
npm test

# Health check
curl http://localhost:4100/api/health

# With auth
curl -b "vigil_session=TOKEN" http://localhost:4100/api/system
curl -b "vigil_session=TOKEN" http://localhost:4100/api/scans
curl -b "vigil_session=TOKEN" http://localhost:4100/api/vulnerabilities
```
Contributing
See CONTRIBUTING.md for development setup and guidelines.
License
AGPL-3.0: free for personal and commercial use. If you modify and deploy Vigil as a service, you must open-source your modifications.
Safety
- Only scan targets you own or have written authorization to test.
- Keep credentials out of AI prompts.
- Change the default admin password immediately after first login.
- Use the built-in credential vault for sensitive data (AES-256-GCM encrypted).





















