The Security Agency That Never Sleeps
AI-powered security operations platform — scanners, agents, incidents, compliance, MCP
Most security teams fail audits because they lack a repeatable workflow, not because they lack tools.
Vigil combines automated scanners, AI-powered triage, autonomous agents, incident response, and compliance tracking into a single platform — with zero vendor lock-in.
- BYOK AI — Bring your own Claude or Codex CLI subscription. Zero AI cost for the product.
- 6 scanners built-in — Nmap, Nuclei, Trivy, Nikto, OpenSSL, DNS/WHOIS
- 20 autonomous agents — Run parallel security campaigns
- MCP server — 25+ tools, 3 resources, 4 prompts for Claude Desktop/Code/Cursor
- Works without a database — JSON file stores by default, optional PostgreSQL
- 6 npm dependencies — Express, Socket.IO, pg, node-pty, multer, MCP SDK
```bash
git clone https://github.com/vigil-agency/vigil.git
cd vigil
cp .env.example .env
npm install
npm start
# → http://localhost:4100 (admin / admin)
```

```bash
git clone https://github.com/vigil-agency/vigil.git
cd vigil
cp .env.example .env
docker compose up -d
# → http://localhost:4100 (admin / admin)
```

This starts Vigil + PostgreSQL 17. Scanner tools (nmap, nuclei, trivy, nikto) are included in the Docker image.

```bash
docker run -d \
  -p 4100:4100 \
  -e VIGIL_USER=admin \
  -e VIGIL_PASS=admin \
  vigil-agency/vigil:latest
```

- Node.js 22+ and npm
- Scanners (optional, for full functionality):
  - `nmap` — network scanning
  - `nuclei` — vulnerability scanning (9000+ templates)
  - `trivy` — container/filesystem scanning
  - `nikto` — web server scanning
  - `openssl` — certificate analysis
  - `dig` + `whois` — DNS reconnaissance
- Docker CLI (optional, for container security scanning)
- PostgreSQL 17 (optional — works without it using JSON file stores)
- AI CLI (optional — `claude` or `codex` for AI features)
See CLAUDE.md for the full bare metal install guide.
- Network Scan — Nmap port scanning, host discovery, service detection, OS fingerprinting
- Vulnerability Scan — Nuclei template-based scanning with severity filtering
- Container Scan — Trivy image/filesystem scanning, SBOM generation
- Web Scan — Nikto web server misconfiguration detection
- SSL Audit — Certificate chain validation, cipher suite grading, protocol testing
- DNS Recon — DNS enumeration, zone transfer, WHOIS lookup
- Scheduled Scans — Cron-based recurring scan configuration
- Threat Intelligence — RSS feed ingestion, IOC matching, adversary profiles
- Threat Hunting — AI-assisted hypothesis testing, MITRE ATT&CK mapping
- OSINT — Domain, IP, email, and infrastructure reconnaissance
- CVE Tracker — CVE database search, CVSS scoring, affected assets
- Incident Management — Full lifecycle workflow with severity, assignment, timeline
- Playbooks — Pre-built response templates (ransomware, phishing, data breach, DDoS)
- Attack Timeline — Event correlation and visualization
- Postmortem — AI-generated post-incident review with lessons learned
- 20 Built-in Agents — From vulnerability scanning to compliance auditing
- Campaign Mode — Run multiple agents in parallel with scheduled execution
- AI Triage — Automated vulnerability prioritization and remediation guidance
- Compliance Frameworks — SOC 2, ISO 27001, NIST 800-53, PCI-DSS, HIPAA
- Policy Editor — Security policy CRUD with enforcement rules
- Reports — PDF, JSON, CSV generation with scheduling
- Audit Log — Immutable audit trail with filtering and export
- Terminal — Embedded terminal for manual scanner commands
- Credentials Vault — AES-256-GCM encrypted credential storage
- Knowledge Base — Notes and FAQ for team knowledge sharing
- MCP Playground — Interactive tool testing for Claude Desktop/Code/Cursor
- Notifications — Real-time alerts via Socket.IO
- RBAC — Admin, Analyst, Viewer roles with 2FA (TOTP)
server.js → Express + Socket.IO, auth middleware, .env loader
routes/ (~25 modules) → REST API endpoints (scans, vulns, incidents, compliance, MCP, …)
lib/ (~17 modules) → Scanner wrappers, AI, RBAC, audit, crypto, sessions
data/ → Runtime JSON stores (works without database)
public/ → Vanilla JS frontend (ViewRegistry pattern)
css/ → Vigil Dark theme (glass treatment, cyan/orange signal system)
js/views/ (30 views) → Self-registering view modules
docker/ → Kali bridge, PostgreSQL schema, WARP proxy
- Cyan (#22d3ee) — secure, healthy, passing, active
- Orange (#ff6b2b) — threat, vulnerability, warning, critical
- PBKDF2 password hashing
- Session tokens in cookies (`vigil_session`) or Bearer header
- Optional TOTP 2FA
- RBAC: admin, analyst, viewer
Users bring their own AI subscriptions. Vigil shells out to locally-installed CLI tools:
- Claude CLI (`claude --print`) — requires Anthropic subscription
- Codex CLI (`codex`) — requires OpenAI API key
- None — AI features disabled, graceful degradation
Vigil includes a built-in Model Context Protocol server at POST /mcp (Streamable HTTP transport).
Connect from Claude Desktop, Claude Code, Cursor, or any MCP client:
```json
{
  "mcpServers": {
    "vigil": {
      "url": "http://localhost:4100/mcp",
      "transport": "streamable-http"
    }
  }
}
```

Tools: Scanning (nmap, nuclei, trivy, nikto, SSL, DNS) • Vulnerabilities (search, get, list CVEs) • Assets (list, details, discover hosts) • Docker (list containers, inspect, scan image) • Compliance (check framework, policy status) • Incidents (create, update, timeline) • Reports (generate, get scan results) • System (posture score, metrics, alerts)

Resources: `vigil://security-posture` • `vigil://scan-summary` • `vigil://vulnerability-summary`

Prompts: `security_audit` • `incident_response` • `vulnerability_assessment` • `compliance_review`
Copy .env.example to .env and customize:
| Variable | Default | Description |
|---|---|---|
| `VIGIL_PORT` | `4100` | Server port |
| `VIGIL_USER` | `admin` | Default admin username |
| `VIGIL_PASS` | `admin` | Default admin password (change immediately) |
| `DATABASE_URL` | — | PostgreSQL connection string (optional) |
| `AI_PROVIDER` | — | `claude-cli` or `codex` (optional) |
| `ENCRYPTION_KEY` | auto | 32-byte hex for credential vault |
| `DOCKER_HOST` | — | Docker socket path for container scanning |
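
A pre-start check for the settings in the table above, as an added example that is not part of the Vigil code base: it flags the default `admin` password and an explicit `ENCRYPTION_KEY` that is not 32 bytes of hex, and generates replacement values. The function names, the 12-character minimum and the choice to accept an unset or `auto` key are assumptions of this example.

```javascript
// Added example, not part of the Vigil code base: audit .env before first start.
const crypto = require('node:crypto');

const DEFAULTS = { VIGIL_USER: 'admin', VIGIL_PASS: 'admin' }; // from the table above
const MIN_PASS_LEN = 12; // assumption of this example, not a Vigil rule

// Minimal KEY=VALUE parser: skips blanks and comments, strips matching quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    const value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(['"])(.*)\1$/);
    env[line.slice(0, eq).trim()] = quoted ? quoted[2] : value;
  }
  return env;
}

// Returns findings as strings; an empty array means the checked settings pass.
function auditEnv(text) {
  const env = { ...DEFAULTS, ...parseEnv(text) }; // unset variables fall back to defaults
  const findings = [];
  if (env.VIGIL_PASS === DEFAULTS.VIGIL_PASS) findings.push('VIGIL_PASS is the default');
  else if (env.VIGIL_PASS.length < MIN_PASS_LEN) findings.push('VIGIL_PASS is too short');
  else if (env.VIGIL_PASS === env.VIGIL_USER) findings.push('VIGIL_PASS equals VIGIL_USER');
  // Unset or "auto" is left to Vigil (assumed); an explicit key must be 64 hex chars.
  const key = env.ENCRYPTION_KEY;
  if (key && key !== 'auto' && !/^[0-9a-fA-F]{64}$/.test(key)) {
    findings.push('ENCRYPTION_KEY is not 32 bytes of hex');
  }
  return findings;
}

// Fresh values from the OS CSPRNG, in the formats the table asks for.
function freshSecrets() {
  return {
    VIGIL_PASS: crypto.randomBytes(18).toString('base64url'), // 24 characters
    ENCRYPTION_KEY: crypto.randomBytes(32).toString('hex'),   // 64 hex characters
  };
}

// Constructed sample mirroring the documented defaults plus a malformed key.
const SAMPLE_ENV = 'VIGIL_PORT=4100\nVIGIL_USER=admin\nVIGIL_PASS=admin\nENCRYPTION_KEY=deadbeef\n';

console.log(auditEnv(SAMPLE_ENV));
```

Running the same check against the container environment matters as much as the `.env` file, since the `docker run` example above passes `VIGIL_PASS=admin` directly.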
| Scanner | Purpose | Install |
|---|---|---|
| Nmap | Network scanning, port discovery, service detection | apt install nmap |
| Nuclei | Template-based vulnerability scanning (9000+ templates) | projectdiscovery/nuclei |
| Trivy | Container/filesystem vuln scanning, SBOM, secrets | aquasecurity/trivy |
| Nikto | Web server misconfiguration detection | apt install nikto |
| OpenSSL | Certificate chain analysis, cipher grading | Pre-installed on most systems |
| dig/whois | DNS reconnaissance, WHOIS lookup | apt install dnsutils whois |
```bash
# Health check
curl http://localhost:4100/api/health

# With auth
curl -b "vigil_session=TOKEN" http://localhost:4100/api/system
curl -b "vigil_session=TOKEN" http://localhost:4100/api/scans
curl -b "vigil_session=TOKEN" http://localhost:4100/api/vulnerabilities

# Smoke tests
node scripts/chat-smoke.mjs
node scripts/agents-smoke.mjs
node scripts/brain-smoke.mjs
```

See CONTRIBUTING.md for development setup and guidelines.
AGPL-3.0 — free for personal and commercial use. If you modify and deploy Vigil as a service, you must open-source your modifications.
- Only scan targets you own or have written authorization to test.
- Keep credentials out of AI prompts.
- Change the default admin password immediately after first login.
- Use the built-in credential vault for sensitive data (AES-256-GCM encrypted).




















