CAI Technology

AEGIS — Observability + SecOps with AI

Splunk/Datadog enterprise stack — at 1/10 of the cost, 100% on-premise, with local LLM for triage.

The problem

Mid-market firms (50-500 servers) want enterprise SIEM but can't afford €100k+/year. Open-source options (Graylog, Wazuh) work but lack AI triage. Operators lose hours in alert fatigue.

How it works

  1. We install a unified stack — Fluent Bit collects, Graylog indexes, OpenSearch searches, Prometheus measures, Wazuh detects, Suricata + Zeek inspect the network.

  2. 5 pre-configured Grafana dashboards: DC Overview, Apps & Containers, VMs & Infra, Containers, Alerts & Pipeline. Customizable.

  3. AI Incident Analysis with a local Qwen3-32B LLM — alerts get narrative context, not JSON dumps. Triage takes 30 seconds, not 30 minutes.

  4. Wazuh Active Response — common attacks (SSH brute force, RCE attempts) are blocked automatically at the iptables level. The operator confirms later; no need to jump out of bed at night.

Capabilities

Unified open-source stack — no lock-in

All components are mature open-source projects (Graylog, OpenSearch, Prometheus, Grafana, Wazuh, Suricata, Zeek, Falco, Alertmanager). They are configured to work together, with no proprietary product lock-in.

AI incident analysis with local LLM

Qwen3-32B runs in your datacenter. Alerts get narrative context ('SSH brute force on host X from IP Y, 327 attempts last hour, pattern similar to incident #2024-018'). Fast triage, no data leakage.

Wazuh Active Response auto-block

Known-pattern attacks (SSH brute force, web RCE, anti-virus attacks) are blocked at the iptables/firewall level in <5 seconds. The operator is notified, not woken up.
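As an added illustration (not configuration from this page or from CAI Technology), this is the shape of a Wazuh manager `ossec.conf` fragment that implements the auto-block described above: the stock `firewall-drop` script is bound to Wazuh's default sshd brute-force rule (rule ID 5712), runs on the agent that raised the alert, and expires automatically so the operator can review it later. The 600-second timeout is a constructed value, not one stated on this page.

```xml
<ossec_config>
  <!-- Command definition: firewall-drop ships with Wazuh and inserts an
       iptables DROP rule for the source IP carried in the alert. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the default sshd brute-force rule (ID 5712).
       location=local: the agent that generated the alert performs the block.
       timeout: the DROP rule is removed after 600 s (constructed value), so a
       false positive heals itself and the operator can confirm or extend the
       block during normal hours instead of being paged. -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Scoping the response with `<rules_id>` rather than a bare alert `<level>` keeps the block tied to the brute-force signature, so unrelated high-level alerts do not trigger firewall changes.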

Pipeline events API + WebSocket

AEGIS publishes events in real time (WebSocket), so other applications can react programmatically. Integrates with IRIS for auto-remediation with an approval flow.

Compliance reporting (PCI-DSS, ISO 27001, NIS2)

Pre-mapped dashboards for audit log access, retention, classification. Lexnomia integration for automatic export into audit questionnaires.

Integration with Cisco FDM / pfSense / Mikrotik

Dedicated connectors for common network devices. No more manual SSH to routers — everything flows to Graylog.

Tech stack

  • Fluent Bit + Graylog + OpenSearch (logs)
  • Prometheus + Alertmanager + Grafana (metrics)
  • Wazuh + Suricata + Zeek + Falco (security)
  • Qwen3-32B local LLM (AI analysis)

Evidence

  • Phases F0-F5.1 LIVE; F6-F12 on roadmap
  • Total cost: 1/10 of equivalent enterprise SIEM
  • Wazuh Active Response live with 29+ agents
  • 5 production-ready Grafana dashboards

FAQ

What company size is this suitable for?

Sweet spot: 50-500 physical/virtual servers, 5-50k events/sec. Below that, standalone Graylog is likely sufficient. Above it, the stack scales, but we work hand-in-hand with your SOC on tuning.

Does log data leave the network?

Never in the standard configuration: the LLM (Qwen3-32B) and Graylog/OpenSearch all run in your DC. For clients who also want SaaS analytics, we offer optional aggregated dashboards with anonymized data.

How long does implementation take?

F0-F2 (logs + basic dashboards): 1 week. F3-F5 (alerting + Wazuh + AI analysis): another 2 weeks. F6+ (SOAR, threat intel integration): per your needs.

Open source or commercial license?

The components are open-source. Configuration, dashboards, integrations + LLM model selection — that's our product. Commercial license per cluster, no surprise seat licensing.

We start with a 30-minute conversation.

Free AI-readiness audit for companies with 50+ employees. We reply within 24 hours.