AI Agents — The Current Runtime Reference
AuroraSOC currently runs 14 agents total: 1 orchestrator and 13 specialist agents. The live runtime is centered on a shared factory and a generic specialist server, not on one dedicated server.py per agent package.
Current Runtime Layout
- aurorasoc.agents.factory.AGENT_SPECS is the source of truth for runnable specialist agents, their roles, prompts, and memory templates.
- aurorasoc.agents.mcp_agent_loader.AGENT_MCP_BINDINGS is the source of truth for which MCP domains each agent may access.
- aurorasoc.agents.generic_server launches almost every specialist service from environment variables.
- aurorasoc.agents.orchestrator.server remains a dedicated entry point because it builds A2A handoff tools to the specialist fleet.
- The subpackages under aurorasoc/agents/* are mostly package markers or migration-compatibility shims. They are not the primary runtime implementation surface.
Example specialist launch:
AGENT_NAME=SecurityAnalyst \
AGENT_PORT=9001 \
AGENT_TAGS=siem,detection \
python -m aurorasoc.agents.generic_server
The generic specialist server accepts these environment variables:
| Variable | Required | Purpose |
|---|---|---|
| AGENT_NAME | yes | Agent key from AGENT_SPECS, for example SecurityAnalyst |
| AGENT_PORT | yes | A2A listener port |
| AGENT_TAGS | no | Comma-separated discovery tags |
| AGENT_FACTORY_METHOD | legacy | Backward-compatibility alias for older create_* naming |
How The Fleet Works
- The orchestrator receives an investigation request.
- It reasons about the task and chooses the right specialists.
- It delegates work over A2A handoff tools.
- Each specialist loads only the MCP tools authorized for its domain bindings.
- The orchestrator synthesizes the results and routes high-risk actions through approval gates.
Runnable Agents
| Agent | Port | Memory | MCP Domains | Primary Use |
|---|---|---|---|---|
| Orchestrator | 9000 | ORCHESTRATOR_MEMORY | soar | Investigation planning, delegation, synthesis, approval-aware coordination |
| SecurityAnalyst | 9001 | ANALYST_MEMORY | siem, soar, osint, document | Alert triage, IOC extraction, MITRE mapping, compliance-oriented analysis |
| ThreatHunter | 9002 | HUNTER_MEMORY | siem, ueba, osint | Hypothesis-driven hunting, LOLBin detection, behavioral threat review |
| MalwareAnalyst | 9003 | INTEL_MEMORY | malware, threat_intel, malware_intel | Malware family analysis, sandbox review, YARA and behavioral signatures |
| IncidentResponder | 9004 | RESPONDER_MEMORY | soar, edr, network, document | Containment, eradication, recovery, and response playbook execution |
| NetworkSecurity | 9005 | ANALYST_MEMORY | network, siem, network_capture | Network detections, anomalies, exfiltration, and response context |
| WebSecurity | 9006 | ANALYST_MEMORY | siem, network, osint | Web attacks, WAF review, and API abuse analysis |
| CloudSecurity | 9007 | ANALYST_MEMORY | siem, cloud_provider | Cloud posture, IAM anomalies, and container-oriented security review |
| CPSSecurity | 9008 | RESPONDER_MEMORY | cps, network_capture | CPS, IoT, OT, attestation, and physical-cyber correlation |
| ThreatIntel | 9009 | INTEL_MEMORY | threat_intel, siem, osint, vuln_intel, document | IOC enrichment, threat feeds, CVE and EPSS prioritization, regulatory correlation |
| EndpointBehavior | 9010 | HUNTER_MEMORY | ueba, edr, siem, malware | Unified EDR and UEBA analysis, process trees, baselines, insider-risk signals |
| ForensicAnalyst | 9012 | RESPONDER_MEMORY | forensics, siem, network_capture | Evidence collection, timeline reconstruction, and chain-of-custody workflows |
| ReportGenerator | 9015 | LIGHTWEIGHT_MEMORY | soar, siem, document | Executive summaries, technical reports, and documentation output |
| NetworkAnalyzer | 9016 | ANALYST_MEMORY | network, siem, network_capture | Read-only network analysis; explicitly excludes active blocking tools |
Historical Consolidations
Older docs, screenshots, or branch history may still mention specialists that are no longer standalone runtime agents:
- EndpointSecurity and UEBAAnalyst were consolidated into EndpointBehavior.
- VulnerabilityManager capabilities were folded into ThreatIntel.
- ComplianceAnalyst responsibilities were absorbed by SecurityAnalyst and ThreatIntel.
The compatibility packages for those names remain in the repository, but they are retained for migration stability rather than active deployment.
Tool Authorization And Safety
- Tool access is deterministic. Agents only see MCP tools from the domains listed in AGENT_MCP_BINDINGS.
- generic_server validates the requested agent name before startup.
- MCP bindings are validated at startup to catch unregistered domains or missing ports.
- NetworkAnalyzer is the read-only network specialist. It shares network-analysis domains with NetworkSecurity but excludes block_ip.
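The startup checks listed above, sketched as an added example; this is not AuroraSOC's own code. Agent names, domain names, and block_ip come from this page; the registry layout, ports, other tool names, and the TOOL_DENY mechanism are assumptions made for illustration.

```python
# Added example: names below mirror the page; ports, tool names other than
# block_ip, and the deny-list mechanism are assumptions for illustration.
AGENT_SPECS = {"SecurityAnalyst", "NetworkSecurity", "NetworkAnalyzer"}
AGENT_MCP_BINDINGS = {
    "SecurityAnalyst": ["siem", "soar", "osint", "document"],
    "NetworkSecurity": ["network", "siem", "network_capture"],
    "NetworkAnalyzer": ["network", "siem", "network_capture"],
}
# Hypothetical registry: MCP domain -> (server port, tools it exposes).
DOMAIN_REGISTRY = {
    "siem": (8101, {"search_logs"}),
    "soar": (8102, {"run_playbook"}),
    "osint": (8103, {"lookup_domain"}),
    "document": (8104, {"fetch_policy"}),
    "network": (8105, {"list_flows", "block_ip"}),
    "network_capture": (8106, {"read_pcap"}),
}
TOOL_DENY = {"NetworkAnalyzer": {"block_ip"}}  # read-only specialist


def validate_bindings(specs, bindings, registry):
    """Return a list of startup errors; an empty list means safe to start."""
    errors = [f"{a}: bound but not in AGENT_SPECS" for a in bindings if a not in specs]
    errors += [f"{a}: no MCP bindings" for a in specs if a not in bindings]
    for agent, domains in bindings.items():
        for domain in domains:
            if domain not in registry:
                errors.append(f"{agent}: unregistered domain {domain!r}")
            elif not registry[domain][0]:
                errors.append(f"{agent}: domain {domain!r} has no port")
    return sorted(errors)


def allowed_tools(agent, bindings, registry, deny):
    """Tools an agent may see: union of its bound domains minus its deny list."""
    tools = set()
    for domain in bindings[agent]:
        tools |= registry[domain][1]
    return tools - deny.get(agent, set())


def load_agent_config(env, specs):
    """Parse the generic-server variables and fail closed on bad input."""
    name = env.get("AGENT_NAME", "")
    if name not in specs:
        raise ValueError(f"unknown AGENT_NAME {name!r}")
    port = int(env.get("AGENT_PORT", "0"))
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid AGENT_PORT {port}")
    tags = [t.strip() for t in env.get("AGENT_TAGS", "").split(",") if t.strip()]
    return {"name": name, "port": port, "tags": tags}
```

Running validate_bindings before any listener opens means a typo in a domain name stops the service instead of silently starting an agent with a different tool set than intended.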
Memory Profiles
| Profile | Used By | Notes |
|---|---|---|
| ANALYST_MEMORY | SecurityAnalyst, NetworkSecurity, WebSecurity, CloudSecurity, NetworkAnalyzer | Analyst-oriented working set with episodic recall |
| HUNTER_MEMORY | ThreatHunter, EndpointBehavior | Optimized for hunting and behavioral investigations |
| RESPONDER_MEMORY | IncidentResponder, CPSSecurity, ForensicAnalyst | Larger working context for multi-step response flows |
| INTEL_MEMORY | MalwareAnalyst, ThreatIntel | Best fit for enrichment-heavy and context-rich analysis |
| LIGHTWEIGHT_MEMORY | ReportGenerator | Minimal footprint for summarization and reporting |
| ORCHESTRATOR_MEMORY | Orchestrator | Coordination-focused memory for delegation and synthesis |
Adding Or Changing An Agent
- Add or update the system prompt in aurorasoc/agents/prompts.py.
- Add or change the AgentSpec entry in aurorasoc/agents/factory.py.
- Update the MCP domain bindings in aurorasoc/agents/mcp_agent_loader.py.
- If the orchestrator should delegate to the agent directly, add it to SPECIALIST_NAMES in aurorasoc/agents/orchestrator/server.py.
- Add the deployment wiring in docker-compose.yml or scripts/run_local_agents.py with AGENT_NAME, AGENT_PORT, and AGENT_TAGS.
- Use aurorasoc.agents.generic_server unless the agent truly needs custom startup behavior.
- Update this page and the contributor reference so the runtime docs stay aligned with the code.
What To Ignore In Older Docs
If you still see any of the following, treat them as historical:
- claims that AuroraSOC runs 17 agents
- startup commands that use python -m aurorasoc.agents.<specialist>.server
- standalone runtime descriptions for EndpointSecurity, UEBAAnalyst, ComplianceAnalyst, or VulnerabilityManager
The current runtime architecture is the 14-agent, factory-driven, generic-server model documented above.