AI Agents — The Complete Agent Reference
AuroraSOC uses 15 AI agents (1 Orchestrator + 14 specialists) to investigate security alerts. This page explains every agent: what it does, what tools it has access to, how it's configured, and how it interacts with other agents.
How Agents Work
Every agent in AuroraSOC follows the same pattern:
The Agent Construction Formula
Every agent is built from these components:
```python
agent = RequirementAgent(
    name="SecurityAnalyst",                          # Identity
    llm=ChatModel("ollama:granite4:8b"),             # Brain (LLM)
    tools=[ThinkTool(), *mcp_tools],                 # Capabilities
    requirements=[ConditionalRequirement(            # Rules
        ThinkTool, force_at_step=1
    )],
    memory=TieredAgentMemory(ANALYST_MEMORY),        # Memory
    role="Security Log Analyst",                     # Self-identity
    instructions=SECURITY_ANALYST_PROMPT,            # Personality
    middlewares=[GlobalTrajectoryMiddleware()],      # Observability
)
```
| Component | What It Is | Why It Matters |
|---|---|---|
| RequirementAgent | BeeAI agent class that enforces rules | Ensures agents always think before acting |
| ChatModel | Connection to Granite LLM via Ollama | The "brain" — generates all reasoning |
| ThinkTool | Mandatory at step 1 | Forces structured reasoning plan before any action |
| MCP Tools | Domain-specific security tools | How agents interact with SIEM, EDR, SOAR, etc. |
| ConditionalRequirement | Rule: "use ThinkTool at step 1" | Prevents agents from jumping to conclusions |
| TieredAgentMemory | 3-tier memory (working + episodic + threat intel) | Agents remember past investigations |
| GlobalTrajectoryMiddleware | Records every step | Audit trail of all agent reasoning and actions |
Agent Communication (A2A Protocol)
Agents talk to each other using the Agent-to-Agent (A2A) protocol:
Tool Access (MCP Protocol)
Each agent connects to MCP tool servers — separate HTTP services that expose security tools:
Tools are discovered dynamically at startup — the agent connects to the MCP server and asks "what tools do you provide?" This means:
- Adding a new tool to an MCP server doesn't require redeploying agents
- MCP servers can be implemented in any language
- Tool access is auditable — the `AGENT_MCP_BINDINGS` map is the single source of truth
The Orchestrator
| Property | Value |
|---|---|
| Name | Orchestrator |
| Port | 9000 |
| LLM | granite4:dense (larger model) |
| Memory | ORCHESTRATOR_MEMORY — sliding window of 60 messages, episodic enabled |
| MCP Domains | soar |
| Special Tools | 14 HandoffTool instances (one per specialist) |
The Orchestrator is the brain of the SOC. It receives investigation requests and coordinates the entire multi-agent workflow:
- Analyzes the alert to determine which specialists are needed
- Dispatches tasks to specialists using `HandoffTool` (ACP)
- Collects structured findings from each specialist
- Synthesizes a unified report with overall severity, confidence, and recommendations
- Gates high-risk actions on human approval
Key difference from specialists: The Orchestrator doesn't directly analyze logs or hunt for threats. It delegates to specialists and synthesizes their findings. It uses a larger LLM model (granite4:dense) because coordination requires more reasoning capability.
System Prompt Summary: For every alert, reason about type/assets/context → identify needed specialists → create investigation plan → dispatch via HandoffTool → collect → synthesize → gate high-risk actions on human approval.
Specialist Agents
SecurityAnalyst
| Property | Value |
|---|---|
| Port | 9001 |
| Role | Security Log Analyst |
| Memory | ANALYST_MEMORY — 30-message window, episodic enabled, auto-persist every 20 messages |
| MCP Domains | siem, soar, osint |
| LLM | granite4:8b |
What it does: Analyzes security logs from SIEM, extracts IOCs (IPs, domains, hashes, CVEs), maps observed behaviors to MITRE ATT&CK techniques, scores alert severity, identifies patterns across multiple log sources, and flags false positives.
When it's invoked: Almost every investigation. It's the first specialist called for most alerts because log analysis is the foundation of any investigation.
Output: { severity, confidence, mitre_techniques[], iocs[], affected_assets[], analysis_summary }
ThreatHunter
| Property | Value |
|---|---|
| Port | 9002 |
| Role | Threat Hunter |
| Memory | HUNTER_MEMORY — 40-message window, episodic + threat intel enabled, auto-persist every 15 messages |
| MCP Domains | siem, ueba, osint |
| LLM | granite4:8b |
What it does: Proactively hunts for threats that evade traditional detection. Searches for LOLBin abuse, behavioral anomalies, beaconing patterns, lateral movement, C2 communication, persistence mechanisms, and credential theft indicators.
When it's invoked: When the Orchestrator suspects advanced threats that signature-based detection missed. Uses hypothesis-driven hunting methodology.
Output: Hunting hypothesis tested, evidence found with log references, MITRE ATT&CK mapping, confidence assessment, recommended follow-up.
MalwareAnalyst
| Property | Value |
|---|---|
| Port | 9003 |
| Role | Malware Analyst |
| Memory | INTEL_MEMORY — 40-message window, episodic + threat intel enabled, auto-persist every 10 messages |
| MCP Domains | malware, threat_intel, malware_intel |
| LLM | granite4:8b |
What it does: Analyzes suspicious files using YARA rules, reviews sandbox results, identifies malware families/variants, extracts behavioral signatures, detects fileless malware, and generates detection signatures.
When it's invoked: When suspicious files are found during an investigation (email attachments, downloaded executables, anomalous scripts).
Output: { malware_family, confidence, yara_matches[], behavioral_indicators[], iocs[], recommended_actions[] }
IncidentResponder
| Property | Value |
|---|---|
| Port | 9004 |
| Role | Incident Responder |
| Memory | RESPONDER_MEMORY — 50-message window, episodic enabled, auto-persist every 10 messages |
| MCP Domains | soar, edr, network, document |
| LLM | granite4:8b |
What it does: Executes containment, eradication, and recovery actions. Isolates endpoints, blocks malicious IPs/domains, revokes credentials, runs response playbooks, and documents all actions in the case timeline.
When it's invoked: After investigation is complete and response actions are needed. It follows the CONTAIN → ERADICATE → RECOVER → LEARN framework.
Critical safety feature: For high-risk actions (production system isolation, mass credential resets, OT system changes), it always sets requires_human_approval = true and waits for analyst approval.
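The approval gate described above, as an added example (not the project's own responder code): high-risk actions are flagged at planning time, and the executor fails closed, running a flagged action only when a matching analyst approval exists. Action kinds, asset tiers and the mass-reset threshold are assumptions for illustration.

```python
from dataclasses import dataclass

MASS_RESET_THRESHOLD = 5  # assumed: revoking more credentials than this counts as a mass reset

@dataclass
class Action:
    kind: str                  # e.g. "block_ip", "isolate_endpoint", "revoke_credentials"
    target: str
    tier: str                  # constructed asset tiers: "production", "ot", "workstation", "network"
    count: int = 1             # number of credentials for revoke_credentials
    requires_human_approval: bool = False

def is_high_risk(a: Action) -> bool:
    """The three high-risk classes named on the page: production isolation, mass reset, any OT change."""
    if a.kind == "isolate_endpoint" and a.tier == "production":
        return True
    if a.kind == "revoke_credentials" and a.count > MASS_RESET_THRESHOLD:
        return True
    return a.tier == "ot"

def plan_response(actions: list[Action]) -> list[Action]:
    """Flag every high-risk action so the executor cannot run it unattended."""
    for a in actions:
        a.requires_human_approval = is_high_risk(a)
    return actions

def execute(plan: list[Action], approvals: set[tuple[str, str]]) -> list[str]:
    """Fail closed: a flagged action runs only with a matching (kind, target) approval.
    Returns the case-timeline entries the responder would document."""
    timeline = []
    for a in plan:
        if a.requires_human_approval and (a.kind, a.target) not in approvals:
            timeline.append(f"HELD {a.kind} on {a.target}: awaiting analyst approval")
        else:
            timeline.append(f"RAN {a.kind} on {a.target}")
    return timeline

# Constructed response plan for one investigation.
SAMPLE_ACTIONS = [
    Action("block_ip", "203.0.113.7", "network"),
    Action("isolate_endpoint", "ws-042", "workstation"),
    Action("isolate_endpoint", "db-prod-01", "production"),
    Action("revoke_credentials", "finance-group", "workstation", count=40),
    Action("change_setpoint", "plc-7", "ot"),
]
```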
NetworkSecurity
| Property | Value |
|---|---|
| Port | 9005 |
| Role | Network Security Analyst |
| Memory | ANALYST_MEMORY |
| MCP Domains | network, siem, network_capture |
What it does: Detects DDoS attacks, intrusion attempts, DNS tunneling, covert channels, protocol anomalies, network reconnaissance, data exfiltration patterns, and VPN anomalies.
WebSecurity
| Property | Value |
|---|---|
| Port | 9006 |
| Role | Web Security Analyst |
| Memory | ANALYST_MEMORY |
| MCP Domains | siem, network, osint |
What it does: Detects OWASP Top 10 attacks (SQLi, XSS, CSRF), analyzes WAF logs, detects API abuse and credential stuffing, monitors for web shell deployment.
CloudSecurity
| Property | Value |
|---|---|
| Port | 9007 |
| Role | Cloud Security Analyst |
| Memory | ANALYST_MEMORY |
| MCP Domains | siem, cloud_provider |
What it does: Detects cloud misconfigurations (open S3 buckets, permissive security groups), monitors IAM for privilege escalation, detects container escape attempts, identifies serverless abuse.
CPSSecurity
| Property | Value |
|---|---|
| Port | 9008 |
| Role | CPS / IoT Security Specialist |
| Memory | RESPONDER_MEMORY |
| MCP Domains | cps, network_capture |
What it does: The bridge between the physical and cyber worlds. Analyzes telemetry from edge devices, verifies hardware attestation certificates, correlates physical events (door open, tamper detect) with cyber events, monitors OT/ICS protocols, identifies rogue devices.
Unique capability — Physical-Cyber Correlation Types:
| Type | Meaning | Example |
|---|---|---|
| PHYSICAL_ONLY | Physical anomaly, no matching cyber event | Tamper detection on sensor with no network activity |
| CYBER_ONLY | Cyber attack, no physical trigger | Standard IT malware on network-connected PLC |
| CORRELATED | Physical + cyber events within time window | Door breach + new device joins WiFi simultaneously |
| ESCALATED | Physical breach enabling cyber access | USB insertion detected right after physical door bypass |
ThreatIntel
| Property | Value |
|---|---|
| Port | 9009 |
| Role | Threat Intelligence Analyst |
| Memory | INTEL_MEMORY |
| MCP Domains | threat_intel, siem, osint, vuln_intel |
What it does: Enriches IOCs with external threat intelligence, correlates IOCs with known APT campaigns, tracks emerging threats and zero-days, manages IOC lifecycle, shares IOCs across sites via NATS JetStream.
EndpointSecurity
| Property | Value |
|---|---|
| Port | 9010 |
| Role | Endpoint Security Analyst |
| Memory | ANALYST_MEMORY |
| MCP Domains | edr, siem, malware |
What it does: Analyzes EDR telemetry, detects process injection/hollowing/LOLBin abuse, monitors file integrity, identifies persistence mechanisms, tracks PowerShell and WMI attacks.
UEBAAnalyst
| Property | Value |
|---|---|
| Port | 9011 |
| Role | UEBA Analyst |
| Memory | HUNTER_MEMORY |
| MCP Domains | ueba, siem |
What it does: Creates and maintains behavioral baselines for users and entities, detects deviations from baselines, identifies insider threat indicators, detects compromised accounts, analyzes access patterns (temporal, geographic), scores user/entity risk.
ForensicAnalyst
| Property | Value |
|---|---|
| Port | 9012 |
| Role | Forensic Analyst |
| Memory | RESPONDER_MEMORY |
| MCP Domains | forensics, siem, network_capture |
What it does: Collects and preserves digital evidence with chain of custody, analyzes file system artifacts, performs memory forensics, reconstructs timelines, identifies anti-forensic techniques. All evidence actions are logged to the immutable audit trail.
ComplianceAnalyst
| Property | Value |
|---|---|
| Port | 9013 |
| Role | Compliance Analyst |
| Memory | LIGHTWEIGHT_MEMORY — 20-message window, no episodic, no auto-persist |
| MCP Domains | siem, soar, document |
What it does: Maps security events to compliance frameworks (NIST CSF 2.0, IEC 62443, ISO 27001, SOC 2, GDPR, HIPAA), identifies compliance violations in real-time, generates compliance reports.
VulnerabilityManager
| Property | Value |
|---|---|
| Port | 9014 |
| Role | Vulnerability Manager |
| Memory | LIGHTWEIGHT_MEMORY |
| MCP Domains | siem, threat_intel, vuln_intel, document |
What it does: Correlates vulnerability scan results with active threats, prioritizes by exploitability and asset criticality (CVSS + exploit availability + asset criticality + network exposure), tracks patch deployment, assesses CPS/IoT device exposure.
ReportGenerator
| Property | Value |
|---|---|
| Port | 9015 |
| Role | Report Generator |
| Memory | LIGHTWEIGHT_MEMORY |
| MCP Domains | soar, siem, document |
What it does: Produces executive summaries, detailed technical reports, compliance audit reports, threat landscape briefings, SOC performance metrics, and CPS/IoT device inventory reports.
NetworkAnalyzer
| Property | Value |
|---|---|
| Port | 9016 |
| Role | Network Analyzer (Read-Only) |
| Memory | ANALYST_MEMORY |
| MCP Domains | network, siem, network_capture |
| Excluded Tools | block_ip |
What it does: Performs read-only network traffic analysis. Same capabilities as NetworkSecurity for analysis (flow analysis, DNS anomaly detection, IDS alert correlation) but cannot take any active response actions — it cannot block IPs, modify firewall rules, or isolate hosts.
Why it exists: Provides a safe agent for exploratory network analysis by analysts who want to investigate without risk of accidental automated response actions.
Agent-to-Tool Bindings
The AGENT_MCP_BINDINGS map is the single source of truth for which agent can access which MCP tool domains:
| Agent | MCP Domains |
|---|---|
| Orchestrator | soar |
| SecurityAnalyst | siem, soar, osint |
| ThreatHunter | siem, ueba, osint |
| MalwareAnalyst | malware, threat_intel, malware_intel |
| IncidentResponder | soar, edr, network, document |
| NetworkSecurity | siem, network, network_capture |
| NetworkAnalyzer | siem, network, network_capture |
| CPSSecurity | cps, network_capture |
| ThreatIntel | siem, threat_intel, osint, vuln_intel |
| UEBAAnalyst | siem, ueba |
| ForensicAnalyst | siem, forensics, network_capture |
| EndpointSecurity | siem, edr, malware |
| WebSecurity | siem, network, osint |
| CloudSecurity | siem, cloud_provider |
| ComplianceAnalyst | siem, soar, document |
| VulnerabilityManager | siem, threat_intel, document, vuln_intel |
| ReportGenerator | siem, soar, document |
Memory Configuration Profiles
| Profile | Sliding Window | Episodic | Threat Intel | Auto-Persist Every | Used By |
|---|---|---|---|---|---|
| ANALYST_MEMORY | 30 msgs | ✓ | ✗ | 20 calls | SecurityAnalyst, NetworkSecurity, NetworkAnalyzer, EndpointSecurity, WebSecurity, CloudSecurity |
| HUNTER_MEMORY | 40 msgs | ✓ | ✓ | 15 calls | ThreatHunter, UEBAAnalyst |
| RESPONDER_MEMORY | 50 msgs | ✓ | ✗ | 10 calls | IncidentResponder, CPSSecurity, ForensicAnalyst |
| INTEL_MEMORY | 40 msgs | ✓ | ✓ | 10 calls | MalwareAnalyst, ThreatIntel |
| ORCHESTRATOR_MEMORY | 60 msgs | ✓ | ✗ | 25 calls | Orchestrator |
| LIGHTWEIGHT_MEMORY | 20 msgs | ✗ | ✗ | disabled | ComplianceAnalyst, VulnerabilityManager, ReportGenerator |
Key insight: Agents that need to correlate threats (Hunter, UEBA, Malware, ThreatIntel) have threat intel memory enabled. Response-focused agents (Incident Responder, Forensic, CPS) have larger sliding windows because IR workflows involve more back-and-forth. Lightweight agents (Compliance, Vuln, Report) don't need long-term recall.
Adding a New Agent
To add a new specialist agent:
- Write a system prompt in `aurorasoc/agents/prompts.py`
- Add an `AgentSpec` to `AGENT_SPECS` in `aurorasoc/agents/factory.py`
- Define MCP bindings in `AGENT_MCP_BINDINGS` in `aurorasoc/agents/mcp_agent_loader.py`
- Add a port to `A2ASettings` in `aurorasoc/config/settings.py`
- Add a `HandoffTool` to `SPECIALIST_NAMES` in `aurorasoc/agents/orchestrator/server.py`
- Create a folder under `aurorasoc/agents/{agent_name}/` with a `server.py` (or use `generic_server.py`)
- Add a Docker service in `docker-compose.yml`
- Run binding validation — `validate_bindings()` will catch any configuration drift
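A worked example of the binding model, covering both the `AGENT_MCP_BINDINGS` table above and the `validate_bindings()` step of this checklist. This is added illustration, not the project's loader or validator: the domain names and the `block_ip` exclusion for NetworkAnalyzer come from this page, while the tool names inside each domain and the shape of `AgentSpec` are assumptions. The validator flags the drift that this checklist can introduce: a binding with no spec, a spec with no binding, an unknown domain, an exclusion that names a tool no bound domain provides, and a duplicated A2A port.

```python
from dataclasses import dataclass
# Domains are those on this page; tool names inside each domain are constructed for
# the example, except block_ip, which the page lists as excluded for NetworkAnalyzer.
MCP_DOMAIN_TOOLS = {
    "siem": {"search_logs", "get_alert"},
    "network": {"flow_summary", "dns_anomalies", "block_ip"},
    "network_capture": {"get_pcap"},
    "soar": {"create_case", "run_playbook"},
}

@dataclass(frozen=True)
class AgentSpec:
    name: str
    port: int
    excluded_tools: frozenset = frozenset()

AGENT_SPECS = [
    AgentSpec("Orchestrator", 9000),
    AgentSpec("NetworkSecurity", 9005),
    AgentSpec("NetworkAnalyzer", 9016, frozenset({"block_ip"})),
]

AGENT_MCP_BINDINGS = {
    "Orchestrator": ["soar"],
    "NetworkSecurity": ["siem", "network", "network_capture"],
    "NetworkAnalyzer": ["siem", "network", "network_capture"],
}

def validate_bindings(specs, bindings, domains) -> list[str]:
    """Return configuration-drift problems; an empty list means specs and bindings agree."""
    problems, names = [], {s.name for s in specs}
    for agent, doms in bindings.items():
        if agent not in names:
            problems.append(f"{agent}: bound but has no AgentSpec")
        problems += [f"{agent}: unknown MCP domain '{d}'" for d in doms if d not in domains]
    for s in specs:
        if s.name not in bindings:
            problems.append(f"{s.name}: AgentSpec has no MCP bindings")
        reachable = set().union(*(domains.get(d, set()) for d in bindings.get(s.name, [])))
        problems += [f"{s.name}: excludes '{t}' but no bound domain provides it"
                     for t in s.excluded_tools - reachable]
    if len({s.port for s in specs}) != len(specs):
        problems.append("duplicate A2A port in AGENT_SPECS")
    return problems

def tools_for(agent: str) -> set[str]:
    # Tools the loader hands to an agent: union of bound domains minus explicit exclusions.
    spec = next(s for s in AGENT_SPECS if s.name == agent)
    tools = set().union(*(MCP_DOMAIN_TOOLS[d] for d in AGENT_MCP_BINDINGS[agent]))
    return tools - spec.excluded_tools
```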