ON-PREMISE · SOC · AI

Ask your infrastructure in plain language.

gsage is an on-premise SOC assistant that combines AI agents, structured tooling, and human review — so security teams can monitor, investigate, triage, and respond faster, without handing core workflows to a third-party SaaS.

Get started See workflows
Runs in your environment Full audit trail Web · Email · Telegram · CLI
gSage AI
Chat Knowledge Approvals Files Tasks AI Agents DataStores
AAdmin
Send a message… (Enter to send, Shift+Enter for new line)
gSage AI product family

The cybersecurity vertical of the gSage AI platform.

gSage AI SOC is built on the gSage AI orchestration platform. This site is the source-available open edition; GuardianKey delivers the commercial Enterprise edition for organizations that need deployment, homologated integrations, support and SLA.

gSage AI orchestration platform gSage AI SOC Enterprise
What it does

AI with guardrails. Tools with permissions. Humans in the loop.

Security teams lose time switching between dashboards, repeating the same checks, and manually gathering context before they can make a decision. gsage reduces that friction while improving both operational efficiency and security.

01 / ORCHESTRATION

AI agents with scoped tool access

FastAPI backend, Celery workers, RedBeat scheduler. Agents run with a clear execution model — logged, audited, and isolated through an MCP server with per-org/department/user permissions.

02 / INTEGRATIONS

Speaks your existing tools

Antivirus, EDR, SIEM, ticketing, WAF, proxies, HR, Active Directory, asset inventory — exposed to the engine as typed tools you can combine, schedule, and govern with rules.

03 / CONTROL

On-premise, auditable, multi-tenant

Runs in your environment. Organizations, departments, and users are core primitives. Every execution leaves a trail in Elasticsearch. Your data never has to leave.

Real workflows

From a single prompt to a finished incident.

gsage turns a natural-language question into a sequence of tool calls, enrichments, and actions — returning a summary you can audit.

WORKFLOW · 01

Investigating a malicious hash

gsage, search the environment for file hash abc123, gather antivirus update status from the affected machines, identify the associated users, open a ticket for each impacted host, add the hash to the blacklist, and email me the final status.

Execution plan
1Search hash abc123 in the integrated SIEM / EDR (Bitdefender, CrowdStrike, Trellix)
2Query antivirus APIs for update status on each affected machine
3Look up responsible users in Active Directory and HR systems
4Open a ticket in the integrated ticketing platform per affected host
5Add the hash to the centralized blacklist via API
6Email a final summary with host status, users, and tickets
WORKFLOW · 02

Responding to a phishing report

gsage, a user reported a suspicious email. Analyze the content, inspect links and attachments, and tell me whether it is phishing. If it is, create an incident ticket and send a summary for human review.

Execution plan
1Analyze the email content with an LLM to identify phishing indicators
2Inspect links via the URL analysis tool
3Detonate attachments in the integrated sandbox / malware analysis tool
4If phishing: block the sender, open an incident ticket
5Return classification, indicators found, and actions taken
6Email the analyst with the summary and ticket details
WORKFLOW · 03

Scheduled check for risky apps

gsage, every day at 9:00 AM, search the environment for AnyDesk, TeamViewer and OpenVPN. For each host, tell me the machine name and the currently logged-in user.

Execution plan
1Schedule the prompt via the internal scheduler (RedBeat / Celery)
2Run the search against inventory / asset management integrations
3Collect machine name and logged-in user per match
4Compile and email the summary to the analyst
Entry points

Meet your team where they work.

Web UI

React-based interface for analysts. Conversations, schedules, tool permissions, audit trail.

Email

Send prompts, attach files, receive responses. Ideal for async analysis and paper-trail workflows.

Telegram

On-call triage from your phone. Same permissions, same audit, without opening a laptop.

CLI

Terminal-first workflow with markdown rendering and conversation management. gsage ask "…"

Architecture in one minute

A small number of focused services.

Docker Compose is enough for the intended scale. Every service has a clear job, and the boundaries are the audit points.

CorebackendFastAPI. API, agent orchestration, health checks, core application logic.
UIweb-uiReact. User-facing web interface.
Toolsmcp-serverIsolated tool execution layer with scoped permissions.
Asynccelery + beatBackground and scheduled execution per queue.
Entryemail-workerEmail ingestion and response flow.
Entrytelegram-workerPrompt submission and response delivery via Telegram.
ServicecuratorBlocklist / allowlist management used by tools and rules.
StorepostgresOperational data.
StoreweaviateSemantic memory and retrieval.
QueueredisBroker, cache, locks, pub/sub.
LogselasticsearchAudit logs, metrics, structured app logs.
LLMexternal providerOllama, OpenAI, Gemini, DeepSeek or any OpenAI-compatible endpoint — selected via LLM_PROVIDER.
Rulesrules engineApprove or reject tool execution with custom logic before the call runs.
Tools & integrations

Designed for the integrations you already have.

gsage ships with a growing catalogue of tools and makes it straightforward to add your own. Community-contributed tools live in guardiankey/gSage-soc-ai-tools.

EDR · AVBitdefender
EDRCrowdStrike
EDRTrellix
SIEMElastic
InventoryGLPI
IntelMS Security KB
IntelShodan
IntelWHOIS
IdentityActive Directory
IdentityHR systems
TicketingTicketing APIs
EmailEmail security
WebURL analysis
SandboxMalware sandbox
NetworkWAF · Proxy
DataCurator lists
VizMermaid diagrams
+ moreBuild your own

Build a tool in minutes.

Tools are BaseTool subclasses exposed through the MCP server. You define metadata, schemas, permissions, and execution logic; gsage handles registration, auditing, and orchestration.

Read the tool guide 
from __future__ import annotations
    from typing import ClassVar, Optional
    from src.mcp_server.tools.base import BaseTool, ToolResult
    from src.shared.security.context import AgentContext

    class MyTool(BaseTool):
      """Short description used in MCP and admin metadata."""
      name: ClassVar[str] = "my_tool"
      version: ClassVar[str] = "1.0.0"
      summary: ClassVar[str] = "One-line summary used by search_tools"
      category: ClassVar[str] = "utility"
      permissions: ClassVar[list[str]] = ["utility:run"]
      rate_limit_per_minute: ClassVar[int] = 30
      timeout_seconds: ClassVar[int] = 15
      use_circuit_breaker: ClassVar[bool] = False
      params_schema: ClassVar[dict] = {"type": "object", "properties": {"value": {"type": "string", "description": "Input value to process"}}, "required": ["value"], "additionalProperties": False}
      config_schema: ClassVar[Optional[dict]] = {"properties": {"prefix": {"type": "string", "description": "Optional prefix used in the output"}}, "required": []}
      config_defaults: ClassVar[dict] = {"prefix": ""}

      async def execute(self, agent_context: AgentContext, params: dict, config: dict, state: dict) -> ToolResult:
        raw_value = params.get("value")
        if not isinstance(raw_value, str) or not raw_value.strip():
          return self._failure("INVALID_INPUT", "'value' must be a non-empty string")
        return self._success({"value": f"{config.get('prefix', '')}{raw_value.strip()}", "org_id": str(agent_context.org_id)})
◉ gSage AI SOC Source-Available License 1.0

Source-available. Free for internal SOC use.

gsage is proprietary but source-available. You can read the code, deploy it, and use it to defend your own organization — for free, within a few clear limits.

Free internal use
Up to 10 users
Authorized Internal Users per rolling 30-day period, including service accounts and API credentials.
Scope
SOC operations only
Security monitoring, triage, investigation, incident response, detection engineering, enrichment, security automation.
Commercial
Partner required
SaaS, hosted, managed, MSSP, white-label, OEM or resale offerings require a written agreement with GuardianKey.
Read the full license gSage AI SOC Enterprise

Ship an auditable AI SOC.
Without shipping your data.

Clone, docker compose up, and start asking.

Get the quick-start View on GitHub