๐Ÿ”’SecurityRepoIndex

SecGPT

Security-dense RAG-augmented LLM that answers infosec questions, analyzes logs, and assists incident response

3.9/ 52,800 GitHub starsPythonApache-2.0

โšก TL;DR

What
Security-dense RAG-augmented LLM that answers infosec questions, analyzes logs, and assists incident response
Who
SOC Analysts, Incident Responders, Security Students, Threat Intel Analysts
Catch
Corpus freshness depends on how often you refresh feeds
Verdict
โญโญโญโญ Recommended

๐ŸŽฏ The Problem It Solves

Generic LLMs hallucinate CVE details and don't understand ATT&CK or log formats. SecGPT wraps a base model (Llama-based) in a security-specific retrieval layer so its answers are grounded in real vulnerability data, PCAP evidence, and threat-intel reports. It's the difference between a chatbot that *sounds* security-savvy and one that actually maps your alert to a MITRE technique.

๐Ÿ”ง How It Works

SecGPT uses a RAG (Retrieval-Augmented Generation) pipeline | a local or cloud LLM backbone | and a curated security corpus (CVE feeds, ATT&CK, threat reports, PCAP samples). You ask it a SOC-style question ("analyze this IOC") or feed it a log file; it retrieves relevant slices of the corpus, conditions the LLM on that evidence, and produces an answer with citations. The result is an assistant that can triage an alert, draft an incident summary, or explain a technique โ€” without inventing CVE-IDs.

๐Ÿš€ Installation & Quick Start

Installation

git clone https://github.com/ZacharyZcR/SecGPT.git
cd SecGPT
pip install -r requirements.txt
# Option A: OpenAI backend (simplest)
echo "OPENAI_API_KEY=sk-..." > .env
# Option B: Local LLM
./scripts/download-model.sh llama-2-13b-chat

Quick Start

  1. git clone https://github.com/ZacharyZcR/SecGPT && cd SecGPT
  2. pip install -r requirements.txt
  3. cp .env.example .env # add your API key or model path
  4. python -m secgpt configure
  5. python -m secgpt ask "Map this ATT&CK technique T1003 to a Windows log source"

โœ… Pros

  • โ€ขRAG grounding dramatically reduces hallucination vs vanilla GPT
  • โ€ขRuns fully locally when data can't leave the network
  • โ€ขFree and Apache-2.0
  • โ€ขPurpose-built for security vocab / log formats

โŒ Cons

  • โ€ขCorpus freshness depends on how often you refresh feeds
  • โ€ขLocal LLM quality lags behind GPT-4 for complex analysis
  • โ€ขSetup is more involved than just calling OpenAI
  • โ€ขStill needs human verification on any actionable output

๐Ÿ’ฌ Practitioner Verdict

"SecGPT is the right answer to "I want an LLM that actually understands security jargon." The RAG layer means it cites real CVEs and ATT&CK techniques instead of inventing them. Use the OpenAI backend for quality, local mode when data sensitivity demands it. Still verify โ€” but you'll verify far less than with a raw ChatGPT prompt."
โ€” Emmanuel, Security Reviewer

๐Ÿ“Š Specifications

Language
Python
License
Apache-2.0
Platform
Linux, macOS, Windows
Kill Chain
Detection / Analysis
MITRE ATT&CK
T1595, T1592, T1003

๐Ÿ’ฐ Pricing Reality

SecGPT itself is free (OSS). Costs: free if you self-host a local LLM; variable (OpenAI GPT-4, ~$0.03/1K tokens) if you use cloud. Refreshing the security corpus is free via public feeds.

๐Ÿ‘ฅ Community Health

Stars2,800
Forks350
Contributors56
Health Score5.8/10

๐Ÿท๏ธ Tags

AgentsLLM

๐ŸŽฌ Video Tutorials

SecGPT Security LLM Demo

ZacharyZcR ยท 34K views ยท 22:40