SecGPT
Security-dense RAG-augmented LLM that answers infosec questions, analyzes logs, and assists incident response
โก TL;DR
๐ฏ The Problem It Solves
Generic LLMs hallucinate CVE details and don't understand ATT&CK or log formats. SecGPT wraps a base model (Llama-based) in a security-specific retrieval layer so its answers are grounded in real vulnerability data, PCAP evidence, and threat-intel reports. It's the difference between a chatbot that *sounds* security-savvy and one that actually maps your alert to a MITRE technique.
๐ง How It Works
SecGPT uses a RAG (Retrieval-Augmented Generation) pipeline | a local or cloud LLM backbone | and a curated security corpus (CVE feeds, ATT&CK, threat reports, PCAP samples). You ask it a SOC-style question ("analyze this IOC") or feed it a log file; it retrieves relevant slices of the corpus, conditions the LLM on that evidence, and produces an answer with citations. The result is an assistant that can triage an alert, draft an incident summary, or explain a technique โ without inventing CVE-IDs.
๐ Installation & Quick Start
Installation
git clone https://github.com/ZacharyZcR/SecGPT.git
cd SecGPT
pip install -r requirements.txt
# Option A: OpenAI backend (simplest)
echo "OPENAI_API_KEY=sk-..." > .env
# Option B: Local LLM
./scripts/download-model.sh llama-2-13b-chatQuick Start
- git clone https://github.com/ZacharyZcR/SecGPT && cd SecGPT
- pip install -r requirements.txt
- cp .env.example .env # add your API key or model path
- python -m secgpt configure
- python -m secgpt ask "Map this ATT&CK technique T1003 to a Windows log source"
โ Pros
- โขRAG grounding dramatically reduces hallucination vs vanilla GPT
- โขRuns fully locally when data can't leave the network
- โขFree and Apache-2.0
- โขPurpose-built for security vocab / log formats
โ Cons
- โขCorpus freshness depends on how often you refresh feeds
- โขLocal LLM quality lags behind GPT-4 for complex analysis
- โขSetup is more involved than just calling OpenAI
- โขStill needs human verification on any actionable output
๐ฌ Practitioner Verdict
"SecGPT is the right answer to "I want an LLM that actually understands security jargon." The RAG layer means it cites real CVEs and ATT&CK techniques instead of inventing them. Use the OpenAI backend for quality, local mode when data sensitivity demands it. Still verify โ but you'll verify far less than with a raw ChatGPT prompt."
๐ Specifications
- Language
- Python
- License
- Apache-2.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Detection / Analysis
- MITRE ATT&CK
- T1595, T1592, T1003
๐ฐ Pricing Reality
SecGPT itself is free (OSS). Costs: free if you self-host a local LLM; variable (OpenAI GPT-4, ~$0.03/1K tokens) if you use cloud. Refreshing the security corpus is free via public feeds.
๐ฅ Community Health
๐ท๏ธ Tags
๐ฌ Video Tutorials
SecGPT Security LLM Demo
ZacharyZcR ยท 34K views ยท 22:40