Allama
🔥🔥🔥 AI security automation platform. Build visual workflows, deploy autonomous agents, and automate threat detection and response. 80+ integrations with SIEM, EDR, ticketing, and cloud tools. Self-hosted SOAR alternative.
Install / Use
/learn @digitranslab/AllamaREADME
Why Allama?
Security teams face 500+ alerts daily. Manual investigation is slow, inconsistent, and burns out analysts. Legacy SOAR tools cost $100k+ and require consultants to implement.
Allama changes this:
- 90% faster triage — AI agents enrich and prioritise alerts automatically
- Zero vendor lock-in — 100% open source, self-hosted on your infrastructure
- No coding required — Visual workflow builder for common automation
- Enterprise-ready — Multi-tenant, SSO, audit trails, and compliance controls
Features
Visual Workflow Builder
Build security playbooks with drag-and-drop. Conditional logic, parallel execution, and loops — no code required.
AI-Powered Agents
Deploy autonomous agents that understand threats, make decisions, and execute responses. Supports OpenAI, Anthropic, Azure, or self-hosted models via Ollama.
80+ Integrations
Connect your entire security stack:</p>
| Category | Tools | |----------|-------| | SIEM | Splunk, Elastic, Datadog, Wazuh | | EDR/XDR | CrowdStrike, SentinelOne | | Identity | Okta, Microsoft Entra ID, Google Workspace | | Ticketing | Jira, Zendesk, PagerDuty | | Communication | Slack, Microsoft Teams, Email | | Threat Intel | VirusTotal, URLScan, IPInfo, Anomali | | Cloud | AWS, Google Cloud, Kubernetes |
Case Management
Track incidents from detection to resolution. Custom fields, task assignment, file attachments, and complete audit trails.
Secure Script Execution
Run custom Python in isolated WebAssembly sandboxes. Network isolation, resource limits, and full audit logging.
Quick Start
git clone https://github.com/digitranslab/allama.git
cd allama
make init
make dev
Or use the one-click demo script:
./demo.sh
Open http://localhost and start building workflows.
Requirements: Docker, Python 3.12+, 4GB RAM, 10GB disk space
Architecture
flowchart LR
subgraph Sources["Data Sources"]
S1[SIEM Alerts]
S2[EDR Events]
S3[Cloud Logs]
S4[Webhooks]
end
subgraph Platform["Allama Platform"]
API[API Gateway<br/>FastAPI]
WF[Workflow Engine<br/>Temporal]
AI[AI Agents<br/>PydanticAI]
INT[Integrations<br/>80+ Tools]
end
subgraph Actions["Automated Response"]
A1[Enrich & Triage]
A2[Contain Threats]
A3[Create Cases]
A4[Notify Teams]
end
S1 & S2 & S3 & S4 --> API
API --> WF
WF --> AI
AI --> INT
INT --> A1 & A2 & A3 & A4
| Component | Technology | Purpose | |-----------|------------|---------| | API Gateway | FastAPI | Authentication, routing, OpenAPI docs | | Workflow Engine | Temporal | Durable execution with automatic retry | | AI Agents | PydanticAI + LiteLLM | Multi-model support, tool orchestration | | Sandbox | WebAssembly | Isolated script execution | | Database | PostgreSQL | Persistent storage | | Object Storage | S3-compatible | File attachments, artefacts |
Security
| Feature | Implementation | |---------|----------------| | Authentication | Basic, Google OAuth, SAML 2.0 (Okta, Entra ID) | | Authorisation | Role-based access, workspace isolation | | Secrets | AES-256 encryption, automatic injection | | Audit | Complete access and execution history |
Use Cases
SOC Teams — Reduce alert fatigue by 90%. Automate triage, enrichment, and containment.
MSSPs — Multi-tenant architecture. White-label deployment. API-first integration.
Cloud Security — Infrastructure as code. Terraform modules. Self-hosted for data sovereignty.
Community
- Discord — Real-time support and discussion
