AI-Powered Security Operations Platform

Visibility and control
from network to endpoint

XDRagon Monitor watches your network, your computers, and your internet traffic around the clock — spots attacks, explains them in plain language, and tells you what to do next. Built-in EU compliance (NIS2) included. No security team required — and it scales up when you have one.

Free and open source (Apache 2.0) — no license fees, no subscriptions, no per-device pricing.

XDRagon Monitor — Live Dashboard (example data)
XDRagon Monitor Live Dashboard
Am I safe right now?
Secure
1 recommended next action · example data
Security Score
87/100
explainable, 0–100 · example data
AI-Powered Detection6 specialised local models
Real-Time TelemetryNetwork, DNS, endpoint
Self-HostedYour data stays on your hardware
NIS2 / NIST / CISBuilt-in compliance automation
Visibility. Detection. Response.

Everything your SOC needs.
One unified platform.

Network IDS/IPS
Suricata-powered real-time detection across all network traffic. Geographic heatmap, attack trends, MITRE ATT&CK mapping, and threat intel enrichment from 10+ sources.
Learn more
Autonomous AI SOC
Six local LLM models running on your hardware. Classifies every 2 minutes, correlates every 10, detects C2 beaconing, and delivers a written morning briefing at 07:00.
Learn more
Endpoint XDR
A small, secure agent on each Windows and Ubuntu machine watches for suspicious activity — malware behaviour, tampering, unusual logins — and reports back over an encrypted connection. Proven detection rules included; thousands more available with one click.
Learn more
Honeypot Defense
Deploy deception sensors with realistic personas — SSH server, IoT printer, Windows workstation. No legitimate user has any reason to touch a decoy — virtually every interaction is a high-confidence alert.
Learn more
Compliance Engine
Live scoring for NIS2, NIST CSF 2.0, and CIS Controls v8.1. Auto-generated evidence packages, human-approval workflow, and one-click audit ZIP export.
Learn more
Unified Telemetry

All signals.
One platform.

XDRagon Monitor unifies telemetry from firewalls, IDS/IPS sensors, DNS resolvers, and endpoint agents into a single high-fidelity data fabric — normalised, correlated, and enriched before an analyst ever sees it.

Real-time ingestion and normalisation Suricata EVE-JSON, pfBlockerNG, UniFi, and generic syslog — unified into one event schema
Threat intel enrichment from 10+ sources IP reputation, GeoIP, ASN, threat tags — attached automatically before storage
Asset attribution at detection time Every event linked to the asset inventory — blast-radius analysis is instant
Machine learning scores every event automatically Spotting unusual behaviour and closing routine noise — so only what matters reaches a human
Threat Sources Overview Live
Threat Sources
Events / hour
18,742
Example data
NETWORK OVERVIEW

How XDRagon Monitor fits into your SMB network

XDRagon Monitor SMB network overview diagram
Threat Detection + Response

Detect earlier.
Respond faster.

AI and behavioural analytics detect threats across every layer and route them to the right analyst — grouping related alerts into a handful of actionable incidents instead of hundreds of raw alerts, while catching the signals that matter.

MITRE ATT&CK mapping on every correlated event Full technique registry — incident reports speak the framework automatically
DNS analytics — DGA, tunneling, fast-flux detection DGA detector trained on a large corpus of known-legitimate domains, refreshed regularly
Hourly asset risk score per host 0–100 composite: alert frequency, criticality, TI hits, volume anomaly
Explore Threat Analysis
ThreatSourceSeverityStatus
C2 Beaconing Detected 192.168.1.47 Critical Investigating
DNS Tunneling — DGA 10.0.0.22 High Responding
Exfil Pattern — Port 443 pfSense WAN High Investigating
Honeypot Triggered — SSH 185.234.x.x Critical New
Lateral Movement Sigma WIN-WS-04 Medium Resolved
Brute-Force — Admin Panel 91.108.x.x High Resolved
Example data — illustrative alerts View all modules
Local AI. Private by Design.

Six local AI models.
No cloud AI. Ever.

The AI layer runs entirely on your hardware using Ollama. Six specialised SOC models derived from qwen2.5:7b handle classification, explanation, correlation, natural-language search, and the daily briefing. All AI inference runs locally. The only optional exception is threat-feed enrichment, which sends just the single IP or domain being looked up — never your alert context — and can be switched off entirely.

Auto-classify all alerts
every 2 min
Correlate into incidents
every 10 min
Detect C2 beaconing
every 15 min
Written morning briefing
daily 07:00
Cluster orphan alerts
every 5 min
Auto-cluster incidents
every 30 min
Certificate rotation check
daily 03:00
Deep-dive on the AI SOC
AI Briefing
soc-correlation-engine
Correlation
temp 0.2ctx 8k
soc-alert-explainer
Explainer
temp 0.3ctx 4k
Cloud. On-Prem. Air-Gapped.

Built for any environment.

From home lab to enterprise data centre. XDRagon Monitor runs on Docker — deploy integrated, segmented, or fully air-gapped depending on your threat model and regulatory requirements.

Ubuntu Server (AMD64)Production default — full stack in Docker
Apple Silicon (ARM64)GPU-accelerated via native Ollama + Metal
NVIDIA Linux + CUDAFastest AI path for autonomous SOC
Air-gapped / Physical DiodeNo external connections — NIS2 critical infrastructure ready
42
Platform Modules
6
Security Domains
10+
Threat Intel Sources
7
Autonomous Background Jobs
NIS2. NIST. CIS.

NIS2. NIST. CIS.
Automated, not manual.

XDRagon Monitor maps your security telemetry to framework requirements automatically — generating live compliance scores, evidence packages, and audit-ready documentation without a consultancy engagement.

Live framework scoring Continuous scoring against NIS2, NIST CSF 2.0, and CIS Controls v8.1 — updated as your security posture changes
Auto-generated evidence packages Human-in-the-loop approval workflow, zip-and-ship audit pack for your next assessment
AI remediation guidance Every gap comes with an AI-written remediation recommendation grounded in your actual telemetry
Explore Compliance
82%
NIS2
84%
NIST CSF
78%
CIS v8.1

Example data — illustrative compliance scores

Evidence log — last 7 days · Example data
NIS2 §21 — Incident detection evidence package generated
CIS Control 8 — Audit log retention verified (365 days)
NIST ID.AM-1 — Asset inventory exported and approved
NIS2 §23 — 72h reporting readiness confirmed
MITRE Coverage
More of what's inside

Shipped and running today.

A quick look at recent additions to XDRagon Monitor. Every card below is covered in depth on the platform pages.

Behavior Analytics (UEBA)
Learns what normal looks like for every user and device — then flags unusual behavior such as impossible travel or off-hours admin logins.
Learn more
Patch Priority
One ranked answer to "patch these first" — combining known-exploited status, severity, and how critical each asset is to your business.
Learn more
Retrospective IOC Hunt
New threat indicators are automatically matched against up to 180 days of your own history — catching what slipped past before the threat was known.
Learn more
Dark Web Monitoring
Watches Have I Been Pwned for your domains and alerts you when employee credentials show up in a known breach.
Learn more
Executive Reporting
Board-ready PDF reports in plain language — generated and emailed automatically, so leadership stays informed without analyst hours.
Learn more
Integrations
Alerts where you already work — Slack, Teams, and PagerDuty webhooks — plus Active Directory / LDAP user context on every event.
Learn more
Multi-Firewall Support
Works with the firewall you already have: pfSense, OPNsense, FortiGate, Sophos, and UniFi — with auto-detection and per-vendor setup guides.
Learn more
One-Command Install
From bare server to running platform with a single command:curl -fsSL https://xdragonxdr.com/install.sh | bash
Learn more
Signed Releases
Every release ships with SLSA build provenance, signed via Sigstore — so you can verify that what you run is what was built.
Learn more

Secure every endpoint.
Every edge.

See how XDRagon Monitor can strengthen your security operations. Deploy on your own hardware — free and open source, full platform running in under an hour.