Beginner Quickstart

This is the fastest way to get useful value from SecOpsAI without learning every feature up front.

SecOpsAI is a local-first security operations toolkit for OpenClaw, macOS, Linux, and Windows. It can collect telemetry, generate findings, correlate activity across platforms, and match local activity against threat-intel feeds.

What this quickstart covers

In about 10 minutes, you will:

  1. install SecOpsAI
  2. run your first refresh
  3. list and inspect findings
  4. try cross-platform collection
  5. run correlation
  6. refresh threat intel and match IOCs

1. Install SecOpsAI

The one-line installer fetches a script over HTTPS and pipes it straight into bash. If you want to read what it does before it runs, save the script to a file first, or use the manual install below, which only clones the repository and installs it into a virtualenv.

curl -fsSL https://secopsai.dev/install.sh | bash
cd ~/secopsai
source .venv/bin/activate

Manual install

git clone https://github.com/Techris93/secopsai.git
cd secopsai
python3 -m venv .venv
source .venv/bin/activate
pip install -e .

Confirm the CLI is available:

secopsai --help

You should see commands such as:

  • refresh
  • live
  • list
  • show
  • mitigate
  • check
  • correlate
  • intel

2. Run your first refresh

Start with the default pipeline:

secopsai refresh

Without a --platform flag, refresh runs the default pipeline. This is the simplest first run and the right starting point if you mainly use SecOpsAI with OpenClaw.

3. Review findings

List findings:

secopsai list

Show only higher-priority findings:

secopsai list --severity high

Inspect one finding in detail, replacing OCF-XXXX with a finding ID taken from the list output:

secopsai show OCF-XXXX

Get mitigation guidance for the same finding:

secopsai mitigate OCF-XXXX

4. Try platform-based collection

SecOpsAI can collect from one or more supported platforms using --platform.

Supported platform values:

  • openclaw
  • macos
  • linux
  • windows

Examples:

secopsai refresh --platform macos
secopsai refresh --platform linux
secopsai refresh --platform windows
secopsai refresh --platform openclaw

You can also combine platforms:

secopsai refresh --platform macos,openclaw

5. Run correlation

After collecting findings from more than one source, run correlation:

secopsai correlate

This helps connect related activity across users, hosts, IPs, time windows, or artifacts.

6. Refresh threat intel

Pull current IOC feeds:

secopsai intel refresh

List the first 20 locally stored indicators:

secopsai intel list --limit 20

Match up to 500 indicators against local data:

secopsai intel match --limit-iocs 500

7. Try live mode

Use live mode to validate collection or observe events in real time:

secopsai live --platform macos --duration 60

You can swap macos for any supported platform.

8. JSON mode for scripts

For scripts and automation, add --json, either as a global option or after the subcommand, to get machine-readable output:

secopsai --json list
secopsai list --json
secopsai show OCF-XXXX --json
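Added example, not code from SecOpsAI or its documentation: a small Python triage script built around `secopsai list --json`, of the kind you would run from cron or a CI job. It assumes the JSON is either an array of findings or an object with a `findings` array, that each finding carries `id`, `severity` and (optionally) `title` keys, and that severity names are info/low/medium/high/critical; check these against your own output and adjust. The embedded sample JSON is constructed for the `--sample` flag so the script can be tried offline.

```python
#!/usr/bin/env python3
"""Triage helper around `secopsai list --json`.

Added example, not part of SecOpsAI. Assumptions (adjust to your output):
  - `secopsai list --json` prints either a JSON array of findings or an
    object with a "findings" array;
  - each finding has "id", "severity" and (optionally) "title" keys;
  - severity names are info/low/medium/high/critical.
"""
import json
import shutil
import subprocess
import sys

# Ranking used for threshold comparisons (assumed severity vocabulary).
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output so the script can run offline with --sample.
SAMPLE_OUTPUT = json.dumps({"findings": [
    {"id": "OCF-0001", "severity": "high", "title": "sample high finding"},
    {"id": "OCF-0002", "severity": "low", "title": "sample low finding"},
    {"id": "OCF-0003", "severity": "critical", "title": "sample critical finding"},
    {"id": "OCF-0004", "severity": "Medium", "title": "sample medium finding"},
    {"id": "OCF-0005", "severity": "weird", "title": "sample unknown severity"},
]})


def parse_findings(raw: str) -> list:
    """Turn the JSON text into a list of finding dicts (see assumptions above)."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = data.get("findings", [])
    if not isinstance(data, list):
        raise ValueError("unexpected JSON shape from secopsai list --json")
    return data


def severity_rank(finding: dict) -> int:
    """Rank a finding's severity; unknown or missing names rank below 'info'."""
    return SEVERITY_ORDER.get(str(finding.get("severity", "")).lower(), -1)


def at_or_above(findings: list, threshold: str = "high") -> list:
    """Findings at or above the threshold, highest severity first.

    Severity names are compared case-insensitively. A finding whose severity
    name is outside SEVERITY_ORDER never passes a threshold, so look at
    summarize() for any severity values you did not expect.
    """
    if threshold.lower() not in SEVERITY_ORDER:
        raise ValueError(f"unknown threshold {threshold!r}")
    floor = SEVERITY_ORDER[threshold.lower()]
    kept = [f for f in findings if severity_rank(f) >= floor]
    return sorted(kept, key=severity_rank, reverse=True)


def summarize(findings: list) -> dict:
    """Count findings per severity name as emitted (lower-cased)."""
    counts = {}
    for f in findings:
        name = str(f.get("severity", "missing")).lower()
        counts[name] = counts.get(name, 0) + 1
    return counts


def gate(raw: str, threshold: str = "high") -> int:
    """Exit status for CI or cron: 1 if anything is at/above threshold, else 0."""
    return 1 if at_or_above(parse_findings(raw), threshold) else 0


def run_secopsai_list() -> str:
    """Invoke the real CLI; requires the .venv to be activated."""
    if shutil.which("secopsai") is None:
        raise RuntimeError("secopsai not on PATH; run `source .venv/bin/activate`")
    proc = subprocess.run(["secopsai", "list", "--json"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Usage: python3 triage.py [threshold] [--sample]
    args = [a for a in sys.argv[1:] if a != "--sample"]
    threshold = args[0] if args else "high"
    raw = SAMPLE_OUTPUT if "--sample" in sys.argv else run_secopsai_list()
    findings = parse_findings(raw)
    print("severity counts:", summarize(findings))
    for f in at_or_above(findings, threshold):
        print(f"{f.get('id', '?')}\t{f.get('severity', '?')}\t{f.get('title', '')}")
    sys.exit(gate(raw, threshold))
```

Run it as `python3 triage.py high --sample` to see the behaviour on the constructed data, then drop `--sample` inside the activated .venv to run against real output. The exit status makes it usable as a gate; the severity summary is printed first so that a severity name you did not anticipate shows up rather than being silently dropped by the threshold filter.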

9. Best first walkthrough

If you want one short sequence to try everything important, run:

cd ~/secopsai
source .venv/bin/activate

secopsai --help
secopsai refresh
secopsai list
secopsai refresh --platform macos,openclaw
secopsai correlate
secopsai intel refresh
secopsai intel match --limit-iocs 500

10. Where to go next