Security teams are trapped between proprietary AI SOC vendors that obscure model intelligence and open-source tools that haven’t kept up with agentic architectures. A new open source project,Vigil, launched at RSA today, changes that. Vigil enhances rather than obfuscates the transformative intelligence of rapidly advancing reasoning models, including Anthropic’s Claude.
Available immediately under an Apache 2.0 license, Vigil ships with13 specialized AI agents, 30+ integrations, and 7,200+ detection rules spanning Sigma, Splunk, Elastic, and KQL formats. Additionally, Vigil includes four initial production-tested multi-agent workflows that tie together underlying capabilities to address common use cases in the SOC: incident response, investigation, threat hunting, and forensic analysis. Users can easily add additional integrations, custom rules, and agents often as simply as checking in a file to a designated repository.
Vigil’s architecture is pluggable and transparent. Teams bring their own enterprise model deployments, their own rule sets, and their own integrations for operational context. As reasoning models improve rapidly, those advances surface directly in analyst-facing workflows rather than remaining buried in proprietary black boxes. As a result, users can apply it to their particular environment quickly, and can leverage their own enterprise deployments of reasoning models, their own rule sets and other systems for detection, and of course their own integrations to provide operational context. Importantly, as models improve, the architecture is structured so those advances surface directly in analyst-facing workflows rather than remaining obscured in proprietary systems.
Vigil is one of a new wave of open source projects built in the agentic era. Contributors are welcome across product direction, module development, governance, and developer relations. Agentic red teaming projects are a natural fit. Vigil initial engineers have hands-on experience with Stanford’s Artemis and other frameworks and are keen to collaborate.
Built by Open-Source Security Veterans
The DeepTempo team built Vigil as a side project initially and saw demand from users and partners, including professional services partners and research collaborators at Stanford and other educational institutions, for an open and simple to extend solution. Larger enterprises and national SOCs and similar scale organizations are already writing their own agentic SOC capabilities, and Vigil is a community in which they can collaborate on relevant components.
Open by Design
Vigil is vendor-independent. Contributors are welcome from across the security ecosystem, including AI SOC vendors, internal security teams, services organizations, open-source maintainers, and developers building on MCP and agentic frameworks. The Trail of Bits skills repository represents one natural area of collaboration, offering reusable building blocks for cyber-specific reasoning that Vigil is designed to interoperate with via clear Claude skills definitions. Projects like Cisco’s Foundation Sec-8 are candidates for first-class integration, alongside Claude and other advanced reasoning models.
Extending Vigil is simple: multi-agent workflows are defined in a single SKILL.md file, tool integrations use the open MCP standard, and detection rules can be contributed in any major format. Every MCP server in the security ecosystem is a potential Vigil integration.Every skill someone writes makes the platform more capable for everyone.
Availability and Community
Vigil is available now:
git clone –recurse-submodules https://github.com/deeptempo/vigil.git
cd vigil && ./start_web.sh
# Open http://localhost:6988 — your AI SOC is running.
Security practitioners, researchers, and developers interested in contributing, leading, or experimenting with Vigil are encouraged to connect with the maintainers via the GitHub repository or community Discord.
As AI systems grow more capable, security analysts need shared patterns, tools, and workflows to keep pace. DeepTemp released Vigil as open source to accelerate that learning, building a transparent, adaptable foundation for the next generation of security operations.
See Vigil at RSA Conference 2026
The team behind Vigil will be showcasing the project live at RSA Conference 2026 at Moscone North Expo Hall, Cribl Booth #6353. Visit the booth for live demos, contributor onboarding, and conversations with the Vigil maintainers.
FBI Warns Of Iran-Linked Threat Actors Using Telegram For Attacks
Posted in Commentary with tags FBI, Hacked on March 23, 2026 by itnerdThe FBI has warned of Iran-linked Handala hackers using Telegram in malware attacks:
The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate information on malicious cyber activity conducted by actors on behalf of the Government of Iran Ministry of Intelligence and Security (MOIS). Specifically, MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world. This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.
Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity. The FBI assessed MOIS cyber actors are responsible for using Telegram as a C2 infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other oppositional groups around the world. This FLASH warns network defenders and the public of continued malicious cyber activity by Iran MOIS cyber actors and outlines the tactics, techniques, and procedures (TTPs) used in this malware campaign.
Commenting on this news is Ensar Seker, CISO at SOCRadar:
“The use of Telegram as command-and-control infrastructure is not surprising, it reflects a broader shift where threat actors deliberately blend malicious traffic into trusted, encrypted platforms. By leveraging a widely used application like Telegram, groups such as Handala significantly reduce the likelihood of detection, because security controls are often tuned to allow this traffic by default.
What makes this particularly concerning is the targeting profile. These operations are not opportunistic; they are highly intentional, focusing on journalists, dissidents, and opposition voices. This aligns with state-sponsored objectives, where cyber operations are used as an extension of intelligence gathering and influence campaigns rather than purely financial gain.
From a defensive standpoint, this highlights a critical gap: many organizations still rely too heavily on traditional indicators like IP blocking or domain reputation. When attackers operate inside legitimate platforms, defenders must shift toward behavioral detection, monitoring anomalies in application usage, data flows, and endpoint activity rather than trusting the platform itself.
The bigger implication is that encrypted messaging platforms are becoming dual-use infrastructure for both communication and covert operations. Security teams need to reassess their trust assumptions and implement visibility controls around sanctioned apps, including logging, anomaly detection, and strict access policies.
Ultimately, this is not about Telegram specifically, it’s about the normalization of “living off trusted services.” Organizations that fail to adapt to this model will continue to miss early-stage intrusions, especially those tied to advanced persistent threat actors with geopolitical motivations.”
This highlights the fact that warfare is different now because the battlefield has expanded to the cyber world. Thus you need to keep that in mind in order to keep your organization safe from this new generation of threats.
Leave a comment »