Wazuh OpenClaw Autopilot v1.0.0
First production-ready release of the autonomous SOC layer for Wazuh.
Highlights
- 497 tests across 14 files, zero failures, zero vulnerabilities reported by `npm audit`
- 48 MCP tools supported via Wazuh MCP Server v4.2.1
- 7 SOC agents — triage, correlation, investigation, response-planner, policy-guard, responder, reporting
- End-to-end security audit — all critical, high, and medium findings resolved
- Human-in-the-loop enforcement hardened with bootstrap approval gate
Key Features
- Autonomous alert triage with entity extraction and IP enrichment
- Entity-based alert grouping into unified cases
- MITRE ATT&CK mapping and attack timeline generation
- Risk-assessed response plan generation
- Two-tier approval workflow (approve + execute) with policy enforcement
- Inline enforcement: action allowlists, confidence thresholds, time windows, rate limits, idempotency
- Structured evidence packs for compliance and forensics
- Prometheus metrics with SOC KPIs (MTTD, MTTR, auto-triage rate)
- Slack integration with interactive approval buttons (Socket Mode)
- Webhook-based agent orchestration with stalled pipeline detection
- Crash recovery for stuck EXECUTING plans
- LLM type coercion for local model compatibility (Qwen, Llama, etc.)
Supported LLM Providers
Cloud: OpenRouter (recommended), Anthropic, OpenAI, Groq, Google, Mistral, xAI, Together, Cerebras
Local: Ollama, vLLM (self-hosted GPU inference)
Deployment Options
- Docker Compose (production)
- Systemd (native Linux)
- Air-gapped with Ollama
- Self-hosted GPU with vLLM
Documentation
See README for full installation, configuration, and API reference.
Changelog
See CHANGELOG.md for the complete list of changes.