ARES is an enterprise-grade, multi-tenant AI-Native Security Operations Center (SOC) platform designed for modern security analysts, IT teams, and managers. It prioritizes outcomes and decisions over raw telemetry, allowing organizations to triage alerts, manage investigations, and utilize AI assistance inside an integrated, fast, and minimalist workspace.
Built with a pnpm + Turborepo monorepo architecture, ARES bundles a Next.js 15 App Router frontend dashboard with a FastAPI Modular Monolith backend, backed by PostgreSQL, Redis, Elasticsearch, and Kafka.
The monorepo isolates reusable logic, shared typescript typings, SDK wrappers, and backend/frontend application workspaces:
ares/
├── apps/
│ ├── dashboard/ # Next.js 15 SOC dashboard (Port 3000)
│ ├── api/ # FastAPI Modular Monolith (Port 8000)
│ ├── ingestion/ # Kafka consumers (skeleton)
│ └── worker/ # Background jobs (skeleton)
├── packages/
│ ├── ui/ # Shared React components library
│ ├── types/ # Shared TypeScript declarations
│ ├── sdk/ # Type-safe JavaScript/TypeScript client SDK
│ └── schemas/ # Shared schema generators / OpenAPI definitions
├── infra/
│ └── docker/
│ └── docker-compose.yml # PostgreSQL, Redis, Elasticsearch, Kafka config
├── turbo.json # Turborepo task orchestrator configuration
├── pnpm-workspace.yaml # pnpm workspaces definition
└── package.json # Root monorepo configuration
- FastAPI: Async-first, automatic OpenAPI documentation.
- SQLAlchemy 2.x: Declarative models mapping, async connections utilizing
asyncpg(PostgreSQL) oraiosqlite(local SQLite fallback). - Alembic: Database migrations framework setup.
- Pydantic v2: Type validations and JSON serialization.
- Next.js 15 App Router: Modern styling utilizing Tailwind CSS and React 19.
- App Shell: Left-aligned navigation, tenant dropdown switcher, dark theme, and audit trail records.
- Split-Pane Alert Triage: Visual list of alerts coupled with slide-out assessment workspaces (timeline, indicators, AI analysis).
- Investigations Console: Chronological event logs, gathered evidence tabs, notes tracking, and a docked AI chat assistant panel.
- Onboarding Wizard: 4-step workflow establishing organization boundaries, connector linkages, and automated mock-data seeding.
You do not need to create any .env files to run the product locally! The codebase is configured with robust default values that automatically match the local development server scripts and the dockerized infrastructure.
- Database fallback: If PostgreSQL is not running or accessible, the FastAPI backend will automatically fall back to using a local SQLite file (
ares.dbinapps/api/) for testing. - Mock AI fallback: If the
ANTHROPIC_API_KEYis not provided, the platform automatically deploys a context-aware mock AI SOC analyst. The mock agent acts as a simulated Claude assistant, processing alerts and using mock VirusTotal/MITRE mapping data to remain fully testable without third-party API keys or expenses.
Should you wish to override the default configuration, you can create the following environment files:
Create a .env file inside apps/api/ with any of the following variables to customize:
| Variable | Description | Default Value |
|---|---|---|
DATABASE_URL |
Database connection string | postgresql+asyncpg://postgres:postgrespassword@localhost:5433/ares |
SECRET_KEY |
JWT signing secret key | ares-super-secret-key-change-in-production-123456 |
REDIS_URL |
Cache/sessions server URL | redis://localhost:6379/0 |
ELASTICSEARCH_URL |
Logs indexer endpoint | http://localhost:9200 |
KAFKA_BOOTSTRAP_SERVERS |
Event stream brokers | localhost:9092 |
ANTHROPIC_API_KEY |
Anthropic Claude API key | Optional (defaults to Mock AI SOC Analyst if left blank) |
Create a .env.local file inside apps/dashboard/ to modify client-side target API endpoints:
| Variable | Description | Default Value |
|---|---|---|
NEXT_PUBLIC_API_URL |
Base API target URL for the dashboard client | http://localhost:8000 |
Ensure you have the following installed:
- Node.js (v22+ recommended)
- pnpm (v10+ recommended)
- Python (v3.10+)
- Docker Desktop (active daemon)
At the root directory, install workspace nodes and compile Typescript packages:
pnpm install
pnpm buildLaunch PostgreSQL, Redis, Elasticsearch, and Kafka in the background:
docker compose -f infra/docker/docker-compose.yml up -dNote
Mapped services run on standard ports, with PostgreSQL bound to 5433 on the host to prevent default host port 5432 conflicts.
Navigate to apps/api/, create a virtualenv, and install requirements:
cd apps/api
python -m venv .venv
# On Windows PowerShell:
.venv\Scripts\Activate.ps1
# On Linux/macOS:
source .venv/bin/activate
pip install -r requirements.txt
cd ../..To initialize your database schema, run the Alembic migrations:
cd apps/api
# Make sure your virtualenv is active!
alembic upgrade head
cd ../..Run the dev servers concurrently using Turborepo:
pnpm dev- SOC Dashboard UI:
http://localhost:3000 - FastAPI API Server:
http://localhost:8000 - OpenAPI Documentation:
http://localhost:8000/docs
- Open
http://localhost:3000. You will be redirected to the Login Page. - Click "Create an organization" at the bottom to enter the onboarding wizard.
- Define your company, create credentials, select a log source (e.g. Elastic), and click Verify.
- The onboarding wizard will register your profile, test connection endpoints, and trigger database seeding:
- Seeded Alerts: A Critical account takeover brute-force attempt, a High Powershell trojan download process, and a Medium SQL injection scanner probe.
- Seeded Cases: 2 open cases linked to the threat telemetry logs.
- Click "Go to Workspace" to enter the live command console. Select any alert to inspect the timeline, indicators (IPs/hashes), and chat directly with the docked Claude-based AI Analyst.