Pick your orchestrator. Compile the content in.
SecOps-NG is a content layer, not a runtime. Operators keep the orchestrator they already run; the commons supplies the canonical playbooks, detections, controls, data shape, and metrics, and a compiler that emits the content into the runtime of your choice.
Three launch compile targets
- n8n — a visual, self-hostable automation runtime. CACAO playbooks compile into n8n workflows; OCSF-shaped events flow through native nodes.
- Temporal — durable, restartable workflows for operators who need long-running state machines that survive process restarts and partial failures.
- LangGraph — graph-shaped agentic flows for content that needs LLM-facing reasoning steps inside the playbook.
Community-contributed adapters are welcome for other runtimes — MindStudio, Make, Zapier, StackAI, CrewAI, and beyond. The compile contract is open; the launch three are simply the ones the commons maintains directly.
The sovereign default
Reference deployments target European-resident, European-governed infrastructure: EU-operated compute, EU-resident object storage, and an EU-resident language model where the operator's chosen compile target uses one. The content layer takes no position on which AI provider is used; that choice belongs to the operator, and the commons writes content to remain coherent across providers.
Shape of a deployment
- The canonical content — playbooks, detections, controls, OCSF mappings, and the metrics catalogue, pulled from the open repository on GitHub.
- A compile target — n8n, Temporal, LangGraph, or a community adapter. The compiler emits orchestrator-native artefacts from the canonical content.
- An OCSF event spine — events, alerts, and findings flow in OCSF shape, so content stays portable even as the runtime underneath is swapped.
- An AI provider (where the chosen target uses one) — pluggable, pinned by the operator. EU-resident endpoints are the default in the reference configuration.
A first run
The commons publishes a runnable vulnerability-triage playbook in CACAO and a reference compile to each of the three launch targets. Each emitted workflow is self-contained, safe by default, and annotated with the OSCAL controls and Sigma detections it relates to.
Cloning the repository and compiling the reference playbook into the orchestrator already running in your environment is the fastest path to seeing the content layer in motion.
The sovereign quickstart guide is now available — the shortest path from a clean machine to a compiled reference playbook on European infrastructure. Open the guide on GitHub →