SecOps-NG
Framework features

Four non-negotiable properties.

SecOps-NG is an opinionated, sovereignty-aware Python framework for building agentic Security Operations workflows. It is designed around four properties that are non-negotiable across every workflow in the commons.

Auditability

Every step in every workflow is reviewable as plain code, and every value crossing a boundary is a typed, validated artefact. Workflow state, tool calls, and decision points all leave a structured trail. This is what makes operational claims inspectable rather than asserted.

Determinism where it matters

Routing, policy, and state transitions are deterministic Python. Only the explicitly LLM-facing reasoning steps are non-deterministic, and those are isolated behind DSPy signatures so their inputs, outputs, and prompts are themselves versioned code. There is no hidden mutable state pulling the workflow off-script.

Sovereignty

No hidden calls to non-EU services. Inference endpoints are pluggable; the default configuration assumes the operator will pin the framework to an EU-resident language model. EU-hosted services and EU-origin libraries are preferred throughout, and alternatives are called out where they exist.

Operability

The runtime cost of a SecOps-NG workflow is a Python process. No external orchestrator cluster is required. Durability, when required, is delegated to a pluggable checkpointer (SQLite or Postgres) rather than to a separate orchestration stack.

The stack at a glance

Four independently swappable layers; the defaults below are what the cookbook workflows are built against.

  • Orchestration — LangGraph StateGraph: Python-native, low operational cost, good ergonomics for branching reasoning.
  • Contracts — Pydantic v2 with extra="forbid" and frozen=True: strict, immutable I/O contracts at every boundary.
  • LLM reasoning — DSPy signatures and modules: prompts as versioned code, diff-reviewable, testable with stubs.
  • Observability — OpenTelemetry spans on every node and every tool call, exported to the operator's collector.

Regulatory alignment

The framework includes a compliance evidence commons — human-authored control mappings and machine-emitted artefacts that let operators in different jurisdictions speak the same language to their auditors and to each other. Mappings currently cover NIS2 Articles 20–23 and GDPR data-flow templates. The mappings are operator-to-operator guidance, not legal advice.

Deploy a reference workflow Read the framework on GitHub