38 integrations. Every config file, every field, every provider.
How ZelC Config Works
ZelC commands like firewall block ip and edr isolate host are provider-agnostic. Your playbook never mentions Palo Alto or CrowdStrike directly. Instead, a config file tells ZelC which backend to use. Swap vendors by changing one line — zero playbook changes.
When you run zelc init myproject, ZelC generates this structure:
2. ZelC reads zelc.toml to see which integrations are enabled
3. ZelC loads .zelc.env and injects secrets into the environment
4. For each enabled integration, ZelC reads its config from integrations/
5. When your playbook says firewall block ip "1.2.3.4", ZelC checks the provider
6. ZelC checks exclude_ranges — if the IP is in a protected range, the action is refused
7. ZelC calls the correct vendor API using the credentials from .zelc.env
8. If an integration is disabled, ZelC uses a mock adapter that logs what would happen
Secrets are never stored in config files. Every sensitive value uses the _env suffix pattern. For example, api_key_env = "PAN_API_KEY" tells ZelC to read the actual key from the environment variable PAN_API_KEY, which lives in .zelc.env or your secrets manager.
Safety exclusions are hard limits. Each integration has exclusion lists (exclude_ranges, exclude_hosts, exclude_users) that can never be overridden by playbook code. Only editing the config file changes this.
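The dispatch path described above (enabled check, mock fallback, `_env` secret resolution, `exclude_ranges`, `max_blast_radius`), modelled in Python as an added example that is not ZelC's own code. The `provider` name, the `exclude_ranges` values and the IP addresses are constructed; `integrations/firewall.toml` itself is not shown on this page, so the `firewall` table below is an assumption.

```python
# Added example (not ZelC's own code): a model of the config-driven dispatch
# path for `firewall block ip`. Provider name, ranges and IPs are constructed.

import ipaddress

# What ZelC would hold after parsing zelc.toml plus integrations/firewall.toml.
# The "firewall" table is constructed for this demo; firewall.toml is not on the page.
CONFIG = {
    "safety": {"max_blast_radius": 10},
    "integrations": {"firewall": True, "edr": False},
    "firewall": {
        "provider": "example-vendor",                 # hypothetical provider name
        "api_key_env": "PAN_API_KEY",                 # names the variable, never holds the key
        "exclude_ranges": ["10.0.0.0/8", "192.168.0.0/16"],  # constructed protected ranges
    },
}


def resolve_secret(table: dict, key: str, env: dict) -> str:
    """_env suffix pattern: the config names the variable, the environment
    supplies the value. Fail loudly on a missing variable rather than
    sending an empty credential to the vendor."""
    var_name = table[f"{key}_env"]
    if var_name not in env:
        raise KeyError(f"{key}: environment variable {var_name} is not set")
    return env[var_name]


def is_excluded(ip: str, exclude_ranges: list) -> bool:
    """True when ip falls inside any protected CIDR (or single address)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in exclude_ranges)


def firewall_block_ips(cfg: dict, ips: list, env: dict) -> list:
    """Model of `firewall block ip` dispatch; returns one log line per outcome.
    Blast radius and exclusions are checked before any credential is read,
    so a refused action never reaches the vendor API."""
    limit = cfg["safety"]["max_blast_radius"]
    fw = cfg["firewall"]
    if len(ips) > limit:
        return [f"REFUSED: {len(ips)} targets exceeds max_blast_radius={limit}"]
    log = []
    for ip in ips:
        if is_excluded(ip, fw["exclude_ranges"]):
            log.append(f"REFUSED: {ip} is inside exclude_ranges")
        elif not cfg["integrations"]["firewall"]:
            # Integration disabled: the mock adapter only records what would happen.
            log.append(f"MOCK: would block {ip} via {fw['provider']}")
        else:
            api_key = resolve_secret(fw, "api_key", env)
            # A real adapter would call the vendor API with api_key here.
            log.append(f"BLOCKED: {ip} via {fw['provider']}")
    return log


if __name__ == "__main__":
    demo_env = {"PAN_API_KEY": "constructed-demo-key"}
    for line in firewall_block_ips(CONFIG, ["203.0.113.7", "10.1.2.3"], demo_env):
        print(line)
```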
zelc.toml — Master Project Config
zelc.toml
The master configuration file at the root of every ZelC project. Controls project metadata, safety enforcement levels, and which integrations are enabled. When an integration is set to true, ZelC loads its config from integrations/<name>.toml. When set to false, ZelC uses a mock adapter that logs what would happen without making real API calls. Safe to commit to git — contains no secrets.
-- ══════════════════════════════════════════════════════════════
-- zelc.toml — ZelC Project Configuration
-- Generated by: zelc init
-- Documentation: https://rocheston.com/zelc
-- ══════════════════════════════════════════════════════════════
[project]
name = "my-soc-playbooks"
version = "1.0.0"
author = "SOC Team"
description = "Security automation playbooks"
zelc_version = "1.2"
-- ══════════════════════════════════════════════════════════════
-- SAFETY SETTINGS
-- ══════════════════════════════════════════════════════════════
[safety]
-- strict: kinetic verbs outside do blocks = compile error
-- warn: kinetic verbs outside do blocks = warning
-- off: no enforcement (not recommended)
kinetic_enforcement = "strict"
-- strict: tainted data in kinetic actions = compile error
-- warn: tainted data in kinetic actions = warning
-- off: no taint tracking
taint_tracking = "warn"
-- Maximum number of targets a single do block can affect
-- Physics engine rejects playbooks that exceed this
max_blast_radius = 10
-- ══════════════════════════════════════════════════════════════
-- INTEGRATIONS
-- Each integration has its own config file in integrations/
-- Set true to load the integration, false to use mock adapter
-- Mock adapter logs what would happen without making real API calls
-- ══════════════════════════════════════════════════════════════
[integrations]
firewall = true -- integrations/firewall.toml
edr = true -- integrations/edr.toml
iam = true -- integrations/iam.toml
aws = true -- integrations/aws.toml
azure = false -- integrations/azure.toml
gcloud = false -- integrations/gcloud.toml
siem = true -- integrations/siem.toml
notifications = true -- integrations/notifications.toml (slack, teams, email, pager)
tickets = true -- integrations/tickets.toml
rosecoin = true -- integrations/rosecoin.toml
aina = true -- integrations/aina.toml
noodles = true -- integrations/noodles.toml
vines = false -- integrations/vines.toml
threat_intel = true -- integrations/threat_intel.toml
docker = true -- integrations/docker.toml
kubernetes = false -- integrations/kubernetes.toml
github = true -- integrations/github.toml
linux = true -- integrations/linux.toml
dns = false -- integrations/dns.toml
crypto = true -- integrations/crypto.toml
rcf = true -- integrations/rcf.toml
evidence = true -- integrations/evidence.toml
.zelc.env — Secrets File
.zelc.env (gitignored)
Environment variables file containing API keys, tokens, and passwords. Automatically loaded by zelc run and injected into the process environment. NEVER commit this file to git. Each variable is referenced by name in integration configs using the _env suffix pattern.
ZelC commands: aina ask, aina explain, aina decide, aina risk_score, aina simulate, aina guard, aina check
Configures the AINA AI agent for all AI commands: aina ask, aina explain, aina decide, aina risk_score, aina extract_ioc, aina simulate, aina guard prompt, and more. Includes guardrails that limit autonomous actions, confidence thresholds, prohibited actions, prompt injection defense, PII scanning of outputs, and context window management.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: AINA (AI Security Agent)
-- Maps to: aina ask, aina explain, aina decide, aina risk_score, etc.
-- ══════════════════════════════════════════════════════════════
[api]
url = "https://aina.rocheston.com/v1"
api_key_env = "AINA_API_KEY"
model = "aina-security-v2"
timeout_seconds = 60
max_retries = 2
-- For self-hosted AINA:
-- url = "http://localhost:8000/v1"
[guardrails]
-- Maximum actions AINA can take per decision
max_actions_per_decision = 5
-- Minimum confidence to auto-execute (0.0 - 1.0)
confidence_threshold = 0.85
-- Require human approval for critical actions?
require_human_approval = false
-- Always dry-run before executing?
dry_run_first = true
-- Actions AINA can never execute autonomously
prohibited_autonomous = [
"system.shutdown",
"data.delete",
"aws.terminate_instance",
"iam.delete_user"
]
[prompt_safety]
-- aina guard prompt settings
block_injection_patterns = true
block_jailbreak_attempts = true
log_blocked_prompts = true
max_prompt_length = 10000
[output_safety]
-- aina check output settings
scan_for_pii = true
scan_for_hallucinations = true
redact_pii_in_response = true
[context]
-- How much context to send with each AINA call
include_event_data = true
include_evidence_log = true
include_playbook_history = true
max_context_tokens = 8000
[memory]
-- AINA memory persistence across calls within an incident
enabled = true
max_entries = 100
persist_to_disk = false
Configures authentication and service-specific settings for all AWS commands. Supports multiple auth methods: CLI profile, environment variables, IAM role, and SSO. Includes EC2 snapshot forensics, S3 public access blocking, IAM key rotation, CloudTrail audit, WAF blocklists, GuardDuty, and Security Hub.
Configures credentials and service settings for Azure. Uses a single Service Principal for authentication across Entra ID user blocking, NSG deny rules, Sentinel alert injection, and Key Vault lockdown.
Configures Docker runtime access for container management. Supports local socket and remote Docker host with TLS. Image scanning via Trivy, Grype, Snyk, or Prisma Cloud. Safety exclusions prevent stopping monitoring agents and log collectors.
Controls which EDR platform is called for endpoint containment. Supports CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, VMware Carbon Black, and Palo Alto Cortex XDR. The exclude_hosts safety net prevents isolation of critical infrastructure like domain controllers.
Configures evidence handling including SHA-256/Blake3 hashing, Merkle tree construction, chain of custody tracking, automatic Rosecoin anchoring, retention policies (365 days default), export to S3/Azure Blob/GCS, compliance auto-tagging, digital signing, and tamper detection alerts.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: Evidence & Retention
-- Maps to: evidence record, proof make, audit log, export report
-- ══════════════════════════════════════════════════════════════
[storage]
-- Where evidence packs are stored locally
output_dir = "./evidence"
-- Archive old evidence
archive_dir = "./evidence/archive"
[format]
-- Default export format for "export report"
default_format = "json" -- json | html | pdf
-- Include raw data in evidence records?
include_raw_data = true
-- Pretty print JSON?
pretty_json = true
[hashing]
-- Algorithm for evidence record hashes
algorithm = "sha256" -- sha256 | sha384 | sha512 | blake3
-- Hash the entire record or just the details?
hash_scope = "full_record" -- full_record | details_only
-- Include timestamp in hash input?
include_timestamp = true
[merkle_tree]
-- Build merkle tree for evidence packs?
enabled = true
-- Algorithm for merkle tree
algorithm = "sha256"
[chain_of_custody]
-- Track who/what touched each evidence record
enabled = true
-- Actor identity for automated records
actor_name = "ZelC Runtime v1.2"
-- Record the playbook name that generated the evidence
include_playbook_name = true
-- Record the host that executed the playbook
include_hostname = true
[blockchain]
-- Auto-anchor to Rosecoin? (requires rosecoin.toml)
auto_anchor = true
-- Anchor individual records or just the final pack?
anchor_mode = "pack" -- record | pack | both
-- Wait for confirmation?
wait_for_confirmation = false
[retention]
-- How long to keep evidence locally
retention_days = 365
-- Archive after this many days (move to archive_dir)
archive_after_days = 90
-- Delete after retention period?
auto_delete = false
-- Legal hold override (never delete)
legal_hold = false
[export]
-- Auto-export after every playbook run?
auto_export = true
-- Export destination
-- Options: local | s3 | azure_blob | gcs
destination = "local"
[export.s3]
-- If destination = "s3"
bucket = "acme-zelc-evidence"
prefix = "evidence/"
region = "us-east-1"
encryption = "AES256"
-- Uses aws.toml credentials
[export.azure_blob]
-- If destination = "azure_blob"
container = "zelc-evidence"
-- Uses azure.toml credentials
[compliance]
-- Auto-tag evidence with compliance controls?
-- Requires rcf.toml
auto_tag = true
-- Include compliance mapping in export?
include_mapping = true
[signing]
-- Digitally sign evidence packs?
enabled = true
-- Uses crypto.toml signing key
-- Sign individual records or just the pack?
sign_mode = "pack" -- record | pack | both
[notifications]
-- Notify when evidence pack is generated?
notify_on_export = false
-- Notify when evidence fails integrity check?
notify_on_tampering = true
tampering_alert_severity = "critical"
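Record hashing and Merkle pack construction following the `[hashing]` and `[merkle_tree]` settings above, plus the integrity check behind `notify_on_tampering`, as an added Python example that is not ZelC's own code. The canonical JSON encoding, the odd-leaf duplication rule and the sample records are my assumptions and constructions; `hashlib` covers sha256/sha384/sha512, while `blake3` from the page's option list would need the third-party `blake3` package.

```python
# Added example (not ZelC's own code): evidence record hashing, Merkle root
# and tamper detection per the [hashing] / [merkle_tree] tables. Canonical
# encoding and odd-leaf handling are assumed; the page does not specify them.

import hashlib
import json

# Mirrors the [hashing] and [merkle_tree] tables above.
HASHING = {"algorithm": "sha256", "hash_scope": "full_record", "include_timestamp": True}
MERKLE_ALGORITHM = "sha256"


def canonical_bytes(obj) -> bytes:
    """Deterministic encoding so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def hash_record(record: dict, hashing: dict = HASHING) -> str:
    """Hash a record per hash_scope (full_record | details_only) and
    include_timestamp; the caller's dict is never modified."""
    if hashing["hash_scope"] == "details_only":
        subject = dict(record["details"])
    else:
        subject = dict(record)
        if not hashing["include_timestamp"]:
            subject.pop("timestamp", None)
    return hashlib.new(hashing["algorithm"], canonical_bytes(subject)).hexdigest()


def merkle_root(leaves: list, algorithm: str = MERKLE_ALGORITHM) -> str:
    """Pairwise-hash hex leaves up to a single root. An unpaired node at any
    level is paired with a copy of itself (assumed rule)."""
    if not leaves:
        raise ValueError("evidence pack has no records")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [
            hashlib.new(algorithm, bytes.fromhex(level[i]) + bytes.fromhex(level[i + 1])).hexdigest()
            for i in range(0, len(level), 2)
        ]
    return level[0]


def build_pack(records: list) -> dict:
    """Copy the records, hash each one and anchor them under a Merkle root."""
    records = json.loads(json.dumps(records))  # private copy, so later edits hit the pack only
    leaves = [hash_record(r) for r in records]
    return {"records": records, "leaf_hashes": leaves, "merkle_root": merkle_root(leaves)}


def verify_pack(pack: dict) -> dict:
    """Recompute every leaf and the root: tampered_records lists records whose
    stored hash no longer matches, root_ok says whether the leaf list itself
    still verifies against the anchored root."""
    tampered = [i for i, r in enumerate(pack["records"]) if hash_record(r) != pack["leaf_hashes"][i]]
    root_ok = merkle_root(pack["leaf_hashes"]) == pack["merkle_root"]
    return {"tampered_records": tampered, "root_ok": root_ok, "intact": not tampered and root_ok}


# Constructed evidence records, shaped after the [chain_of_custody] fields.
SAMPLE_RECORDS = [
    {"timestamp": "2026-01-10T09:00:00Z", "actor": "ZelC Runtime v1.2", "playbook": "contain-host",
     "hostname": "soc-runner-1", "details": {"action": "edr isolate host", "target": "ws-104"}},
    {"timestamp": "2026-01-10T09:00:05Z", "actor": "ZelC Runtime v1.2", "playbook": "contain-host",
     "hostname": "soc-runner-1", "details": {"action": "firewall block ip", "target": "203.0.113.7"}},
    {"timestamp": "2026-01-10T09:00:09Z", "actor": "ZelC Runtime v1.2", "playbook": "contain-host",
     "hostname": "soc-runner-1", "details": {"action": "ticket create", "target": "SOC-1042"}},
]

if __name__ == "__main__":
    pack = build_pack(SAMPLE_RECORDS)
    print("merkle root:", pack["merkle_root"])
    pack["records"][1]["details"]["target"] = "203.0.113.8"  # simulate tampering
    print(verify_pack(pack))
```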
Controls which firewall backend is called when ZelC blocks or allows traffic. Supports Palo Alto Networks, Fortinet FortiGate, Check Point, Cisco ASA, AWS Security Groups, AWS WAF, Azure NSG, and Linux iptables/nftables/ufw. The exclude_ranges safety net prevents accidental blocking of internal infrastructure.
Configures authentication and service settings for GCP. Supports service account key files, application default credentials, and workload identity. Safety exclusions prevent accidental shutdown of bastion hosts and VPN gateways.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: Google Cloud
-- Maps to: gcloud iam, gcloud storage, gcloud compute
-- ══════════════════════════════════════════════════════════════
[credentials]
project = "acme-security-prod"
credentials_file = "~/.gcloud/soc-key.json"
-- Or use application default credentials:
-- use_adc = true
-- Or workload identity:
-- use_workload_identity = true
[defaults]
region = "us-central1"
zone = "us-central1-a"
[compute]
-- Used by: gcloud compute stop
-- VMs that can never be stopped
exclude_instances = ["bastion-host", "vpn-gateway"]
[storage]
-- Used by: gcloud storage private
evidence_bucket = "acme-zelc-evidence"
-- Buckets that are intentionally public
exclude_buckets = ["acme-public-cdn"]
[iam]
-- Used by: gcloud iam disable
-- Service accounts that can never be disabled
exclude_accounts = ["[email protected]"]
[scc]
-- Security Command Center
organization_id = "123456789"
ZelC commands: iam lock, iam unlock, iam revoke, iam enable, iam reset
Controls which identity provider is called for user management. Supports Okta, Microsoft Entra ID (Azure AD), Ping Identity, and LDAP/Active Directory. The exclude_users safety net protects break-glass and service accounts.
Configures Kubernetes cluster access including kubeconfig path, context selection, NetworkPolicy templates for pod isolation, and safety exclusions that protect kube-system, monitoring, and service mesh namespaces.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: Kubernetes
-- Maps to: kube isolate, kube delete, helm rollback
-- ══════════════════════════════════════════════════════════════
[cluster]
kubeconfig = "~/.kube/config"
context = "prod-cluster"
default_namespace = "default"
[safety]
-- Namespaces that can never have pods deleted/isolated
exclude_namespaces = ["kube-system", "monitoring", "istio-system"]
-- Pods that can never be killed
exclude_pods = ["coredns", "metrics-server"]
-- Max pods affected per action
max_pods_per_action = 10
[isolation]
-- NetworkPolicy template for "kube isolate pod"
deny_all_ingress = true
deny_all_egress = true
allow_dns = true -- allow DNS even when isolated
label_prefix = "zelc-isolated"
[helm]
-- For "helm rollback"
max_history = 10
timeout_seconds = 300
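The `[safety]` and `[isolation]` settings above turned into a concrete `kube isolate pod` plan, as an added Python example that is not ZelC's own code. The label scheme built from `label_prefix` (`zelc-isolated/pod=<pod name>`), the prefix match used for `exclude_pods`, and the sample pod names are my assumptions; the NetworkPolicy semantics (a direction listed in `policyTypes` with no rules denies everything in that direction) are standard Kubernetes.

```python
# Added example (not ZelC's own code): build NetworkPolicy manifests for
# "kube isolate pod" from the [safety] and [isolation] tables above. Label
# scheme and exclude_pods prefix matching are assumed; pod names constructed.

import json

# Mirrors the [safety] and [isolation] tables above.
KUBE_CFG = {
    "safety": {
        "exclude_namespaces": ["kube-system", "monitoring", "istio-system"],
        "exclude_pods": ["coredns", "metrics-server"],
        "max_pods_per_action": 10,
    },
    "isolation": {
        "deny_all_ingress": True,
        "deny_all_egress": True,
        "allow_dns": True,
        "label_prefix": "zelc-isolated",
    },
}

# Namespace label set by Kubernetes itself, used to allow DNS traffic to kube-system only.
KUBE_SYSTEM_SELECTOR = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}


def is_protected_pod(pod: str, exclude_pods: list) -> bool:
    """Match a protected name exactly or as a prefix, so "coredns" also covers
    generated names such as coredns-7c65d6cfc9-x2k9p (assumed rule)."""
    return any(pod == name or pod.startswith(name + "-") for name in exclude_pods)


def isolation_policy(pod: str, namespace: str, isolation: dict) -> dict:
    """One NetworkPolicy selecting exactly this pod via <label_prefix>/pod=<pod>.
    With no ingress rules and only the DNS carve-out as egress, everything else
    is denied; allow_dns=false removes the carve-out as well."""
    label_key = f"{isolation['label_prefix']}/pod"
    spec = {"podSelector": {"matchLabels": {label_key: pod}}, "policyTypes": []}
    if isolation["deny_all_ingress"]:
        spec["policyTypes"].append("Ingress")
    if isolation["deny_all_egress"]:
        spec["policyTypes"].append("Egress")
        if isolation["allow_dns"]:
            spec["egress"] = [{
                "to": [KUBE_SYSTEM_SELECTOR],
                "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
            }]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{isolation['label_prefix']}-{pod}", "namespace": namespace},
        "spec": spec,
    }


def plan_isolation(pods: list, namespace: str, cfg: dict = KUBE_CFG) -> dict:
    """Apply the [safety] limits first, then emit one policy per permitted pod.
    The pod must also be labelled <label_prefix>/pod=<pod> for the selector to bind."""
    safety = cfg["safety"]
    if namespace in safety["exclude_namespaces"]:
        return {"refused": [f"namespace {namespace} is in exclude_namespaces"], "policies": []}
    if len(pods) > safety["max_pods_per_action"]:
        limit = safety["max_pods_per_action"]
        return {"refused": [f"{len(pods)} pods exceeds max_pods_per_action={limit}"], "policies": []}
    refused, policies = [], []
    for pod in pods:
        if is_protected_pod(pod, safety["exclude_pods"]):
            refused.append(f"pod {pod} is in exclude_pods")
        else:
            policies.append(isolation_policy(pod, namespace, cfg["isolation"]))
    return {"refused": refused, "policies": policies}


if __name__ == "__main__":
    plan = plan_isolation(["web-7f9c-abc12", "metrics-server-5d9b-q1w2e"], "default")
    print(json.dumps(plan, indent=2))
```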
Linux System Administration
integrations/linux.toml
ZelC commands: linux service, linux firewall, linux user, linux cron, linux file, linux kill
Configures SSH access for all Linux commands. Supports named host groups (web_servers, db_servers) with different SSH users. Safety exclusions protect root, sshd, and critical services from accidental lockout.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: Linux System Administration
-- Maps to: linux service, linux firewall, linux user, linux cron, linux file
-- ══════════════════════════════════════════════════════════════
[ssh]
default_user = "soc-admin"
key_file = "~/.ssh/soc_key"
-- Or password (not recommended):
-- password_env = "SSH_PASS"
port = 22
timeout_seconds = 10
known_hosts_file = "~/.ssh/known_hosts"
strict_host_checking = true
[targets]
-- Default hosts for linux commands
-- Can be overridden per command
default = ["10.0.1.10", "10.0.1.11"]
-- Named groups
[targets.web_servers]
hosts = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
user = "www-admin"
[targets.db_servers]
hosts = ["10.0.2.10", "10.0.2.11"]
user = "db-admin"
[firewall]
-- Backend for "linux firewall block"
backend = "nftables" -- iptables | nftables | ufw
chain = "input"
default_action = "drop"
[safety]
-- Users that can never be locked
exclude_users = ["root", "soc-admin", "monitoring"]
-- Services that can never be stopped
exclude_services = ["sshd", "docker", "kubelet"]
-- Paths that can never be chmod'd
exclude_paths = ["/etc/ssh", "/boot"]
Configures all notification channels with severity-based routing (critical alerts to #soc-critical, low alerts to #soc-info), rate limiting, adaptive cards for Teams, PagerDuty escalation policies with auto-resolve timers, OpsGenie, and generic webhooks.
Configures compliance mapping across NIST-800-53, SOC2, ISO 27001, HIPAA, PCI-DSS, GDPR, CCPA, FedRAMP, CMMC, CIS, and DPDP. Includes auto-mapping of actions to controls, baseline drift detection, gap analysis reports, attestation signing, and evidence freshness requirements.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: RCF (Rocheston Compliance Framework)
-- Maps to: rcf map, rcf drift, rcf gap, rcf verify
-- ══════════════════════════════════════════════════════════════
[frameworks]
-- Which compliance frameworks are active for this project?
-- ZelC auto-maps actions to controls from these frameworks
active = ["NIST-800-53", "SOC2", "ISO27001"]
-- All supported: NIST-800-53 | SOC2 | ISO27001 | HIPAA | PCI-DSS |
-- GDPR | CCPA | FedRAMP | CMMC | CIS | DPDP
[auto_mapping]
-- Automatically tag evidence with compliance controls?
enabled = true
-- Include all active frameworks or just primary?
map_all_frameworks = true
-- Primary framework (used when only one mapping is needed)
primary_framework = "NIST-800-53"
[baseline]
-- Golden standard for "rcf drift check"
version = "v1.0"
baseline_file = "./compliance/baseline.json"
-- Auto-generate baseline from current state?
auto_generate = false
-- Check interval for continuous drift detection
drift_check_interval = "6 hours"
-- Alert on drift?
alert_on_drift = true
alert_severity = "high"
[gap_analysis]
-- Output settings for "rcf gap report"
output_dir = "./compliance/reports"
format = "html" -- html | pdf | json
include_recommendations = true
include_evidence_links = true
-- Group by framework or by control family?
group_by = "framework" -- framework | control_family | status
[attestation]
-- Who signs off on compliance attestations?
attestor_name = "SOC Manager"
attestor_email = "[email protected]"
-- Auto-sign with ZelC identity key?
auto_sign = false
-- Require manual review before attestation?
require_review = true
-- Attestation validity period
validity_period = "90 days"
[evidence_requirements]
-- Minimum evidence freshness for a control to be "satisfied"
max_evidence_age = "30 days"
-- Require blockchain anchor for evidence to count?
require_rosecoin_anchor = true
-- Minimum evidence records per control
min_records_per_control = 1
[custom_controls]
-- Define custom control mappings beyond the built-in database
-- Example: map a custom action to a control
-- [custom_controls.mappings]
-- "acme.vpn.enforce_mfa" = ["NIST-IA-2", "SOC2-CC6.1"]
-- "acme.backup.verify" = ["NIST-CP-9", "ISO-A.12.3.1"]
Configures the Rosecoin blockchain node for evidence anchoring, verification, and notarization. Includes wallet address, signing key, batch anchoring to save transaction fees, offline queueing when the node is unreachable, and verification caching.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: Rosecoin (Blockchain Evidence)
-- Maps to: rosecoin anchor, rosecoin verify, rosecoin notarize
-- ══════════════════════════════════════════════════════════════
[node]
-- Rosecoin node RPC endpoint
url = "https://rosecoin.rocheston.com/rpc"
-- For local development:
-- url = "http://localhost:9333"
timeout_seconds = 30
max_retries = 3
[wallet]
address = "rc1_acme_soc_2026"
signing_key_env = "ROSECOIN_SIGNING_KEY"
-- Key derivation path (if using HD wallet)
-- derivation_path = "m/44'/999'/0'/0/0"
[evidence]
-- Automatically anchor every evidence pack?
auto_anchor = true
-- Include full evidence details or just merkle root?
anchor_mode = "merkle_root" -- merkle_root | full_hash | both
-- Minimum batch size before anchoring (saves tx fees)
batch_size = 1
-- Maximum wait time before flushing batch
batch_timeout = "5 minutes"
[offline]
-- Queue transactions locally if node is unreachable
queue_enabled = true
queue_dir = "~/.zelc/pending_anchors"
-- Auto-retry interval
retry_interval = "10 minutes"
max_queue_size = 1000
[verification]
-- Explorer URL for generating proof links
explorer_url = "https://explorer.rosecoin.rocheston.com"
-- Cache verification results
cache_duration = "24 hours"
SIEM
integrations/siem.toml
ZelC commands: zelfire ingest, zelfire correlate
Controls where events are ingested from and exported to. Supports Splunk (with HEC ingestion), Elastic SIEM, Microsoft Sentinel, IBM QRadar, and Google Chronicle. Each provider has its own authentication and endpoint configuration.
Controls where incident tickets are created and managed. Supports Jira Cloud/Server and ServiceNow with auto-assignment by severity and evidence attachment.
Rocheston code security platform. Performs SAST, SCA, secrets detection, and IaC scanning across Python, JavaScript, Java, Go, Rust, ZelC, and Terraform. Integrates into CI/CD as a merge gate. Uses AINA for AI-powered fix suggestions. Outputs SARIF for IDE integration.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: ZelCode
-- Rocheston Secure Code Analysis Platform
-- Maps to: zelcode scan, zelcode review, zelcode fix, zelcode gate
-- ══════════════════════════════════════════════════════════════
[api]
url = "https://zelcode.rocheston.com/api"
api_key_env = "ZELCODE_API_KEY"
[scanning]
-- Analysis types
sast = true -- Static Application Security Testing
dast = false -- Dynamic Application Security Testing
sca = true -- Software Composition Analysis (dependencies)
secrets = true -- Hardcoded secret detection
iac = true -- Infrastructure as Code scanning (Terraform, K8s YAML)
-- Languages supported
languages = ["python", "javascript", "java", "go", "rust", "zelc", "terraform", "yaml"]
-- Scan on every commit?
scan_on_commit = true
[rules]
-- Rule sets
owasp_top_10 = true
sans_top_25 = true
custom_rules_dir = "./zelcode_rules"
-- Severity threshold to fail the build
fail_on_severity = "high" -- critical | high | medium | low
-- Ignore known false positives
ignore_file = ".zelcodeignore"
[fix]
-- Auto-fix suggestions
suggest_fixes = true
-- Use AINA to generate fix recommendations?
use_aina = true
-- Auto-apply safe fixes (whitespace, import ordering)?
auto_fix_safe = true
-- Auto-apply security fixes?
auto_fix_security = false -- Too risky for auto-apply
[gate]
-- CI/CD pipeline gating
enabled = true
-- Block merge if critical issues found?
block_merge_on_critical = true
-- Block deploy if high issues found?
block_deploy_on_high = true
-- Grace period for existing issues
grace_period = "7 days"
[reporting]
output_dir = "./code_security_reports"
format = "html"
include_code_snippets = true
include_fix_suggestions = true
-- SARIF output for IDE integration
sarif_output = true
Rocheston drift detection engine. Continuously monitors firewall rules, security groups, IAM policies, Kubernetes configs, and OS configurations against a golden baseline. Alerts on unauthorized changes and optionally auto-remediates.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: ZelDrift
-- Rocheston Configuration Drift Detection Engine
-- Maps to: zeldrift scan, zeldrift baseline, zeldrift compare, zeldrift remediate
-- ══════════════════════════════════════════════════════════════
[api]
url = "https://zeldrift.rocheston.com/api"
api_key_env = "ZELDRIFT_API_KEY"
[baseline]
-- Golden standard configuration baseline
version = "v1.0"
baseline_file = "./baselines/golden_config.json"
-- Auto-snapshot baseline on first run?
auto_generate = true
[scanning]
-- What to scan for drift
scan_targets = ["firewall_rules", "security_groups", "iam_policies", "k8s_configs", "os_configs"]
-- Schedule
schedule = "hourly" -- realtime | hourly | daily | weekly
-- Exclude known-changing configs
exclude_patterns = ["*.log", "*.tmp", "session_*"]
[drift_response]
-- What happens when drift is detected
alert_severity = "high"
auto_remediate = false -- Revert to baseline automatically?
-- Require approval before remediation?
require_approval = true
-- Create ticket on drift?
auto_ticket = true
[reporting]
output_dir = "./drift_reports"
format = "html"
include_diff = true -- Show exact changes between baseline and current
include_timeline = true -- Show when drift occurred
Rocheston exploit tracking platform. Monitors the exploit lifecycle from POC to weaponized to in-the-wild. Tracks NVD, CISA KEV, ExploitDB, GitHub POCs, Metasploit, and Nuclei templates. Correlates with your asset inventory to alert when your stack is affected. Uses AINA for impact prediction.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: ZelExploits
-- Rocheston Exploit Intelligence & Weaponization Tracking
-- Maps to: zelexploits lookup, zelexploits track, zelexploits prioritize, zelexploits alert
-- ══════════════════════════════════════════════════════════════
[api]
url = "https://zelexploits.rocheston.com/api"
api_key_env = "ZELEXPLOITS_API_KEY"
[intelligence]
-- Track exploit maturity lifecycle
track_lifecycle = true -- POC → weaponized → in-the-wild → commodity
-- Sources to monitor
sources = ["nvd", "cisa_kev", "exploit_db", "github_poc", "metasploit", "nuclei"]
-- Auto-correlate with your asset inventory?
correlate_with_assets = true
-- Use AINA for impact prediction?
ai_impact_prediction = true
[alerting]
-- Alert when a CVE affecting your stack gets a public exploit
alert_on_weaponization = true
alert_severity = "critical"
-- Alert when CISA adds to KEV (Known Exploited Vulnerabilities)
alert_on_kev = true
-- Alert lead time goal (hours between exploit release and your patch)
target_lead_time = 24
[prioritization]
-- Priority factors
factor_exploit_maturity = true -- Is there a working exploit?
factor_asset_exposure = true -- Is the asset internet-facing?
factor_asset_criticality = true -- How important is this asset?
factor_compensating_controls = true -- Do we have mitigations in place?
-- Use AINA to calculate composite priority score?
use_aina = true
[tracking]
-- Track patch status
track_patch_status = true
-- SLA compliance monitoring
sla_monitoring = true
-- Sync with ZelScan results
sync_with_zelscan = true
Zelfire — SOC Platform
integrations/zelfire.toml
ZelC commands: zelfire ingest, zelfire correlate, zelfire contain, zelfire close
Rocheston unified SOC platform combining SIEM, XDR, and SOAR. Ingests events from all sources, correlates with AINA AI engine, auto-maps to MITRE ATT&CK, manages incident lifecycle with SLA timers, and provides real-time SOC dashboards. The nerve center of the Rocheston security stack.
Rocheston attack surface discovery platform. Passive DNS enumeration, certificate transparency monitoring, port scanning, subdomain discovery, and cloud asset inventory. Continuously monitors for new exposures and shadow IT. Auto-classifies assets by criticality.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: ZelMap
-- Rocheston Attack Surface Mapping & Asset Discovery
-- Maps to: zelmap discover, zelmap inventory, zelmap expose, zelmap monitor
-- ══════════════════════════════════════════════════════════════
[api]
url = "https://zelmap.rocheston.com/api"
api_key_env = "ZELMAP_API_KEY"
[discovery]
-- Discovery methods
passive_dns = true -- Passive DNS enumeration
certificate_transparency = true -- CT log monitoring
port_scanning = true -- Active port scanning
subdomain_enumeration = true -- Subdomain discovery
cloud_inventory = true -- Cloud asset enumeration
-- Scan targets (domains and IP ranges)
domains = ["acme.com", "acme.io"]
ip_ranges = ["203.0.113.0/24"]
-- Excluded from scanning
exclude = ["internal.acme.com"]
[monitoring]
-- Continuous attack surface monitoring
enabled = true
check_interval = "6 hours"
-- Alert on new assets
alert_on_new_asset = true
-- Alert on exposed services
alert_on_exposure = true
alert_severity = "high"
[inventory]
-- Asset classification
auto_classify = true -- Auto-classify by service type
-- Criticality tagging
auto_tag_criticality = true
-- Sync with CMDB?
sync_cmdb = false
[exposure]
-- What counts as an exposure
exposed_ports = [22, 23, 3389, 445, 1433, 3306, 5432, 6379, 27017]
-- Alert on shadow IT (unknown assets)
alert_shadow_it = true
Rocheston posture management platform. Assesses network, endpoint, cloud, identity, application, and data security against NIST CSF, CIS, and MITRE D3FEND. Calculates a weighted posture score (0-100), benchmarks against industry peers, and generates AI-powered remediation roadmaps.
Rocheston security rating and benchmarking platform. Scores your organization across network, application, endpoint, identity, cloud, and compliance. Benchmarks against industry peers by vertical and company size. Continuous monitoring with drop alerts.
Rocheston vulnerability scanner. Full, quick, targeted, and compliance scan modes with port range 1-65535. Uses AINA for AI-powered prioritization factoring in threat intelligence, asset criticality, and business impact. SLA tracking per severity with auto-ticketing.
-- ══════════════════════════════════════════════════════════════
-- ZelC Integration: ZelScan
-- Rocheston Vulnerability Scanner
-- Maps to: zelscan scan, zelscan report, zelscan track, zelscan prioritize
-- ══════════════════════════════════════════════════════════════
[api]
url = "https://zelscan.rocheston.com/api"
api_key_env = "ZELSCAN_API_KEY"
[scanning]
-- Scan types
scan_type = "full" -- full | quick | targeted | compliance
-- Targets
default_targets = ["10.0.0.0/16"]
exclude_targets = ["10.0.0.1"]
-- Scheduling
schedule = "weekly" -- hourly | daily | weekly | monthly | manual
-- Port range
port_range = "1-65535"
-- Service detection
service_detection = true
os_detection = true
[prioritization]
-- Use AINA AI to prioritize vulnerabilities by business impact?
ai_prioritization = true
-- Factor in threat intelligence (is this CVE actively exploited?)
factor_threat_intel = true
-- Factor in asset criticality
factor_asset_criticality = true
[sla]
-- Remediation SLA by severity
critical_days = 7
high_days = 30
medium_days = 90
low_days = 180
[reporting]
output_dir = "./vulnerability_reports"
format = "pdf"
include_remediation_steps = true
include_cvss_scores = true
group_by = "severity" -- severity | host | cve | service
[integration]
-- Auto-create tickets for new vulnerabilities?
auto_ticket = true
auto_ticket_severity = "high" -- create tickets for high and above
-- Sync with Vines?
sync_with_vines = true
Rocheston SOAR platform. Orchestrates playbook execution across all integrations with event-driven triggers from SIEM, email, webhooks, and cron schedules. Human-in-the-loop approval for dangerous actions. Tracks MTTD, MTTR, and playbook success rates.
Rocheston WAF. OWASP Core Rule Set with SQL injection, XSS, command injection, path traversal, and file inclusion protection. Rate limiting, auto-sync blocklist from ZelC firewall actions, and auto-block IPs with high threat intel scores.
Rocheston vulnerability intelligence platform. Automated vulnerability scanning with AI-powered prioritization, scan scheduling, severity-based auto-ticketing, SLA timers for remediation tracking, and optional auto-quarantine of critically vulnerable hosts. Integrates with ZelScan for deep scanning and AINA for impact analysis.