Language Rules
Essential syntax rules for writing correct ZelC code. Read this first.
Comments: -- (double dash) [CRITICAL]
ZelC comments run from -- (double dash) to the end of the line. This is the only comment syntax in ZelC; there is no block comment form, so multi-line notes are written as consecutive -- lines.
-- This is a correct ZelC comment
-- Nothing else is a valid comment syntax in ZelC
File Extension: .zelc or .zc [CRITICAL]
ZelC source files use the .zelc or .zc extension. Both are fully supported.
-- Save as: my_playbook.zelc or my_playbook.zc
Blocks End With end [CRITICAL]
Every block (check, do, when, each, while, try/catch, define, record) is closed with the end keyword. Indentation is cosmetic; the end keyword is what closes the block. Curly braces { } are used only for object literals like { key: value } and for the body of an intent contract (see intent under Core Language), never to open or close a statement block.
check MyPlaybook -- opens a block
  when threat_detected -- opens nested block
    do -- opens kinetic block
      firewall block ip "1.2.3.4"
    end -- closes do
  end -- closes when
end -- closes check
Program Entry: check (like main()) [CRITICAL]
The check block is the program entry point — equivalent to main() in Python, C, or Java. Every ZelC program starts inside a check block. A file can have multiple check blocks, each evaluated independently.
-- Every ZelC program starts with check
check MyFirstPlaybook
alert low message "Hello from ZelC"
end
Kinetic Safety: do...end Required [CRITICAL]
ALL state-changing actions (block, isolate, revoke, kill, quarantine, delete, rotate, lock, unlock, reset, patch, rollback, snapshot, restore) MUST be inside a do...end block. Outside do blocks, ZelC is read-only: lookups, scans, alerts, notifications and trace run anywhere, but the compiler rejects kinetic verbs outside do blocks. Keep the read-only decision logic outside the do block and put only the actions inside it, so the blast radius of each block is easy to audit.
-- CORRECT: kinetic action inside do...end
when threat_detected
do
firewall block ip "1.2.3.4"
end
end
Variables: set, keep, change [CRITICAL]
set creates a variable. keep creates an immutable constant (convention: SCREAMING_CASE, although the examples on this page also use lower_case names). change mutates an existing variable. These are the only three variable keywords in ZelC.
set count = 0 -- mutable variable
keep MAX_RETRIES = 3 -- immutable constant
change count = count + 1 -- mutate existing
String Interpolation: {variable} [syntax]
Use {variable} inside double-quoted strings to interpolate values. Curly braces around the variable name are the only interpolation syntax in ZelC; dotted paths such as {event.case_id} work the same way.
set ip = "1.2.3.4"
alert high message "Blocked attacker at {ip}"
Duration Literals: number + unit [syntax]
Durations are a number followed by a unit: seconds, minutes, hours, days. A duration is a value like any other: it can be stored with keep or set and passed to for or wait.
firewall block ip "1.2.3.4" for 2 hours
wait 30 seconds
keep TIMEOUT = 5 minutes
Emoji Visual Mode (Optional) [syntax]
ZelC supports optional emoji prefixes for visual clarity. They are semantically identical to the plain syntax. Key icons: ⭕️ open block, 🔴 close block (end), 🔥 check, ⚡ do (kinetic block), ⛔ block, 🧊 isolate, 📝 evidence, 🚨 alert, ☁️ cloud, 🧠 AI, ⛓️ blockchain, ⚙️ config, 🔹 set/keep.
-- With emoji (visual mode)
-- ⭕️ opens a block, 🔴 closes it (same as end)
🔥 check RansomwareDefense
⭕️ when threat.velocity > 50
🚨 alert critical message "RANSOMWARE DETECTED"
⚡ do
⛔ firewall block ip event.source_ip
🧊 edr isolate host event.hostname
📝 evidence record "Blocked" details { ip: event.source_ip }
⛓️ rosecoin anchor evidence_pack "containment"
🔴
🔴
🔴
-- Without emoji (identical behavior)
check RansomwareDefense
when threat.velocity > 50
alert critical message "RANSOMWARE DETECTED"
do
firewall block ip event.source_ip
edr isolate host event.hostname
evidence record "Blocked" details { ip: event.source_ip }
rosecoin anchor evidence_pack "containment"
end
end
end
Complete Example Program [template]
A complete, correct ZelC program showing all major features: check entry point, keep constants, when conditional, do kinetic block, domain actions, evidence recording, blockchain anchoring, and audit logging.
-- Brute Force Detection and Response
-- File: brute_force.zelc
check BruteForceShield
keep threshold = 12
keep block_duration = 2 hours
keep soc_channel = "#security-alerts"
when bruteforce_login
alert critical message "🚨 Brute force attack detected"
notify slack channel soc_channel message "Investigating brute force"
do
set attacker_ip = event.source_ip
set target_user = event.username
-- Contain the threat
firewall block ip attacker_ip for block_duration
iam lock user target_user
-- Record evidence
evidence record "brute-force-containment" details {
attacker_ip: attacker_ip,
target_user: target_user,
actions_taken: ["ip_blocked", "user_locked"]
}
-- Anchor to blockchain
rosecoin anchor evidence_pack "brute-force"
-- Audit trail
audit log "Incident contained" details {
status: "resolved"
}
end
end
end
Core Language
Flow control, variables, and program structure.
check Name ... end [structure]
The program entry point — equivalent to main() in Python, C, or Java. Every ZelC program begins execution inside a check block. It is the top-level container for a detection rule, compliance audit, or response playbook. A .zelc file can contain multiple check blocks — each is an independent security unit that the engine evaluates against incoming events.
check BruteForceDetection
when login_failures > 5
alert critical message "Brute force detected"
end
end
do ... end [kinetic]
The Kinetic Block. The ONLY zone where state-changing actions (delete, block, kill, revoke) are permitted. Outside this block, ZelC is read-only. Record evidence explicitly inside the do block with evidence record and anchor to the blockchain with rosecoin anchor. The Shadow Thread automatically generates cryptographic hashes of all actions. If evidence generation fails, the action rolls back.
when ransomware_detected
do
edr isolate host "endpoint-07"
ticket open title "Ransomware containment"
-- Record evidence explicitly
evidence record "Ransomware Containment" details {
host: "endpoint-07",
action: "isolated"
}
-- Anchor to blockchain
rosecoin anchor evidence_pack "latest"
end
end
when condition ... end [control flow]
Conditional gate. If the condition evaluates to true, the enclosed logic executes. Otherwise skipped.
when risk_score > 90
alert critical message "High risk detected"
end
otherwise [control flow]
Fallback path. Executes if the primary when condition fails. Essential for Default Deny patterns. A kinetic verb on either branch still needs its own do...end block; the example uses the documented iam lock and iam unlock verbs for that reason.
when user_verified
  do
    iam unlock user target_user
  end
otherwise
  do
    iam lock user target_user
  end
end
each item in collection ... end [control flow]
Iterates through a list of assets (IPs, users, files) and applies the enclosed logic to every item. A kinetic verb in the loop body still has to sit inside a do...end block.
each ip in suspicious_ips
  do
    firewall block ip ip
  end
end
while condition ... end [control flow]
Repeats the enclosed block as long as the condition is true. Used for sentinel loops and continuous monitoring.
while sentinel_active is true
set packet = traffic_stream.next()
-- process packet
end
try ... catch err ... end [control flow]
Resilience Wrapper. Wraps volatile actions. If the action fails, catch executes a safe fallback instead of crashing.
try
aws scan posture
catch err
alert warning message "Scan failed: {err}"
end
define name(params) ... end [structure]
Defines a reusable function with parameters and a return value.
define block_threat(target_ip)
set risk = threat_intel.lookup(target_ip)
when risk > critical
do
firewall block ip target_ip
end
end
end
intent Name { ... } [structure]
Defines an intent contract with constraints. The Physics Constraint Engine validates do blocks against these limits at compile time, preventing AI hallucination disasters.
intent IsolateSingle {
category: "containment"
risk_level: high
constraints {
max_targets: 1
allowed_actions: ["edr.isolate", "firewall.block"]
prohibited_actions: ["process.kill", "system.shutdown"]
}
}
set name = value [variable]
Allocates a new variable binding. By default, variables are locked against accidental modification; use change to update them explicitly.
set threshold = 10
set users = ["alice", "bob"]
change name = value [variable]
Explicitly modifies an existing variable. Tracks the change event in the debug trace.
set count = 0
change count = count + 1
keep NAME = value [constant]
Defines a global constant. Burned into the runtime — cannot be altered by any logic path, preventing injection attacks on configuration.
keep MAX_RETRIES = 3
keep SOC_CHANNEL = "#security"
record Name ... end [structure]
Defines a custom data structure (Schema). Strict typing for JSON blobs.
record Finding
user: UserId
ip: IP
severity: Text
end
stop [control]
Immediate Hard Halt. Ceases execution of the current playbook instantly when a critical safety invariant is violated.
when critical_failure
alert critical message "Safety violation"
stop
end
wait duration [control flow]
Pauses execution for a specified time window. Useful for service restarts or log propagation delays. The restart itself is kinetic, so it goes inside a do block; the wait can sit outside.
do
  linux service "nginx" restart
end
wait 30 seconds
trace "text" [output]
Prints text to the terminal. This is ZelC's equivalent of print() in Python, console.log() in JavaScript, or echo in Bash. Used for debugging, status messages, and operator feedback during playbook execution. Supports string interpolation with {variable}.
-- Print to terminal (like print in Python)
trace "Playbook started"
-- With string interpolation
set ip = "1.2.3.4"
trace "Blocking attacker at {ip}"
-- Debug output during execution
check MyPlaybook
set count = 42
trace "Current count: {count}"
when count > 10
trace "Threshold exceeded — taking action"
do
firewall block ip "1.2.3.4"
trace "Firewall rule applied"
end
end
end
package name.space [structure]
Declares the module namespace for the current file. Organizes playbooks into logical groups.
package soc.endpoint
package soc.aina.manifest
package devsecops.supply_chain
use module1, module2 [structure]
Imports one or more modules into the current file. Enables the commands from those modules.
use aina, edr, aws, threat
use core, integrity, rosecoin
use linux, docker, kubernetes
import "package" [structure]
Imports an external package from the ZelC package registry.
import "rocheston/threat-feeds"
import "rocheston/compliance-maps"
set name: Type = value [variable]
Declares a variable with an explicit type annotation. Supported types: String, Integer, Decimal, Boolean, Array, Object, IP, UserId, Hash.
set target_ip: String = event.source_ip
set count: Integer = 0
set confidence: Decimal = 0.85
set is_threat: Boolean = true
set indicators: Array = aina extract_ioc from data
set context: Object = event.all_context
keep TOTAL_FILES: Integer = 168
break [control flow]
Exits the current loop early. Used inside each and while blocks.
each ip in suspicious_ips
set verdict = threat lookup ip ip
when verdict.is_malicious == true
alert critical message "Found malicious IP: {ip}"
break
end
end
return value [control flow]
Returns a value from a function defined with define.
define assess_risk(host_tier)
set score = aina risk_score for host_tier
return score
end
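The playbook below is an added example (not code from this page or from Rocheston) that ties the control-flow keywords in this section to the kinetic safety rule from Language Rules: a read-only define helper that returns a verdict, each with break, when/otherwise, try/catch around a do block, and keep constants. It assumes an event.source_ips list on the incoming event, a verdict shaped like the threat lookup example (verdict.is_malicious), that a user-defined function is called the same way as a built-in (is_malicious(ip)), and that try may wrap a do block; none of those four points is spelled out on the page.

```zelc
-- Added example: triage a list of source IPs with the control-flow keywords.
-- event.source_ips, the is_malicious(ip) call form and try-around-do are assumptions.
check SuspiciousSourceTriage
  keep MAX_BLOCKS = 3
  keep SOC_CHANNEL = "#security-alerts"

  -- Read-only helper: no kinetic verb, so no do block is needed here.
  define is_malicious(ip)
    set verdict = threat lookup ip ip
    return verdict.is_malicious == true
  end

  set blocked = 0

  each ip in event.source_ips
    when is_malicious(ip)
      -- try/catch keeps one failed block from aborting the whole loop.
      try
        do
          firewall block ip ip for 2 hours
          evidence record "ip-blocked" details { ip: ip, reason: "threat intel hit" }
        end
        change blocked = blocked + 1
      catch err
        alert high message "Containment failed for {ip}: {err}"
      end
    otherwise
      trace "No action for {ip}: not flagged by intel"
    end

    -- Stop after a fixed number of blocks so a noisy feed cannot run away.
    when blocked == MAX_BLOCKS
      alert medium message "Block cap of {MAX_BLOCKS} reached; remaining IPs left for review"
      break
    end
  end

  when blocked > 0
    notify slack channel SOC_CHANNEL message "Blocked {blocked} source IP(s) after intel check"
    do
      rosecoin anchor evidence_pack "source-triage"
    end
  end
end
```

The cap on blocks is the point worth copying: an automated loop that blocks whatever a feed returns is itself a denial-of-service risk, and the break plus the medium alert hands the tail of the list back to an analyst instead of silently acting on it.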
Alerts & Notifications
Getting the message to the human in the loop during security incidents.
alert <severity> message "text" [notification]
Triggers a priority interrupt. Severity levels: critical, high, medium, low, warning. Critical flashes UI elements and wakes on-call engineers.
alert critical message "🚨 Ransomware detected on production"
alert high message "Brute force attack in progress"
alert low message "Routine scan completed"
notify slack channel "#name" message "text" [notification]
Injects a message into a Slack channel. Supports block-kit formatting for rich mini-dashboards.
notify slack channel "#soc" message "🔥 Brute force detected from 1.2.3.4"
notify teams channel "name" message "text" [notification]
Posts a card to Microsoft Teams. Can include Action Buttons for approve/deny directly from chat.
notify teams channel "Security Operations" message "Incident detected"
notify email to "addr" subject "text" body "text" [notification]
Composes and sends a formatted HTML email. Supports High Priority headers and evidence report attachments.
notify email to "[email protected]" subject "Security Alert" body "Incident requires attention"
pager trigger message "text" [notification]
Fires an incident in PagerDuty or OpsGenie. Starts the escalation policy timer for human acknowledgement.
pager trigger message "Critical security incident - immediate response required"
webhook to "url" body { ... } [notification]
Sends a raw JSON POST request to an external URL. Triggers third-party logic apps or legacy integrations.
webhook to "https://api.example.com/alert" body {
severity: "high",
message: "Incident detected"
}
Evidence & Audit
Proof-of-Work for security operations. Every action leaves a tamper-proof trace.
evidence record "title" details { ... } [evidence]
Snapshots the current state into a tamper-proof evidence object with SHA-256 hash. The Digital Witness to the operation.
evidence record "containment-action" details {
host: "endpoint-07",
action: "isolated",
timestamp: now()
}
proof make type "type" details { ... } [evidence]
Constructs a formal Proof Artifact (PDF report or signed hash) derived from collected evidence. Used to satisfy auditors.
proof make type "ContainmentProof" details {
action: "isolate",
result: "success"
}
audit log "event" details { ... } [evidence]
Writes a structured event to the immutable compliance journal. Write-only — cannot be deleted.
audit log "Security action completed" details {
event: "containment",
status: "success"
}
export report format "fmt" to "path" [evidence]
Compiles all evidence and logs from the current run into a human-readable file for external consumption.
export report format "pdf" to "reports/incident.pdf"
hash verify "file" against "hash" [evidence]
Computes SHA-256 checksum of a file and compares against a known good value to detect tampering.
hash verify "evidence.json" against "sha256:abc123..."
sign artifact "name" [evidence]
Applies a digital signature using the system's identity key. Proves this specific ZelC runtime authorized the data.
sign artifact "evidence-pack"
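As an added example (not from the page or from Rocheston), the evidence verbs above compose into an integrity gate that refuses to sign, anchor or export an evidence file whose digest no longer matches the one captured at collection time. hash verify is the one-shot form of that check; this example computes the digest itself so the actual value can be written to the audit journal on a mismatch. It assumes that crypto hash sha256 file yields the digest as text assignable with set, and that the digest uses the same sha256: prefix shown in the hash verify entry. The expected value is the well-known SHA-256 of empty input, used purely as a stand-in for a real collection-time digest.

```zelc
-- Added example: verify an evidence file before signing, anchoring and exporting it.
-- EXPECTED_HASH is the SHA-256 of empty input, a stand-in for the real value.
-- Assumption: crypto hash sha256 file returns the digest so it can be compared and logged.
check EvidenceIntegrityGate
  keep EVIDENCE_FILE = "evidence/incident-0042.json"
  keep EXPECTED_HASH = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

  set actual_hash = crypto hash sha256 file EVIDENCE_FILE

  when actual_hash == EXPECTED_HASH
    -- Integrity holds: sign, anchor, then produce the auditor-facing report.
    sign artifact "incident-0042-evidence"
    audit log "Evidence verified and signed" details {
      file: EVIDENCE_FILE,
      digest: actual_hash,
      signed_at: now()
    }
    do
      evidence record "integrity-check" details { file: EVIDENCE_FILE, result: "match" }
      rosecoin anchor evidence_pack "incident-0042"
    end
    export report format "pdf" to "reports/incident-0042.pdf"
  otherwise
    -- Mismatch: journal the discrepancy, page a human, and halt before anything is signed.
    audit log "Evidence hash mismatch" details {
      file: EVIDENCE_FILE,
      expected: EXPECTED_HASH,
      actual: actual_hash
    }
    alert critical message "Evidence file {EVIDENCE_FILE} failed integrity check; possible tampering"
    pager trigger message "Evidence integrity failure on incident-0042"
    stop
  end
end
```

Ordering matters here: the audit log entry is written on both branches, so the journal shows that the check happened even when the playbook halts, and the signature is only ever applied to content whose digest has already been compared.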
SOC Operations
The verbs of defense: Detect, Contain, Eradicate.
firewall block ip "addr" for duration [kinetic]
Updates the edge firewall, WAF, or security group to drop all packets from a specific IP address. The Digital Wall.
do
firewall block ip "192.168.1.100" for 2 hours
end
edr isolate host "hostname" [kinetic]
Commands the EDR agent to cut network access for a specific endpoint, leaving only a management tunnel open for forensics.
do
edr isolate host "endpoint-07"
end
edr kill process PID on "host" [kinetic]
Sends a SIGKILL to a specific Process ID on a remote host. Instantly terminates malicious execution.
do
edr kill process 1234 on "endpoint-07"
end
edr quarantine file "path" on "host" [kinetic]
Moves a suspicious file to a secure encrypted vault and strips its execute permissions.
do
edr quarantine file "/tmp/malware.exe" on "endpoint-07"
end
iam revoke sessions user_id [kinetic]
Invalidates all active session tokens for a user identity. Forces logout across all applications and requires MFA re-authentication.
do
iam revoke sessions user_id
end
iam lock user "name" [kinetic]
Locks a user account, preventing all authentication attempts.
do
iam lock user "alice"
end
iam enable user "name" [kinetic]
Restores access to a locked user account after successful identity verification.
do
iam enable user "alice"
end
iam reset password user_id [kinetic]
Triggers a Force Password Change flow. Emails a one-time secure link for new credentials.
do
iam reset password user_id
end
ticket open title "text" severity "level" [case mgmt]
Creates a new incident ticket in the ticketing system with title, severity, and priority.
ticket open title "Brute Force Attack" severity "high"
ticket close "id" [case mgmt]
Closes an existing incident ticket after resolution. Links the final evidence pack to the ticket.
do
ticket close "SOC-1234"
evidence record "Ticket Closed" details {
ticket_id: "SOC-1234",
status: "resolved"
}
rosecoin anchor evidence_pack "latest"
end
ticket update "id" comment "text" [case mgmt]
Adds a progress note or comment to an existing ticket.
ticket update "SOC-1234" comment "Containment complete. Awaiting forensics."
iam unlock user "name" [kinetic]
Restores login capability to a previously locked user account after identity verification.
do
iam unlock user "alice"
evidence record "Account Unlocked" details {
user: "alice",
action: "unlocked"
}
rosecoin anchor evidence_pack "latest"
end
Cloud Security — AWS
Native controls for Amazon Web Services infrastructure.
aws rotate keys [kinetic]
Invalidates current AWS IAM Access Keys and generates new ones, creating a secure handover.
do
aws rotate keys
aws rotate keys user_id
end
aws s3 block_public bucket "name" [kinetic]
Enforces Block Public Access on an S3 bucket. Kill-switch for accidental data leaks.
do
aws s3 block_public bucket "my-bucket"
end
aws ec2 snapshot instance "id" [kinetic]
Triggers an immediate volume snapshot of an EC2 instance. Preserves forensic state before remediation.
do
aws ec2 snapshot instance "i-1234567890abcdef0"
end
aws security_group revoke sg "id" rule "spec" [kinetic]
Removes a specific ingress or egress rule from a security group. Closes the port on a live cloud firewall.
do
aws security_group revoke sg "sg-12345" rule "0.0.0.0/0:22"
end
aws cloudtrail ensure on [cloud]
Verifies CloudTrail logging is active and, if it has been disabled, re-enables it so the audit trail stays unbroken. Although the page lists it as a cloud check, re-enabling the trail changes state; wrapping the call in do...end keeps it consistent with the kinetic safety rule.
aws cloudtrail ensure on
aws waf update_ip_set [kinetic]
Updates AWS WAF IP set to add or remove IPs from the global blocklist. Edge-level blocking.
do
aws waf update_ip_set action "INSERT" ip "1.2.3.4" list "Global_Blocklist"
end
Docker & Kubernetes
Securing the microservices layer and container runtime.
docker stop container "name" [kinetic]
Halts a running Docker container without killing the host.
do
docker stop container "app-container-1"
end
docker image scan "image" [read-only]
Deconstructs a container image layer-by-layer to identify CVEs, bad binaries, or leaked secrets.
docker image scan "app:latest"
kube isolate pod "name" [kinetic]
Applies a restrictive NetworkPolicy to a Pod. Jails it so it cannot talk to other microservices.
do
kube isolate pod "suspicious-pod"
end
kube delete pod "name" [kinetic]
Destroys a pod, forcing the ReplicaSet to spawn a fresh, clean version. Pave and Rebuild strategy.
do
kube delete pod "compromised-pod"
end
helm rollback "release" version [kinetic]
Reverts a Kubernetes deployment to the previous known-good version. Instant remediation for bad config pushes.
do
helm rollback "app-release" 1
end
Linux System Administration
Hands-on server management and system operations.
linux service "name" restart [kinetic]
Bounces a systemd service. Turn it off and on again for stuck daemons.
do
linux service "nginx" restart
end
linux firewall block ip "addr" [kinetic]
Updates iptables or nftables to drop traffic from a source. Host-level defense.
do
linux firewall block ip "1.2.3.4"
end
linux user lock "name" [kinetic]
Modifies /etc/shadow or uses usermod to lock a local user account on a Linux server.
do
linux user lock "alice"
end
linux cron list [read-only]
Enumerates all scheduled tasks on the system. Essential for finding persistence mechanisms used by malware.
linux cron list
linux file chmod "path" mode [kinetic]
Changes file permissions. Used to lock down sensitive configs.
do
linux file chmod "/etc/config.conf" 600
end
linux kill process PID [kinetic]
Sends a kill signal to terminate a process by PID on a Linux host.
do
linux kill process 1234
evidence record "Process Killed" details {
pid: 1234,
action: "killed"
}
rosecoin anchor evidence_pack "latest"
end
Web & Network Defense
Transport layer and application edge protection.
nginx reload [kinetic]
Triggers a configuration reload for Nginx. Applies new WAF rules or blocklists without dropping connections.
do
nginx reload
end
apache2 reload [kinetic]
Triggers a graceful configuration reload for Apache HTTP Server. Applies new security rules without dropping active connections.
do
apache2 reload
end
dns resolve "domain" [read-only]
Performs a DNS lookup (A, AAAA, TXT, MX) to verify domain ownership or check for malicious redirection.
dns resolve "example.com"
http get "url" [read-only]
Sends a safe GET request. Used for health checks or verifying a site is up/down.
http get "https://api.example.com/health"
ssl verify "url" [read-only]
Checks the TLS certificate of a remote endpoint. Validates expiry, issuer, and chain of trust.
ssl verify "https://example.com"
ssh disconnect session "id" [kinetic]
Forcefully kills an active SSH connection on the gateway. Kicks out an attacker immediately.
do
ssh disconnect session "session-123"
end
GitHub / DevSecOps
Pipeline integrity and shift-left security.
github scan repo "repo" for secret_leak [read-only]
Crawls a GitHub repository looking for high-entropy strings, hardcoded keys, or vulnerable dependencies.
github scan repo "company/app" for secret_leak
github block merge pr number [kinetic]
Sets a Failure status check on a PR. Physically prevents code from being merged until security issues are fixed.
do
github block merge pr 123
end
sbom generate format "fmt" output "path" [read-only]
Produces a Software Bill of Materials listing every library inside the app. SPDX/CycloneDX format.
sbom generate format "spdx" output "sbom.json"
github open issue title "text" [kinetic]
Creates a new issue in a GitHub repository. Used to track discovered vulnerabilities or policy violations.
do
github open issue title "Critical CVE found in dependency"
evidence record "Issue Created" details {
repo: "acme/main-app",
action: "issue_opened"
}
rosecoin anchor evidence_pack "latest"
end
github comment pullrequest "id" message "text" [kinetic]
Posts a comment on a pull request. Used by security bots to leave scan results or approval notes.
do
github comment pullrequest "123" message "Security scan passed. No critical CVEs found."
end
gitlab pipeline stop job ID [kinetic]
Cancels a running GitLab CI/CD pipeline job. Used to halt deployments when security checks fail.
do
gitlab pipeline stop job 456
end
Cryptography Operations
Protecting data at rest and in transit.
crypto encrypt aes file "path" [kinetic]
Encrypts a file with AES-256-GCM, an authenticated-encryption mode that protects integrity as well as confidentiality, so a modified ciphertext fails to decrypt rather than yielding silently corrupted plaintext.
do
crypto encrypt aes file "sensitive.txt"
end
crypto sign ed25519 message data [kinetic]
Signs a message with an Ed25519 key. The signature lets a verifier confirm who produced the data and that it has not been altered; Ed25519 is fast to sign and verify and uses short keys and signatures.
do
crypto sign ed25519 message data
end
crypto hash sha256 file "path" [read-only]
Generates a standard SHA-256 fingerprint of a file. The bread and butter of integrity checking.
crypto hash sha256 file "data.bin"
secret mask raw_log [read-only]
Scans a string for sensitive patterns (Credit Cards, API Keys) and replaces them with ********.
set safe_log = secret mask raw_log
crypto random string length N [function]
Generates a cryptographically secure random string of specified length. Used for temporary passwords, session tokens, and nonces.
set temp_password = crypto random string length 32
set nonce = crypto random string length 64
Threat Intelligence & Malware
Hunting and analyzing the adversary.
threat lookup ip "addr" [read-only]
Queries a threat intelligence provider to check if an IP is known to be malicious.
set verdict = threat lookup ip "1.2.3.4"
malware detonate file "path" [read-only]
Sends a file to a sandbox for behavioral analysis. Returns a report on what the file does when run.
set report = malware detonate file "suspicious.exe"
yara scan file "path" rules "rules" [read-only]
Scans a file against YARA rules. Identifies malware based on code patterns and strings, not just hash.
yara scan file "/tmp/binary" rules "malware.yar"
threat feed ingest source "url" [read-only]
Pulls in a list of Indicators of Compromise from a STIX/TAXII threat feed to update blocklists.
threat feed ingest source "https://feeds.example.com/iocs"
AINA — AI Security Governance
AI-powered analysis, decision-making, and security automation. The Brain of the Rocheston ecosystem.
aina ask "question" [AI]
Ask a natural language question with current security context. Returns AI response as Text.
set answer = aina ask "What caused the CPU spike on prod-db?"
aina explain event raw_data [AI]
Reads raw logs or hex dumps and generates a human-readable summary of what happened.
set analysis = aina explain event raw_logs
aina summarize events [AI]
Summarizes a list of security events into a brief narrative. Used for incident reports and shift handoffs.
set summary = aina summarize events
aina correlate events [AI]
Finds relationships between seemingly unrelated events. Returns correlation graph.
set links = aina correlate events
aina decide situation [AI]
Given a security situation, recommends a course of action with confidence score and reasoning.
set decision = aina decide event
aina recommend context [AI]
Suggests ranked next steps for an ongoing incident.
set steps = aina recommend event
aina write_report incident_data [AI]
Generates a full incident report from collected evidence with executive summary, timeline, and recommendations. Optionally outputs to a file path with the to keyword.
-- Store report in variable
set report = aina write_report event
-- Write report directly to file
aina write_report for event.case_id to "reports/aina_analysis_{event.case_id}.pdf"
aina generate_steps "objective" [AI]
Given a high-level objective, generates a step-by-step ZelC playbook. Returns valid ZelC code.
set playbook = aina generate_steps "contain the ransomware"
aina extract_ioc from text [AI]
NLP extraction of Indicators of Compromise from unstructured text. Returns structured IOCSet with IPs, domains, hashes.
set indicators = aina extract_ioc from email_body
aina risk_score activity [AI]
Calculates a dynamic risk score (0-100) based on anomaly detection and historical behavior.
set risk = aina risk_score user_activity
aina guard prompt user_input [AI]
Scans an incoming LLM prompt for injection attacks, jailbreaks, or toxic content. Blocks before it reaches the model.
aina guard prompt user_input
aina check output llm_response [AI]
Analyzes AI-generated text for PII leakage, hallucinations, or unsafe advice before showing to user.
aina check output llm_response
aina map_controls actions [AI]
Maps security actions to compliance framework controls (NIST, SOC2, ISO 27001).
set controls = aina map_controls ["firewall.block", "evidence.record"]
aina simulate scenario [AI]
Runs a what-if simulation. Returns predicted outcomes and side effects of taking action X.
set outcome = aina simulate scenario
aina verify_evidence data [AI]
Uses AI to verify the integrity and completeness of collected evidence before anchoring to blockchain. Checks for gaps, inconsistencies, and chain of custody violations.
aina verify_evidence for telemetry_data
Noodles — Reporting & Dashboards
Visualization and reporting for the Rocheston dashboard.
noodles build chart type "type" data dataset [reporting]
Generates a data visualization (Pie, Bar, Line, Heatmap) from a dataset. Embeds into the final report.
noodles build chart type "pie" data severity_counts
noodles export pdf to "path" [reporting]
Renders the current Evidence Board into a high-fidelity PDF suitable for auditors or the board of directors.
noodles export pdf to "reports/incident_summary.pdf"
noodles timeline add event "text" time now() [reporting]
Inserts a significant event into the Incident Timeline. Constructs a chronological narrative of the attack and response.
noodles timeline add event "Initial breach detected" time now()
noodles generate evidence_pack [evidence]
Compiles all evidence records from the current execution into an EvidencePack with Merkle root.
noodles generate evidence_pack
Zelfire — SOC Platform
SOC operations, containment execution, and event processing.
zelfire ingest events [platform]
Feed events from SIEMs, EDRs, and cloud providers into the Zelfire engine for processing.
zelfire ingest events
zelfire correlate events [platform]
Groups related events by time window, IP, or user for unified incident view.
zelfire correlate events
zelfire contain incident "id" [kinetic]
Executes the containment playbook for a specific incident.
do
zelfire contain incident "INC-2026-0042"
end
zelfire close incident "id" [kinetic]
Closes the incident and generates the final evidence pack.
do
zelfire close incident "INC-2026-0042"
end
AI Command Phrases (Speakable)
Natural language aliases for AINA commands. These are interchangeable with their full AINA equivalents. Designed for voice input and rapid typing.
ai summarize events [AI alias]
Alias for aina summarize events. Summarizes security events into a brief narrative for shift handoffs.
set summary = ai summarize events
ai explain finding [AI alias]
Alias for aina explain event. Translates raw logs or hex dumps into human-readable analysis.
set analysis = ai explain finding
ai classify alert [AI alias]
Uses AI to classify an alert into a category (malware, phishing, insider threat, policy violation, etc.) and assign a severity level.
set classification = ai classify alert
ai score incident [AI alias]
Alias for aina risk_score. Calculates a dynamic risk score (0-100) based on anomaly detection and behavioral analysis.
set risk = ai score incident
ai recommend actions [AI alias]
Alias for aina recommend. Suggests ranked next steps for an ongoing incident.
set steps = ai recommend actions
ai extract ioc from text [AI alias]
Alias for aina extract_ioc. Extracts Indicators of Compromise (IPs, domains, hashes, emails, URLs) from unstructured text.
set indicators = ai extract ioc from email_body
ai group alerts by field [AI alias]
Groups related alerts by a specified field (source IP, hostname, user, technique). Deduplicates noise into unified incidents.
set grouped = ai group alerts by "source_ip"
ai correlate events with intel [AI alias]
Cross-references internal events against threat intelligence feeds. Enriches events with known adversary context (APT group, campaign, TTPs).
set enriched = ai correlate events with intel
Built-in Functions
Standard library functions available in all ZelC programs.
now() [function]
Returns the current UTC timestamp.
set time = now()
len(value) [function]
Returns the length of a string or list.
set count = len(users)
is_internal_ip(ip) [function]
Returns true if the IP falls in an RFC 1918 private range: 10.0.0.0/8, 172.16.0.0/12 (172.16.x through 172.31.x) or 192.168.0.0/16.
when is_internal_ip(event.source_ip)
alert warning message "Internal IP flagged"
end
mask_secret(text) [function]
Replaces sensitive patterns (API keys, credit cards) with ****.
set safe = mask_secret(raw_log)
entropy(data) [function]
Calculates the Shannon entropy of data. Values close to the 8 bits-per-byte maximum suggest encrypted, compressed or packed content; the example treats anything above 7.5 as suspicious.
set e = entropy(payload)
when e > 7.5
alert warning message "Possible encrypted payload"
end
contains(text, substring) [function]
Returns true if the text contains the substring.
when contains(event.path, "/etc/shadow")
alert critical message "Shadow file access"
end
split(text, delimiter) [function]
Splits a string by delimiter into a list.
set parts = split(log_line, " ")
base64_encode(text) / base64_decode(text) [function]
Encode or decode Base64 strings.
set encoded = base64_encode("secret")
set decoded = base64_decode(encoded)
today() [function]
Returns the current date (without time component). Format: YYYY-MM-DD.
set date = today()
trace "Report date: {date}"
upper(text) [function]
Converts a string to uppercase.
set severity = upper("critical")
-- Result: "CRITICAL"
lower(text) [function]
Converts a string to lowercase.
set normalized = lower(event.username)
-- Result: "alice"
trim(text) [function]
Removes leading and trailing whitespace from a string.
set clean_input = trim(raw_input)
replace(text, old, new) [function]
Replaces all occurrences of a substring with a new value. The example below only strips one literal token and is not an HTML sanitizer: "<SCRIPT>" survives the case-sensitive match, and "<scr<script>ipt>" collapses back into "<script>" once the inner token is removed. Use replace for normalisation, not for neutralising untrusted input.
set sanitized = replace(user_input, "<script>", "")
join(list, delimiter) [function]
Joins a list of strings into a single string separated by the delimiter.
set ips = ["1.2.3.4", "5.6.7.8"]
set csv = join(ips, ", ")
-- Result: "1.2.3.4, 5.6.7.8"
is_valid_ip(text) [function]
Returns true if the text is a valid IPv4 or IPv6 address. Used for input validation before passing to kinetic actions.
when is_valid_ip(event.source_ip)
trace "Valid IP: {event.source_ip}"
end
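The following is an added example (not from the page or from Rocheston) that combines the validation and inspection built-ins above with the kinetic safety rule: it checks that the source address is well formed and external before any firewall verb runs, masks the raw log line before it reaches an alert or evidence record, and uses entropy to decide whether the payload deserves a block. It assumes the event carries source_ip, payload and raw_line fields; the last two are names chosen for illustration.

```zelc
-- Added example: validate inputs with the built-ins before a kinetic action.
-- event.payload and event.raw_line are illustrative field names.
check ValidatedAutoBlock
  keep ENTROPY_THRESHOLD = 7.5
  keep BLOCK_FOR = 2 hours

  set src = trim(event.source_ip)
  -- Never put a raw log line into an alert; it may carry keys or card numbers.
  set safe_line = mask_secret(event.raw_line)

  when is_valid_ip(src)
    when is_internal_ip(src)
      -- Blocking an internal host can take down a service; hand it to a human.
      alert warning message "Internal host {src} flagged, escalating instead of blocking"
      ticket open title "Internal host flagged: {src}" severity "medium"
    otherwise
      set e = entropy(event.payload)
      when e > ENTROPY_THRESHOLD
        alert high message "High-entropy payload (entropy {e}) from {src}: {safe_line}"
        do
          firewall block ip src for BLOCK_FOR
          evidence record "auto-block" details {
            ip: src,
            entropy: e,
            sample: safe_line
          }
        end
      otherwise
        trace "Entropy {e} for {src} is below {ENTROPY_THRESHOLD}; no action"
      end
    end
  otherwise
    -- Malformed input never reaches a kinetic verb.
    alert warning message "Malformed source address in event, refusing to block: {safe_line}"
  end
end
```

The nesting order is deliberate: the validity check is outermost so that an unparseable address can never reach the firewall verb, and the internal-range check comes before the entropy test so that a legitimate encrypted transfer from inside the network is routed to a ticket rather than blocked.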