Documentation

Everything you need to run Vigil — from quick install to MCP server configuration.

Installation

Git Clone (recommended)

git clone https://github.com/vigil-agency/vigil.git
cd vigil
cp .env.example .env
npm install
npm start
# → http://localhost:4100 (check startup logs for bootstrap password)

One-Liner

curl -fsSL https://raw.githubusercontent.com/vigil-agency/vigil/main/install.sh | bash

Prerequisites

Node.js 18+ (22 recommended)
Scanners (optional): nmap, nuclei, trivy, nikto, openssl, dig, whois
Docker CLI (optional, for container scanning)
PostgreSQL 17 (optional — works without it)
AI CLI (optional): claude or codex

Configuration

Copy .env.example to .env and customize:

Variable	Default	Description
`VIGIL_PORT`	4100	Server port
`VIGIL_USER`	admin	Default admin username
`VIGIL_PASS`	auto-generated	Bootstrap admin password (set it or read startup logs)
`DATABASE_URL`	—	PostgreSQL connection (optional)
`AI_PROVIDER`	—	`claude-cli` or `codex`
`ENCRYPTION_KEY`	auto	32-byte hex for credential vault
`DOCKER_HOST`	—	Docker socket for container scanning

Docker

git clone https://github.com/vigil-agency/vigil.git
cd vigil && cp .env.example .env
docker compose up -d
# Starts Vigil + PostgreSQL 17

The Docker image includes all scanners pre-installed (nmap, nuclei, trivy, nikto, openssl, dig/whois).

Scanners

Scanner	Purpose	Templates/Tests
Nmap	Network scanning, port discovery, service detection, OS fingerprinting	—
Nuclei	Template-based vulnerability scanning	9,000+
Trivy	Container/filesystem scanning, SBOM, secrets, misconfig	—
Nikto	Web server misconfiguration detection	6,700+
OpenSSL	Certificate chain analysis, cipher grading, protocol testing	—
dig/whois	DNS enumeration, zone transfer, WHOIS lookup	—
WAF Detection	WAF/CDN fingerprinting (30+ signatures), passive and active modes	30+
Code Audit	LLM-driven source code vulnerability scanning + binary analysis	7 vuln types

AI Integration (BYOK)

Vigil uses a Bring Your Own Key model. It shells out to CLI tools you install locally — zero AI cost for the product.

Provider	Command	Requires
Claude CLI	`claude --print`	Anthropic subscription
Codex CLI	`codex`	OpenAI API key
None	—	AI disabled, graceful degradation

AI powers: vulnerability triage, remediation guidance, incident postmortem, compliance gap analysis, threat briefings, NL-to-scanner commands.

Agents & Campaigns

27 built-in autonomous security agents that run parallel campaigns:

Vulnerability scanning and prioritization
Compliance auditing against frameworks
Threat hunting with hypothesis testing
OSINT reconnaissance (domain, IP, email, username, phone)
Adversarial analysis (5 Raptor agents with MUST-GATE reasoning)
Autonomous pentesting (P-E-R engine with dual causal graphs)
Purple Team MITRE ATT&CK kill chain simulation

MCP Server

Built-in Model Context Protocol server at POST /mcp (Streamable HTTP transport).

Connect from Claude Desktop

{
  "mcpServers": {
    "vigil": {
      "url": "http://localhost:4100/mcp",
      "transport": "streamable-http"
    }
  }
}

37 tools covering scanning, OSINT, pentesting, adversarial analysis, proxy infrastructure, compliance, incidents, and AI security assessment.

7 resources: security posture, threats, findings, code audit findings, WAF signatures, proxy nodes, AI security KB.

8 prompts: security audit, incident response, threat briefing, compliance report, code security review, WAF reconnaissance, anonymous pentest setup, AI security review.

Incident Response

Full lifecycle incident management:

Create, assign, escalate, resolve incidents
4 pre-built playbooks: ransomware, phishing, data breach, DDoS
Attack timeline visualization
AI-generated postmortem reports

Compliance

Built-in frameworks:

Framework	Controls
SOC 2	Trust Service Criteria
ISO 27001	Annex A controls
NIST 800-53	Security controls catalog
OWASP LLM Top 10	AI/LLM security (10 controls, MITRE ATLAS mapping)

Architecture

server.js              → Express + Socket.IO, auth, intervals
routes/  (~35 modules) → REST API endpoints
lib/     (~27 modules) → Scanner wrappers, AI, RBAC, crypto, engines
data/                  → JSON file stores (no DB required)
public/                → Vanilla JS frontend (37 views)
  css/                 → Vigil Dark theme (glass treatment)
  js/views/            → Self-registering ViewRegistry modules

6 npm dependencies: express, socket.io, pg, node-pty, multer, @modelcontextprotocol/sdk

37 Dashboard Views

Dashboard, Intel Hub, AI Terminal, AI Chat, MCP Playground, Security Agents, Campaigns, Pentest, Playbooks, Calendar, Notes, Git, GitHub Hub, Threat Feed, Alert Triage, Threat Hunt, Port Scanner, Vuln Scanner, Web Scanner, Container Security, SSL Monitor, DNS Security, Code Audit, Proxy Nodes, OSINT, Findings, Attack Timeline, Frameworks, Reports, Audit Log, Network, Log Analysis, Credentials, Notifications, Settings, Docs.

Auth & RBAC

PBKDF2 password hashing, auto-generated bootstrap password
Cookie sessions (vigil_session) or Bearer token
Optional TOTP 2FA with challenge-token flow (IP-bound, 5min TTL)
3 roles: admin (full), analyst (scan + view), viewer (read-only)
AES-256-GCM credential vault
Rate limiting: 5 login attempts per 15min window

Vigil Dark Theme

Glass treatment with backdrop blur. Signal system:

Cyan (#22d3ee) — secure, healthy, passing, active
Orange (#ff6b2b) — threats, vulnerabilities, warnings, critical

No green/red — all status indication uses the cyan/orange signal pair.

Roadmap

v1.1

Q2 2026

SIEM log ingestion, Slack/webhook notifications, scheduled report delivery, dark/light theme toggle, API key auth.

v1.2

Q3 2026

Multi-tenant mode, team workspaces, SSO/SAML, custom scanner plugins, Kubernetes scanning.

v2.0

Q4 2026

Cloud-hosted SaaS offering, mobile app, Google Cloud Marketplace, real-time collaborative investigations.