Open Source AI Security Framework

K.O.D.A.

K: Kinetic
O: Operative
D: Defense
A: Agent

Scanner integration, real-time monitoring, event correlation, and automated response. Pure Python. Zero dependencies. Any LLM.

10,000+ lines of security infrastructure. 23 LLM-callable tools. Works with Ollama, Claude, OpenAI, or any OpenAI-compatible API.

pip install koda-agent

The Name

Every defense system needs a name that means something. K.O.D.A. isn't an acronym bolted on after the fact — it's the design philosophy.

Kinetic — it moves. Scans propagate, events correlate, responses fire. No waiting for a human to click “run.”

Operative — it works autonomously. 23 tools, any LLM, zero hand-holding. Point it at your infrastructure and it operates.

Defense — not offense. K.O.D.A. hardens, monitors, detects, contains. Every action is reversible. Dry-run by default.

Agent — not a script. K.O.D.A. reasons about what it finds. It chains scanners, correlates events across time, and decides what matters.

How it works

Five stages. Every stage is an LLM-callable tool.

Scan

7 scanners. Semgrep, Trivy, Bandit, Gitleaks, Nuclei, OSV, Nmap.

Enrich

NVD CVE data, CISA KEV, EPSS scores. Context, not just findings.

Correlate

Chain events across time windows. Detect multi-step attacks.

Respond

Block, kill, quarantine, disable. Reversible. Time-boxed.

Report

SARIF 2.1.0. GitHub Code Scanning. CI/CD. Any format.

Built for real infrastructure

Not a toy. Not a wrapper. A full security pipeline you can point at production.

Scanner Integration (7 scanners)

Wraps Semgrep, Trivy, Bandit, Gitleaks, Nuclei, OSV-Scanner, and Nmap. Unified output from any combination.

SCA Policy Engine (14 checks)

YAML-based Security Configuration Assessment. Compliance mapping to PCI-DSS, NIST 800-53, CIS, and MITRE ATT&CK.

Event Correlation (6 rules)

Stateful rule engine chains events across time windows. Built-in detection for brute force, port scans, cryptominers, and privilege escalation.
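To make the "stateful rule engine across time windows" concrete, here is an added example (my own code, not K.O.D.A.'s correlation.py): a threshold-over-sliding-window rule fed with constructed sshd auth log lines. The log lines, the rule name `ssh_brute_force`, the threshold of 5 failures in 60 seconds and every class name below are assumptions for illustration; the engine keeps one deque of timestamps per (rule, key), evicts timestamps older than the window, and fires at most once per window per key so a sustained burst does not produce an alert per line.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Tuple

# Constructed sample auth log (not real data), in the usual sshd wording.
SAMPLE_AUTH_LOG = """\
2024-01-15T10:00:01 sshd[101]: Failed password for root from 10.0.0.5 port 51000 ssh2
2024-01-15T10:00:04 sshd[102]: Failed password for admin from 10.0.0.5 port 51001 ssh2
2024-01-15T10:00:09 sshd[103]: Failed password for root from 10.0.0.5 port 51002 ssh2
2024-01-15T10:00:15 sshd[104]: Failed password for invalid user test from 10.0.0.5 port 51003 ssh2
2024-01-15T10:00:20 sshd[105]: Failed password for root from 10.0.0.5 port 51004 ssh2
2024-01-15T10:00:30 sshd[106]: Failed password for alice from 10.0.0.9 port 40000 ssh2
2024-01-15T10:05:00 sshd[107]: Failed password for alice from 10.0.0.9 port 40001 ssh2
2024-01-15T10:06:00 sshd[108]: Accepted password for alice from 10.0.0.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Event:
    ts: datetime
    kind: str   # "auth_failure" or "auth_success"
    user: str
    src: str


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]   # which events this rule counts
    key: Callable[[Event], str]      # what the count is grouped by (here: source IP)
    threshold: int
    window: timedelta


@dataclass
class Alert:
    rule: str
    key: str
    count: int
    first: datetime
    last: datetime


def parse_line(line: str):
    """Turn one sshd log line into an Event, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind = "auth_failure" if m["outcome"] == "Failed" else "auth_success"
    return Event(datetime.fromisoformat(m["ts"]), kind, m["user"], m["src"])


class CorrelationEngine:
    """Sliding-window counter per (rule, key); state survives across feed() calls."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self._last_fired: Dict[Tuple[str, str], datetime] = {}

    def feed(self, ev: Event) -> List[Alert]:
        alerts: List[Alert] = []
        for rule in self.rules:
            if not rule.match(ev):
                continue
            key = (rule.name, rule.key(ev))
            win = self._windows[key]
            win.append(ev.ts)
            cutoff = ev.ts - rule.window
            while win and win[0] < cutoff:      # evict timestamps outside the window
                win.popleft()
            last = self._last_fired.get(key)
            if len(win) >= rule.threshold and (last is None or ev.ts - last >= rule.window):
                self._last_fired[key] = ev.ts   # suppress repeats for one window
                alerts.append(Alert(rule.name, key[1], len(win), win[0], win[-1]))
        return alerts


# Hypothetical rule: 5 or more failed logins from one source within 60 seconds.
BRUTE_FORCE = Rule(
    name="ssh_brute_force",
    match=lambda e: e.kind == "auth_failure",
    key=lambda e: e.src,
    threshold=5,
    window=timedelta(seconds=60),
)


def run(log_text: str, rules=(BRUTE_FORCE,)) -> List[Alert]:
    engine = CorrelationEngine(list(rules))
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            alerts.extend(engine.feed(ev))
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_AUTH_LOG):
        print(f"{a.rule}: {a.key} had {a.count} failures between {a.first} and {a.last}")
```

Only 10.0.0.5 trips the rule; 10.0.0.9's two failures are four and a half minutes apart, so the first one has been evicted from the window by the time the second arrives. A port-scan or privilege-escalation rule fits the same shape with a different `match` and `key`.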

Active Response (8 actions)

Automated, reversible containment — block IPs, kill processes, quarantine files, disable accounts. Time-boxed with auto-reversal.
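The two properties named here, dry-run by default and time-boxed auto-reversal, are easy to get wrong, so here is an added example of the pattern (my own code, not K.O.D.A.'s response.py). Every action carries both an `apply` and a `revert` callable plus a TTL; the responder records when it applied the action and reverses it on the next `expire()` sweep after the TTL has elapsed. The clock is injectable so the expiry path can be exercised without sleeping, and the plain `set` used as a blocklist stands in for a real firewall table; all names are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class ResponseAction:
    kind: str
    target: str
    apply: Callable[[], None]
    revert: Callable[[], None]
    ttl_seconds: float
    dry_run: bool = True
    applied_at: Optional[float] = None
    reverted: bool = False


class Responder:
    """Executes containment actions and reverses them once their TTL expires.

    `clock` returns seconds (time.monotonic by default) and is injectable
    so the expiry logic can be tested deterministically.  Dry-run is the
    default: nothing is changed unless the caller opts in.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic, dry_run: bool = True):
        self.clock = clock
        self.dry_run = dry_run
        self.active: List[ResponseAction] = []
        self.audit: List[str] = []   # every decision is logged, even dry runs

    def execute(self, action: ResponseAction) -> ResponseAction:
        action.dry_run = self.dry_run
        if self.dry_run:
            self.audit.append(f"DRY-RUN {action.kind} {action.target} ttl={action.ttl_seconds:.0f}s")
        else:
            action.apply()
            self.audit.append(f"APPLIED {action.kind} {action.target} ttl={action.ttl_seconds:.0f}s")
        action.applied_at = self.clock()
        self.active.append(action)   # tracked either way so expiry is visible in dry-run too
        return action

    def block_ip(self, ip: str, ttl_seconds: float, blocklist: Set[str]) -> ResponseAction:
        """`blocklist` is a set standing in for a firewall rule table (hypothetical)."""
        return self.execute(ResponseAction(
            kind="block_ip",
            target=ip,
            apply=lambda: blocklist.add(ip),
            revert=lambda: blocklist.discard(ip),
            ttl_seconds=ttl_seconds,
        ))

    def expire(self) -> List[ResponseAction]:
        """Reverse every active action whose TTL has elapsed; returns what was reverted."""
        now = self.clock()
        done: List[ResponseAction] = []
        for a in self.active:
            if a.applied_at is not None and now - a.applied_at >= a.ttl_seconds:
                if not a.dry_run:
                    a.revert()
                a.reverted = True
                self.audit.append(f"REVERTED {a.kind} {a.target}")
                done.append(a)
        self.active = [a for a in self.active if not a.reverted]
        return done


class FakeClock:
    """Test clock: advances only when told to."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    blocklist: Set[str] = set()
    clock = FakeClock(1000.0)
    r = Responder(clock.now, dry_run=False)
    r.block_ip("10.0.0.5", ttl_seconds=300, blocklist=blocklist)
    clock.advance(300)
    r.expire()
    print("\n".join(r.audit))
```

In a long-running process `expire()` would be called from the monitor loop; the important design point is that the reversal is scheduled at the moment the action is applied, not left for an operator to remember.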

Guardian Monitor (always-on)

Real-time file integrity monitoring, auth log analysis, suspicious process detection, and anomalous network connection alerting.

SARIF 2.1.0 (standard)

Full SARIF parser and generator. Import from any tool, export for GitHub Code Scanning, VS Code, and CI/CD pipelines.
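To show what a unified-finding to SARIF round trip looks like, here is an added example (my own code, not K.O.D.A.'s sarif/ package or its UnifiedFinding model). It emits the minimum a SARIF 2.1.0 consumer such as GitHub Code Scanning needs (version, tool driver with rules, results with a level, message and physical location) and parses such a log back. The `UnifiedFinding` fields, the severity-to-level mapping, the sample findings and the tool name are all assumptions; scanner and original severity travel in SARIF property bags so they survive the round trip.

```python
import json
from dataclasses import dataclass
from typing import Dict, List

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# SARIF result.level only knows error/warning/note/none, so a five-step
# severity scale has to be folded down on export and recovered from properties.
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


@dataclass
class UnifiedFinding:
    scanner: str
    rule_id: str
    severity: str   # critical | high | medium | low | info
    message: str
    path: str
    line: int


# Constructed sample findings; rule ids and paths are illustrative only.
SAMPLE_FINDINGS = [
    UnifiedFinding("bandit", "B105", "high", "Possible hardcoded password", "app/config.py", 12),
    UnifiedFinding("semgrep", "py.exec-use", "medium", "Use of exec() detected", "app/run.py", 40),
    UnifiedFinding("bandit", "B105", "high", "Possible hardcoded password", "app/settings.py", 7),
]


def to_sarif(findings: List[UnifiedFinding], tool_name: str) -> Dict:
    """Build a SARIF 2.1.0 log with one run; rules are deduplicated by id."""
    rules: Dict[str, Dict] = {}
    results: List[Dict] = []
    for f in findings:
        rules.setdefault(f.rule_id, {
            "id": f.rule_id,
            "shortDescription": {"text": f.message},
            "properties": {"scanner": f.scanner},
        })
        results.append({
            "ruleId": f.rule_id,
            "level": SEVERITY_TO_LEVEL[f.severity],
            "message": {"text": f.message},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f.path},
                "region": {"startLine": f.line},
            }}],
            "properties": {"scanner": f.scanner, "severity": f.severity},
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def from_sarif(doc: Dict) -> List[UnifiedFinding]:
    """Parse any SARIF 2.1.0 log into findings, tolerating missing optional fields."""
    findings: List[UnifiedFinding] = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            props = r.get("properties", {})
            findings.append(UnifiedFinding(
                scanner=props.get("scanner", tool),
                rule_id=r.get("ruleId", "unknown"),
                severity=props.get("severity", LEVEL_TO_SEVERITY.get(r.get("level", "warning"), "medium")),
                message=r.get("message", {}).get("text", ""),
                path=loc.get("artifactLocation", {}).get("uri", ""),
                line=loc.get("region", {}).get("startLine", 0),
            ))
    return findings


if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS, "koda"), indent=2))
```

The fallback branches in `from_sarif` matter when importing logs from tools that omit `properties` or `locations`; that is where most "any tool" importers break.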

Get started in 60 seconds

$ pip install koda-agent

# Scan a project
$ koda scan ./my-project

# Security configuration assessment
$ koda sca

# Real-time monitoring
$ koda guard

Architecture

koda/
  security/
    findings.py      # UnifiedFinding model + FindingStore
    scanners/        # Semgrep, Trivy, Bandit, Gitleaks, Nuclei, OSV, Nmap
    sarif/           # SARIF 2.1.0 parser + generator
    enrichment.py    # NVD CVE, CISA KEV, EPSS enrichment
    sca.py           # YAML policy engine + compliance mapping
    correlation.py   # Stateful event correlation engine
    response.py      # Active response + auto-responder
    guardian.py      # Real-time file/auth/process/network monitor
    hardening.py     # System configuration auditor
    roles.py         # Hardcoded agent roles
    workflow.py      # Assessment pipeline orchestration
    report.py        # Multi-format report generation
  security_tools.py  # 23 LLM-callable tool registrations
  gateway.py         # Agent runtime (Ollama, Claude, OpenAI)

Start securing your systems

K.O.D.A. is free, open source, and built by Vektra Industries.