Huginn

Early Access

Your network already knows when something's wrong.

Behavioral SIEM that learns your network. Device fingerprinting, anomaly detection, alert correlation. No rules to write, no agents to install.

Capabilities

Device Fingerprinting

Automatically identifies every device via DHCP, DNS, and traffic patterns using Hyperdimensional Memory vectors. No agents required.

Behavioral Anomaly Detection

Learns what's normal per device using predictive coding. Alerts when behavior changes. No thresholds to tune, no rules to write.

Alert Correlation

Spreading activation through the entity graph surfaces multi-stage attacks. A single anomaly is often noise; when independent suspicion signals converge on the same entity, the correlated alert is far more likely to be a real intrusion.

MITRE ATT&CK Mapping

Every detection maps to ATT&CK techniques. An interactive coverage heatmap shows which techniques have at least one mapped detection and where gaps exist.

Sigma Rules

Optional Sigma rule import for exact-match signatures. The behavioral engine handles the rest without writing a single rule.

Case Management

Group related alerts into cases. Add investigation notes. Track status. Export evidence for compliance audits.

Threat Intelligence

Match events against known-bad indicators. Import from AbuseIPDB, AlienVault OTX, or CSV. Auto-elevate matching alerts.

Zero Configuration

Plug in, point your syslog at it, done. Devices appear, baselines build, anomalies surface. No 40-hour setup marathon.

What is Huginn?

Huginn is a turnkey SIEM appliance that ingests standard network logs (syslog, CEF) and automatically discovers devices, learns behavioral baselines, and surfaces anomalies. No endpoint agents, no hand-written rules, no manual tuning.

Named after Odin’s raven Huginn, who flies across the world gathering news and reports back, Huginn passively observes your network traffic and builds a cognitive model of what’s normal. When something changes, you know.

How it works

1. Ingest. Point your firewall’s syslog output at Huginn. It parses syslog, CEF, DHCP, DNS, and firewall logs automatically. Fingerprinting and baselining depend on what the source actually logs, so make sure DHCP lease and DNS query logging are enabled on the gateway, not just firewall deny events.

2. Fingerprint. Every device is identified through Hyperdimensional Memory (HDM) vectors built from MAC OUI, DHCP options, hostname patterns, DNS behavior, and connection timing. Devices that randomize their MAC address are tracked via their DHCP hostname instead; this is a weaker identifier, since a hostname can be changed or omitted, and such a device is effectively a new device if the hostname changes too.

3. Learn. Predictive coding builds a behavioral baseline per device: typical DNS query volume, connection patterns, data transfer rates, time-of-day activity. No configuration required.

4. Detect. When a device deviates from its baseline, the prediction engine generates a surprise score. Spreading activation propagates that suspicion to the entities the device talks to in the entity graph. When independent signals converge on the same entity (collision detection), the correlated alert is flagged as a likely multi-stage attack.

5. Investigate. Every alert comes with MITRE ATT&CK mapping, recommended actions, and links to related events. Create cases, add notes, export evidence for compliance.

Built different

Most SIEMs detect threats by matching patterns against a database of known attacks. That works for known threats but misses anything that has no signature yet.

Huginn detects threats by understanding what’s normal and flagging what isn’t. A device that always queries 20 DNS domains suddenly querying 2,000? That’s a surprise, even if no rule exists for it. Two unrelated anomalies converging on the same server via different network paths? That’s a collision, and it’s exactly how lateral movement manifests.

This isn’t bolted-on ML. The detection engine is built from cognitive architecture components (HDM, spreading activation, predictive coding) that have been proven in a separate 32,000-line project. Security is just the domain.
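To make the baseline-and-collision idea from the steps above concrete, here is an added, self-contained illustration. It is not Huginn’s engine: Huginn uses predictive coding and HDM vectors, whereas this toy replaces the baseline with a plain per-device mean/standard-deviation of distinct DNS domains per day, and the spreading activation with a single hop over a device-to-server graph. The log format, device names (ws-alice, ws-bob, printer-3f, fileserver) and thresholds are all constructed for the example.

```python
"""Toy behavioral baseline + one-hop spreading activation (illustration only,
not Huginn's code). Constructed log format, not a real vendor format:
    "<day> dns <device> <domain>"      one DNS query
    "<day> conn <device> <server>"     one connection
"""
import re
import statistics
from collections import defaultdict

LINE = re.compile(r"^(\d+) (dns|conn) (\S+) (\S+)$")


def parse(lines):
    """Yield (day, kind, device, target); lines that don't match are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            day, kind, dev, target = m.groups()
            yield int(day), kind, dev, target


def distinct_domains_per_day(events):
    """device -> {day -> set of distinct domains queried that day}."""
    per = defaultdict(lambda: defaultdict(set))
    for day, kind, dev, target in events:
        if kind == "dns":
            per[dev][day].add(target)
    return per


def build_baselines(events, train_days):
    """Per-device (mean, population stdev) of distinct domains per day."""
    counts = distinct_domains_per_day(events)
    base = {}
    for dev, days in counts.items():
        xs = [len(days[d]) for d in train_days if d in days]
        if len(xs) >= 2:                     # need at least two days to baseline
            base[dev] = (statistics.mean(xs), statistics.pstdev(xs))
    return base


def surprise(value, mean, std, floor=1.0):
    """Clamped z-score: deviations above the baseline. `floor` keeps a perfectly
    steady device (std == 0) from producing an infinite score."""
    return max(0.0, (value - mean) / max(std, floor))


def surprise_scores(events, baselines, day):
    counts = distinct_domains_per_day(events)
    return {dev: surprise(len(counts[dev][day]), *baselines[dev])
            for dev in baselines if day in counts[dev]}


def entity_graph(events, day):
    """Undirected device<->server adjacency built from that day's connections."""
    adj = defaultdict(set)
    for d, kind, dev, target in events:
        if kind == "conn" and d == day:
            adj[dev].add(target)
            adj[target].add(dev)
    return adj


def spread_and_collide(scores, adj, threshold=3.0, decay=0.5):
    """Each device whose surprise exceeds `threshold` pushes decay*score to its
    neighbours. A node that receives activation from two or more independent
    sources is a collision. Returns (sources, {node: {source: activation}})."""
    sources = {dev: s for dev, s in scores.items() if s > threshold}
    received = defaultdict(dict)
    for src, s in sources.items():
        for nb in adj.get(src, ()):
            received[nb][src] = decay * s
    collisions = {n: srcs for n, srcs in received.items() if len(srcs) >= 2}
    return sources, collisions


def constructed_log():
    """Constructed sample: days 1-7 are quiet; on day 8 both workstations spike
    in DNS lookups and both reach the same file server."""
    lines = []
    for day in range(1, 9):
        lines += [f"{day} dns ws-alice d{i}.example" for i in range(20)]
        lines += [f"{day} dns ws-bob d{i}.example" for i in range(20 + day % 3)]
        lines += [f"{day} dns printer-3f p{i}.example" for i in range(3)]
        lines.append(f"{day} conn ws-alice fileserver")
        lines.append(f"{day} conn printer-3f printserver")
    lines += [f"8 dns ws-alice x{i}.example" for i in range(2000)]
    lines += [f"8 dns ws-bob y{i}.example" for i in range(200)]
    lines.append("8 conn ws-bob fileserver")
    return lines


if __name__ == "__main__":
    evts = list(parse(constructed_log()))
    base = build_baselines(evts, range(1, 8))
    scores = surprise_scores(evts, base, 8)
    srcs, hits = spread_and_collide(scores, entity_graph(evts, 8))
    print("surprise:", scores)
    print("collisions:", hits)
```

Run as a script it reports a surprise of 2000 for ws-alice (the 20-to-2,000 case from the text), 201 for ws-bob, 0 for the printer, and a single collision on fileserver fed by both workstations. The two design choices worth carrying into any real implementation are the `floor` in `surprise`, without which a device with a perfectly flat history produces an infinite score on its first change, and the requirement that a collision come from independent sources, so that one very noisy device cannot generate a collision on its own.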

Integrations

UniFi

First-class CEF log ingestion from UniFi Security Gateway and Dream Machine.

Sigma

Optional import of community detection rules for exact-match signatures.