Back to blog

March 11, 2026

Introducing OpenKai: Why Your Security Team Should Build Its Own AI Platform

OpenGuardrails Team ยท Product & Securityยท15 min readยทOpen Source, AI Agents, Enterprise Security, OpenKai

โ€œThe era of buying security platforms from vendors is ending. The era of building your own โ€” with AI โ€” has begun.โ€

The Problem Nobody Talks About

Enterprise security teams are drowning. Not in threats โ€” in tools.

The average large enterprise runs 60 to 80 security products. Vulnerability scanners, SIEM, SOAR, EDR, CSPM, SAST, SCA, identity platforms, compliance tools, threat intelligence feeds. Each one generates alerts. Each one has its own dashboard. Each one demands a human to interpret its output, triage its findings, and manually bridge the gap to the next tool in the chain.

The result? Security analysts spend 80% of their time on toil โ€” triaging false positives, copying data between systems, writing tickets, updating spreadsheets, and attending handoff meetings. The remaining 20% is the only time they spend actually defending the organization.

Meanwhile, attackers have no such problem. They are already using AI to automate reconnaissance, generate phishing campaigns, discover vulnerabilities, and move laterally at machine speed. The asymmetry is accelerating.

The security industry's answer has been predictable: build another product. Sell another platform. Add another vendor to the stack. We think that answer is wrong.

A Different Thesis

In the age of AI, enterprise security teams do not need another vendor's platform. They need the capability to build and operate their own.

This is not a radical claim. It is the logical consequence of two shifts happening simultaneously.

First, agentic AI has made autonomous security operations possible. Large language models can now reason about vulnerabilities, generate detection rules, analyze threat intelligence, triage findings, and produce remediation guidance โ€” not as a demo, but at production quality. An AI agent can process 15 million vulnerability findings in 10 hours. It can reduce SAST false positives by 65%. It can compress a four-week threat modeling exercise into minutes.

Second, AI coding assistants have made custom software development radically faster. A senior security engineer with an AI coding assistant can build a working integration with their internal CMDB in an afternoon. They can write a custom detection rule generator tuned to their specific SIEM in a day. They can extend an open-source agent with a new security skill in hours. The bottleneck is no longer engineering capacity. It is imagination.

Put these two shifts together and the implication is clear: the security team that builds its own AI-native platform, tailored to its own environment, will outperform the one that waits for a vendor to ship a one-size-fits-all product.

Today we are releasing OpenKai โ€” an open-source project designed to make this possible. It is available now at github.com/openkai-security/openkai.

What OpenKai Is

OpenKai is an overlay that transforms OpenClaw, an open-source autonomous agent runtime, into a cybersecurity-focused agentic AI platform. It is not a fork. It is not a new runtime. It is a set of configurations, extensions, agents, skills, and connectors that give OpenClaw the knowledge, tools, and structure to perform security work autonomously.

When you run the OpenKai setup script against an OpenClaw installation, you get:

Nine Specialist Security Agents

  • OpenKai Commander โ€” the orchestrator that routes and coordinates tasks
  • Vulnerability Analyst โ€” triages millions of findings using CVSS, EPSS, CISA KEV, and asset context
  • Detection Engineer โ€” generates, tunes, and validates SIEM rules in Sigma, SPL, KQL, and EQL
  • Asset Manager โ€” discovers and enriches IT and OT assets, maps ownership, finds shadow IT
  • Threat Intel Analyst โ€” processes threat reports, extracts IOCs, maps TTPs to MITRE ATT&CK
  • Compliance Auditor โ€” assesses posture against NIST, ISO 27001, SOC 2, PCI DSS, HIPAA, CIS
  • AppSec Analyst โ€” triages SAST and SCA findings, generates developer-ready code fixes
  • Identity Guardian โ€” audits IAM policies, detects over-privilege, generates least-privilege policies
  • Log Optimizer โ€” analyzes log pipelines and generates routing rules to cut SIEM costs

Platform Capabilities

  • 25+ security tools that agents can invoke โ€” from risk scoring calculators and NVD/EPSS/KEV lookups to detection rule generators and compliance gap analyzers
  • 15 open-source connectors for the security tools enterprises actually use: Splunk, Elasticsearch, Microsoft Sentinel, CrowdStrike, Qualys, Tenable, Snyk, Semgrep, SonarQube, GitHub Advanced Security, Jira, ServiceNow, Wiz, Orca, and Nessus
  • 9 expert skills โ€” reusable security analysis methodologies that encode how experienced practitioners actually approach vulnerability triage, threat modeling, detection engineering, compliance auditing, and more
  • Full i18n support, starting with English and Spanish

All of it is Apache 2.0 licensed. All of it runs in your environment. All of it is designed to be extended.

How It Works

OpenKai does not modify OpenClaw's source code. It operates as a pure overlay. The setup script symlinks OpenKai's extensions and agents into OpenClaw's plugin directories and writes a configuration overlay. OpenClaw's gateway loads everything at startup. The commander agent becomes available on whatever channels you have configured โ€” Slack, Discord, Microsoft Teams, or the built-in WebChat.

When a security team member sends a message like "triage the latest Qualys scan results and create Jira tickets for anything critical," the commander agent:

  • Parses the request and identifies the domains involved (vulnerability management + ITSM)
  • Delegates to the vulnerability analyst agent, which pulls data via the Qualys connector
  • Runs each finding through the risk scoring engine (CVSS ร— EPSS ร— KEV ร— asset context)
  • Eliminates false positives using the vuln-triage skill methodology
  • Hands critical findings to the Jira connector to create tickets
  • Returns a structured summary with risk scores, remediation steps, and ticket links

The entire flow is autonomous. No dashboard hopping. No copy-paste between tools. No manual triage spreadsheets.

Why Open Source Matters Here

Commercial agentic security platforms are emerging. Some are impressive. But they share a structural limitation: they are black boxes making security decisions on your behalf.

When a commercial platform triages a vulnerability as a false positive, you have to trust its reasoning. When it generates a detection rule, you cannot inspect the methodology. When it makes an IAM policy recommendation, you cannot audit the logic. You are outsourcing not just labor, but judgment โ€” to a system you cannot examine.

For security teams, this is backwards. Security is the one domain where auditability, transparency, and control are non-negotiable.

OpenKai takes the opposite approach:

  • Every agent prompt is readable. You can see exactly what instructions the vulnerability analyst follows when triaging findings. You can modify them for your environment.
  • Every tool is inspectable. The risk scoring formula, the NVD lookup logic โ€” no black boxes.
  • Every connector is open. The Splunk integration, the CrowdStrike API calls, the Jira ticket creation โ€” all visible, all modifiable, all contributable.
  • Every skill encodes methodology. The vuln-triage skill documents the exact classification taxonomy, scoring factors, and output format. A new analyst can read it and understand how the system thinks.

This is not just a philosophical preference. It has practical consequences. When a CISO asks "why did the system classify this CVE as low risk?" the answer is not "the vendor's model decided." The answer is in the code.

The Connector Economy

One of OpenKai's most important design decisions is making connectors first-class, open-source citizens.

Every enterprise has a different security stack. One uses Splunk and CrowdStrike. Another uses Elastic and SentinelOne. A third has a homegrown CMDB and a legacy Nessus deployment. No commercial platform can pre-build integrations for every combination.

OpenKai solves this with an open connector model. Each connector is a self-contained TypeScript plugin that authenticates with an external tool, registers tools that any agent can invoke, handles errors gracefully when not configured, and can be contributed by anyone in the community.

We ship 15 connectors today. But the real power is that any security engineer โ€” with an AI coding assistant โ€” can build a new connector in an afternoon.

We expect the connector library to grow rapidly. When a team at an energy company builds a connector for their OT monitoring platform, every other energy company benefits. When a financial services team contributes a connector for their GRC tool, the entire community levels up. This is the network effect that closed platforms cannot replicate.

Who This Is For

OpenKai is designed for enterprise security teams that:

  • Have the ambition to own their security platform rather than rent it from a vendor
  • Operate complex environments spanning IT and OT, cloud and on-premise, multiple business units
  • Are already using or evaluating AI coding assistants and understand that AI-assisted development changes what is possible
  • Value transparency and auditability in security decision-making
  • Want to move faster than vendor roadmaps allow

It is particularly well-suited for organizations in energy, manufacturing, pharmaceuticals, automotive, and critical infrastructure โ€” industries where OT security, regulatory compliance, and environmental specificity make one-size-fits-all platforms especially inadequate.

OpenKai is not a replacement for security expertise. It is a force multiplier for the expertise you already have. The security engineer who understands your environment still makes the strategic decisions. OpenKai handles the toil at machine speed.

What Comes Next

This is v0.1.0. It is a foundation, not a finished product. Here is what we are focused on next:

  • More connectors โ€” AWS Security Hub, Azure Security Center, GCP Security Command Center, Palo Alto, Fortinet, and more
  • Memory and learning โ€” persistent memory that lets agents learn from your environment over time
  • Workflow orchestration โ€” define multi-step security workflows as declarative pipelines
  • Expanded language support โ€” additional i18n localizations beyond English and Spanish
  • Community-driven skills โ€” a growing library of security analysis methodologies contributed by practitioners

Get Involved

OpenKai is Apache 2.0 licensed and available now at github.com/openkai-security/openkai.

If you build a connector, write a skill, or adapt OpenKai for your environment โ€” we want to hear about it. Open a pull request. File an issue. Start a discussion.

โ€œThe future of enterprise security is not buying better tools. It is building better capabilities. OpenKai is where that starts.โ€

At OpenGuardrails, our mission remains the same: Build Fearlessly โ€” We Secure Your AI. OpenKai extends that mission by giving security teams the open-source foundation to build AI-native security operations tailored to their own environment. Combined with our threat research and guardrails platform, we are building the security infrastructure the AI era demands.