Profile
Manage your display name and profile information.
?
—
—
Free
This is how SARA will address you in conversations.
Linked to your Google account. Cannot be changed here.
SARA will respond in this language. Technical terms (CVEs, MITRE IDs, tool names) stay in English.
AI Model
Choose which AI model powers SARA's responses.
Loading...
Bring Your Own Model
Choose any LLM provider. SARA works with OpenAI, Claude, Gemini, Mistral, Groq, Ollama, or any OpenAI-compatible endpoint.
OmniSense Integration
Connect your SIRP OmniSense tenant to query live incidents, run agents, and execute response actions.
Prerequisites
1. A SIRP OmniSense tenant (e.g.,
https://your-company.sirp.io)2. Pro or Team plan on SARA Open
3. Either an API key or email + password (or both)
API key only: Recommended. Stateless, no session conflicts. Supports all features except multi-tenant switching.
Email + password: Enables multi-tenant switching and JWT-based features. May conflict with browser sessions.
Both: Best of both worlds. API key for data, credentials for admin features.
Email + password: Enables multi-tenant switching and JWT-based features. May conflict with browser sessions.
Both: Best of both worlds. API key for data, credentials for admin features.
What You Can Do
| Query incidents, alerts, cases | API key or credentials |
| View assets and risk scores | API key or credentials |
| Run agents (enrichment, analysis, triage) | API key or credentials |
| Execute actions (block IP, contain host) | API key required |
| Multi-tenant switching (MSSP) | Credentials required |
| Threat advisory feed ingestion | API key or credentials |
Your SIRP OmniSense instance URL (must be HTTPS)
To get your API key: OmniSense → Profile (bottom-left) → Profile Settings → API Key → Generate API Token
— or —
Stored encrypted. Used for JWT authentication and multi-tenant switching.
Switch between tenants you have access to. All queries will use the selected tenant's data.
-
Total Open
-
P1 Critical
-
P2 High
-
P3 Medium
-
P4 Low
Enabled Apps & Actions
Apps and actions available on your connected OmniSense tenant. Click to expand.
Loading capabilities...
SARA's Capabilities
What SARA can do for you — automatically selected based on your question.
🔍
IOC Enrichment
Paste an IP, hash, domain, or URL — SARA enriches via VirusTotal, AbuseIPDB, GreyNoise, and OTX with verdict and confidence score.
📧
Phishing Analysis
Paste a raw email with headers — SARA runs 25+ checks: SPF/DKIM/DMARC, header anomalies, URL deception, Base64 decoding, and generates a Sigma rule.
🚨
Alert Triage
Paste an alert (JSON, CEF, syslog) — SARA parses fields, maps MITRE, assesses risk, and produces a 10-section triage report with verdict.
🛡️
CVE & Threat Intelligence
Ask about any CVE, threat actor, or campaign — SARA searches KB + web for CVSS, EPSS, KEV status, impact, and detection guidance.
📐
Detection Engineering
Ask for Sigma, YARA, KQL, or SPL rules — SARA generates detection rules with field explanations, false positive guidance, and MITRE context.
🔗
URL & Article Analysis
Paste a URL to a security advisory, blog, or report — SARA scrapes, extracts IOCs, and produces a threat advisory brief.
⚡
OmniSense Tenant PRO
Query live incidents, run agents, view assets, execute response actions, check SOC metrics — all through natural language.
Investigation Skills
Skills transform SARA into a specialist. When active, SARA uses an agent loop with tools instead of the standard pipeline — investigating step by step like a senior analyst.
Loading skills...
How Skills Work
- Standard mode — SARA runs a fixed pipeline: analyze → enrich → respond in one shot
- Skill mode — SARA uses an agent loop: call tools → examine results → decide next step → iterate up to 12 times
- Each skill defines: investigation steps, preferred tools, output format, and hard rules
- Activate from the welcome screen (skill pills) or here
- Deactivate to return to standard mode
SARA's Memory
SARA remembers your preferences, corrections, and investigation patterns to personalize responses across sessions.
Add a Memory
Stored Memories (0)
Loading...
How Memory Works
- Preferences — "I prefer EPSS over CVSS" → SARA prioritizes EPSS in CVE analysis
- Corrections — "10.0.0.0/8 is our internal range" → SARA won't flag as malicious
- Expertise — "I'm a senior SOC analyst" → SARA adjusts detail level
- Context — "We use CrowdStrike + Splunk" → SARA references your stack
- Patterns — "I always check SPF/DKIM first" → SARA learns your workflow
- Memories decay if not accessed — confidence drops 20% per week
- Thumbs-down feedback with a comment auto-creates a correction memory
Privacy & Data
Your data, your control. SARA stores conversations to provide chat history — you can delete them anytime.
How Your Data Is Used
✓
Conversations — stored to provide chat history. You can delete individual chats from the sidebar or all history below.
✓
Credentials — OmniSense and LLM API keys are encrypted at rest (Fernet). Never stored in plaintext.
✓
IOC queries — IOCs you submit are enriched and stored for your reference in the observable database.
✗
Not used for training — your conversations are never used to train or fine-tune AI models.
✗
Not shared — your data is not shared with third parties. LLM providers process queries but do not retain them.
Delete All Conversations
Permanently delete all your saved conversations from both your browser and the server. This cannot be undone.
Delete Account
Remove your account and all associated data permanently — conversations, settings, API keys, integrations.
Billing & Plans
Upgrade your plan to unlock more messages, full enrichment, and OmniSense connectivity.
Current Subscription
Plan
-
Billing cycle
-
Status
-
Renews on
-
Your Plan
Current usage and rate limits for your account.
-
Queries this hour
- / -
-
Used this hour
-
Remaining
-
Hourly limit
Message Breakdown
Total messages sent across all sessions.
-
Total messages
-
Today
API Access
Programmatic access to SARA's intelligence. Use API keys to integrate with your SOAR, SIEM, or custom tools. View full API documentation →
Your API Keys
Loading...
New API Key Created
Copy this key now — it won't be shown again.
Quick Start
All endpoints require the
x-api-key header.
POST /api/v1/chat/completions OpenAI Compatible
Drop-in replacement for OpenAI API. Works with any OpenAI SDK, LangChain, or SOAR integration.
curl -X POST https://sara-open.sirp.io/api/v1/chat/completions \
-H "x-api-key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"model":"sara","messages":[{"role":"user","content":"What is CVE-2024-3400?"}]}'
Response format (OpenAI)
{
"id": "chatcmpl-abc123",
"object": "chat.completion",
"model": "sara",
"choices": [{"index":0,"message":{"role":"assistant","content":"..."},"finish_reason":"stop"}],
"usage": {"prompt_tokens":150,"completion_tokens":200,"total_tokens":350}
}
Python SDK example
from openai import OpenAI
client = OpenAI(base_url="https://sara-open.sirp.io/api/v1", api_key="YOUR_KEY")
r = client.chat.completions.create(model="sara", messages=[{"role":"user","content":"..."}])
print(r.choices[0].message.content)
POST /api/v1/chat SARA Native
SARA's native format with mode, sources, and detected IOCs.
curl -X POST https://sara-open.sirp.io/api/v1/chat \
-H "x-api-key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"message": "What is CVE-2024-3400?"}'
Response format
{
"response": "CVE-2024-3400 is a critical...",
"mode": "threat_intel",
"sources": ["Knowledge Base", "NVD"],
"iocs_detected": [],
"remaining_this_hour": 499,
"hourly_limit": 500
}
POST /api/v1/enrich
IOC enrichment — up to 20 IOCs per request.
curl -X POST https://sara-open.sirp.io/api/v1/enrich \
-H "x-api-key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"iocs": [{"value": "8.8.8.8", "type": "ip"}]}'
POST /api/v1/analyze
Alert, email, or CVE analysis. Types: alert, email, cve, auto.
curl -X POST https://sara-open.sirp.io/api/v1/analyze \
-H "x-api-key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"content": "EventID=4625 ...", "type": "alert"}'
Rate Limits: Pro: 200 req/hr (3 keys) | Team: 500 req/hr (10 keys)
Auth:
Multi-turn: Use
Auth:
x-api-key: sara_... header on every requestMulti-turn: Use
{"messages": [...]} for conversation context
Connectors
Create custom webhook actions and connect external AI agents. Connectors start in dry-run mode for safety.
Loading...
New Connector
Configure your connector's endpoint, triggers, and authentication.
Basics
Webhook: calls an HTTP endpoint. A2A Agent: routes queries to an external AI agent.
Connection
Encrypted at rest. For basic auth, use format: username:password
Triggers & Target
Comma-separated phrases that activate this plugin in chat.
Use {target}, {reason}, {user} as variables. They'll be substituted at execution time.
Agent Configuration
Comma-separated keywords that this agent can handle. SARA matches these against user queries.