i've been building a thing called triagelens. you give it security logs, it finds the suspicious stuff, maps it to mitre att&ck, scores the whole run 0-100, and writes a short analyst-style report. but the feature i keep coming back to isn't a detection. it's that you can run the entire thing with no api key, no account, and no config file. sounds small. it took me two wrong turns to get there.

here's what kicked it off. i showed an early build to a friend who's also grinding through security certs. i said "just clone it and run it, it's easy." about twenty minutes later he texted me asking where the api key goes. there was a .env step. the readme mentioned it somewhere near the bottom. by the time he found it he'd already lost interest. the tool worked. the first thirty seconds of using it didn't, and that's the part that decides whether anyone sticks around.

that annoyed me more than a real bug would have. the detections were the part i actually cared about, and nobody was getting far enough to see them because setup ate the curiosity first.

so i changed what happens by default. there are three ways to run the report-writing layer now, and the one that loads first needs nothing:

demo: rule-based text, no key, no network call, so the logs you feed it never leave the machine. this is the default.