SOCFortress handles the full server-side installation of Talon. There is one step that must be completed by the client: generating and adding a personal Claude OAuth token. This article explains the split of responsibilities and walks through every step of the process.
Talon is an automated AI SOC analyst built by SOCFortress. It integrates with the CoPilot stack, pulling raw events from your Wazuh/OpenSearch SIEM, enriching them with threat intelligence, and writing structured investigation reports back into CoPilot.
Because Talon uses the Claude Code API to power its AI analysis, each deployment requires a Claude OAuth token tied to a Claude account. SOCFortress cannot generate this on the client's behalf — the token is personal to the account holder and must be created and added by the client.
The Claude OAuth token (sk-ant-oat01-...) is tied to an individual Anthropic account and authorises API usage billed to that account. SOCFortress completes all infrastructure work, but the Claude account and token must belong to the client.
SOCFortress completes the following steps before handing over to the client. No action is required from the client for any of these.
/opt/talon
npm install && npm run build
~/.config/nanoclaw/mount-allowlist.json
bash siem/setup.sh
siem/.env
bash mysql/setup.sh
mysql/.env
bash copilot-mcp/setup.sh
copilot-mcp/.env
bash wazuh-mcp/setup.sh
wazuh-mcp/.env
bash velociraptor-mcp/setup.sh
api.config.yaml
bash mempalace/setup.sh
CONTAINER_RUNTIME=docker ./container/build.sh
talon.service
/health
After SOCFortress completes the installation, the client needs to complete one task: generate a Claude OAuth token and add it to the .env file.
You need an active Claude account (claude.ai). A free account is sufficient to generate the token; however, a Claude Pro or Team subscription is recommended for production SOC workloads.
Repository is cloned to /opt/talon and the Node.js application is compiled.
    git clone https://github.com/taylorwalton/talon.git /opt/talon
    cd /opt/talon
    npm install && npm run build
The root .env is created with all fields. The OAuth token placeholder is left for the client to fill in (Step 13).
    # /opt/talon/.env
    CLAUDE_CODE_OAUTH_TOKEN=YOUR_TOKEN_HERE   # ← client fills this in
    HTTP_API_KEY=
    # WEBHOOK_URL=...
    # CREDENTIAL_PROXY_HOST=127.0.0.1
Security policy controlling which host directories can be mounted into agent containers.
Setup scripts are run for each integration and credentials are populated in their respective .env files: OpenSearch/SIEM, MySQL/CoPilot DB, CoPilot REST API, Wazuh, Velociraptor, and MemPalace persistent memory.
The agent Docker container is built and the talon.service systemd unit is installed and enabled. The service will start but Talon will not be able to run investigations until the OAuth token is added.
SSH onto the Talon VM, generate your personal Claude OAuth token, and add it to the .env file. Full instructions are in the next section.
Restart the service and confirm the health endpoint responds and the token is recognised.
    systemctl restart talon
    curl http://localhost:3100/health
Your OAuth token authorises API calls on your Anthropic account. Treat it like a password — never share it or commit it to version control.
Connect to the VM that SOCFortress provisioned for you. The Talon application is installed at /opt/talon.
cd /opt/talon
Run the following command. You will be prompted to log in to your Claude account in a browser. Once authenticated, the token will be printed to your terminal.
    # Log into your account
    claude
    # Then generate setup-token
    claude setup-token
The output will look like:
    Your Claude OAuth token: sk-ant-oat01-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Copy this token and add it to your .env file.
Copy the full token — you will need it in the next step.
Open the .env file with any editor:
nano /opt/talon/.env
Find the line that reads CLAUDE_CODE_OAUTH_TOKEN=YOUR_TOKEN_HERE and replace the placeholder with your token:
    CLAUDE_CODE_OAUTH_TOKEN=sk-ant-oat01-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    # Optional: webhook endpoint for the 15-minute SOC alert digest
    # WEBHOOK_URL=https://your-endpoint.example.com/talon-digest
    # WEBHOOK_SECRET=optional-bearer-token

    # Required: API key for all HTTP channel requests (except /health)
    HTTP_API_KEY=

    # Optional: restrict the credential proxy to loopback only (default: 0.0.0.0)
    # CREDENTIAL_PROXY_HOST=127.0.0.1
Save and close the file (Ctrl+O, then Ctrl+X in nano).
    systemctl restart talon
    systemctl status talon   # confirm it is running
Once the service is restarted with a valid token, use these commands to confirm everything is working:
    # Health check (no auth required)
    curl http://localhost:3100/health

    # Set your API key
    export TALON_API_KEY="your-http-api-key"

    # Test SIEM connectivity
    curl -s -N -X POST http://localhost:3100/message \
      -H "Content-Type: application/json" \
      -H "x-api-key: $TALON_API_KEY" \
      -d '{"message": "Check cluster health", "sender": "test"}'
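A static check of the edited file complements these commands. The following is an added example, not part of the original article or the Talon project: a shell function that audits the .env for the conditions the steps above rely on (placeholder replaced, token prefix, HTTP_API_KEY set, credential proxy bind address) and for file mode. The function names, the permission check and the choice to report the default 0.0.0.0 bind as a finding are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit /opt/talon/.env after the token has been pasted in.
# Key names and defaults are from the article; the checks are assumptions.

# Value of KEY in FILE: last uncommented assignment, inline "# comment" stripped.
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed 's/[[:space:]]#.*$//; s/[[:space:]]*$//'
}

# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_talon_env() {
  local file=$1 findings=0 token proxy mode
  note() { printf '%s\n' "$1"; findings=$((findings + 1)); }
  [ -r "$file" ] || { echo "MISSING: cannot read $file"; return 1; }

  token=$(env_value "$file" CLAUDE_CODE_OAUTH_TOKEN)
  case $token in
    ''|YOUR_TOKEN_HERE) note "TOKEN: placeholder not replaced" ;;
    sk-ant-oat01-*) ;;
    *) note "TOKEN: value lacks the sk-ant-oat01- prefix" ;;
  esac

  [ -n "$(env_value "$file" HTTP_API_KEY)" ] ||
    note "HTTP_API_KEY: empty, but required for every request except /health"

  proxy=$(env_value "$file" CREDENTIAL_PROXY_HOST)
  case ${proxy:-0.0.0.0} in
    127.*|::1|localhost) ;;
    *) note "PROXY: credential proxy binds ${proxy:-0.0.0.0}, not loopback" ;;
  esac

  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")  # GNU stat, BSD fallback
  case $mode in
    *00) ;;
    *) note "PERMS: mode $mode grants group/other access to the token file (chmod 600)" ;;
  esac
  [ "$findings" -eq 0 ]
}

# Constructed sample: the handover state described in the article.
demo() {
  local f; f=$(mktemp)
  printf '%s\n' 'CLAUDE_CODE_OAUTH_TOKEN=YOUR_TOKEN_HERE # client fills this in' \
    'HTTP_API_KEY=' '# CREDENTIAL_PROXY_HOST=127.0.0.1' > "$f"
  chmod 644 "$f"; check_talon_env "$f"; local rc=$?; rm -f "$f"; return $rc
}
if [ "${1:-}" = --demo ]; then demo; elif [ -n "${1:-}" ]; then check_talon_env "$1"; fi
```

Run it with the file path as the only argument (for example `/opt/talon/.env`); it prints findings without ever echoing the token value.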
which claude
mempalace-data
systemctl status talon
/opt/talon/logs/talon.error.log
Reach out via the SOCFortress service desk or on Discord. For token-specific issues, contact Anthropic support at support.anthropic.com.