GUIDE
Quick Start Guide
Get up and running in a few minutes.
Prerequisites
Supported Operating Systems
- macOS Tahoe or later
- Ubuntu 24.04
Architecture: The macOS installer runs natively on Apple Silicon Macs. The Linux installer is x86_64 only and does not support ARM/AArch64 (running Ubuntu inside an ARM virtual machine on an Apple Silicon Mac will not work).
Hardware
| Resource | Free (Min / Recommended) | Enterprise (Min / Recommended) |
| :--- | :--- | :--- |
| CPU | 8 cores / 16 cores | 8 cores / 16 cores |
| RAM | 8 GB / 16 GB | 32 GB / 64 GB |
| Disk | 5 GB / 12 GB | 20 GB / 50 GB |
Docker: Must be installed and your user must be a member of the docker group.
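A preflight check for the Linux prerequisites listed above, as an added example that is not part of Crogl's installer or documentation. The function names and the `--check` argument are made up here, and the thresholds are the Free-tier minimums from the hardware table.

```shell
#!/bin/sh
# Added example: preflight for the Linux installer (not Crogl's own code).
# Thresholds are the Free-tier minimums from the hardware table.
MIN_CORES=8
MIN_RAM_GB=8
MIN_DISK_GB=5

# The Linux installer is x86_64 only (no ARM/AArch64).
arch_ok() { [ "$1" = "x86_64" ]; }

# True if "docker" appears as a whole word in a space-separated group list.
in_docker_group() {
  for g in $1; do
    [ "$g" = "docker" ] && return 0
  done
  return 1
}

# preflight ARCH CORES RAM_GB DISK_GB "GROUP LIST"
# Prints each failed check; returns the number of failures (0 = ready).
preflight() {
  fails=0
  arch_ok "$1" || { echo "FAIL arch: $1 (need x86_64)"; fails=$((fails + 1)); }
  [ "$2" -ge "$MIN_CORES" ] || { echo "FAIL cpu: $2 cores (need $MIN_CORES)"; fails=$((fails + 1)); }
  [ "$3" -ge "$MIN_RAM_GB" ] || { echo "FAIL ram: $3 GB (need $MIN_RAM_GB)"; fails=$((fails + 1)); }
  [ "$4" -ge "$MIN_DISK_GB" ] || { echo "FAIL disk: $4 GB free (need $MIN_DISK_GB)"; fails=$((fails + 1)); }
  in_docker_group "$5" || { echo "FAIL docker: user not in docker group"; fails=$((fails + 1)); }
  return "$fails"
}

# Collect this host's values (Linux only: nproc, /proc/meminfo, df, id).
check_local() {
  command -v docker >/dev/null 2>&1 || { echo "FAIL docker: not installed"; return 1; }
  # MemTotal is in kB and sits slightly under the nominal size, so round.
  ram=$(awk '/^MemTotal:/ {print int($2 / 1048576 + 0.5)}' /proc/meminfo)
  # Free space on the filesystem holding $HOME, where --home points below.
  disk=$(df -Pk "$HOME" | awk 'NR == 2 {print int($4 / 1048576)}')
  preflight "$(uname -m)" "$(nproc)" "$ram" "$disk" "$(id -nG)"
}

# Check the local machine only when asked: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  check_local && echo "preflight passed"
fi
```

The exit status is the number of failed checks, so the script can gate the installer command in a provisioning job.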
Before You Begin
Have the following ready before starting installation:
- LLM API key — An API key from Anthropic or OpenAI. We recommend using one of three frontier models: claude-opus-4.5 or claude-sonnet-4.5 from Anthropic, or gpt-5.2 from OpenAI. If you're self-hosting a model instead, you'll need its endpoint URL.
- Data source credentials — API keys or credentials for at least one of the following. You can always add more connectors later.
  - A SIEM (e.g. Splunk, Elastic, Sentinel) — lets Crogl search your logs and alerts, pull telemetry directly into investigations, and run threat hunts across historical data.
  - A case management system (e.g. Jira, ServiceNow) — lets Crogl read and update cases, attach investigation findings as it works, and keep your ticketing system in sync without manual handoffs.
  - An enrichment tool (e.g. VirusTotal, CrowdStrike) — lets Crogl look up IPs, domains, and file hashes to add reputation, threat intel, and endpoint or identity context to every alert it triages.
1. Download Crogl
Download the installer for your platform from your download page.
2. Run the Installer
Open a terminal, navigate to the folder where you downloaded the installer, and run:
macOS
bash ./crogl-installer-macos.sh --start
Linux
bash ./crogl-installer-linux.sh --home "$HOME/crogl-test" --start
3. Trust the Certificate (macOS only)
On macOS, Crogl needs to add a self-signed certificate to your system trust store. You'll be prompted twice: once in the terminal, once via a macOS system dialog.
Enter your Mac password at both prompts to proceed.
4. Create Your Credentials
The installer will prompt you to create a username and password. You'll need these to sign in to Crogl. Store them somewhere safe before continuing.
5. Save Your Credentials and Startup Key
When installation completes, the terminal will display a startup key. This is critical and not recoverable. Save it and the credentials from step 4 somewhere secure before closing your terminal. A password manager is strongly recommended.
6. Open Crogl and Sign In
The installer will display the URL for your Crogl instance when it finishes. Open that URL in a browser. On macOS, fully quit and reopen your browser first to pick up the updated certificate trust.
Sign in with the credentials you created in step 4, then follow the setup steps to configure an LLM and connect Crogl to your environment.
7. What to Do Next
Once you've signed in and configured Crogl to use your LLM and at least one connector, you're ready to go. Use natural language to ask Crogl to triage or investigate alerts, or use one of the built-in skills. The pills (oval buttons below the chat) are shortcuts to run a skill:
- Investigate alert — Vendor-agnostic alert triage built around the MITRE ATT&CK framework. Works across EDR, network, identity, and cloud log sources to investigate and prioritize alerts, regardless of which tool generated them.
- Threat hunt — Investigate a threat advisory by URL, ID, or free-text description. Crogl researches the threat, generates a hunt plan tailored to your environment, and executes the hunt interactively with you.
- Create a skill — Guides you through creating a new skill or updating an existing one. Use it to extend Crogl with specialized knowledge about your team's workflows or new tool integrations — all in chat, no code required.
- Incident report — Assemble the findings, timeline, and remediation steps from an investigation into a structured report ready to share with stakeholders.
You can also ignore the pills entirely and just describe what you want to do. Crogl will decide which skill to use.
What's a Skill?
A skill is a reusable workflow you can ask Crogl to run. Each one packages up the steps, the data sources, and the judgment needed to do a specific job — like triaging an alert or running a threat hunt. The four pills under the chat bar are all skills.
The skills that ship with Crogl cover the common shape of SOC work, but every environment is different. Skills help Crogl understand your naming conventions, your tools, your escalation paths, your reporting format. That's where Create a skill comes in: it lets you turn any workflow into a reusable Crogl skill, just by describing it in plain language. No code, no query language.
Why building your own pays off:
- Crogl adapts to your environment. A custom skill captures the specific data sources, query patterns, and language your SOC actually uses. The more your skills reflect how your team really works, the better Crogl performs on the next investigation.
- Repeatable work gets faster and more consistent. Anything an analyst does more than twice becomes a one-line invocation that produces the same output across analysts and shifts.
Building one is just a conversation. Run Create a skill and describe the workflow you want: what triggers it, what data it should pull, what decisions it should make, and what output you want. Crogl will draft the skill, run it with you, and save it once you're happy with the result. You can edit skills you create by clicking the wand icon in the left-hand navigation bar.
Try this now. Pick something you do regularly and can describe in a few sentences — your standard alert triage template, your weekly hunt routine, or the report your manager asks for every Friday — and build it as your first skill.