CTP247 PRE-LAUNCH

Coming soon.

CTP247 is cyber threat protection that never clocks out — autonomous agents watching your attack surface, brand, and the dark web 24/7. Leave your email and we'll let you know when it's live.

One email at launch. No newsletters, no marketing drip feed.

Agents

Five agents.
One queue.

Each agent owns a chunk of the SOC's work and writes into a shared case fabric. They cite their sources, log every tool call, and stop at human-in-the-loop gates when the action is irreversible.

Feed Triage

From feed entry to alert in under a minute.

Pulls every fresh feed entry, classifies it against your tech stack and brand, decides whether it's a real alert. The boring 80% of an analyst's day, gone.

Why it pays for itself: Without triage you read 800 entries to find the 6 that matter. With triage you read the 6.

Inputs

  • Raw feed entries (CISA KEV, abuse.ch, dshield, MISP, OTX…)
  • Your declared tech stack and brand keywords
  • Past triage feedback (analyst thumbs)

Outputs

  • Alerts with severity, category, reasoning, recommended action
  • IOCs extracted from the entry, linked to the alert
  • Triage run record with cost, model, duration, FP rate trend

Runtime

Rolling 24h windows · single pass per entry · cost-bounded

Investigation

Pivots through actor, asset, IOC and prior cases — autonomously.

On any alert worth investigating, this agent pulls in adjacent IOCs, looks up the threat actor, scans your asset graph for matches, checks if a prior case touched the same indicators, and writes a final assessment.

Why it pays for itself: Investigations are where junior analysts burn 3 hours guessing. The agent runs the same playbook in minutes and shows its work.

Inputs

  • A single alert
  • Your asset inventory
  • Org-wide IOC and case history

Outputs

  • Final assessment (severity, confidence, attribution)
  • Trace of every tool call the agent made (auditable)
  • Linked findings the SOC can promote into a case

Runtime

Up to 6 tool calls · 5 read-only tools · plan-then-act gate optional

Threat Hunter

Weekly hypothesis sweeps against active actor clusters.

Picks an active threat-actor cluster, pulls their TTPs, looks for evidence those TTPs are visible in your environment (alerts, exposures, IOC overlap), and surfaces 1–4 hunt findings. If you're clean against this actor, that's a valid outcome too.

Why it pays for itself: Most hunts get skipped because nobody has time to plan one. The agent runs one anyway.

Inputs

  • Active actor inventory (MITRE + your enrichment)
  • Your alerts, exposures, IOCs

Outputs

  • Focus actor, confidence, summary
  • 1–4 hunt findings with MITRE technique mapping
  • Full reasoning trace per iteration

Runtime

Weekly schedule + ad-hoc 'Run hunt now' · max 6 iterations

Brand Defender

Catches typosquats and impersonations the day they register.

Permutes your primary domains, resolves candidates, scores similarity, watches certificate transparency. When a hit lands, the agent drafts the takedown — and stops, asking for analyst approval before sending.

Why it pays for itself: Phishing infrastructure is registered hours before it's used. Catching it on registration costs you nothing; catching it after a customer clicks costs you a lot.

Inputs

  • Your domains and brand keywords
  • CT-log stream (opt-in) + daily permutation sweeps

Outputs

  • Suspect domain rows with similarity, evidence, screenshot
  • Drafted takedown ticket (registrar / hosting / abuse contact)
  • Audit trail of every typosquat ever caught

Runtime

Daily sweeps · CT-log streaming · plan-then-act gate on takedown

Case Copilot

Keeps the case timeline fresh as you work.

When you escalate alerts into a case, this agent reads the linked findings on demand and rewrites the case summary and recommended actions. You write less; you stay current.

Why it pays for itself: Half the IR pain is 'what's the latest?' The agent answers it without anyone retyping.

Inputs

  • Case state
  • All linked alerts, findings, comments

Outputs

  • Case summary that mirrors current evidence
  • Suggested next steps with citations
  • Full run trace — every rewrite auditable

Runtime

One-click refresh · idempotent · analyst comments stay authoritative

Try them on a feed of your choice.

We'll run a 30-min walkthrough on your real feeds — no slides, just the dashboard.
