Technical Briefing · Confidential · April 2026

ARIA — AI Rapid Investigation Agent

A multi-agent AI SOC platform with an MSSP operating layer. Ingests alerts from 11 SIEM adapters, runs a 7-stage pipeline (LLM + deterministic rules) per alert, produces a MITRE-mapped verdict plus policy-gated remediation, and exposes an analyst UI with native SIEM search, a Detection Engineering workbench, a Security Intelligence operating layer, and an Admin Control Plane. Tenant-safe by default; every destructive action audit-logged. Runs on-prem — nothing leaves the box by default.

147 FastAPI routes · 30+ Postgres tables · < 90s alert → verdict · 20/20 health checks pass

Video tour

3-minute 30-second captioned walkthrough of every module and new feature. Generated from a demo environment.

1680×1050 · 3 min 30 s · Confidential HuntJacq Labs © 2026

Technical deck

Eight-slide briefing for technical review — architecture, pipeline, AI, security, integrations, resilience, workflows, economics.

Product walkthrough

Thirty-six-slide auto-playing captioned walk through the product, with keyboard navigation. Each slide explains what you're looking at and which feature it demonstrates.

Platform capabilities

What the platform does, organized by concern. Every surface is tenant-safe by default and audit-logged for destructive actions.

Multi-agent investigation pipeline

Seven stages per alert: Triage (MITRE mapping) → Threat Intel (VT/AbuseIPDB/TAXII/CVE) → Knowledge (RAG over history) → Forensics (timeline + campaign) → Investigator (LLM verdict) → Remediation (policy-gated) → Validation (post-action re-check). Learning runs async to generate Sigma rule candidates. Typical end-to-end: 60-90s.

Native SIEM-style search

Built-in search tab with field-aware DSL (severity:critical AND source:wazuh), visual filter builder, right-side schema panel, cursor-paginated infinite scroll, SQL pushdown into JSONB for sub-100ms first page, and saved searches with private / tenant / global visibility. Timechart and top-value aggregations share the same filter state. OpenSearch Dashboards remains available as a second tab for log-scale exploration.
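As an added illustration of the field-aware DSL and its SQL pushdown into JSONB (example code written for this briefing, not ARIA's search implementation), the parser below turns a query such as severity:critical AND source:wazuh into a parameterized statement. The alerts table layout (id, tenant_id, created_at, payload JSONB), the field allowlist, the page size and the keyset cursor shape are assumptions; the security-relevant points are that field names are checked against the allowlist before they are quoted into SQL, values are always bound parameters, and the tenant filter is added from the server-side session rather than from anything in the query text.

```python
import re

# Assumed schema: alerts(id, tenant_id, created_at, payload JSONB). The field
# allowlist stands in for the schema panel; both are assumptions, not ARIA's.
ALLOWED_FIELDS = {"severity", "source", "status", "rule_id", "host"}
JSONB_COLUMN = "payload"
PAGE_SIZE = 50

# Field terms are tried first so a field like 'and:...' is never read as an operator.
TOKEN_RE = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_.]*:(?:"[^"]*"|[^\s()]+)|\(|\)|AND\b|OR\b|NOT\b)',
    re.IGNORECASE,
)


def tokenize(query):
    """Split a DSL string into field:value terms, parentheses and operators."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: expr := term (OR term)*, term := factor (AND? factor)*,
    factor := NOT factor | '(' expr ')' | field:value.  Emits SQL with %s
    placeholders so user-supplied values never touch the SQL text."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        sql, params = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return sql, params

    def expr(self):
        sql, params = self.term()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            rhs, rparams = self.term()
            sql, params = f"({sql} OR {rhs})", params + rparams
        return sql, params

    def term(self):
        sql, params = self.factor()
        while self.peek() is not None and self.peek().upper() not in ("OR", ")"):
            if self.peek().upper() == "AND":
                self.take()  # explicit AND; adjacency is an implicit AND
            rhs, rparams = self.factor()
            sql, params = f"({sql} AND {rhs})", params + rparams
        return sql, params

    def factor(self):
        tok = self.take()
        if tok is None:
            raise ValueError("query ended unexpectedly")
        if tok.upper() == "NOT":
            inner, params = self.factor()
            return f"(NOT {inner})", params
        if tok == "(":
            inner, params = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner, params
        field, _, value = tok.partition(":")
        field = field.lower()
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field {field!r}")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        # The field name passed the allowlist, so quoting it is safe; the value
        # is always bound as a parameter.
        return f"({JSONB_COLUMN}->>'{field}') = %s", [value]


def compile_query(query, tenant_id, cursor=None, page_size=PAGE_SIZE):
    """Return (sql, params) for one cursor page. tenant_id comes from the
    server-side session, never from the query; cursor is the (created_at, id)
    pair of the last row of the previous page (keyset pagination)."""
    tokens = tokenize(query)
    where, params = Parser(tokens).parse() if tokens else ("TRUE", [])
    sql = (f"SELECT id, created_at, {JSONB_COLUMN} FROM alerts "
           f"WHERE tenant_id = %s AND {where}")
    params = [tenant_id] + params
    if cursor is not None:
        sql += " AND (created_at, id) < (%s, %s)"
        params += list(cursor)
    sql += " ORDER BY created_at DESC, id DESC LIMIT %s"
    return sql, params + [page_size]
```

A GIN index on the JSONB column, or expression indexes on the allowlisted keys, is what makes the first page fast; the compiler above only guarantees that the generated statement is safe and keyset-paginated.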

Detection Engineering

Closes the loop Alert → Verdict → Rule. Per-rule TP/FP/escalation rate, noisy-rule ranking by fp_rate × log(1+hits), explainable tuning recommendations with evidence, replay against historical alerts, MITRE coverage with gap detection, candidate-rule review queue (LearningAgent output), immutable rule versioning with one-click rollback, and Sigma import with structural validation.
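To make the per-rule metrics and the noisy-rule ranking concrete, here is an added worked example (written for this briefing, not the Detection Engineering module's own code). It computes TP/FP/escalation rates from a constructed set of investigation outcomes, ranks rules by fp_rate × log(1+hits) as the page describes, and returns a tuning recommendation together with the evidence behind it. The outcome labels, the 20-hit minimum and the 0.7 fp_rate threshold are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of investigation outcomes (not real data):
# (rule_id, verdict, escalated_to_customer)
SAMPLE_OUTCOMES = (
    [("R-A", "false_positive", False)] * 90 + [("R-A", "true_positive", True)] * 10
    + [("R-B", "false_positive", False)] * 10
    + [("R-C", "true_positive", True)] * 20 + [("R-C", "true_positive", False)] * 25
    + [("R-C", "false_positive", False)] * 5
)


def rule_stats(outcomes):
    """Per-rule hits, TP/FP/escalation rates and the noise score
    fp_rate * log(1 + hits)."""
    agg = defaultdict(lambda: {"hits": 0, "tp": 0, "fp": 0, "escalated": 0})
    for rule_id, verdict, escalated in outcomes:
        s = agg[rule_id]
        s["hits"] += 1
        if verdict == "true_positive":
            s["tp"] += 1
        elif verdict == "false_positive":
            s["fp"] += 1
        if escalated:
            s["escalated"] += 1
    stats = {}
    for rule_id, s in agg.items():
        hits = s["hits"]
        fp_rate = s["fp"] / hits
        stats[rule_id] = {
            **s,
            "tp_rate": s["tp"] / hits,
            "fp_rate": fp_rate,
            "escalation_rate": s["escalated"] / hits,
            # log(1+hits) weights by volume: a rule wrong 90 times out of 100
            # outranks one wrong 10 times out of 10 despite the lower fp_rate.
            "noise_score": fp_rate * math.log1p(hits),
        }
    return stats


def rank_noisy(stats):
    """Rule ids, noisiest first."""
    return sorted(stats, key=lambda r: stats[r]["noise_score"], reverse=True)


def tuning_recommendation(stat, min_hits=20, fp_threshold=0.7):
    """Explainable recommendation: an action plus the evidence that drove it.
    min_hits and fp_threshold are assumed values, not ARIA's."""
    evidence = {k: stat[k] for k in ("hits", "tp", "fp", "escalated", "fp_rate")}
    if stat["hits"] < min_hits:
        return {"action": "collect_more_evidence",
                "reason": f"only {stat['hits']} hits (< {min_hits})",
                "evidence": evidence}
    if stat["fp_rate"] >= fp_threshold:
        return {"action": "tune",
                "reason": (f"{stat['fp']} of {stat['hits']} alerts were false positives "
                           f"(fp_rate {stat['fp_rate']:.2f} >= {fp_threshold})"),
                "evidence": evidence}
    return {"action": "keep",
            "reason": (f"fp_rate {stat['fp_rate']:.2f} below threshold; "
                       f"{stat['escalated']} escalations"),
            "evidence": evidence}
```

Note that R-B has a worse fp_rate than R-A (1.0 vs 0.9) but ranks below it: ten misfires are not yet enough evidence to act on, which is exactly what the volume term in the score, and the min_hits gate in the recommendation, encode.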

Security Intelligence

IOCs move from "enrich and show" to scored + prioritized + correlated. Threat score 0-100 with explainable components (source confidence, sighting volume, confirmed TPs, freshness, lifecycle overrides). Lifecycle states: active / stale / expired / suppressed / trusted. Campaign severity + confidence (confirmed / probable / unknown). Feed sync health, hunt-suggestion generation, intel ⇄ rule coverage gaps, per-tenant threat landscape.

MSSP tenancy + governance

Single choke point for tenant isolation. Every query scoped server-side from the JWT; client-supplied tenant parameters are ignored. Cross-tenant admin access is explicit, role-gated, audit-logged, and surfaced via UI banner. Per-tenant white-label branding (logo, display name, primary color, report footer) flows into every report payload and PDF export. Per-tenant per-action policy overrides with effective-policy visualization. MSP-of-MSP tenant hierarchy via parent-child wiring.
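The tenant-isolation choke point described above, as an added example (written for this briefing, not ARIA's middleware): a minimal HS256 JWT signer/verifier in the standard library, and a scope resolver that takes the effective tenant from the verified token, discards any tenant_id the client sends, and allows cross-tenant access only through an explicit act_as_tenant parameter, a permitted role, and an audit entry. The claim names, the mssp_admin role, the signing secret and the act_as_tenant parameter name are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed deployment values: the signing secret and the role allowed to act
# across tenants. Neither comes from the ARIA page.
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"
CROSS_TENANT_ROLES = {"mssp_admin"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret=SIGNING_SECRET):
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token, secret=SIGNING_SECRET, now=None):
    """Accept HS256 only (no alg=none), compare in constant time, enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b, body_b, sig_b = parts
    if json.loads(_unb64url(header_b)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b}.{body_b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(body_b))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims


def resolve_tenant_scope(token, client_params, audit_log, now=None):
    """Single choke point. The effective tenant is the token's tenant_id; a
    tenant_id supplied by the client is ignored. Acting as another tenant needs
    the explicit act_as_tenant parameter, an allowed role and an audit entry,
    and the returned banner text is what the UI surfaces."""
    claims = verify_jwt(token, now=now)
    home = claims["tenant_id"]
    target = client_params.get("act_as_tenant")  # explicit, distinct from tenant_id
    if target is None or target == home:
        return {"tenant_id": home, "cross_tenant": False, "banner": None}
    entry = {"event": "cross_tenant_access", "actor": claims["sub"],
             "role": claims.get("role"), "home_tenant": home, "target_tenant": target}
    if claims.get("role") not in CROSS_TENANT_ROLES:
        audit_log.append({**entry, "outcome": "denied"})
        raise PermissionError("cross-tenant access requires an admin role")
    audit_log.append({**entry, "outcome": "granted"})
    return {"tenant_id": target, "cross_tenant": True,
            "banner": f"Viewing tenant {target} as {claims['sub']} (home: {home})"}
```

Every data-access query then takes its tenant from the returned scope object and nothing else; that is what makes the isolation a single choke point rather than a convention each route has to remember.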

Admin Control Plane

Not just settings — governance. Worker lifecycle (start / stop / restart / restart-all) with confirm dialogs + audit. Aggregated system alerts across 6 categories. Cost dashboard (tokens + USD per day, per tenant, top drivers). Active session list with one-click revoke. Runtime config editor with type validation. RabbitMQ queue depth. Policy editor showing effective policy per tenant.

Dashboards & Reports

KPI strip with click-through to filtered investigations. Per-tenant comparison with grades A-D. Alert-lifecycle funnel. SLA breach root-cause analysis (backlog / slow investigation / escalation delay). Data coverage per source. Automation coverage. Decision-engine metrics. Dashboard narrative that summarizes "what changed" vs the previous period, plus z-score alert-volume anomaly detection. Reports carry executive-ready narrative on every type; scheduled delivery via cron + email; PDF export with tenant branding; QoQ / YoY period comparison with graceful fallback when history is insufficient.
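The z-score alert-volume anomaly check and the period comparison with graceful fallback, as an added worked example (written for this briefing, not the Dashboards module's code). It scores today's count against a baseline window, refuses to emit a score when history is too short or has no variance, and builds the "what changed" narrative fragment with a fallback when there is no prior period. The baseline counts are constructed, and the 7-day minimum and the z threshold of 3 are assumed values.

```python
import statistics

# Constructed daily alert counts for one tenant over the previous 8 days (not real data).
BASELINE_COUNTS = [120, 130, 120, 130, 120, 130, 120, 130]
MIN_HISTORY_DAYS = 7  # assumed
Z_THRESHOLD = 3.0     # assumed; the page does not state ARIA's threshold


def volume_anomaly(today, baseline, min_days=MIN_HISTORY_DAYS, z_threshold=Z_THRESHOLD):
    """Z-score of today's alert volume against the baseline window, with
    explicit fallback statuses instead of a misleading number."""
    if len(baseline) < min_days:
        return {"status": "insufficient_history", "days": len(baseline), "z": None}
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    if stdev == 0:
        # A flat baseline makes z undefined; report the raw delta instead.
        return {"status": "no_variance", "z": None, "delta": today - mean,
                "anomalous": today != mean}
    z = (today - mean) / stdev
    return {"status": "ok", "z": z, "mean": mean, "stdev": stdev,
            "anomalous": abs(z) >= z_threshold}


def period_change(current, previous):
    """'What changed' fragment for one metric; falls back when the previous
    period (QoQ / YoY) has no data."""
    if not previous:
        return {"change_pct": None,
                "narrative": f"{current} this period; no prior period to compare"}
    pct = (current - previous) / previous * 100
    direction = "up" if pct > 0 else "down" if pct < 0 else "flat"
    return {"change_pct": pct,
            "narrative": f"{current} this period, {direction} {abs(pct):.1f}% from {previous}"}


def dashboard_narrative(today, baseline, current_period, previous_period):
    """Combine both signals into the sentence shown at the top of the dashboard."""
    vol = volume_anomaly(today, baseline)
    change = period_change(current_period, previous_period)
    lines = [change["narrative"]]
    if vol["status"] == "ok" and vol["anomalous"]:
        lines.append(f"today's volume {today} is {vol['z']:.1f} standard deviations "
                     f"from the {vol['mean']:.0f}/day baseline")
    elif vol["status"] == "insufficient_history":
        lines.append(f"anomaly detection skipped: only {vol['days']} days of history")
    return "; ".join(lines)
```

Using the population standard deviation keeps the baseline window self-describing; switching to the sample deviation only changes the threshold calibration, not the structure of the check.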

Observability & trust

Evidence chain: SHA-256 hash-chained custody per investigation. Audit log covers every authentication, authorization, config change, policy override, cross-tenant access, rule rollback, IOC override, session revoke, and remediation action. Search telemetry for SLO tracking. Email delivery log — no silent failures. Per-agent tracing via Langfuse when configured. Compliance / Audit report type exports the audit trail with event-type summary and narrative.
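The SHA-256 hash-chained custody record, as an added example (written for this briefing, not ARIA's evidence-chain code). Each link commits to the artifact's digest, the actor, the action and the previous link's hash; the verifier walks the chain and reports which link failed and why. The field names are assumptions, and timestamps are left out so the constructed sample trail hashes identically on every run. Note the last case in the design: silently dropping links from the end of a chain is undetectable unless the head hash is recorded somewhere the chain's writer cannot change, so verification accepts an expected head to check against.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first link


def _canonical(obj):
    """Stable serialisation so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_evidence(chain, investigation_id, actor, action, artifact, note=""):
    """Append one custody link committing to the artifact's SHA-256, who acted,
    what they did, and the previous link's hash."""
    entry = {
        "seq": len(chain),
        "investigation_id": investigation_id,
        "actor": actor,
        "action": action,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "note": note,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Walk the chain and return (ok, seq, reason). Detects edited links,
    removed or reordered links and, when expected_head is supplied from an
    independent store, truncation of the tail."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i:
            return False, i, "sequence gap (link removed or reordered)"
        if entry.get("prev_hash") != prev:
            return False, i, "prev_hash does not match previous link"
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return False, i, "link contents modified"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain), "head hash mismatch (chain truncated)"
    return True, None, None


def build_sample_chain():
    """Constructed custody trail for one investigation (not real data)."""
    chain = []
    append_evidence(chain, "INV-0001", "triage-agent", "collected", b"alert payload")
    append_evidence(chain, "INV-0001", "forensics-agent", "timeline_built", b"timeline json")
    append_evidence(chain, "INV-0001", "alice", "remediation_approved", b"policy decision")
    return chain
```

In practice each link also carries a timestamp, and the head hash is written to the audit log (or another append-only store) after every append, which is what turns the chain from tamper-evident-within-itself into tamper-evident against the database owner.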