How It Works

From raw alert to closed ticket in 62 seconds.

SocGenie works by running every security alert through a 14-step pipeline of specialist AI agents. Each agent handles one job — enrichment, MITRE ATT&CK mapping, timeline building, risk scoring — and passes the result to the next. A human approves every destructive action. End-to-end: raw alert to closed ticket in 62 seconds, median.

[00:00.000] alert.intake → id=INC-2026-04817 sev=HIGH
[00:00.412] context.enrich → entra.user(j.patel) → mgr, dept, deviceCount=3
[00:02.118] attck.map → T1078.004 Cloud Accounts
[00:03.009] ioc.enrich → vt(ip)=malicious 72/89
[00:04.450] lateral.scan → 2 logins, 1 new geo
[00:08.201] edr.query → s1.host(JP-LT2) clean
[00:12.004] privilege.check → role=Member, no assumed roles
[00:16.901] timeline.build → 14 events, 4m 18s
[00:29.001] risk.score → 92% malicious
[00:41.812] narrative.write → 340 tokens
[01:02.094] hitl.gate → awaiting human approval
Onboarding

Connect in three clicks.

No agents to install. No log shippers to configure. Just OAuth.

OAuth consent

Securely authorize SocGenie on your M365 or Google Workspace tenant with least-privilege API access. Four scoped service principals, secrets held in Azure Key Vault.

330+ compliance checks

Scanning begins immediately, mapping your environment against CIS, CISA SCuBA, EIDSCA, ORCA and Reddome's Core Security baseline.

Zero-touch deploy

90+ Intune policies and 60+ Conditional Access policies deploy via Terraform: infrastructure as code, auditable, reversible.

System architecture

The 14-step investigation pipeline

Every alert. Every tenant. Every step logged, every decision inspectable.
STEP 01 · Alert Intake: Severity triage across all connected platforms
STEP 02 · Context Enrichment: User + asset mapping from Entra ID and GWS Directory
STEP 03 · ATT&CK Mapping: Tactical identification of adversary behaviour
STEP 04 · IOC Enrichment: VirusTotal, AbuseIPDB, Shodan, WHOIS
STEP 05 · Lateral Movement: Analysing hops between accounts and resources
STEP 06 · Email Assessment: Deep header and attachment analysis (Phish/BEC)
STEP 07 · EDR Interrogation: SentinelOne and CrowdStrike tool calls
STEP 08 · Privilege Analysis: Elevated-role abuse and shadow admins
STEP 09 · Timeline Recon: Millisecond-by-millisecond event reconstruction
STEP 10 · Evidence Assembly: Chain-of-custody packaging
STEP 11 · D3FEND Mapping: Countermeasure recommendations
STEP 12 · Risk Scoring: Impact calculation, SocGenie algorithm
STEP 13 · Report Narrative: AI-written incident report
STEP 14 · HITL Gate: Human approval required for destructive action
Three-tier AI SOC

Modeled after world-class SOCs.
Accelerated by agents.

Tier 1 · Blue Team Agent

60% auto-resolved

Auto-triage, false-positive elimination, IOC enrichment and ATT&CK mapping. Runs in under 90 seconds against every alert.

VirusTotal · AbuseIPDB · WHOIS · Shodan
Tier 2 · Threat Assessor

Multi-source correlation, scope determination and escalation decisions based on business context and blast radius.

Correlation · Scope analysis · Business context
Tier 3 · Forensics Agent

Full incident reconstruction, evidence collection for legal compliance, persistence hunting and narrative writing.

Timeline recon · Evidence vault · Swarm escalation
Human in the loop

AI recommends. You decide.

Total automation of sensitive security actions is a bad idea. SocGenie gathers the evidence, prepares the fix, shows you the reasoning — and waits for your “yes.”

Slack Block Kit
Teams Adaptive Cards
PagerDuty on-call
SocGenie portal UI
SocGenie · #soc-ops
Requesting approval on gated action
🚨 Session revocation — j.patel@contoso.co.uk
92% confidence malicious. Login from 41.203.64.12 (Lagos, NG).
ATT&CK T1078.004 · VT 72/89 malicious · blast radius: SharePoint + Teams.

Recommended: revoke tokens, disable account, snapshot mailbox.
✓ Approve all · ✕ Reject · Quarantine instead
Timeout: 15m → escalate to on-call · Full reasoning trail ↗
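The gate behaviour shown in the card above (pending until a human decides, escalate to on-call after 15 minutes, never auto-approve), as an added example that is not SocGenie's code. The action names, the Decision enum and the injectable clock are assumptions made for the example.

```python
# Added example, not SocGenie's code: a minimal fail-closed human-in-the-loop gate.
# A destructive action never runs without an explicit approval on record; a request
# still pending after the timeout is escalated to on-call, never auto-approved.
from dataclasses import dataclass, field
from enum import Enum
import time

DESTRUCTIVE = {"revoke_tokens", "disable_account", "snapshot_mailbox"}  # assumed names
class Decision(Enum):
    PENDING = "pending"
    APPROVE = "approve"
    REJECT = "reject"
@dataclass
class GatedAction:
    incident_id: str
    action: str
    requested_at: float
    decision: Decision = Decision.PENDING
    escalated: bool = False
    audit: list = field(default_factory=list)  # inspectable decision trail

class HitlGate:
    def __init__(self, timeout_s=15 * 60, clock=time.monotonic):
        self.timeout_s, self.clock, self.pending = timeout_s, clock, {}
    def request(self, incident_id, action, confidence):
        """Park a destructive action; it stays PENDING until a human decides."""
        if action not in DESTRUCTIVE:
            raise ValueError(f"{action} is not a gated action")
        ga = GatedAction(incident_id, action, self.clock())
        ga.audit.append(("requested", f"{confidence:.0%} malicious", ga.requested_at))
        self.pending[(incident_id, action)] = ga
        return ga
    def decide(self, incident_id, action, approver, approved):
        ga = self.pending[(incident_id, action)]
        ga.decision = Decision.APPROVE if approved else Decision.REJECT
        ga.audit.append(("decided", approver, ga.decision.value, self.clock()))
        return ga
    def sweep(self):
        """Escalate requests pending past the timeout, once each; never approve."""
        now, escalated = self.clock(), []
        for ga in self.pending.values():
            if ga.decision is Decision.PENDING and not ga.escalated and now - ga.requested_at >= self.timeout_s:
                ga.escalated = True
                ga.audit.append(("escalated", "on-call", now))
                escalated.append(ga)
        return escalated
    def authorized(self, incident_id, action):
        """The only check an executor may rely on: an explicit APPROVE on record."""
        ga = self.pending.get((incident_id, action))
        return ga is not None and ga.decision is Decision.APPROVE
```

An executor should call `authorized()` immediately before acting and refuse otherwise; the 15-minute sweep only changes who is asked, never the answer.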

Watch it run on your tenant.

14 steps. 62 seconds. Your first investigation is free.
