Alba is live
Autonomous Investigation Layer for Multi-SIEM SOCs and MSSPs

Investigate assigned alerts with evidence.
Keep your SIEM. Keep your LLM.

Alba processes assigned alerts through your existing security stack, follows entity trails, enriches evidence, classifies with confidence, and recommends or executes customer-approved actions according to policy.

Policy mode
Recommend · Approval-gated · Auto-action
Evidence chain
Logged end-to-end
Human review
Configurable
Tenant scope
RBAC enforced
Response actions
Customer-approved only
alba analyst — alert #555833
alba > analyze 555833 --depth 1
 
[1/7] Fetching alert from case management...
[2/7] Extracting IOCs: 12 IPs, 3 domains, 2 hashes
[3/7] Enriching via threat intelligence (400+ feeds)...
     2 suspicious • 0 malicious
[4/7] History: Rule fired 47x, 94% FP rate (30d)
[5/7] SIEM depth=1: 14 queries → 10 follow-up
     Discovered: 4 hosts, 2 users, 6 IPs
[6/7] Memory: 3 similar past investigations found
[7/7] Generating analysis...
 
✓ Classification: True Positive — HIGH confidence
   ▶ Isolating compromised endpoint via EDR...
✓ Endpoint isolated • Incident ticket created
✓ Posted to case management • Tagged • Indexed
   62.1s total • 24 SIEM queries • 3,156 tokens
Multi-tenant SOC Control Plane
Alba SOC Dashboard — multi-tenant overview
“We went from a 6-person overnight rotation to 2 analysts plus Alba. Our MTTR dropped from 38 minutes to under 4. The accuracy improvement alone justified it — our analysts used to misclassify about 1 in 5 alerts under fatigue. Alba hasn't missed one in three months.”
VP of Security Operations
Global MSSP
89%
Reduction in MTTR
97.6%
Classification Accuracy
4x
More Alerts Processed
Cross-customer Threat Intelligence
Alba Threat Intelligence — dark web entity graph
Tenant-scoped RBAC
Full audit logging
BYO data residency
GDPR-ready data flows
SOC 2 Type II in progress
<90s
Average investigation time
30+
Investigation & response tools
400+
Threat intel feeds supported
0
Vendor lock-in required

Autonomy where approved.
Human control where required.

Alba runs in recommend-only, approval-gated, or policy-approved auto-action mode — per customer, per action class. Every query, enrichment step, classification, and response action is logged for audit.

01 · Policy Mode
Configurable autonomy
Recommend-only, approval-gated, or auto-action — selectable per action class and per customer tenant.
02 · Evidence Chain
Every step logged
SIEM queries, enrichment results, classification reasoning, and response actions written to a tamper-evident audit log.
03 · Safety Gates
Five gates before any action
Classification, confidence threshold, alert age, allow/deny lists, and risk ceilings — an action runs only when all five clear.
04 · Tenant Scope
RBAC at every query
Customer-scoped query execution enforced through tenant mappings, role-based access control, and audit logging.
05 · Response Actions
Customer-approved only
Response capabilities are enabled per-customer. Above-ceiling actions escalate to a human instead of executing.

Most AI SOC tools were built for
someone else's business model.

The category was built for enterprise SOCs with full-stack commitments. MSPs and MSSPs operating across mixed customer stacks have different constraints — and most platforms work against them.

  • Built for one stack at a time

    Most AI analysts are tightly coupled to a specific EDR, SIEM, or productivity-suite license. If your customers run mixed stacks, you're operating multiple platforms — or asking customers to migrate.

  • Pricing models built for enterprise SOCs

    Per-investigation, per-SCU, or platform-bundled pricing scales with alert volume — the opposite of what an MSP needs as customer count grows. Your margin shouldn't move when alert volume does.

  • Triage assistants, not investigators

    Many AI SOC products stop at a "real or not real" verdict. They don't pivot across the SIEM, follow entity trails, or close the response loop, so that work still falls to your analysts.

  • Multi-tenancy as a services overlay

    Where MSP support exists, it's often a services wrapper around a single-tenant product. Onboarding tenant 47 becomes a project, not a config change.

Five questions to ask any AI SOC vendor

1. Stack freedom
Works with my customers' SIEMs and LLMs without forcing migration?
2. Evidence depth
Multi-pass investigation, or stops at triage?
3. Response governance
Executes actions under policy gates, or recommends only?
4. Tenant model
Multi-tenant by architecture, or services-wrapped?
5. Cost model
Pricing scales with my margin, or against it?
Compare by operating model. Not by slogan.

Not a copilot.
A full autonomous analyst.

Alba doesn't wait for you to ask questions. It triages the queue, investigates alerts end-to-end, and posts its analysis. Then it learns from the outcome.

Layer 01 · Investigation Core: Ingest, enrich, investigate, classify.

Autonomous Alert Triage

Processes your entire alert queue automatically. Fetches context, extracts IOCs, enriches via your threat intelligence platform, runs SIEM queries, and classifies with confidence scores.

Multi-Pass SIEM Investigation

Doesn't stop at the first query. Discovers entities in SIEM results, follows trails across hosts, users, and IPs. Iterates until every lead is exhausted.

Threat Intelligence Enrichment

Every IOC enriched through your threat intelligence platform — OSINT, commercial, and proprietary feeds. MITRE ATT&CK mapping. Dark web monitoring. Per-IOC depth scoring.

EDR & Identity Context

Microsoft Defender integrated today; major EDRs adapter-ready. Pull endpoint telemetry, device timelines, and identity-context signals into the investigation flow.

Phishing Investigation in Chat

Phishing isn't a separate product — the chat agent, EDR, and TI tools handle suspect emails in the same investigation flow as everything else. Headers, URLs, attachments, sender reputation.

Layer 02 · Control & Governance: Policy-gated execution. Full audit chain.

Alert-Specific Remediation

Every investigation produces a tailored response plan. Alba executes it through five safety gates (classification, confidence, age, allow/deny, risk ceiling) against an 18-action catalog spanning EDR, case management, and threat intelligence — or hands the plan to the analyst with one-click approval.
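The five-gate check (classification, confidence threshold, alert age, allow/deny lists, risk ceiling) described here and under 03 · Safety Gates can be expressed as one policy evaluation whose result is either "execute" or "escalate to a human". The code below is an added illustration, not Alba's implementation; the policy fields, the 1-5 risk scale, the action catalog names and the sample alerts are assumptions.

```python
"""Five-gate pre-action policy check (illustrative; policy shape and risk scale are assumed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    """Per-tenant, per-action-class policy (assumed shape)."""
    required_classification: str = "True Positive"
    min_confidence: float = 0.85
    max_alert_age: timedelta = timedelta(hours=4)
    allow_targets: set[str] = field(default_factory=set)   # empty set = no allow-list restriction
    deny_targets: set[str] = field(default_factory=set)    # never touched automatically
    risk_ceiling: int = 3                                  # highest catalog risk score that may auto-run


@dataclass
class ProposedAction:
    action: str            # catalog entry, e.g. "isolate_host" (assumed name)
    target: str            # host, account, IP the action applies to
    risk: int              # catalog-assigned risk score (assumed 1-5 scale)
    classification: str    # verdict from the analysis step
    confidence: float      # 0.0-1.0
    alert_time: datetime   # when the alert fired


def evaluate_gates(a: ProposedAction, p: Policy, now: datetime) -> tuple[bool, list[str]]:
    """Evaluate all five gates and return (allowed, failures).

    Every gate is checked even after the first failure so the audit entry
    records every reason the action was held back, not just the first one.
    """
    failures: list[str] = []
    if a.classification != p.required_classification:
        failures.append(f"classification={a.classification!r}")
    if a.confidence < p.min_confidence:
        failures.append(f"confidence={a.confidence:.2f}<{p.min_confidence:.2f}")
    if now - a.alert_time > p.max_alert_age:
        failures.append("alert too old")
    if a.target in p.deny_targets or (p.allow_targets and a.target not in p.allow_targets):
        failures.append(f"target={a.target!r} not permitted")
    if a.risk > p.risk_ceiling:
        failures.append(f"risk={a.risk}>ceiling={p.risk_ceiling}")
    return (not failures, failures)


def decide(a: ProposedAction, p: Policy, now: datetime) -> str:
    """'execute' only when all five gates clear; otherwise hand the plan to a human."""
    allowed, _ = evaluate_gates(a, p, now)
    return "execute" if allowed else "escalate"


# Constructed sample data (not real alerts) for a stand-alone run.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
DEFAULT_POLICY = Policy(deny_targets={"dc-01"})
SAMPLE_ACTIONS = {
    "isolate":   ProposedAction("isolate_host", "ws-01", 2, "True Positive", 0.95, NOW - timedelta(minutes=10)),
    "stale":     ProposedAction("isolate_host", "ws-01", 2, "True Positive", 0.95, NOW - timedelta(hours=6)),
    "high_risk": ProposedAction("disable_account", "alice", 5, "True Positive", 0.95, NOW - timedelta(minutes=10)),
    "protected": ProposedAction("isolate_host", "dc-01", 2, "True Positive", 0.99, NOW - timedelta(minutes=10)),
    "uncertain": ProposedAction("isolate_host", "ws-01", 2, "True Positive", 0.60, NOW - timedelta(minutes=10)),
    "multi":     ProposedAction("disable_account", "dc-01", 5, "Suspicious", 0.50, NOW - timedelta(hours=6)),
}

if __name__ == "__main__":
    for name, action in SAMPLE_ACTIONS.items():
        ok, why = evaluate_gates(action, DEFAULT_POLICY, NOW)
        print(f"{name:10s} -> {decide(action, DEFAULT_POLICY, NOW):9s} {why}")
```

Note that the deny list wins over a high-confidence verdict: a domain controller on the deny list is never isolated automatically, however certain the classification, which is the behaviour a risk ceiling is meant to guarantee.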

Automation Policies

Customer-tunable rules for recurring patterns. JSON conditions, configurable actions (close, tag, comment, assign, escalate), full audit trail. Run unattended on the high-confidence long tail.

Full Transparency & Debug

Debug mode exposes every query Alba runs against your SIEM. Full audit trails. Structured logging with timing and cost metrics. You see exactly what Alba did and why.

Layer 03 · Operating Leverage: Memory, search, ChatOps, the flywheel.

Investigation Memory

Alba remembers every investigation. False positive rates per detection rule. IOC prevalence across customers. Historical context that makes every new analysis smarter.

Cross-Customer TI Flywheel

Confirmed true-positive IOCs are pushed back into the AlbaCyber Threat Exchange with TLP marking, scoring, and provenance labels. Every confirmed TP your tenants see makes every other tenant smarter.

Detection Rule Auditing

Automatically audits every detection rule across your SIEM. Finds broken syntax, silent encoding failures, case sensitivity issues. Auto-generates corrected rules and validates them end-to-end.

Semantic Investigation Search

Search thousands of past investigations by meaning, not just keywords. "Have we seen this attack pattern before?" Answers in milliseconds, with cross-customer anonymization.

Interactive Chat & Slack Bot

Natural language interface via web UI or Slack with RBAC-gated tools. Real-time streaming. Ask "search for lateral movement in the last 24h" and watch Alba work.

From alert to answer
in under 90 seconds.

Alba runs a 17-step investigation pipeline for every alert. Here's the path from raw alert to classified, contextualized outcome.

01 · Ingest & Extract

Fetch alert from your case management platform. Parse alert context, source content, and detection query. Extract IOCs from text with junk filtering. Deduplicate.

Case mgmt connectors · IOC Extraction · Alert Pipeline
02 · Enrich & Correlate

Every IOC is enriched through your threat intelligence platform. Cross-referenced against investigation history for prevalence. Detection rule exceptions are pre-analyzed for syntax bugs.

Threat Intelligence · Historical Context · Detection Analysis
03 · Investigate (Multi-Pass)

Run alert-type-specific SIEM queries against your existing platform. Extract new entities from results. Follow the trail: discovered hosts, users, and IPs feed follow-up queries. Repeat until the trail is exhausted or the depth limit is reached.

SIEM connectors · Multi-Pass Depth · Entity Trailing
04 · Analyze & Classify

Full context sent to your chosen LLM for analysis. Executive summary, evidence chain, MITRE mapping, confidence score. If prior analysis exists, Alba states agreement or disagreement.

Any LLM · Local or Cloud · Swap at Runtime
05 · Respond & Remediate

For confirmed threats: isolate hosts via your EDR, block IPs at the firewall, disable compromised accounts in your identity provider, create incidents in your ITSM. Each action is configurable: autonomous, approval-gated, or recommend-only.

Any EDR · Any Identity Provider · Any ITSM · Playbooks
06 · Remember & Improve

Post analysis to case management. Tag and close the alert. Store the outcome for future context. Index the investigation for semantic recall. Notify your team. The next investigation is already smarter.

Case Management · Investigation Memory · Semantic Index · ChatOps
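The multi-pass loop in step 03 (and the Multi-Pass SIEM Investigation feature above) is a breadth-first walk over entities: seed entities from the alert are queried, new hosts, users and IPs found in the results become follow-up queries, each entity is queried at most once, and the walk stops at the configured depth. The block below is an added illustration, not Alba's code; the in-memory event list stands in for SIEM results and is constructed sample data, and the entity kinds and return shape are assumptions.

```python
"""Depth-limited, deduplicated entity trailing over a stand-in SIEM (illustrative)."""
from collections import deque

# Constructed sample events standing in for SIEM results (not real telemetry).
EVENTS = [
    {"host": "ws-01",  "user": "alice",      "src_ip": "10.0.0.5",   "dst_ip": "203.0.113.7"},
    {"host": "ws-01",  "user": "alice",      "src_ip": "10.0.0.5",   "dst_ip": "10.0.0.9"},
    {"host": "srv-09", "user": "svc_backup", "src_ip": "10.0.0.9",   "dst_ip": "10.0.0.20"},
    {"host": "srv-20", "user": "svc_backup", "src_ip": "10.0.0.20",  "dst_ip": "198.51.100.2"},
    {"host": "ws-02",  "user": "bob",        "src_ip": "10.0.0.6",   "dst_ip": "10.0.0.30"},  # unrelated noise
]

# Which event fields yield which entity kind (assumed mapping).
ENTITY_KIND = {"host": "host", "user": "user", "src_ip": "ip", "dst_ip": "ip"}

Entity = tuple[str, str]  # (kind, value)


def siem_query(value: str) -> list[dict]:
    """Stand-in for an alert-type-specific SIEM query: every event mentioning the value."""
    return [e for e in EVENTS if value in e.values()]


def extract_entities(events: list[dict]) -> set[Entity]:
    """Pull every host, user and IP out of a result set."""
    return {(ENTITY_KIND[f], e[f]) for e in events for f in ENTITY_KIND}


def investigate(seeds: set[Entity], max_depth: int) -> dict:
    """Breadth-first entity trailing.

    Entities at depth <= max_depth are queried; anything first seen one hop
    beyond that is recorded as an unexpanded lead for the analyst, so the
    depth limit never silently drops evidence.
    """
    depth_of: dict[Entity, int] = {s: 0 for s in seeds}
    queue = deque(sorted(seeds))          # FIFO keeps the walk level-by-level
    queries = 0
    while queue:
        ent = queue.popleft()
        d = depth_of[ent]
        queries += 1
        for new in sorted(extract_entities(siem_query(ent[1]))):
            if new in depth_of:           # dedup: each entity is queried at most once
                continue
            depth_of[new] = d + 1
            if d + 1 <= max_depth:        # only expand inside the depth budget
                queue.append(new)
    leads = sorted(e for e, dd in depth_of.items() if dd > max_depth)
    return {"entities": depth_of, "queries": queries, "leads": leads}


if __name__ == "__main__":
    for depth in (1, 2, 3):
        r = investigate({("host", "ws-01")}, depth)
        print(f"depth={depth}: {r['queries']} queries, {len(r['entities'])} entities, leads={r['leads']}")
```

Running the sample at depth 1 reaches the first internal pivot (10.0.0.9) but stops short of the backup account and the second server; depth 2 finds them; depth 3 exhausts the trail without ever touching the unrelated ws-02 events, which is the dedup-plus-depth behaviour the "24 SIEM queries" figure in the terminal transcript reflects.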

Compare AI SOC tools
by operating model, not by slogan.

Five dimensions matter when an MSP or enterprise SOC is choosing what to put in front of a customer. Most platforms in this category were architected for a different buyer — here's how the archetypes fall out.

Platform-bundled copilots

AI assistants tightly coupled to a specific EDR or productivity-suite license. The copilot is a feature of the bigger platform purchase.

Standalone AI SOC analysts

Independent triage and investigation tools. Typically priced for the enterprise SOC; multi-tenancy is a services wrapper.

MDR with AI overlay

Service-led offerings that compete for the customer relationship rather than through it.

Decision dimension · Platform-bundled copilots · Standalone AI SOC analysts · MDR with AI overlay · Alba

Stack freedom: Works with any SIEM, any LLM, no platform lock-in
Evidence depth: Multi-pass SIEM investigation, entity-trail following, full audit chain
Response governance: Policy-gated execution, configurable autonomy
Tenant model: Multi-tenant by architecture, not by services overlay
Cost model: Predictable, no per-alert or per-investigation tax

Legend: Strong fit · Partial · Weak / off-category

One platform.
Every customer. Every SIEM.

Alba was built from day one as a multi-tenant SOC platform. Customer isolation isn't bolted on — it's the architecture.

  • Customer-Scoped SIEM Queries

    Customer-scoped query execution is enforced through tenant mappings, RBAC, and audit logging. Every SIEM query is validated against customer-specific index patterns before it runs.

  • Cross-Customer Intelligence (Anonymized)

    Investigation memory tracks IOC prevalence across all customers. Analysts see "IOC seen across 3 customers" — never names or details.

  • Mixed SIEM Support

    Every customer on a different SIEM? No problem. One Alba instance handles all of them through unified query abstraction. No rip-and-replace required.

  • RBAC Per Analyst, Per Customer

    Analysts only see customers they're assigned to. Admins see everything. Tool permissions are enforced at execution time, not merely in the UI.

  • Automatic Queue Processing

    Configure which customers get automated analysis. Alba processes the queue, restores the previous alert owner, and tags completion. Zero manual intervention.

Customer Tenants — Live
Customer Alpha — SIEM A · 12 alerts/hr
Customer Bravo — SIEM B · 8 alerts/hr
Customer Charlie — SIEM C · 23 alerts/hr
Customer Delta — SIEM D · 5 alerts/hr
Customer Echo — SIEM A · 17 alerts/hr
All tenants isolated • 65 alerts/hr processed • 94% auto-classified

Open. Modular.
Swap anything.

Every layer is independently replaceable. Switch your LLM. Change your SIEM. Add a case management platform. Nothing breaks.

AI Engine: Local / Self-Hosted LLMs · GPU Inference Endpoints · Cloud AI Providers · Enterprise AI Platforms
Your SIEM: OpenSearch — current · Sentinel-class — adapter-ready · Security event streams · Plugin-based adapters
Intelligence: Your Threat Intel Platform · Investigation Memory · Semantic Search Index · MITRE ATT&CK
Endpoint & Identity: Microsoft Defender — current · Major EDR — adapter-ready · Identity provider context · Plugin-based adapters
Case & Ticketing: IRIS — current · ServiceNow — roadmap · Custom webhooks · REST API adapters
Channels: Web UI · Chat Bots (Slack / Teams) · REST / WebSocket API · Custom Interfaces

Predictable per-endpoint pricing.
No alert tax. No SCU meter.

No per-alert software fee. Throughput is modeled to your infrastructure, SIEM load, LLM choice, and policy — not metered against your margin.

Self-Hosted

Your Infrastructure

Deploy Alba on your own hardware. Run local LLMs for complete data sovereignty. Nothing leaves your network.

  • No per-alert software fee
  • All investigation & response tools
  • Investigation memory & semantic search
  • Multi-tenant MSSP support
  • Single-command deployment
  • Community support
Enterprise

Full Partnership

Custom deployment, dedicated support, and joint development of industry-specific capabilities.

  • Everything in Managed
  • Custom LLM fine-tuning
  • Industry threat reporting
  • Dedicated account team
  • Custom tool development
  • On-site deployment option

Scope a paid pilot.
14 days · 1 SIEM · 3 rules · clear scorecard.

A structured 14-day proof-of-value against your environment, scoped to one SIEM and three detection rules, with a defined scorecard agreed up front. Demo first if you'd rather see it run before you scope.