Detection, triage and expert response — AI-native, around the clock.
TL;DR. We run a 24/7 security operation where agents do the first 80–90% — ingestion, correlation, triage, containment proposals — and experts decide the rest. You get audit-grade incident evidence, not alert spam. EU-sovereign cloud or on-prem.
What this is about
A classic SOC scales with headcount and drowns in alerts. We invert it. Agents ingest logs across your defined sources, correlate against threat intelligence and your tenant baseline, score severity and propose containment. Humans approve the consequential actions and own the escalations. The bottleneck in regulated sectors is rarely "detect" — it's "prove". So every case produces evidence an auditor can read.
How we run it
Nova9 modules carry it: the Message Bus ingests and routes events at-least-once; the LLM Gateway runs detection and triage with governed models; Business and Endpoint Agents execute approved containment; Observability records every decision. Severity definitions and escalation ladders are explicit and in code. False positives don't eat your capacity because the triage layer learns against your baseline.
When it fits
Mittelstand and mid-cap organisations under NIS2/KRITIS pressure that can't staff a 24/7 SOC. Companies that need monitoring with provable evidence, not just a dashboard. Finance and healthcare suppliers where "show me the incident trail" is a real question.
What we don't do
We don't flood you with alerts and call it monitoring. We don't take destructive action without a human gate on consequential moves. We don't lock you in — the configuration and runbooks are yours under the clone model.
What you can hand off
- 24/7 monitoring over defined sources: log ingestion across your agreed sources and data volume, with risk-based prioritisation.
- AI triage with human escalation: agents triage to severity; experts own L3, audit, regulatory and executive communication.
- SOAR containment: isolate, block, disable, quarantine. Proposed by agents, approved by humans on consequential actions.
- Audit-grade incident evidence: every case produces a traceable evidence bundle, not just a closed ticket.
- Clone-ready runbooks: severity definitions, escalation ladder and playbooks as code, yours to take in-house.
Engagement facts
| Engagement fact | Detail |
|---|---|
| Coverage | 24/7 · AI-first with human-in-the-loop escalation |
| Scaling basis | Log sources + data volume per day |
| Deployment | EU cloud, on-premise or air-gapped |
| Escalation ladder | L1 triage → L2 root-cause → L3 audit/regulatory (DE/EU) |
| Evidence | Auditor-readable bundle per incident |
| Clone handover | Runbooks and config as code, from day 30 |
Asked before the briefing
- Is this MDR or a full SOC?
  It's a 24/7 AI-native security operation with detection, triage and human-approved response. You scale it by log sources and data volume, not by seats.
- Do agents take destructive action automatically?
  Routine, low-risk containment is automated. Consequential actions (isolating a server, disabling an account) pass a human approval gate.
- Where does our data sit?
  EU cloud, on-premise or air-gapped. No training on your data. Every token logged for audit.
- Can we move it in-house later?
  Yes. Severity definitions, escalation ladders and playbooks are code. The clone handover gives your team a running operation.
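To make the "playbooks as code" and "human approval gate" claims concrete, here is an added illustrative example of the pattern, written for this page and not Nova9's own code. It encodes the severity definitions and the L1/L2/L3 ladder as data, lets routine actions run unattended, refuses consequential actions (isolate host, disable account) until a named approver is recorded, and appends every decision to a hash-chained evidence log that an auditor can re-verify. The action names, severity thresholds, approver identity and case ID are assumptions chosen for the example.

```python
"""Illustrative policy-as-code for a human-gated containment step.

Added example, not Nova9 code. Action names, severity thresholds, the approver
identity and the case ID below are assumptions made for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

# Severity definitions as code (numeric levels are assumed, not taken from the page).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Escalation ladder from the page: L1 triage -> L2 root-cause -> L3 audit/regulatory.
ESCALATION = {1: "L1", 2: "L1", 3: "L2", 4: "L3"}

# Routine, reversible, low blast-radius actions an agent may execute unattended.
ROUTINE = {"block_ip", "quarantine_file"}
# Consequential actions that always pass a human approval gate.
CONSEQUENTIAL = {"isolate_host", "disable_account"}


class ApprovalRequired(Exception):
    """Raised when a consequential action is attempted without a recorded approver."""


@dataclass
class EvidenceLog:
    """Append-only, hash-chained record of every proposal, gate decision and execution."""

    entries: list[dict] = field(default_factory=list)

    def append(self, **record) -> dict:
        record["prev_hash"] = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def propose(case_id: str, severity: str, action: str, log: EvidenceLog) -> dict:
    """Agent side: score severity, pick the ladder tier, propose an action. Never executes."""
    tier = ESCALATION[SEVERITY[severity]]
    return log.append(case=case_id, step="proposed", action=action, severity=severity,
                      tier=tier, requires_approval=action in CONSEQUENTIAL, actor="agent")


def execute(case_id: str, action: str, log: EvidenceLog, approver: str | None = None) -> dict:
    """Gate: routine actions run; consequential ones run only after a recorded approval."""
    if action in CONSEQUENTIAL:
        if not approver:
            log.append(case=case_id, step="blocked", action=action, actor="gate",
                       reason="consequential action without approval")
            raise ApprovalRequired(action)
        log.append(case=case_id, step="approved", action=action, actor=approver)
    elif action not in ROUTINE:
        raise ValueError(f"unknown action {action!r}")
    # The real containment call (SOAR/endpoint agent) would go here; this example
    # only records the decision so the evidence chain can be inspected.
    return log.append(case=case_id, step="executed", action=action, actor=approver or "agent")


def demo() -> EvidenceLog:
    """Constructed walk-through: one routine action, one gated action, then an approved re-run."""
    log = EvidenceLog()
    propose("INC-0001", "medium", "block_ip", log)
    execute("INC-0001", "block_ip", log)                 # routine: runs unattended
    propose("INC-0001", "critical", "isolate_host", log)
    try:
        execute("INC-0001", "isolate_host", log)         # consequential: blocked
    except ApprovalRequired:
        pass
    execute("INC-0001", "isolate_host", log, approver="analyst.l2@example")  # assumed approver
    return log


if __name__ == "__main__":
    evidence = demo()
    for entry in evidence.entries:
        print(entry["step"], entry["action"], entry["actor"])
    print("chain intact:", evidence.verify())
```

The point of the chain is the audit question the page raises: an auditor can replay `verify()` over the bundle and see not only that the host was isolated, but that the agent proposed it, the gate blocked it, and a named human approved it before execution, with any later tampering of an entry breaking the hash chain.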
A SOC that proves, not just detects.
We show the detection and triage flow against your log sources, and the evidence bundle an auditor would actually read.