Frequently asked questions
Common questions from analysts, SOC leads and security buyers.
Does SOCPilot replace my SIEM or EDR?
No. SOCPilot sits beside the existing security stack and reads from it. Customers continue to operate their SIEM, EDR and identity providers.
Will SOCPilot take action without an analyst?
No. High-impact actions (isolate, disable, rotate, block) always require human approval. Read-only mode is the default for new deployments.
How is customer data isolated?
Customer data is isolated with per-tenant encryption keys, row-level security on every table, and per-integration scoped credentials. Cross-tenant access is impossible at the database layer.
What happens to my data if we cancel?
Data is hard-deleted on the schedule set by the customer's retention configuration. Exports remain available until the cancellation date.
Can analysts override the model?
Always. Every verdict is shown with its underlying evidence so analysts can override it. Overrides feed back into triage learning.
Is SOCPilot SOC 2 / ISO 27001 audited?
SOCPilot is built around SOC 2 Type II and ISO 27001 controls and exposes audit-ready evidence packs. The current attestation status is on the Security page.