Trust center

Built for evidence, approval, and control.

SOCPilot is designed to investigate alerts safely — with source-linked evidence, human approval for high-impact actions, and clear audit trails.

Operating model

How SOCPilot operates by default.

The defaults are conservative on purpose. You can opt into more automation, but you start from a position of control.

Read-only investigation mode

Investigations run without write access by default. Containment and identity actions are opt-in per integration, environment, and role.

Human-approved response

High-impact actions — host isolation, key rotation, account disablement — require named human approval. AI proposes; humans decide.

Least-privilege integrations

Integrations request only the scopes they need. We document each permission and show a one-click revoke at the source.

Source-linked evidence

Every recommendation references the underlying log line, process tree, or identity event. No black-box verdicts.

Audit trails

Every approval, suppression, edit, and export is timestamped, attributable, and exportable for review.

Role-based access

Owner, Admin, SOC Lead, Analyst, Viewer, and Auditor — enforced at the database. Roles never live on user objects.

Data handling

Security telemetry, treated as sensitive.

The telemetry SOCPilot processes is exactly the data attackers want. We treat it accordingly.

Telemetry treated as sensitive

Security logs and identity events are handled as sensitive data. Access is scoped per workspace and per role.

Secrets not displayed after setup

API keys, webhook secrets, and integration credentials are not echoed back in the UI once stored. Rotation is one click.

Server-side processing for keys

AI provider keys, webhook signing, API key hashing, and integration execution run server-side, not in the browser.

Demo data can be removed

Sample alerts and seeded investigations can be cleared from Settings → Data Retention. Demo mode never executes external actions.

Controlled export workflows

Exports of investigations, audit logs, and compliance packs go through a request workflow with audit logging.

AI safety

AI investigates. Humans approve impact.

SOCPilot uses AI to investigate alerts and draft narratives. It does not silently take action.

AI outputs are drafts

Every AI-generated triage verdict, narrative, or brief is labelled as a draft until a human reviews it.

Recommendations point to evidence

Each recommendation references the evidence it relied on. If you can't see the evidence, it isn't a recommendation.

High-impact actions require approval

Containment, identity changes, and key rotation always need named human approval. Approvals are recorded.

Missing data is disclosed

When telemetry is missing for a verdict, the AI marks the gap. We don't silently fill blanks.

No black-box silent suppression

Suppression rules are visible, attributable, reversible, and logged. Nothing is quietly hidden from analysts.

Compliance posture

Verified certifications and audits.

  • SOC 2 Type II compliant. Audit completed January 2026. Scope covers the SOCPilot SaaS multi-tenant production environment.
  • ISO 27001 — in progress. Stage 2 audit scheduled for August 2026. SOCPilot is not yet ISO 27001 certified.
  • Penetration test. Annual test conducted by Kestrel Cyber in November 2025.
  • PCI DSS / NIST CSF. Used for control mapping to support customer audits, not as SOCPilot certifications.

SOCPilot prepares evidence packs for review but does not guarantee your organization's compliance. Final certification is determined by your auditor, scope, and controls implemented across your environment.

Cryptography, retention, access

The controls, stated plainly.

  • TLS 1.3 in transit; AES-256 at rest via AWS KMS.
  • Raw telemetry retained 30 days; investigation narratives 90 days; executive briefs and compliance packs 365 days.
  • Automated hard delete at retention expiry; manual purge available via API.
  • RBAC roles: Platform Admin, Tenant Admin, Security Engineer, SOC Analyst (Read/Edit), Executive (Read-only).
  • SAML 2.0 and OIDC supported; MFA mandatory for Admin and Engineer roles.
  • Immutable audit logs for Approve/Reject/Edit actions retained 180 days.
  • Standard data residency: US-East-1. EU-Central-1 available for EMEA clients.
  • Subprocessors: AWS, Pinecone, Anthropic (via private API).

AI / model policy

Customer telemetry is not used to train models by default.

By default, customer telemetry is used for contextual enrichment only and is not used to train underlying LLM/ML models. Training use is opt-in only and requires the Tenant Admin to enable Global Intelligence.

Authority boundaries

Automatic vs. human-approved.

Automatic

  • Entity correlation
  • Timeline sequencing
  • Evidence collection
  • Brief generation

Human approval required

  • Escalating to Critical status
  • Updating downstream tickets in Jira / ServiceNow
  • Final case closure

Responsible automation

Automation with brakes.

Every layer of automation has an off switch and an approval boundary.

Recommendation mode

AI proposes; humans decide. The default mode for new workspaces.

Approval gates

Per-action and per-role approval policies. Two-person sign-off available.

Kill switch

Pause all automated response and playbooks instantly from Settings → Security.

Read-only defaults

New integrations connect read-only. Write scopes require explicit opt-in.

Manual execution fallback

If a vendor API isn't supported, SOCPilot produces step-by-step manual instructions instead of pretending.

Security & legal

Security disclosure & legal

Vulnerability reports, DPA requests, subprocessor list, and legal questions.

legal@socpilot.co

Customer support

Support & pilot questions

Setup help, integrations, demo workspace questions, and pilot coordination.

support@socpilot.co

See it for yourself

Investigate a real case in a sandbox.