Built for evidence, approval, and control.
SOCPilot is designed to investigate alerts safely — with source-linked evidence, human approval for high-impact actions, and clear audit trails.
How SOCPilot operates by default.
The defaults are conservative on purpose. You can opt into more automation, but you start from a position of control.
Investigations run without write access by default. Containment and identity actions are opt-in per integration, environment, and role.
High-impact actions — host isolation, key rotation, account disablement — require named human approval. AI proposes; humans decide.
Integrations request only the scopes they need. We document each permission and show a one-click revoke at the source.
Every recommendation references the underlying log line, process tree, or identity event. No black-box verdicts.
Every approval, suppression, edit, and export is timestamped, attributable, and exportable for review.
Owner, Admin, SOC Lead, Analyst, Viewer, and Auditor — enforced at the database. Roles never live on user objects.
Security telemetry, treated as sensitive.
The telemetry SOCPilot processes is exactly the data attackers want. We treat it accordingly.
Security logs and identity events are handled as sensitive data. Access is scoped per workspace and per role.
API keys, webhook secrets, and integration credentials are not echoed back in the UI once stored. Rotation is one click.
AI provider keys, webhook signing, API key hashing, and integration execution run server-side, not in the browser.
Sample alerts and seeded investigations can be cleared from Settings → Data Retention. Demo mode never executes external actions.
Exports of investigations, audit logs, and compliance packs go through a request workflow with audit logging.
AI investigates. Humans approve impact.
SOCPilot uses AI to investigate alerts and draft narratives. It does not silently take action.
Every AI-generated triage verdict, narrative, or brief is labelled as a draft until a human reviews it.
Each recommendation references the evidence it relied on. If you can't see the evidence, it isn't a recommendation.
Containment, identity changes, and key rotation always need named human approval. Approvals are recorded.
When telemetry is missing for a verdict, the AI marks the gap. We don't silently fill blanks.
Suppression rules are visible, attributable, reversible, and logged. Nothing is quietly hidden from analysts.
Verified certifications and audits.
- SOC 2 Type II compliant. Audit completed January 2026. Scope covers the SOCPilot SaaS multi-tenant production environment.
- ISO 27001 — in progress. Stage 2 audit scheduled for August 2026. SOCPilot is not yet ISO 27001 certified.
- Penetration test. Annual test conducted by Kestrel Cyber in November 2025.
- PCI DSS / NIST CSF. Used for control mapping to support customer audits, not as SOCPilot certifications.
SOCPilot prepares evidence packs for review but does not guarantee your organization's compliance. Final certification is determined by your auditor, scope, and controls implemented across your environment.
The controls, stated plainly.
- TLS 1.3 in transit; AES-256 at rest via AWS KMS.
- Raw telemetry retained 30 days; investigation narratives 90 days; executive briefs and compliance packs 365 days.
- Automated hard delete at retention expiry; manual purge available via API.
- RBAC roles: Platform Admin, Tenant Admin, Security Engineer, SOC Analyst (Read/Edit), Executive (Read-only).
- SAML 2.0 and OIDC supported; MFA mandatory for Admin and Engineer roles.
- Immutable audit logs for Approve/Reject/Edit actions retained 180 days.
- Standard data residency: US-East-1. EU-Central-1 available for EMEA clients.
- Subprocessors: AWS, Pinecone, Anthropic (via private API).
Customer telemetry is not used to train models by default.
Automatic vs. human-approved.
- Entity correlation
- Timeline sequencing
- Evidence collection
- Brief generation
- Escalating to Critical status
- Updating downstream tickets in Jira / ServiceNow
- Final case closure
Automation with brakes.
Every layer of automation has an off switch and an approval boundary.
AI proposes; humans decide. The default mode for new workspaces.
Per-action and per-role approval policies. Two-person sign-off available.
Pause all automated response and playbooks instantly from Settings → Security.
New integrations connect read-only. Write scopes require explicit opt-in.
If a vendor API isn't supported, SOCPilot produces step-by-step manual instructions instead of pretending.
Vulnerability reports, DPA requests, subprocessor list, and legal questions.
legal@socpilot.co
Setup help, integrations, demo workspace questions, and pilot coordination.
support@socpilot.co