How evidence-backed triage works

Every verdict ships with the signals behind it: source context, entities, related activity, confidence, risk and what is missing.

Last updated 4/21/2026

Every alert SOCPilot processes is reviewed against six dimensions before a verdict is shown. The analyst sees all of them — there is no opaque "trust me" score.

What goes into a verdict

  • Source context — which sensor, integration and rule produced the alert, and what its historic precision looks like in this workspace
  • Affected entities — user, host, IP, domain, key or service, with current risk score
  • Related activity — correlated alerts, prior investigations, baseline patterns and adjacent timeline events
  • Confidence — the model's confidence in the verdict, expressed as a number, not a label
  • Risk score — the blast radius if the verdict is correct
  • Missing evidence — explicit list of signals that would have improved confidence but were not available

What you see on an alert

The alert detail view shows the verdict, the confidence number, the recommended decision, and an evidence panel. Each evidence row includes the raw reference so analysts can pivot back to the source tool.

Override is always available

Analyst decisions are recorded against the alert and the investigation. The model uses overrides as feedback (see false-positive learning).
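As an added illustration (not SOCPilot's own code), this shows how two of the dimensions described above, a rule's historic precision and the explicit missing-evidence list, can be derived from recorded analyst decisions; the decision labels, signal names and confidence weighting are assumptions, and the decisions and alert are constructed samples.

```python
from collections import Counter

# Constructed sample of recorded analyst decisions: (rule_id, decision).
# "tp"/"fp" labels are assumed; SOCPilot's real schema is not documented here.
DECISIONS = [
    ("okta-impossible-travel", "tp"), ("okta-impossible-travel", "fp"),
    ("okta-impossible-travel", "fp"), ("okta-impossible-travel", "fp"),
    ("edr-lsass-access", "tp"), ("edr-lsass-access", "tp"),
]

# Signals the verdict expects in the alert payload (assumed names); any that are
# absent are listed explicitly as missing evidence instead of being skipped silently.
EXPECTED_SIGNALS = ("entities", "related_activity", "risk_score")
PENALTY_PER_MISSING = 0.25  # assumed weighting, not SOCPilot's

def historic_precision(rule_id, decisions, prior_tp=1, prior_total=2):
    """Share of this rule's past alerts that analysts confirmed as true positives.
    Laplace-smoothed: a rule seen once is not reported as exactly 0% or 100%,
    and a rule never seen before lands at 0.5."""
    counts = Counter(d for r, d in decisions if r == rule_id)
    total = sum(counts.values())
    return (counts["tp"] + prior_tp) / (total + prior_total)

def build_verdict(alert, decisions):
    """Assemble the six dimensions for one alert. Confidence is a number, never a
    label, and it drops for every expected signal the alert did not carry."""
    rule_id = alert["rule_id"]
    precision = historic_precision(rule_id, decisions)
    missing = [s for s in EXPECTED_SIGNALS if s not in alert]
    confidence = precision * max(0.0, 1.0 - PENALTY_PER_MISSING * len(missing))
    return {
        "source_context": {"rule_id": rule_id, "historic_precision": precision},
        "entities": alert.get("entities", []),
        "related_activity": alert.get("related_activity", []),
        "confidence": confidence,
        "risk_score": alert.get("risk_score"),
        "missing_evidence": missing,
    }

# Constructed alert: the sensor supplied entities and correlations but no risk score.
ALERT = {
    "rule_id": "edr-lsass-access",
    "entities": [{"host": "ws-017", "user": "jdoe"}],
    "related_activity": ["INV-0042"],
}

if __name__ == "__main__":
    print(build_verdict(ALERT, DECISIONS))
```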