How evidence-backed triage works
Every verdict ships with the signals behind it: source context, entities, related activity, confidence, risk and what is missing.
Every alert SOCPilot processes is reviewed against six dimensions before a verdict is shown. The analyst sees all of them — there is no opaque "trust me" score.
What goes into a verdict
- Source context — which sensor, integration and rule produced the alert, and what its historic precision looks like in this workspace
- Affected entities — user, host, IP, domain, key or service, with current risk score
- Related activity — correlated alerts, prior investigations, baseline patterns and adjacent timeline events
- Confidence — the model's confidence in the verdict, expressed as a number, not a label
- Risk score — the blast radius if the verdict is correct
- Missing evidence — explicit list of signals that would have improved confidence but were not available
What you see on an alert
The alert detail view shows the verdict, the confidence number, the recommended decision, and an evidence panel. Each evidence row includes the raw reference so analysts can pivot back to the source tool.
Override is always available
Analyst decisions are recorded against the alert and the investigation. The model uses overrides as feedback (see false-positive learning).
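The six-dimension contract above, plus the raw-reference rule for evidence rows and the recording of analyst overrides, expressed as a completeness check. This is an added example, not SOCPilot's own code: the key names (`source_context`, `raw_ref`, `decision_trail` and so on) are assumptions that model the page's description, since the real schema is not shown.

```python
"""Completeness check for an evidence-backed verdict.

Added example, not SOCPilot code: the key names are assumptions that model
the six dimensions listed on the page; SOCPilot's real schema is not shown.
"""
from numbers import Real

# One key per dimension: source context, entities, related activity,
# confidence, risk score, missing evidence.
REQUIRED_DIMENSIONS = (
    "source_context", "entities", "related_activity",
    "confidence", "risk_score", "missing_evidence",
)


def verdict_problems(verdict: dict) -> list[str]:
    """Return every reason the verdict is not fully evidence-backed.

    An empty list means all six dimensions are present, confidence is a
    number rather than a label, and each evidence row keeps the raw
    reference an analyst needs to pivot back to the source tool.
    """
    problems = [f"missing dimension: {d}" for d in REQUIRED_DIMENSIONS if d not in verdict]
    if "confidence" in verdict:
        conf = verdict["confidence"]
        # bool is a Real subclass in Python; reject it explicitly.
        if isinstance(conf, bool) or not isinstance(conf, Real) or not 0.0 <= conf <= 1.0:
            problems.append("confidence must be a number in [0, 1], not a label")
    if "missing_evidence" in verdict and not isinstance(verdict["missing_evidence"], list):
        problems.append("missing_evidence must be an explicit list (empty is allowed)")
    for i, row in enumerate(verdict.get("evidence", [])):
        if not row.get("raw_ref"):
            problems.append(f"evidence row {i} lacks a raw reference to the source tool")
    return problems


def record_override(verdict: dict, analyst: str, decision: str) -> dict:
    """Append an analyst override to the verdict's decision trail (assumed field)."""
    trail = verdict.setdefault("decision_trail", [])
    trail.append({"analyst": analyst, "decision": decision,
                  "model_verdict": verdict.get("verdict")})
    return verdict


# Constructed sample: a label instead of a number, and a row with no raw reference.
OPAQUE_VERDICT = {
    "verdict": "malicious", "source_context": {"rule": "example-rule"},
    "entities": ["host-01"], "related_activity": [], "confidence": "high",
    "risk_score": 72, "missing_evidence": [],
    "evidence": [{"summary": "login burst", "raw_ref": None}],
}
```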