Alba is live
Autonomous alert investigation for multi-SIEM SOC and MSSP teams

Real investigations, not just triage.
Your SIEM. Your LLM. No migration.

Point Alba at the alerts assigned to your team and it works them inside the stack you already run — pulling context, chasing every entity lead across the SIEM, weighing the evidence, and reaching a confidence-scored verdict. It then proposes a response, or carries one out within the limits each customer sets.

Autonomy mode
Recommend · Approve · Auto-action
Audit trail
Every step recorded
Human oversight
Tunable per action
Tenant isolation
RBAC on every query
Response actions
Enabled per customer
Request a Paid Pilot → See How It Works
alba analyst — alert #555833
alba > analyze 555833 --depth 1
 
[1/7] Fetching alert from case management...
[2/7] Extracting IOCs: 12 IPs, 3 domains, 2 hashes
[3/7] Enriching via threat intelligence (400+ feeds)...
     2 suspicious • 0 malicious
[4/7] History: Rule fired 47x, 94% FP rate (30d)
[5/7] SIEM depth=1: 14 queries → 10 follow-up
     Discovered: 4 hosts, 2 users, 6 IPs
[6/7] Memory: 3 similar past investigations found
[7/7] Generating analysis...
 
✓ Classification: True Positive — HIGH confidence
   ▶ Isolating compromised endpoint via EDR...
✓ Endpoint isolated • Incident ticket created
✓ Posted to case management • Tagged • Indexed
   62.1s total • 24 SIEM queries • 3,156 tokens
Multi-tenant SOC Control Plane
Alba SOC Dashboard — multi-tenant overview
Threat Intelligence & Dark Web Monitoring
Alba Threat Intelligence — dark web entity graph
Tenant-scoped RBAC
Full audit logging
BYO data residency
GDPR-ready data flows
SOC 2 Type II in progress
<90s
Average investigation time
30+
Investigation & response tools
400+
Threat intel feeds supported
0
Vendor lock-in required
Governed Autonomy

Automated where you allow it.
Held for a human where you don't.

Each customer decides how far Alba goes on its own — surface a recommendation, wait for sign-off, or act automatically — set per class of action. And nothing happens off the record: queries, enrichment, classifications, and responses all land in the audit trail.

01 · Autonomy Mode
Configurable autonomy
Recommend-only, approval-gated, or auto-action — selectable per action class and per customer tenant.
02 · Audit Trail
Every step logged
SIEM queries, enrichment results, classification reasoning, and response actions written to a tamper-evident audit log.
03 · Safety Gates
Five gates before any action
Classification, confidence threshold, alert age, allow/deny lists, and risk ceilings — an action runs only when all five clear.
04 · Tenant Isolation
RBAC at every query
Every query runs inside the requesting customer's boundary — scoped by tenant mapping, gated by role-based access control, and written to the audit log.
05 · Response Actions
Enabled per customer
Response capabilities are enabled per-customer. Above-ceiling actions escalate to a human instead of executing.
The Problem

Most AI SOC tools were built for
someone else's business model.

The category was built for enterprise SOCs with full-stack commitments. MSPs and MSSPs operating across mixed customer stacks have different constraints — and most platforms work against them.

  • Built for one stack at a time

    Most AI analysts are tightly coupled to a specific EDR, SIEM, or productivity-suite license. If your customers run mixed stacks, you're operating multiple platforms — or asking customers to migrate.

  • Pricing models built for enterprise SOCs

    Per-investigation, per-SCU, or platform-bundled pricing scales with alert volume — the opposite of what an MSP needs as customer count grows. Your margin shouldn't move when alert volume does.

  • Triage assistants, not investigators

    Many AI SOC products stop at real or not real. They don't pivot across the SIEM, follow entity trails, or close the response loop — that work still falls to your analysts.

  • Multi-tenancy as a services overlay

    Where MSP support exists, it's often a services wrapper around a single-tenant product. Onboarding tenant 47 becomes a project, not a config change.

Five questions to ask any AI SOC vendor

1. Stack independence
Works with my customers' SIEMs and LLMs without forcing migration?
2. Depth of investigation
Multi-pass investigation, or stops at triage?
3. Response controls
Executes actions under policy gates, or recommends only?
4. Multi-tenancy
Multi-tenant by architecture, or services-wrapped?
5. Pricing structure
Pricing scales with my margin, or against it?
Judged by how it operates. Not how it's sold.
Capabilities

Not a copilot.
A full autonomous analyst.

Alba doesn't wait for you to ask questions. It triages the queue, investigates alerts end-to-end, and posts its analysis. Then it learns from the outcome.

Layer 01 The Investigation Engine Ingest, enrich, investigate, classify.

Autonomous Alert Triage

Processes your entire alert queue automatically. Fetches context, extracts IOCs, enriches via your threat intelligence platform, runs SIEM queries, and classifies with confidence scores.

Multi-Pass SIEM Investigation

Doesn't stop at the first query. Discovers entities in SIEM results, follows trails across hosts, users, and IPs. Iterates until every lead is exhausted.

Threat Intelligence Enrichment

Every IOC enriched through your threat intelligence platform — OSINT, commercial, and proprietary feeds. MITRE ATT&CK mapping. Dark web monitoring. Per-IOC depth scoring.

EDR & Identity Context

Microsoft Defender integrated today; major EDRs adapter-ready. Pull endpoint telemetry, device timelines, and identity-context signals into the investigation flow.

Phishing Investigation in Chat

Phishing isn't a separate product — the chat agent, EDR, and TI tools handle suspect emails in the same investigation flow as everything else. Headers, URLs, attachments, sender reputation.

Layer 02 Controls & Oversight Policy-gated execution. Full audit chain.

Alert-Specific Remediation

Every investigation produces a tailored response plan. Alba executes it through five safety gates (classification, confidence, age, allow/deny, risk ceiling) against an 18-action catalog spanning EDR, case management, and threat intelligence — or hands the plan to the analyst with one-click approval.

Automation Policies

Customer-tunable rules for the repeat patterns. JSON conditions, configurable actions (close, tag, comment, assign, escalate), full audit trail. Run unattended on the high-confidence long tail.

Full Transparency & Debug

Debug mode exposes every query Alba runs against your SIEM. Full audit trails. Structured logging with timing and cost metrics. You see exactly what Alba did and why.

Layer 03 Compounding Leverage Memory, search, ChatOps, the flywheel.

Investigation Memory

Alba remembers every investigation. False positive rates per detection rule. IOC prevalence across customers. Historical context that makes every new analysis smarter.

Cross-Customer TI Flywheel

Confirmed true-positive IOCs are pushed back into the AlbaCyber Threat Exchange with TLP marking, scoring, and provenance labels. Every confirmed TP your tenants see makes every other tenant smarter.

Detection Rule Auditing

Automatically audits every detection rule across your SIEM. Finds broken syntax, silent encoding failures, case sensitivity issues. Auto-generates corrected rules and validates them end-to-end.

Semantic Investigation Search

Search thousands of past investigations by meaning, not just keywords. "Have we seen this attack pattern before?" Answers in milliseconds, with cross-customer anonymization.

Interactive Chat & Slack Bot

Natural language interface via web UI or Slack with RBAC-gated tools. Real-time streaming. Ask "search for lateral movement in the last 24h" and watch Alba work.

How It Works

From alert to answer
in under 90 seconds.

Alba runs a 17-step investigation pipeline for every alert. Here's the path from raw alert to classified, contextualised outcome.

01

Ingest & Extract

Fetch alert from your case management platform. Parse alert context, source content, and detection query. Extract IOCs from text with junk filtering. Deduplicate.

Case mgmt connectors IOC Extraction Alert Pipeline
02

Enrich & Correlate

Every IOC is enriched through your threat intelligence platform. Cross-referenced against investigation history for prevalence. Detection rule exceptions are pre-analyzed for syntax bugs.

Threat Intelligence Historical Context Detection Analysis
03

Investigate (Multi-Pass)

Run alert-type-specific SIEM queries against your existing platform. Extract new entities from results. Follow the trail: discovered hosts, users, IPs feed follow-up queries. Repeat until exhausted or depth limit.

SIEM connectors Multi-Pass Depth Entity Trailing
04

Analyze & Classify

Full context sent to your chosen LLM for analysis. Executive summary, evidence chain, MITRE mapping, confidence score. If prior analysis exists, Alba states agreement or disagreement.

Any LLM Local or Cloud Swap at Runtime
05

Respond & Remediate

For confirmed threats: isolate hosts via your EDR, block IPs at the firewall, disable compromised accounts in your identity provider, create incidents in your ITSM. Each action is configurable: autonomous, approval-gated, or recommend-only.

Any EDR Any Identity Provider Any ITSM Playbooks
06

Remember & Improve

Post analysis to case management. Tag and close the alert. Store the outcome for future context. Index the investigation for semantic recall. Notify your team. The next investigation is already smarter.

Case Management Investigation Memory Semantic Index ChatOps
How to Evaluate

Judge these tools by how they operate,
not by how they're marketed.

Five dimensions matter when an MSP or enterprise SOC is choosing what to put in front of a customer. Most platforms in this category were architected for a different buyer — here's how the archetypes fall out.

Platform-bundled copilots

AI assistants tightly coupled to a specific EDR or productivity-suite license. The copilot is a feature of the bigger platform purchase.

Standalone AI SOC analysts

Independent triage and investigation tools. Typically priced for the enterprise SOC; multi-tenancy is a services wrapper.

MDR with AI overlay

Service-led offerings that compete for the customer relationship rather than through it.

Evaluation dimension Platform-bundled
copilots		 Standalone
AI SOC analysts		 MDR with
AI overlay		 Alba
Stack independence
Works with any SIEM, any LLM, no platform lock-in
Depth of investigation
Multi-pass SIEM investigation, entity-trail following, full audit chain
Response controls
Policy-gated execution, configurable autonomy
Multi-tenancy
Multi-tenant by architecture, not by services overlay
Pricing structure
Predictable, scales with endpoints not alert volume
Strong fit Partial Weak / off-category
Built for MSSPs

One platform.
Every customer. Every SIEM.

Alba was built from day one as a multi-tenant SOC platform. Customer isolation isn't bolted on — it's the architecture.

  • Customer-Scoped SIEM Queries

    Every query runs inside the requesting customer's boundary — scoped by tenant mapping, gated by role-based access control, and written to the audit log. Each SIEM query is validated against that customer's index patterns before it runs.

  • Cross-Customer Intelligence (Anonymized)

    Investigation memory tracks IOC prevalence across all customers. Analysts see "IOC seen across 3 customers" — never names or details.

  • Mixed SIEM Support

    Every customer on a different SIEM? No problem. One Alba instance handles all of them through unified query abstraction. No rip-and-replace required.

  • RBAC Per Analyst, Per Customer

    Analysts only see customers they're assigned to. Admins see everything. Tool permissions are enforced at execution time, not the UI.

  • Automatic Queue Processing

    Configure which customers get automated analysis. Alba processes the queue, restores the previous alert owner, and tags completion. Zero manual intervention.

Customer Tenants — Live
Customer Alpha — SIEM A 12 alerts/hr
Customer Bravo — SIEM B 8 alerts/hr
Customer Charlie — SIEM C 23 alerts/hr
Customer Delta — SIEM D 5 alerts/hr
Customer Echo — SIEM A 17 alerts/hr
All tenants isolated • 65 alerts/hr processed • 94% auto-classified
Architecture

Open. Modular.
Swap anything.

Every layer is independently replaceable. Switch your LLM. Change your SIEM. Add a case management platform. Nothing breaks.

AI Engine
Local / Self-Hosted LLMs
GPU Inference Endpoints
Cloud AI Providers
Enterprise AI Platforms
Your SIEM
OpenSearch — current
Sentinel-class — adapter-ready
Security event streams
Plugin-based adapters
Intelligence
Your Threat Intel Platform
Investigation Memory
Semantic Search Index
MITRE ATT&CK
Endpoint & Identity
Microsoft Defender — current
Major EDR — adapter-ready
Identity provider context
Plugin-based adapters
Case & Ticketing
IRIS — current
ServiceNow — roadmap
Custom webhooks
REST API adapters
Channels
Web UI
Chat Bots (Slack / Teams)
REST / WebSocket API
Custom Interfaces
Pricing

Priced to come out ahead.
A flat per-endpoint fee, plus the AI it runs.

A small monthly fee per protected endpoint, plus a simple markup on the LLM usage Alba's investigation engine drives. Because Alba clears the queue your analysts can't, most teams spend less per resolved alert than they do today — even after the markup.

Self-Hosted

Your Infrastructure

Deploy Alba on your own hardware. Run local LLMs for complete data sovereignty. Nothing leaves your network.

  • Predictable per-endpoint pricing
  • All investigation & response tools
  • Investigation memory & semantic search
  • Multi-tenant MSSP support
  • Single-command deployment
  • Community support
Request a Pilot →
Managed

We Run It For You

Fully managed Alba deployment. We handle infrastructure, updates, and scaling. You handle investigations.

  • Everything in Self-Hosted
  • Cloud LLM providers included
  • Managed infrastructure
  • SLA-backed uptime
  • Priority support
  • Custom integrations
Request a Pilot →
Enterprise

Full Partnership

Custom deployment, dedicated support, and joint development of industry-specific capabilities.

  • Everything in Managed
  • Custom LLM fine-tuning
  • Industry threat reporting
  • Dedicated account team
  • Custom tool development
  • On-site deployment option
Talk to Us →
Get Started

Run a paid proof of value.
Two weeks · one SIEM · three rules · a scorecard you sign off.

A two-week proof of value run against your own environment — one SIEM, three detection rules, and a scorecard you agree to before it starts. Prefer to see it run first? Take the demo.

Request a Pilot → Request a Demo