And built an autonomous SoC that refuses to act on what it can't prove

MohammadKhubaib1 pts0 comments

DomeSOC — the AI SOC that proves it isn't hallucinating

Every AI claim graded vs evidence<br>independent grounding gate · over-claim rate measured

25 live connectors · of 46 tiles<br>"live" = fires on a connected path

25 response actions · 7 domains<br>~23 execute through your connected tools

Exhibit · Grounding

The difference

Most "AI SOC" tools can't tell you when their AI is wrong.

DomeSOC can. An independent grounding gate reads every claim — from each investigation agent and the decision advisor — and grades it against the detection's actual evidence. Claims it can't support are flagged and stripped , and the analyst sees exactly what's proven, what's hypothesis, and what the AI over-reached on.

UPSTREAM GATE — PER-CLAIM VERDICTDET-7F3A

GroundedBeaconing — periodic callback 60s ± 2s · derived_evidence

GroundedDestination flagged malicious · abuseipdb 92/100

Unsupported"Exfiltration in progress" — no egress volume in evidence · stripped

GroundedSkeptic rebuttal: "no maintenance window" recognized as a rebuttal, not penalized · negation-aware

6 GROUNDED · 1 UNSUPPORTED flagged · recorded per component.

Grades, flags, and surfaces — it doesn't hide<br>The gate is independent of the AI it checks. Honest rebuttals ("no evidence of beaconing") are recognized as rebuttals, not penalized — so the flags you see are real over-reaches, not noise.

We measure our own over-claim rate<br>Every flagged claim is recorded per component and queryable. When we change a prompt, we measure whether over-claims went up or down — and only ship it if they didn't.

So you can trust the calls that matter<br>When the AI recommends isolating a host, you can see which claims are evidence-backed and which were stripped — before you, or your policy, act on it.

Exhibit · Investigation

Not a chatbot over your alerts

Every detection is worked by a team — then graded.

Four specialists investigate each detection in parallel, plus a devil's-advocate whose only job is to argue the benign case so nothing goes unchallenged. Their findings feed the decision advisor — and then the grounding gate grades every claim they made against the evidence.

INVESTIGATION — 4 SPECIALISTS + SKEPTIC · PARALLELSEV ≥ 2

Threat HunterBehavior → TTPs · kill-chain stage

Intel AnalystAttribution + IOC reputation — only where MISP / OTX / VirusTotal confirms

ForensicsBlast-radius + evidence-preservation priority

Skeptic ⚖Devil's advocate — argues the strongest benign / alternative case

AdvisorWeighs all five + per-tenant calibration into one recommendation, with a written rationale

Then every finding is graded by the upstream gate — the Skeptic's rebuttals recognized as rebuttals, not penalized.

Exhibit · Calibration

The moat

Threat intel says what attackers do in general. Calibration learns what's normal for you.

The gate's flags and your analysts' approve / dismiss decisions feed a per-tenant false-positive profile and entity reputation. The AI gets more precise on your environment — your noisy entities, your assets, your patterns. It's a mechanism that compounds with use, not a number we ask you to take on faith.

PER-TENANT CALIBRATION — THIS ENVIRONMENTMEASURED

reviewed alerts38

dismissed as false-positive11

entity 10.20.1.77 reputationdown-weighted ↓

FP profile measured on reviewed alerts · this environment only — not a benign-traffic rate.

Sequence · Pipeline

The loop, end to end

Ingest to contained — a full investigate → decide → ground → respond loop.

01<br>Investigate<br>Four specialist agents work the detection in parallel — plus a devil's-advocate that argues the benign case so nothing goes unchallenged.<br>Threat Hunter · Intel Analyst · Forensics · Skeptic

02<br>Decide<br>A decision advisor weighs the evidence, the per-tenant calibration, and the kill-chain context into a single recommendation with a written rationale.

03<br>Ground<br>Every claim — agents' and advisor's — is graded against the evidence. Unsupported claims are flagged and stripped before the decision is shown.

04<br>Respond<br>On your approval, or autonomously by your policy, containment executes through the tools you already own.

EndpointIdentityNetworkEmailCloudTicketingIntel

Exhibit · Controls

Trust & control

Built to be audited — and to keep a human in the loop until you say otherwise.

Tamper-evident<br>WORM evidence<br>Every decision and its evidence chain is hash-chained and sealed to S3 Object-Lock (compliance mode) on resolve — write-once, independently verifiable.

Per-action<br>Autonomy you dial<br>Three tiers — recommend-only, autonomous-above-threshold, full-autonomous — and you set the level independently for each response action.

No black box<br>Explained decisions<br>Every detection gets a written threat assessment; every action a plain-English reason, with the graded claims behind it.

Multi-tenant isolation · ADR-001Role-based accessMFA · SSO-ready~150k+ events/sec/core · load-tested (detection stage)

Exhibit · Integrations

Plugs into your stack

25 live connectors — they fire...

evidence claim gate detection graded exhibit

Related Articles