DomeSOC — the AI SOC that proves it isn't hallucinating
Every AI claim graded vs evidence<br>independent grounding gate · over-claim rate measured
25 live connectors · of 46 tiles<br>"live" = fires on a connected path
25 response actions · 7 domains<br>~23 execute through your connected tools
Exhibit · Grounding
The difference
Most "AI SOC" tools can't tell you when their AI is wrong.
DomeSOC can. An independent grounding gate reads every claim — from each investigation agent and the decision advisor — and grades it against the detection's actual evidence. Claims it can't support are flagged and stripped , and the analyst sees exactly what's proven, what's hypothesis, and what the AI over-reached on.
UPSTREAM GATE — PER-CLAIM VERDICTDET-7F3A
GroundedBeaconing — periodic callback 60s ± 2s · derived_evidence
GroundedDestination flagged malicious · abuseipdb 92/100
Unsupported"Exfiltration in progress" — no egress volume in evidence · stripped
GroundedSkeptic rebuttal: "no maintenance window" recognized as a rebuttal, not penalized · negation-aware
6 GROUNDED · 1 UNSUPPORTED flagged · recorded per component.
Grades, flags, and surfaces — it doesn't hide<br>The gate is independent of the AI it checks. Honest rebuttals ("no evidence of beaconing") are recognized as rebuttals, not penalized — so the flags you see are real over-reaches, not noise.
We measure our own over-claim rate<br>Every flagged claim is recorded per component and queryable. When we change a prompt, we measure whether over-claims went up or down — and only ship it if they didn't.
So you can trust the calls that matter<br>When the AI recommends isolating a host, you can see which claims are evidence-backed and which were stripped — before you, or your policy, act on it.
Exhibit · Investigation
Not a chatbot over your alerts
Every detection is worked by a team — then graded.
Four specialists investigate each detection in parallel, plus a devil's-advocate whose only job is to argue the benign case so nothing goes unchallenged. Their findings feed the decision advisor — and then the grounding gate grades every claim they made against the evidence.
INVESTIGATION — 4 SPECIALISTS + SKEPTIC · PARALLELSEV ≥ 2
Threat HunterBehavior → TTPs · kill-chain stage
Intel AnalystAttribution + IOC reputation — only where MISP / OTX / VirusTotal confirms
ForensicsBlast-radius + evidence-preservation priority
Skeptic ⚖Devil's advocate — argues the strongest benign / alternative case
AdvisorWeighs all five + per-tenant calibration into one recommendation, with a written rationale
Then every finding is graded by the upstream gate — the Skeptic's rebuttals recognized as rebuttals, not penalized.
Exhibit · Calibration
The moat
Threat intel says what attackers do in general. Calibration learns what's normal for you.
The gate's flags and your analysts' approve / dismiss decisions feed a per-tenant false-positive profile and entity reputation. The AI gets more precise on your environment — your noisy entities, your assets, your patterns. It's a mechanism that compounds with use, not a number we ask you to take on faith.
PER-TENANT CALIBRATION — THIS ENVIRONMENTMEASURED
reviewed alerts38
dismissed as false-positive11
entity 10.20.1.77 reputationdown-weighted ↓
FP profile measured on reviewed alerts · this environment only — not a benign-traffic rate.
Sequence · Pipeline
The loop, end to end
Ingest to contained — a full investigate → decide → ground → respond loop.
01<br>Investigate<br>Four specialist agents work the detection in parallel — plus a devil's-advocate that argues the benign case so nothing goes unchallenged.<br>Threat Hunter · Intel Analyst · Forensics · Skeptic
02<br>Decide<br>A decision advisor weighs the evidence, the per-tenant calibration, and the kill-chain context into a single recommendation with a written rationale.
03<br>Ground<br>Every claim — agents' and advisor's — is graded against the evidence. Unsupported claims are flagged and stripped before the decision is shown.
04<br>Respond<br>On your approval, or autonomously by your policy, containment executes through the tools you already own.
EndpointIdentityNetworkEmailCloudTicketingIntel
Exhibit · Controls
Trust & control
Built to be audited — and to keep a human in the loop until you say otherwise.
Tamper-evident<br>WORM evidence<br>Every decision and its evidence chain is hash-chained and sealed to S3 Object-Lock (compliance mode) on resolve — write-once, independently verifiable.
Per-action<br>Autonomy you dial<br>Three tiers — recommend-only, autonomous-above-threshold, full-autonomous — and you set the level independently for each response action.
No black box<br>Explained decisions<br>Every detection gets a written threat assessment; every action a plain-English reason, with the graded claims behind it.
Multi-tenant isolation · ADR-001Role-based accessMFA · SSO-ready~150k+ events/sec/core · load-tested (detection stage)
Exhibit · Integrations
Plugs into your stack
25 live connectors — they fire...