Autonomous AI SOC

Six local AI models.
Seven autonomous jobs.
Zero cloud dependency.

XDRagon Monitor runs a fully autonomous SOC layer on your own hardware. Local LLM models classify threats, correlate events, detect beaconing, and write your morning briefing — around the clock, without sending a single byte of your telemetry to any external service.

6
Local SOC Models
7
Autonomous Jobs
2 min
Classification Cycle
07:00
Daily AI Briefing
Two Layers. One Brain.

Two-layer AI architecture

XDRagon Monitor separates on-demand analysis from continuous autonomous operations. The on-demand layer responds to analyst queries in real time. The autonomous layer runs scheduled jobs independently — even when no one is watching the dashboard.

Layer 1 — On-Demand
Analyst-triggered AI capabilities
Six specialised capabilities available when an analyst interacts with an alert, an incident, or the RAG search interface. Each uses the most appropriate model for the task.
Alert explanation and context enrichment
Full incident analysis on demand
C2 beaconing drill-down for a given IP
pgvector semantic search across history
NIS2 / compliance gap explanation
Remediation plan generation
Layer 2 — Autonomous
Background jobs running without analyst input
Seven scheduled jobs run automatically at defined intervals. They classify new events, correlate across sources, detect beaconing patterns, cluster alerts into incidents, generate the daily briefing, and keep the built-in PKI healthy.
Alert classification — every 2 minutes
Orphan alert clustering — every 5 minutes
Cross-source correlation — every 10 minutes
C2 beaconing scan — every 15 minutes
Incident auto-clustering — every 30 minutes
Morning briefing generation — daily at 07:00
Certificate rotation check — daily at 03:00
AI PROCESSING PIPELINE

From raw event to recommended action

AI pipeline from raw event to recommended action
Local LLM Models

Six specialised models.
All running on your hardware.

Every model is a purpose-built Ollama Modelfile — the qwen2.5:7b-instruct base tuned with a task-specific system prompt, temperature, and context window. A separate embeddings model, nomic-embed-text, powers pgvector semantic search and RAG. All inference runs locally.

Classifier
soc-alert-classifier
Alert Classifier
Structured JSON classification of every new alert — severity, attack type, and confidence. Low temperature keeps output deterministic for the high-frequency autonomous pipeline.
qwen2.5:7btemp 0.1ctx 20482 min cycle
Correlator
soc-correlation-engine
Correlation Engine
Builds incidents from alert patterns across network, DNS, and endpoint sources. The largest context window of the six, so it can reason over whole attack chains at once.
qwen2.5:7btemp 0.2ctx 819210 min cycle
Summary
soc-customer-summary
Customer Summary Writer
Translates technical findings into a non-technical summary a business owner can act on — what happened, how serious it is, and what to do — without jargon or acronyms.
qwen2.5:7btemp 0.5ctx 2048On-demand
NL Filter
soc-nl-filter
Natural-Language Filter
Turns plain-English questions into validated, structured JSON filters. Powers natural-language search across the platform — the model never emits raw SQL.
qwen2.5:7btemp 0.1ctx 1024On-demand
Briefing
soc-daily-briefing
Daily Briefing Writer
Synthesises the past 24 hours of classified and correlated activity into a structured morning briefing — top threats, anomaly trends, and recommended priority actions.
qwen2.5:7btemp 0.4ctx 4096Daily 07:00
24/7. No Staff Required.

Works while you sleep.

Seven scheduled jobs run continuously in the background — no analyst input required. Your security posture is assessed, correlated, and reported around the clock.

01
Alert Classification every 2 min
Pulls all unclassified alerts from the database, sends each to the classifier model, and writes severity score, attack type, and confidence back. Keeps the threat queue current even during high-volume attack periods.
02
Orphan Alert Clustering every 5 min
Sweeps for alerts that arrived without an incident context and clusters them against related activity, so nothing sits unreviewed outside an incident thread.
03
Cross-Source Correlation every 10 min
Examines recently classified events across network, DNS, and endpoint sources. Groups related events into incident threads and updates the correlation graph automatically.
04
C2 Beaconing Detection every 15 min
Runs statistical interval-regularity analysis over outbound connection timing per source/destination pair. Periodic, machine-like communication patterns are flagged as likely command-and-control beaconing.
05
Incident Auto-Clustering every 30 min
Groups correlated alerts into unified incidents using multi-dimensional similarity — source overlap, MITRE tactic, target overlap, and timing — and merges duplicates into already-open incidents instead of creating new ones.
06
Daily Morning Briefing 07:00 daily
Summarises the past 24 hours of threat activity into a structured written briefing — top incidents, anomaly trends, new external services, and recommended priority actions for the day.
07
Certificate Rotation Check 03:00 daily
Checks every certificate in the built-in PKI and automatically rotates any nearing expiry — mTLS sensor connections keep working without manual certificate management.
Background Job Monitor — illustrative view
Alert Classifier
running
Orphan Alert Clustering
2 min ago
Cross-Source Correlator
in 4 min
C2 Beaconing Scan
in 9 min
Incident Auto-Cluster
in 21 min
Cert Rotation Check
tonight 03:00
Morning Briefing
tomorrow 07:00
AI Morning Briefing
MORNING BRIEFING

Daily AI morning briefing — your SOC in 60 seconds

Daily AI morning briefing interface
Seven Rules. Zero Noise.

7 AI-enriched alert rules

Beyond raw Suricata alerts, the smart alerting layer applies context-aware rules to detect patterns that require cross-source reasoning. Each rule fires with an AI-written summary explaining why it triggered.

Geo-blocked IP Alert
Fires when traffic originates from a country on your geo-block list or a designated high-risk region. Enriched with reverse-DNS, ASN, and threat feed context.
New External Service
Detects when an internal host initiates a connection to an external service that is new to your environment. Useful for catching shadow IT and early-stage C2 communication.
Anomalous Upload Volume
Triggers when outbound data volume from a single host deviates sharply from its own rolling behavioral baseline. Flags potential exfiltration before it completes.
Honeypot Interaction
Near-zero false positives — no legitimate user has any reason to touch a decoy, so every interaction is treated as a high-severity event, enriched with attacker profiling and the full session transcript.
DGA Domain Detected
Fires when the DGA detector scores a queried domain above the threshold. Alert includes the domain, entropy score, and which internal hosts queried it.
Sigma Rule Match
Endpoint agent matched a Sigma detection rule. Alert includes the matched rule name, process lineage, and correlated network events from the same host.
One Place To Decide

The AI SOC Hub

Every AI capability reports into a single operations hub. It shows what the AI already handled and what is waiting for your decision — with one-click Confirm, Dismiss, or Escalate on each item, and a transparency log recording every autonomous action the system took on your behalf.

Handled by AI
What the system already did
Routine work the autonomous layer completed on its own — visible at a glance, fully logged, and reviewable at any time.
Alerts classified and prioritised automatically
Related alerts clustered into incidents
Duplicate noise grouped before it reaches you
Every action written to the transparency log
Waiting For You
Decisions that stay human
Anything requiring judgement queues for a person. Each item is a one-click decision with the AI's reasoning attached.
Confirm — accept the AI's assessment
Dismiss — mark as noise and record why
Escalate — promote to an incident for investigation
Top-risk focus cards keep the queue short
Beyond Classification

AI that investigates, hunts, and explains

The autonomous layer does more than sort alerts. These capabilities run investigations, test your own defenses, and explain their reasoning — all on local models, all under your control, with nothing leaving your network.

Investigation Agent
Click Investigate on any AI incident and the agent runs a multi-step autonomous investigation — gathering context, checking IP reputation, classifying against MITRE ATT&CK, and writing a structured analyst note — with each step streamed live as it completes.
LLM Threat Hunting
Describe a hypothesis in plain language and the hunting engine turns it into a guarded, validated query with an interpreted result. Ready-made hunt templates cover lateral movement, beaconing, exfiltration, and more — and any hunt can be saved as a scheduled daily or weekly job.
Natural-Language Search
One search bar across three sources: events, behavior (UEBA), and the network graph. Ask "show lateral movement through 10.0.0.5 last night" — the model emits only a structured, validated query, never raw SQL. Graph results include pivot IP, hop count, and centrality.
AutoPilot Mode
Five named operating profiles — Calm Watch, Active Watch, Elevated Watch, Discovery Mode, and Expert Mode — set the platform's automation level in one click, with an impact preview before switching. Nothing changes without your review unless you explicitly choose a profile that allows it.
Explainable AI
Every ML detection comes with a plain-language SHAP explanation of the features that drove it. Mark a detection as a false positive with a reason, and the feedback loop learns from it — proposing tuning adjustments that are applied only after your review.
AI Red Team Mode
Run MITRE-mapped attack simulations — slow scans, beacon jitter, DNS tunneling — against your own deployment. A detection gap report shows which scenarios your current configuration caught and where the blind spots are, so you can close them before a real attacker finds them.
Private by Design.

Everything stays on
your infrastructure.

Unlike cloud-based AI SOC services, XDRagon Monitor processes every piece of your telemetry locally via Ollama. All AI inference and analysis runs locally — your telemetry never leaves your network. The only optional exception: threat-feed enrichment sends the single IP or domain being checked (never alert context or topology), and it can be disabled entirely for air-gapped operation.

Local Inference Only
All LLM inference runs on your hardware via Ollama. No API calls to OpenAI, Anthropic, or any other external AI provider — even when the platform is air-gapped.
No Telemetry Exfiltration
Threat feed lookups are one-way IP enrichment requests — only the queried IP/domain leaves your network, never the full alert context or network topology.
Air-Gap Compatible
All AI capabilities function with zero internet connectivity. Threat feed enrichment can be disabled. The platform operates in fully isolated network environments.
Model Customisation
Each Ollama Modelfile is editable. Security teams can tune system prompts, swap base models, or deploy organization-specific fine-tuned models.
Deterministic Scheduling
Background job intervals are configurable. Every job execution is logged with start time, duration, alerts processed, and outcome — full auditability for compliance.
GPU-Accelerated
Supports NVIDIA CUDA and Apple Metal (MPS). GPU acceleration shortens classification cycles substantially, enabling higher-frequency analysis on busy networks.
ARCHITECTURE CHOICE

Local AI vs cloud AI — why it matters for your data

Comparison of local AI and cloud AI architectures

Start your AI-powered SOC today.

Deploy XDRagon Monitor and have six local AI models running on your hardware within the hour.