Case-first · Enrichment before agents · Approve ≠ execute

VIGIL EYE

Detections that prove they got quieter

Human-gated rule changes with measured false-positive drop. Enrichment and risk attach before agents reason. Containment stays two-tier HITL — Approve is not Execute.

CLOSED-LOOP
Detection eng
FP → Apply → Measure
Human-gated rule changes that prove quieter
ENRICHED
Before Agents
TI · KEV · EPSS · Risk
Decision-ready context on ingest
2-TIER
HITL Governance
Approve ≠ Execute
Policy veto before containment
CASE-FIRST
Lifecycle
Alert → Case → Plan
Evidence packs auditors can defend
Trusted by industry leaders

Organizations we protect

Enterprise teams across hiring, manufacturing, cloud, and fintech rely on Vigil Eye for proactive security operations.

Partnership channel

Sales & Marketing Partner

Our strategic partner extends Vigil Eye reach through enterprise sales, channel development, and market activation.

STCaviAuthorized strategic partner

Platform differentiators

What sets the console apart

Beyond the governed agent pipeline — natural-language SIEM, closed-loop detection, proactive hunt, and a knowledge base that compounds with every shift.

Natural-language SIEM

Ask AI

Analysts query the SIEM in plain English. Curated tools gather real evidence; containment is proposed only — humans Approve & run under policy.

Governed chat · HITL proposals · per-provider model settings

Closed-loop detection

Detection engineering

Recurring false positives become concrete rule changes. Operators review the proposal; validated apply includes rollback if the ruleset fails.

Human-gated apply · FP-reduction math · effectiveness ledger

Proactive coverage

Threat hunt engine

Scheduled hunts target MITRE coverage gaps and surface operator-ready reports in Threat Lens — threats that never tripped a rule.

6-hour cadence · MITRE-gap focus · Threat Lens reports

Institutional memory

Knowledge base

Prior analyst verdicts and approved tuning notes inject into new cases automatically — so shift changes do not erase SOC expertise.

Full-text search · auto-inject on ingest · admin browser

Differentiator · Closed-loop detection

False positive → quieter ruleset

The fame wedge: detections that prove they got quieter — with humans on the apply gate and an effectiveness ledger after the change ships.

01

Surface the noise

Rolling false-positive rates flag noisy rules before analysts drown in repeats.

FP pattern detection

02

Propose the change

Detection engineering drafts a concrete rule change with expected FP-reduction math.

Human-reviewed proposal

03

Apply with gates

Operators Approve; validated apply writes the ruleset and rolls back if validation fails.

Approve ≠ auto-deploy

04

Measure the drop

Post-apply effectiveness tracking records whether false-positive rates actually fell.

Effectiveness ledger

Containment stays separate: agents propose, Tier-1 approves, Tier-2 executes — under the same policy allowlist. Ask AI proposals follow that path too.

Shipped capabilities

Decision-ready before agents reason

Threat intel (including KEV and EPSS), behavioral baselines, context, and a composite risk score attach on ingest — then a governed agent pipeline, Ask AI, and closed-loop detection engineering advance cases under human approval gates.

Multi-provider threat intel

Reputation feeds plus CISA KEV and FIRST EPSS enrich entities on ingest — before any agent reasons.

Behavioral baselines

Rolling 30-day alert-frequency baselines flag unusual agents, IPs, and users with z-score signals.

Composite risk score

A 0–100 score with explainable boosters — TI, anomaly, off-hours, asset tier, KEV, and EPSS.

Alert context dimensions

Asset tier, privileged identity, historical sightings, and time-of-day context attach to every case.

Two-tier human governance

Approve plan is not execute. Policy guardrails veto dangerous actions before containment runs.

Chat-proposed containment

Ask AI can propose block, isolate, and related actions; Approve & run re-checks policy before execution.

Rule tuning & effectiveness

Noisy rules surface as advisory proposals; post-apply measurement tracks whether false-positive rates actually drop.

Evidence packs

Every case carries entities, timeline, enrichment, plans, approvals, and actions — audit-ready.

Operator console

Dashboard, Executive, Triage, Investigations, Threat Lens, Attack Map, Detection Eng, Compliance, Reports, and Settings — plus Ask AI on every page.

Enterprise sign-in

SSO-ready operator access with multi-factor authentication for production SOC deployments.

Attack Map

Live geographic threat visualization for SOC and executive situational awareness.

Self-hosted resilience

Runs in your environment. Dead-letter queues and fail-open enrichment keep the pipeline moving.

VIGIL CASE STREAM

VIGILANT AGENTIC OPS // PROTOCOL: THREAT-EYE
CASES OPEN
24
TRIAGE
Seconds
HITL GATES
2-Tier
Incoming Signal
Threat Detected
PowerShell Execution
THREAT ID
TH-INIT
SEVERITY
Critical
SOURCE
Scanning...
TARGET
SENSITIVE-DB-04
MITRE
T1059.001
RISK SCORE
CALC
AUTO-ANALYSIS IN PROGRESS

VIGIL

EYE
First-pass verdict (Tier 1)
VIGIL TRIAGE
Related activity (Tier 2)
VIGIL CORRELATE
Evidence packs (Tier 2)
VIGIL INVESTIGATE
Response plans (Tier 3)
VIGIL STRATEGY
Policy advisory (Tier 3)
VIGIL GOVERNANCE
Approved execution (Tier 4)
VIGIL RESPONSE
Digests & KPIs
VIGIL REPORTING
PROTOCOL: SILENT WATCH SYSTEM: VIGILANT ANALYSIS: BEHAVIOR CORRELATION TARGET: ZERO TRUST STATUS: OPERATIONAL AI AGENTS: ACTIVE PROTOCOL: SILENT WATCH SYSTEM: VIGILANT ANALYSIS: BEHAVIOR CORRELATION TARGET: ZERO TRUST STATUS: OPERATIONAL AI AGENTS: ACTIVE
Case Stream

Operator console

What your team actually uses

One console for triage, investigations with HITL, threat posture, Attack Map, Detection Eng, reporting — and Ask AI available on every page as a governed assistant.

DashboardSOC posture at a glance
ExecutiveLeadership KPIs and risk
TriageQueue and first-pass verdicts
InvestigationsCases, plans, HITL gates
Threat LensIntel, hunts, and posture
Attack MapLive geographic threats
Detection EngRule proposals & apply
ComplianceFramework posture
ReportsDigests and exports
SettingsConnectors, policy, KB
Ask AINL SIEM on every page
Detection LabGoverned response rehearsal
System Performance Analysis

HUMAN vs VIGIL

Bridging the definitive gap between traditional operations and agentic intelligence.

Vigil Eye // Next-Gen
Traditional SOC
RESPONSE VELOCITYCOVERAGE SCALEDETECTION PRECISIONGOVERNANCE CONTROLRESOURCE EFFICIENCYCASE CONTINUITY100%95%90%100%85%95%
Traditional SOC
VIGIL CORE
Triage Speed
Seconds
vs Hours/Days
AGENTIC
LIVE_DIAGNOSTICS
RT_SYNC_0x::SYNC_00

"VIGIL TRIAGE turns SIEM/XDR alerts into operator-ready cases in seconds — not hours of manual log diving."

SYSTEM_STABLE // THREAT_LEVEL: 0
Reliability
Zero Loss
DLQ Backed
REPLAYABLE
LIVE_DIAGNOSTICS
REL_DLQ_0x::SYNC_00

"Dead Letter Queues capture failed events for later replay so alerts are not silently dropped."

SYSTEM_STABLE // THREAT_LEVEL: 0
Governance
2-Tier
Approve ≠ Execute
HITL
LIVE_DIAGNOSTICS
CNS_DET_0x::SYNC_00

"Policy guardrails and human approval gates keep containment under operator control."

SYSTEM_STABLE // THREAT_LEVEL: 0
Architecture
Siloed Tools
Unified Case

Fragmented Point Solutions vs Case Evidence

CASE_EVIDENCE
0x0xA_PACK READY
TACTICAL_MANIFEST
ARC_0xA–OK

"Traditional SOCs juggle disconnected tools. Vigil Eye unifies alerts, entities, enrichment, and plans into one navigable case evidence pack for instant correlation."

Safety
Human Error
Guardrails

Risk of Fatigue vs Deterministic Policy

VETO_POLICY
0x0xB_UNIT_GUARD READY
TACTICAL_MANIFEST
SAF_0xB–OK

"Humans make mistakes when tired. Vigil Eye uses code-based policy guardrails to veto dangerous actions before they execute — and separates plan approval from execution."

Triage Speed
Hours / Days
Seconds

Manual Investigation vs Agentic SOC

INTEL_GATE
0x0xC_CLUSTER READY
TACTICAL_MANIFEST
TRG_0xC–OK

"VIGIL TRIAGE analyzes, enriches, and scores alerts in seconds, replacing hours of manual log diving — then hands off to the rest of the agent pipeline."

Reliability
Alert Drop-off
Zero Loss

Alert Fatigue vs Dead Letter Queues

PERSISTENCE
0x0xD_DLQ_STREAM READY
TACTICAL_MANIFEST
REL_0xD–OK

"In high volume, humans ignore alerts. Vigil Eye's DLQ architecture captures failed events for later replay so nothing silently disappears."

Noise Reduction
Queue Flood
Correlated

Noise Pollution vs Context Before Escalation

SIGNAL_PURE
0x0xE_CONTEXT READY
TACTICAL_MANIFEST
FP_0xE–OK

"Correlation, threat intel, and behavioral baselines land before escalation — so analysts spend time on high-value cases instead of raw alert floods."

Availability
8/5 Shifts
24/7/365

Shift Handovers vs Eternal Vigilance

UPTIME_CTRL
0x0xF_RUNTIME READY
TACTICAL_MANIFEST
AV_0xF–OK

"Attackers don't sleep. Neither does Vigil Eye. Continuous agentic coverage without shift handovers or holiday gaps — with humans still governing high-impact actions."

Memory
Fragmented
Case Memory

Human Context vs Structured Case Memory

CASE_MEMORY
0x0xG_EVIDENCE READY
TACTICAL_MANIFEST
MEM_0xG–OK

"Teams lose context over time. Vigil Eye keeps structured case evidence and entity history so similar incidents stay correlated across shifts."

Evolution
Yearly Training
Feedback Loop

Static Skills vs Analyst Feedback Loop

FEEDBACK
0x0xH_LEARNINGS READY
TACTICAL_MANIFEST
EVO_0xH–OK

"Traditional SOCs train annually. Vigil Eye captures analyst overrides and case outcomes into a structured feedback loop that improves future triage context."

Concurrency
Single Thread
7 VIGIL Agents

Serial Work vs Coordinated Pipeline

AGENT_ORCH
0x0xI_THREADS READY
TACTICAL_MANIFEST
CON_0xI–OK

"Humans work one task at a time. Vigil Eye orchestrates seven VIGIL specialists — triage, correlate, investigate, strategy, governance, response, and reporting — plus Ask AI, detection engineering, and threat hunt for the full SOC loop."

FAQ

Questions buyers ask first

Governance, residency, telemetry fit, and what a POC looks like — without a sales call.

No. Agents recommend and plan. High-impact containment requires two-tier human governance: Tier-1 approves the plan, Tier-2 executes. Ask AI proposals follow the same policy path — Approve & run, never auto-execute from chat.