The modern SOC, defined.
Plain-English definitions for the terms we use across the platform and this site. No jargon for jargon's sake.
Agentic SOC
A security operations model where reasoning agents do the default investigation and response work, with humans supervising the contested and high-impact calls.
SOAR
Security Orchestration, Automation, and Response. Traditionally playbook-driven; Soarcery replaces the brittle playbooks with agents.
Verdict spread
The full set of per-engine verdicts and confidences for an indicator, kept intact instead of averaged into one score.
Confidence spread
A single value expressing how much the engines disagree about an indicator. It is compared against the escalation threshold you set: when the spread exceeds the threshold, the indicator goes to a human instead of being closed automatically.
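The two definitions above describe a record and a number derived from it. The following is an added example, not Soarcery's own code: it keeps the per-engine verdicts intact as the verdict spread, derives one disagreement value from them as the confidence spread, and compares that value with an operator-set threshold to decide escalation. The page does not say how Soarcery computes the spread; the score mapping and the use of a standard deviation are assumptions chosen for illustration, and the engine names and verdicts are constructed sample data.

```python
"""Added example (not Soarcery code). The formula for the spread is an
assumption for illustration; the page does not define the real one."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class EngineVerdict:
    engine: str
    verdict: str       # "malicious", "suspicious", "benign" or "unknown"
    confidence: float  # 0.0 .. 1.0, the engine's confidence in its own verdict


# Assumed numeric anchor per verdict so engines can be compared. Signed so that a
# confident "benign" and a confident "malicious" sit at opposite ends of [-1, 1].
VERDICT_SCORE = {"malicious": 1.0, "suspicious": 0.5, "benign": -1.0}


def verdict_spread(verdicts):
    """The full set of per-engine verdicts, unchanged. This is what gets stored and
    shown; nothing is collapsed into one number here."""
    return tuple(verdicts)


def _scores(verdicts):
    # "unknown" stays in the verdict spread but carries no opinion, so it does not
    # contribute to the disagreement value.
    return [VERDICT_SCORE[v.verdict] * v.confidence
            for v in verdicts if v.verdict in VERDICT_SCORE]


def confidence_spread(verdicts):
    """One value in [0, 1]: population standard deviation of the confidence-weighted
    verdict scores (assumed definition). Two engines at full confidence on opposite
    verdicts give 1.0; engines that agree give a value near 0.0."""
    scored = _scores(verdicts)
    if len(scored) < 2:
        # Fewer than two opinions cannot demonstrate agreement; treat as maximum
        # disagreement so a single engine never auto-closes an indicator.
        return 1.0
    return min(1.0, pstdev(scored))


def averaged_score(verdicts):
    """What a single averaged score looks like. Shown to make the point the glossary
    makes: averaging hides a split between confident engines."""
    scored = _scores(verdicts)
    return mean(scored) if scored else 0.0


def should_escalate(verdicts, threshold):
    """Escalate to a human when disagreement exceeds the operator's threshold.
    Returns (escalate, spread) so the number that drove the decision is auditable."""
    spread = confidence_spread(verdicts)
    return spread > threshold, spread


# Constructed sample data: two indicators, one contested and one agreed upon.
DISAGREE = verdict_spread([
    EngineVerdict("engine-a", "malicious", 1.0),
    EngineVerdict("engine-b", "benign", 1.0),
    EngineVerdict("engine-c", "unknown", 0.0),
])
AGREE = verdict_spread([
    EngineVerdict("engine-a", "malicious", 0.9),
    EngineVerdict("engine-b", "malicious", 0.7),
])

if __name__ == "__main__":
    for label, spread in (("contested", DISAGREE), ("agreed", AGREE)):
        escalate, value = should_escalate(spread, threshold=0.4)
        print(f"{label}: averaged={averaged_score(spread):+.2f} "
              f"confidence_spread={value:.2f} escalate={escalate}")
```

Note what the averaged score does to the contested indicator: one engine confident it is malicious and one confident it is benign average out to 0.0, indistinguishable from "nobody has an opinion", while the confidence spread of 1.0 makes the split visible and trips the threshold.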
Autonomy dial
A per-use-case control for what runs automatically versus what requires human approval.
Human-on-the-loop
A model where automation acts within bounds and a human supervises and approves the consequential moves.
Enrichment
Adding context to an indicator, such as reputation, ownership, or related activity, to inform the verdict.
Indicator
An observable such as a file hash, URL, domain, IP, or account involved in an alert.
MTTR
Mean time to respond. A lagging measure of how fast a SOC contains threats.
Trigger
What starts a workflow run: manual, schedule, webhook, email, or form.
Run
A single execution of a workflow, with its own evidence and audit trail.
Reversible action
A response designed to be undone, so an automated step is never a one-way door.
Agentic SOAR
Orchestration, automation, and response where reasoning agents, not pre-built playbooks, investigate and drive the response, within human-set autonomy limits and with a full audit trail. The category Soarcery builds.
Agentic SOC analyst
An AI agent that works tier-1 alerts the way a human analyst would, then closes or escalates with evidence attached. In agentic SOAR it also executes the gated response.
Agent washing
Marketing a rules engine or a summarizer as an autonomous agent. The test is simple: ask what it did last week, who approved it, and where the trail is.
Approval gate
The queue where consequential actions wait for an explicit, recorded human decision, with the evidence and blast radius attached.
Reasoning trace
The readable record of how an agent reached a conclusion, the steps considered, the evidence weighed, and the dissent noted. One click on every Soarcery verdict.
Human-in-the-loop
A model where a human approves each action before it runs. Compare human-on-the-loop, where automation acts within bounds and humans supervise the consequential moves.
Receipt
Our word for the complete, replayable record of a case, every step, tool call, cost, confidence, and approver. If a vendor cannot show one, they are selling trust without evidence.
Familiar
The plain-English console at the heart of Soarcery. The analyst asks instead of clicking, and reasoning agents query the lake, narrate an inquiry, and propose a response. It commands every plane, and it proposes but never disposes, so destructive intent always routes to a Seal.
Watcher
An autonomous agent with an analytic specialty that owns a slice of the work. Watchers come in three orders, Attack, Defend, and Scholar, each with its own color, spine, and job.
Attack Watcher
The order that reads the omens, correlates the signals, and names what is happening. Attack Watchers own Omens, are organized by MITRE ATT&CK, and carry the orange spine.
Defend Watcher
The order that casts response spells to contain, evict, and restore under gated authority. Defend Watchers own Spells, are organized by MITRE D3FEND, and carry the teal spine. Destructive casts pause at a Seal.
Scholar Watcher
The order that documents the inquiry, collects the seals, and keeps your ticketing system in sync. Scholar Watchers own Scrolls, work by record and sync, and carry the purple spine.
Seal
The propose and dispose approval gate. A watcher proposes; a human disposes. Every destructive or high-blast-radius action stops at a Seal with its rationale and a reversible plan, so the AI is never above the law.
Omen
A detection, notable, or correlated signal that flows in from your tools. Omens land in the Lake as normalized envelopes and are owned by the Attack Watchers, organized by MITRE ATT&CK.
Inquiry
A stitched, entity-correlated timeline: Soarcery's word for a case. Omens that share an entity are correlated into one Inquiry that the watchers work end to end.
Library
The shared catalog of reusable agent assets, made of Omens, Spells, and Scrolls. Each item carries its order's color so the relationship reads at a glance.
The Lake
The curated signal substrate. Storage plus an entity index where every Omen lands as a normalized, entity-indexed envelope, ready for correlation into an Inquiry.
Charter
A watcher's governance document. It sets the autonomy level on a ladder: observe, enrich, propose, act (with a Seal on destructive moves), and fully autonomous, along with the guardrails the watcher inherits.
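The Charter ladder, the Seal, and the reversible-action rule above together describe a routing policy for a proposed action. The following is an added example, not Soarcery's own code, of what enforcing that policy looks like: a Watcher proposes an action, the Charter's autonomy level decides whether it is merely recorded, stopped at a Seal, or run, and a destructive action without an undo plan is refused before it can become a one-way door. The level names follow the page; the `Action`, `Charter` and `Seal` fields, the blast-radius guardrail, and the sample host table are assumptions constructed for illustration.

```python
"""Added example (not Soarcery code). Data model and guardrail values are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional


class Autonomy(IntEnum):
    OBSERVE = 0
    ENRICH = 1
    PROPOSE = 2
    ACT_WITH_SEAL = 3  # acts, but destructive moves pause at a Seal
    FULL = 4           # fully autonomous within the guardrails it inherits


@dataclass(frozen=True)
class Action:
    name: str
    destructive: bool
    blast_radius: int              # assumed: number of entities the action touches
    rationale: str                 # travels with the Seal so the approver sees why
    execute: Callable[[], None]
    undo: Optional[Callable[[], None]] = None  # the reversible plan; None = one-way door


@dataclass
class Charter:
    watcher: str
    level: Autonomy
    max_auto_blast_radius: int = 1  # assumed inherited guardrail for unsealed runs


@dataclass
class Seal:
    action: Action
    charter: Charter
    decision: Optional[str] = None  # "approved" or "denied", set by a human
    approver: Optional[str] = None


def route(action: Action, charter: Charter):
    """Returns (outcome, seal). Outcomes: refused, observe, propose, seal, run.
    Destructive actions always stop at a Seal regardless of level (the page's
    invariant); the blast-radius guardrail is what the FULL level lifts (assumed)."""
    if action.destructive and action.undo is None:
        return "refused", None        # never automate a one-way door
    if charter.level < Autonomy.PROPOSE:
        return "observe", None        # observe/enrich watchers do not act
    if charter.level == Autonomy.PROPOSE:
        return "propose", None        # recorded for a human to pick up
    too_wide = action.blast_radius > charter.max_auto_blast_radius
    if action.destructive or (too_wide and charter.level < Autonomy.FULL):
        return "seal", Seal(action, charter)
    action.execute()
    return "run", None


def dispose(seal: Seal, approver: str, approved: bool) -> str:
    """The watcher proposed; a human disposes. Records who decided and what,
    and executes only on approval."""
    seal.decision = "approved" if approved else "denied"
    seal.approver = approver
    if approved:
        seal.action.execute()
    return seal.decision


def make_isolate_action(hosts: dict, hostname: str) -> Action:
    """Constructed sample: isolating a host is destructive, and its undo plan is
    to lift the isolation, so the action is reversible by design."""
    def isolate():
        hosts[hostname]["isolated"] = True

    def release():
        hosts[hostname]["isolated"] = False

    return Action(name=f"isolate {hostname}", destructive=True, blast_radius=1,
                  rationale="credential theft omen correlated to this host",
                  execute=isolate, undo=release)


if __name__ == "__main__":
    hosts = {"wks-17": {"isolated": False}}  # constructed sample inventory
    defend = Charter(watcher="defend-eviction", level=Autonomy.ACT_WITH_SEAL)
    outcome, seal = route(make_isolate_action(hosts, "wks-17"), defend)
    print(outcome, seal.action.rationale)          # seal ...
    print(dispose(seal, approver="analyst@example", approved=True), hosts)
    seal.action.undo()                             # the reversible plan, exercised
    print(hosts)
```

The two checks worth keeping in any real implementation are the first and the last lines of `route`: the refusal of a destructive action with no undo plan happens before any level is consulted, and an unsealed run only ever reaches `execute` for a non-destructive action inside the guardrail.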
Spell
An agent-run response playbook owned by the Defend Watchers and organized by MITRE D3FEND. A spell can contain, isolate, evict, or restore. Destructive spells stop at a Seal before they run.
Scroll
The external record of an Inquiry mirrored into a third-party ticketing system such as Jira, ServiceNow, or Resilient. Owned by the Scholar Watchers, who keep the Inquiry and the ticket from drifting.