The platform

One console. Three Watcher orders. A seal on every consequential move.

You ask the Familiar in plain English. Three orders of Watchers detect, respond, and record like a senior team, and every destructive action waits for a human seal. Autonomous where you trust it, sealed where it matters.

Meet the Familiar
One plain-English console. Ask it to query the lake, narrate an inquiry, or propose a response, and it commands every plane below. The analyst asks instead of clicking.
Proposes, never disposes
Attack · 01 / DETECT

Watchers read the omens

The Attack order correlates the signals and names what is happening, then opens and builds the inquiry. No flowchart to pre-build.

Defend · 02 / RESPOND

Watchers cast Spells

The Defend order casts response Spells to contain, evict, and restore, under gated authority. Every conclusion carries its evidence on one trail.

Scholar · 03 / RECORD

Watchers keep the Scrolls

The Scholar order documents the inquiry, collects the seals, and keeps your ticketing in sync. Autonomous where you trust it, sealed where you do not.

investigation / SOC-4471
Reasoning
→ identity: pulled sign-in risk for j.rivera
→ endpoint: queried EDR for host LON-4471
→ email: extracted 2 URLs, 1 attachment
→ enrichment: 6 indicators resolved
→ correlating across 4 tools…
01 / Attack order · Detect

Watchers that reason, not flowcharts that break

Legacy SOAR makes you draw the investigation by hand and rebuild it every time a tool changes. The Attack order does the legwork instead: its Watchers read the omens, correlate the signals mapped to MITRE ATT&CK, and follow the thread the way a senior analyst would, opening and building the inquiry as they go.

  • Context across endpoints, identity, email, cloud, and tickets, in one inquiry.
  • Omens enriched automatically, with the evidence kept attached.
  • No prebuilt flowchart to maintain when your tools change.
02 / Scholar order · Record

Decisions you can replay and defend

Investigation is creative. The record should not be. The Scholar order documents the inquiry as it unfolds: explicit, repeatable decision logic renders the call, with the evidence and a confidence value attached, all on one Scroll. The seals it collects and your ticketing stay in sync.

  • The same inputs reach the same call, every time.
  • Every conclusion carries its evidence, never a bare verdict.
  • One trail end to end, ready to review, replay, or defend.
verdict: contested
evidence items: 14 attached
confidence: 0.62
decision logic: deterministic
replayable: yes
Autonomy dial
Enrich and tag: Auto
Quarantine email: Auto
Disable account: Seal
Isolate host: Seal
app.soarcery.ai/approvals
The Soarcery Seals queue: high-blast-radius Spells proposed by the Defend order, each waiting on an explicit human seal

Actual product. Demo data.

03 / Defend order · Respond

Spells, dialed to the trust you have

Response is where most teams hold back, and rightly so. The Defend order casts response Spells mapped to MITRE D3FEND, and you set the autonomy per use case: full speed where the risk is low and the call is clean, a Seal where the blast radius is real. Spells are reversible, so a confident automated cast never becomes a one-way door.

  • Block, isolate, reset, or escalate across the tools you already run.
  • A per-use-case autonomy dial, with a Seal on every destructive cast.
  • Reversible Spells, never a one-way door.
The org chart

Three Watcher orders, one inquiry.

Not a vague society of agents. A concrete division of labor: Attack detects, Defend responds, Scholar records. The Familiar commands all three.

Detect
Attack Watchers

Read the omens, correlate the signals, and name what is happening. They open and build the inquiry.

Owns: Omens
MITRE: ATT&CK
Respond
Defend Watchers

Cast response spells to contain, evict, and restore, under gated authority. Destructive casts pause at a seal.

Owns: Spells
MITRE: D3FEND
Record
Scholar Watchers

Document the inquiry, collect the seals, and keep your ticketing in sync: Jira, ServiceNow, Resilient.

Owns: Scrolls
Record & sync
Attack detects · Defend responds · Scholar records every step
End to end

Omens in. Sealed response out.

The Familiar
Ask anything in plain English: query the lake, narrate an inquiry, propose a response. It oversees every plane below.
Proposes, never disposes
Plane 01 · Keys: Your tools emit curated detections
→ omens
Plane 02 · The Lake: Omens land, normalized and entity-indexed
→ by entity
Plane 03 · Stitcher: Correlates omens that share an entity
→ builds
The case · Inquiry: One stitched, entity-linked timeline
→ worked by three orders of watchers
Seals: propose and dispose
A watcher proposes; a human disposes. Every destructive or high-blast-radius cast stops here with its rationale and a reversible plan.
Human approves
→ on approve
Response cast: Contained, reversible, logged to the inquiry
Attack · Omens · ATT&CK
Defend · Spells · D3FEND
Scholar · Scrolls · Record and sync
Figure 1: the Soarcery loop. Omens in, sealed response out. The Familiar commands, the watchers act, the seal protects.
What makes it different

One verdict hides the truth. A spread shows it.

Most tools collapse a threat into a single score and move on. Soarcery surfaces a native, in-workflow multi-engine verdict spread inside the investigation, not a separate lookup. You see where engines agree, where they disagree, and how confident the call really is, right where the agent is working.

Disagreement is signal. Instead of averaging the engines into one number and losing the nuance, Soarcery keeps the spread intact and turns it into a control: a confidence spread value drives the escalation threshold, and the threshold is yours to set per use case.

file: invoice_q2.xlsm · Contested
sandbox: malicious
static_av: malicious
ml_model: suspicious
reputation: clean
confidence spread: 0.62 · escalate
Agreement

Engines agree, high confidence

A tight spread means the engines line up. Low spread, safe to auto-act within the threshold you set.

Contested

Engines split, contested

A wide spread means the engines disagree. The call is contested, so Soarcery escalates instead of guessing.

Drift

Spread tracked over time

Spread is recorded across investigations, so shifting agreement on the same indicator surfaces as drift you can act on early.

Connect your whole stack

Works with the tools you already run.

If it has an API, Soarcery works with it. Bring the stack you have, no rip-and-replace.

EDR · SIEM · Email · Identity · Cloud · Ticketing · Network
Catalog illustrative · anything with an API connects
Stop maintaining playbooks

Start asking the Familiar.

A 30-minute walkthrough on your real triage flow. See the three Watcher orders detect, respond, and record, with a Seal on every consequential move, on your own alerts.