Interactive tour · 3 minutes · no signup

Watch the SOC work a real case.

One phishing alert, end to end: the agent investigates and cites its evidence, you make the one call that needs a human, and the receipt shows everything. This is the product on demo data, not a video.

app.soarcery.ai/alerts
  • Medium · Unusual login from new ASN, svc-backup · identity provider · 22m
  • Critical · Lateral movement signal, web-01 to db-04 · EDR · 37m
  • High · Phishing: dropbox-share[.]cf received by 3 mailboxes · email security · just now
  • High · Suspicious outbound traffic to 203.0.113.45 · SIEM · 12m
  • Low · Failed login burst, service-monitor · SIEM · 2h
alert inbox · demo data
Step 1 of 6 · The inbox

A reported phish just landed. So did everything else.

Three users reported the same message. In most SOCs this alert now waits in a queue behind a thousand others, and an analyst gets to it in hours if the shift is kind.

Here, an agent picked it up in seconds. Not just this one: every alert in this inbox gets a full investigation, including the ones that turn out to be nothing.

Why it matters: triage by sampling is how real incidents hide. Investigation that costs seconds instead of analyst-hours means nothing waits and nothing gets skipped.
app.soarcery.ai/alerts/AL-7418
Incoming alert · Phishing: dropbox-share[.]cf received by 3 mailboxes
Open inquiries checked · No match on affected assets across 5 open inquiries.
  • INQ-201 lateral movement · INQ-198 svc-backup · INQ-191 login burst
Inquiry opened · INQ-204 · Suspected phish, 3 mailboxes affected · assigned to the triage charter
auto-correlation · demo data
Step 2 of 6 · The correlation

One incident, one story. Never three copies of the same work.

Before anyone investigates anything, the alert is checked against every open inquiry by the assets involved: users, hosts, senders. Three reports of the same phish become one case, not three tickets assigned to three people.

No open inquiry matches, so Soarcery opens one. Everything that happens next lives on this single thread.

Why it matters: duplicated investigation is the silent tax on every SOC. Correlation by asset, done before triage, is how the queue shrinks before a human ever looks at it.
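The correlation step described above, as an added Python example (not Soarcery's code): assets are keyed by type, matching is a deterministic set intersection run before any triage, and a later report of the same phish joins the existing inquiry instead of opening a second one. The inquiry and user names are constructed demo data modelled on the tour's inbox.

```python
"""Asset-based alert correlation (added example, not Soarcery's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    alert_id: str
    title: str
    assets: frozenset  # typed assets: "user:...", "host:...", "sender:..."


@dataclass
class Inquiry:
    inquiry_id: str
    title: str
    assets: set
    alerts: list = field(default_factory=list)


class Correlator:
    def __init__(self, open_inquiries, next_id=204):
        self.open = list(open_inquiries)
        self.next_id = next_id

    def correlate(self, alert):
        """Return (inquiry, created). Plain set intersection, no model call."""
        for inq in self.open:
            if inq.assets & alert.assets:
                inq.alerts.append(alert.alert_id)
                inq.assets |= alert.assets  # the case's asset footprint grows
                return inq, False
        inq = Inquiry(f"INQ-{self.next_id}", alert.title,
                      set(alert.assets), [alert.alert_id])
        self.next_id += 1
        self.open.append(inq)
        return inq, True


def open_inquiries():
    """Fresh copy of the three open cases the tour's inbox shows."""
    return [Inquiry("INQ-201", "lateral movement", {"host:web-01", "host:db-04"}),
            Inquiry("INQ-198", "svc-backup", {"user:svc-backup"}),
            Inquiry("INQ-191", "login burst", {"user:service-monitor"})]


# Constructed alerts: the reported phish, then a fourth mailbox reporting it.
PHISH = Alert("AL-7418", "Suspected phish", frozenset(
    {"user:alice", "user:bob", "user:carol", "sender:dropbox-share[.]cf"}))
PHISH_REPEAT = Alert("AL-7419", "Suspected phish",
                     frozenset({"user:dave", "sender:dropbox-share[.]cf"}))


def run_demo():
    c = Correlator(open_inquiries())
    first, created = c.correlate(PHISH)          # no overlap: INQ-204 opened
    second, created2 = c.correlate(PHISH_REPEAT)  # shared sender: joins INQ-204
    return first.inquiry_id, created, second.inquiry_id, created2, len(c.open)
```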
app.soarcery.ai/inquiries/INQ-204
triage agent · 09:14:09
Pulled the reported message from all three mailboxes. Extracting sender, links, and attachments for enrichment.
email_security.get_message(3) · 412ms · ok
triage agent · 09:14:31
The link domain is rated malicious by most of the engine pool:
  • threat intel · 38/72 engines: phishing
  • domain age · registered 4 days ago
  • blocklist · 4/4 IOCs matched
threat_intel.lookup(dropbox-share[.]cf) · 640ms · $0.0003
A young domain with a brand-shaped name, flagged by a broad majority of engines and matching every IOC on the blocklist, fits a credential-phish profile. The minority of engines reporting clean are reputation-based and lag new registrations, so their dissent is expected and does not weaken the call. Next: check whether any recipient actually clicked.
triage agent · 09:14:58
Checked auth and proxy logs for all three recipients: no one clicked the link. No credential entry, no new sessions from unfamiliar networks.
siem.search(recipients, 24h) · 1.2s · ok
inquiry thread · demo data
Step 3 of 6 · The investigation

The agent works the case and cites its sources.

This is the part legacy automation never did: the actual thinking. The agent pulls the message, enriches the indicators, reads the disagreement in the engine pool, and checks whether anyone clicked, the same steps a good analyst takes, in under a minute.

Every claim is pinned to a tool result you can open. Try the show reasoning toggle on the second message: nothing here asks for your trust, it shows you the work instead.

Why it matters: "the AI decided" is not a sentence you can take to an audit, a regulator, or your own gut at 2am. Reasoning you can read is the difference between automation you use and automation you babysit.
app.soarcery.ai/inquiries/INQ-204

Confirmed phish, three mailboxes affected

confidence: high
  • Sender domain registered 4 days ago, brand-impersonating name.
  • 38 of 72 intel engines rate the link malicious; dissenters are lagging reputation feeds.
  • All four extracted IOCs match a public blocklist.
  • No recipient clicked. No credential exposure observed.
Recommended: quarantine the message in all three mailboxes, block the sender domain, and file a P2 ticket to IT. Quarantine is reversible if the verdict changes.
agent finding · demo data
Step 4 of 6 · The finding

A conclusion you can read, not a score you have to trust.

The output of the investigation is a finding in plain language: what happened, the evidence for it, how confident the call is, and what to do about it. Stated confidence, listed evidence, named next steps.

Notice what it recommends and what it does not do: the consequential action waits. Quarantining mailboxes touches users, so it goes to the gate.

Why it matters: a single risk score hides the disagreement and the doubt. A finding with its evidence attached can be challenged, defended, and learned from.
app.soarcery.ai/approvals
AP-2031 · INQ-204 · medium risk · expires in 52m
email_security.quarantine_message(mailboxes: 3, reversible: true)

Confirmed phish with high confidence. Quarantine removes the message from all three inboxes before anyone clicks. Reversible: restoring the message takes one action if the verdict changes.

Approved by you · just now · recorded on the trail
approvals queue · demo data · this button is yours
Step 5 of 6 · The gate

One decision needed a human. It's yours.

Ninety seconds of work happened without you. This is the moment that should not: an action that touches three users' mailboxes waits for explicit approval, with the evidence and the blast radius in front of you.

You set where this line sits, per use case. Teams start with everything gated, watch the agent be right, and dial up autonomy at their own pace. Go ahead, approve it.

Why it matters: autonomy is not a switch, it is a dial you control. The gate is how an agentic SOC earns trust instead of demanding it.
app.soarcery.ai/inquiries/INQ-204 · trail
09:14:02 · Alert received: phishing reported by 3 users · source: email security
09:14:06 · Correlated against 5 open inquiries, no match. INQ-204 opened. · deterministic: correlation rules, not a model call
09:14:31 · Indicators enriched: 38/72 engines malicious, domain age 4 days, 4/4 IOC matches · threat_intel.lookup · 640ms · $0.0003
09:14:58 · Click-through check: no recipient clicked, no credential exposure · siem.search · 24h window
09:15:12 · Finding posted: confirmed phish, confidence high · evidence and reasoning attached
09:15:38 · Quarantine approved by a human at the gate · AP-2031 · identity recorded · reversible action
09:15:40 · Message quarantined in 3 mailboxes. Sender domain blocked. P2 ticket filed. · 3 actions · all reversible · inquiry closed
98s · alert to closed
6 · tool calls cited
1 · human decision
100% · of it on the trail
the audit trail · exportable · demo data
Step 6 of 6 · The receipt

Every step. Every source. Every decision. One trail.

This is what we mean by receipts. The whole case, from the alert landing to the mailboxes cleaned, is one replayable record: what ran deterministically, what the agent reasoned, what it cost, and which human approved the action that mattered.

Hand it to an auditor. Replay it after an incident review. Or just read it with your coffee, because the case closed in 98 seconds and nobody on your team touched a console.

Why it matters: when a vendor says "autonomous," ask to see this page. If they cannot show you the trail, what they are selling is trust without evidence.
That was one alert

Yours arrive by the thousand.
Bring one and watch it think.

A 30-minute walkthrough on your real triage flow, with the same receipts at the end. Technical, not a pitch.

Prefer to read the architecture first?