Autonomous SOC

AI handles the grind. Humans make the call.

Saint Fox runs an Intelligent Threat Defense Centre where AI enriches, correlates, and drafts response for every alert. Security Analysts own the decisions. Human-In-Loop gates govern any action that can change your environment.

iTDC architecture: AI + Human-In-Loop

[Diagram] Telemetry in (EDR, Network, Email, IAM, Cloud, AI Apps, Threat Intel) feeds the Saint Fox iTDC AI SOC Core, which runs Triage, Correlate, Investigate and Evidence. Recommendations route to the Analyst as decision owner, who works the Human-In-Loop gates (approve isolation, revoke access). An evidence ledger captures the timeline, actions and proof.

AI detects. Human-In-Loop decides.

Every alert investigated. Proactive Threat Hunting. MTTR in minutes.

An autonomous SOC uses AI to do the investigation work on every alert, then routes the decision to a named human. AI investigates. Security Analysts decide. Nothing consequential happens without a person in the loop.

Most SOCs drown in alerts. Analysts triage a fraction, the rest pile up, and real incidents hide in the noise. The fix is not another tool that adds alerts. It is an operating model where AI does the tireless enrichment and correlation, and people spend their judgment where it counts.

The operating rule

AI detects. Expert decides.

A fully autonomous SOC that contains threats on its own sounds appealing until an automated action takes down production at 3am for a false positive. Saint Fox draws a hard line through the workflow.

AI investigates

Tireless, around the clock

  • Enriches every alert with context
  • Correlates across all telemetry
  • Drafts the response playbook
  • Queues the recommended action
Human-In-Loop gate

A named analyst decides

  • Reviews the recommendation with full context
  • Approves, adjusts, or rejects
  • Owns the decision on record
Action taken

With sealed evidence

  • Isolation, revocation, or shutdown executes
  • Timeline and proof captured
  • Packaged for audit and review
What we deliver

A SOC that investigates everything

Twenty-four-seven operations staffed by Security Analysts and AI Agents, with named accountability for every consequential action.

Every alert investigated

AI enriches and correlates every signal, including the ones a human team never had time for. Nothing falls off the queue unreviewed.

Human-In-Loop gates

Isolation, revocation, and shutdown move through a named analyst. AI proposes, a human approves, the decision is logged.

MTTD and MTTR targets

Detection and response times engineered for your environment, measured continuously, reported to your leadership.

Agent-assisted triage

AI drafts the investigation timeline, pulls related events, and suggests the response. Analysts review and act in minutes.

Reviewer Agent

A second AI checks decision quality and chain of custody, so the work holds up under audit and incident review.

Sealed evidence

Every action carries a timeline and proof, packaged for audit, insurance, and post-incident review from day one.

A day in the iTDC

What the queue looks like, and what happens to it

A representative 24-hour window. AI clears the volume so analysts focus their judgment on what matters.

  • 7 Critical: escalated to a named analyst within minutes, every one reviewed.
  • 41 High: AI triaged and enriched, analyst confirms the response.
  • 312 Medium: correlated and resolved with evidence, surfaced if patterns emerge.
  • 2,487 Informational: logged and contextualized, no analyst time spent on noise.

Representative volumes for illustration, not a claimed result. Actual figures depend on environment size and telemetry.

The business case

An autonomous SOC changes the economics of detection

When AI does the volume work, two things move at once: detection gets faster, and the cost of covering every alert drops. You spend analyst time on judgment, not triage.

Hours to minutes

Mean time to detect drops

A human queue clears alerts one at a time. AI investigates thousands in parallel, enriching and correlating the moment a signal lands. Threats that used to sit unreviewed for hours surface in minutes, before they spread.

  • Every alert investigated, the whole queue top to bottom
  • Correlation across telemetry happens instantly
  • Critical findings escalate to a named analyst in minutes
Cost per alert

Coverage without linear headcount

Staffing a 24/7 SOC to manually review every alert means hiring against volume, and volume only grows. AI absorbs the repetitive enrichment and correlation, so analyst headcount scales with complexity rather than with raw alert count.

  • Analyst time spent on decisions while AI gathers the data
  • Round-the-clock coverage without round-the-clock staffing for noise
  • Predictable managed cost in place of an open-ended hiring race

Directional outcomes for the operating model, not a claimed result. Actual figures depend on your environment, telemetry volume, and current baseline.

Beyond the alert queue

Hunt ahead of threats. Respond when they land.

Detection catches what trips a rule. Two practices cover the rest: proactive Threat Hunting looks for what has not triggered yet, and DFIR takes over the moment an incident is confirmed.

Proactive

Threat Hunting

Hypothesis-driven hunts across your telemetry, with AI surfacing the anomalies and outliers a rule would miss. The goal is to find dwell-time intrusions and quiet, living-off-the-land activity before they become an incident.

  • Hunt campaigns mapped to current threat intel
  • AI surfaces anomalies, outliers, and rare behavior
  • Focus on dwell time and living-off-the-land activity
  • Every finding becomes a new detection
Reactive

Digital Forensics and Incident Response

When an incident is confirmed, DFIR takes over. The team contains it, reconstructs exactly what happened, and produces a forensic record that holds up for auditors, insurers, and regulators.

  • Rapid containment and eradication
  • Forensic timeline and root cause analysis
  • Evidence preserved with chain of custody
  • Recovery, then lessons fed back into detection
How the pipeline works

AI does the work. Analysts make the decisions.

Telemetry flows in from across your stack. AI ingests, triages, correlates, and investigates every alert, then proposes a verdict. Autonomy is set per action. Low risk and reversible work runs on its own. Consequential actions wait for a named Security Analyst. Every step is logged.

Telemetry in

EDR, network, email, IAM, cloud, AI applications, threat intel

The AI pipeline runs on every alert, 24/7.

Respond

isolate host, revoke session, block, contain

Response actions run only at the autonomy level you set. Anything consequential routes through the Human-In-Loop gate for a named analyst to approve before it executes.

Evidence ledger

inputs, reasoning, approvals, actions, tamper-evident

Every decision is written to a tamper-evident ledger: the inputs the AI saw, the reasoning, who approved, and what was done. This is the record your auditors and insurers ask for.
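The per-action autonomy gate and the tamper-evident ledger described above, as an added Python sketch that is not Saint Fox's code: the autonomy table, the action names, the `analyst:` approver format and the SHA-256 hash chain are all assumptions chosen to illustrate the model.

```python
import hashlib
import json

# Hypothetical policy table (not Saint Fox's): autonomy level per action type.
# Read-only, reversible work runs on its own; consequential actions are gated.
AUTONOMY = {"enrich_alert": "auto", "add_to_watchlist": "auto",
            "isolate_host": "gated", "revoke_session": "gated", "shutdown_vm": "gated"}

GENESIS = "0" * 64


class EvidenceLedger:
    """Append-only ledger; each entry's hash commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        entry = {**record, "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def request_action(ledger, action, proposal, approver=None, breach_mode=False):
    """AI proposes; policy decides whether the action executes now or waits for a named analyst.
    Unknown actions fail closed to 'gated'. breach_mode dials autonomy down so that
    every action, even a normally automatic one, waits for approval."""
    level = "gated" if breach_mode else AUTONOMY.get(action, "gated")
    status = "executed" if level == "auto" or approver else "pending_approval"
    ledger.append({"action": action,
                   "inputs": proposal["inputs"],        # what the AI saw
                   "reasoning": proposal["reasoning"],  # why it proposed this
                   "autonomy": level,
                   "approved_by": approver if level == "gated" else "policy:auto",
                   "status": status})
    return status
```

Every call, whether it executed or is still waiting, lands in the ledger, so the record of a rejected or pending proposal is as durable as the record of an action that ran.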

Learn

analyst feedback tunes detections

When an analyst corrects or confirms a verdict, that feedback tunes the detections. The pipeline gets sharper with every decision instead of drifting.

Autonomy is set per action

dialed up only as accuracy proves out, dialed down the moment a live breach is detected

  • Human-In-Loop on consequential actions
  • Full audit trail on every decision
  • Multi-tenant, hard data isolation
  • Works with your existing stack, no rip and replace
Every consequential action requires a named analyst to approve it.
Outcomes

What changes when AI does the grind

  • 100% alerts investigated: every signal enriched and reviewed, the whole queue top to bottom.
  • <15m MTTR target: mean time to respond, engineered for your environment.
  • 24/7 operations: analysts and AI Agents on watch around the clock.
  • 0 ungated actions: no consequential action without a named human approval.

Planning targets, not claimed results. Actual figures depend on environment and integrations.

FAQ

Top 10 questions, frequently asked

The autonomy is in the investigation work, not the decisions. AI enriches, correlates, and drafts response for every alert around the clock, which no human team can do at scale. Security Analysts then make the call on anything consequential. The model removes the grind and keeps the judgment.

iTDC stands for Intelligent Threat Defense Centre. It is the Saint Fox operating core where telemetry is triaged, correlated, and investigated by AI, then routed to Security Analysts for decisions. Human-In-Loop gates govern every action that can change your environment.

No. Saint Fox does not claim autonomous containment or remediation. AI proposes the action and assembles the evidence, but isolation, revocation, and shutdown require a named analyst to approve through a Human-In-Loop gate. This protects you from automated actions firing on false positives.

We set MTTD and MTTR targets engineered for your environment, then measure against them continuously. The figures are reported to your leadership with the context behind each incident, so the numbers mean something rather than sitting in a dashboard.

No. We operate on top of the telemetry you already produce. EDR, network, email, IAM, cloud, and AI application logs feed the iTDC. If you have gaps, we advise on coverage, but the goal is to make your existing investment work harder, not to rip and replace.

Security Analysts and Principal Engineers. Analysts own the decisions and the Human-In-Loop approvals. Principal Engineers tune detections, build integrations, and lead complex investigations. We never refer to the team as operators, because the work is judgment, not button-pushing.

Every action carries a sealed timeline and proof. That package supports audit, cyber insurance claims, regulator questions, and internal post-incident review. Because it is captured as the work happens, there is no scramble to reconstruct what occurred weeks later.

Pricing is scoped to your telemetry volume, the number of integrations, and the coverage hours you need. Most engagements begin with a SOC assessment to baseline the current state, then move to a managed retainer. Contact us for a tailored proposal.

Telemetry connections and detection tuning typically take a few weeks, with the iTDC taking first watch on the highest-value sources early rather than waiting for full coverage.

The iTDC lives in Implement, with Learn tuning it every week from live cases, hunts, and purple team findings. Validate sets its baseline and Enhance reports its evidence to the Board.

Pressure test your SOC workflow

Book a session with a Principal Engineer. We walk through a real alert end to end and show you where the gaps are.