The SOC analyst that proves its work.
The autonomous SOC analyst for Splunk. It writes its own SPL, grounds every verdict in real events, and contains the threat.
One alert in, a contained incident out. Argus runs a real plan, act, observe, re-plan loop against live Splunk, proves the verdict, then closes the loop with a gated response and a new detection.
Planning: Argus takes the notable, recalls its own past cases and active blocklist, then declares the leading hypotheses it will test before it runs a single query.
Querying: It writes SPL on the fly and runs it through the Splunk MCP Server, the only way Argus ever touches Splunk.
Pivoting: It reads the result rows, confirms or refutes each hypothesis, and decides the next query. No hardcoded investigation paths.
Hardening: It files a grounded report, contains the threat through a gated response, and installs a detection so it cannot recur.
From the analyst's alert to a contained incident and a fresh detection, the whole Argus architecture in a single view.
A full plan → act → observe → re-plan loop, run autonomously as a single agent or a four-specialist team — and it proves every claim it makes.
Every verdict links to the exact SPL Argus ran and the exact events it saw. Click any conclusion in the report to drill down to the query and the rows behind it.
Argus declares its leading theories up front and marks each confirmed or refuted as evidence lands — so it tests alternatives instead of just confirming the first guess.
Before and during every case Argus recalls its own past investigations and active blocklist — a repeat-offender indicator surfaces its prior verdict instantly, the way a veteran analyst would remember it.
Every technique ID is checked against a pinned ATT&CK v19.1 catalog of 858 techniques; hallucinated IDs are dropped, and the incident's tactics render as an ordered kill-chain.
An explainable 0–100 score from verdict, confidence, severity, kill-chain breadth, live threat-intel and case history — built for real triage and prioritization, not just a severity label.
After a confirmed true positive, Argus writes a new SPL detection for the attack pattern and installs it as a scheduled Splunk correlation search — so the SOC auto-alerts if it ever recurs.
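The technique-ID check described above, as an added illustration written for this page (it is not Argus code and does not use its catalog). A constructed seven-entry stand-in replaces the pinned ATT&CK v19.1 export; the entries and the tactic order are real ATT&CK data, while the claim format, function names and drop reasons are assumptions. It goes slightly beyond the text by also rejecting a technique whose claimed tactic is not one the catalog lists for it, a second way an LLM-produced mapping can be wrong.

```python
import re
from dataclasses import dataclass

# Enterprise ATT&CK tactic shortnames in kill-chain order.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactics: tuple  # tactics the catalog maps this technique to


# Constructed stand-in for a pinned catalog export (the real v19.1 export has 858
# techniques). These seven entries are genuine ATT&CK mappings, chosen for the demo.
CATALOG = {t.tid: t for t in [
    Technique("T1078", "Valid Accounts",
              ("defense-evasion", "persistence", "privilege-escalation", "initial-access")),
    Technique("T1110", "Brute Force", ("credential-access",)),
    Technique("T1110.003", "Password Spraying", ("credential-access",)),
    Technique("T1059.001", "PowerShell", ("execution",)),
    Technique("T1021.001", "Remote Desktop Protocol", ("lateral-movement",)),
    Technique("T1041", "Exfiltration Over C2 Channel", ("exfiltration",)),
    Technique("T1486", "Data Encrypted for Impact", ("impact",)),
]}

ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def validate_claims(claims, catalog=CATALOG):
    """claims: [{"id": "T1110.003", "tactic": "credential-access"}, ...] as a model
    might emit. Returns (kept, dropped): kept entries carry the catalog name and the
    tactics that survived; dropped entries carry (id, reason)."""
    kept, dropped = [], []
    for c in claims:
        raw = str(c.get("id", "")).strip()
        tid = raw.upper()  # normalise "t1059.001" -> "T1059.001"
        if not ID_RE.match(tid):
            dropped.append((raw, "malformed id"))
            continue
        entry = catalog.get(tid)
        if entry is None:  # unknown id, or a sub-technique the parent does not vouch for
            dropped.append((tid, "not in pinned catalog"))
            continue
        tactic = c.get("tactic")
        if tactic is None:
            tactics = entry.tactics  # no tactic claimed: keep every catalog mapping
        elif tactic in entry.tactics:
            tactics = (tactic,)
        else:
            dropped.append((tid, f"tactic {tactic!r} not valid for {entry.name}"))
            continue
        kept.append({"id": tid, "name": entry.name, "tactics": tactics})
    return kept, dropped


def kill_chain(kept):
    """Surviving tactics in ATT&CK order, each with the technique ids that landed on it."""
    by_tactic = {}
    for k in kept:
        for t in k["tactics"]:
            by_tactic.setdefault(t, []).append(k["id"])
    return [(t, by_tactic[t]) for t in TACTIC_ORDER if t in by_tactic]


# Constructed model output: five good claims plus the failure modes the check exists for.
SAMPLE_CLAIMS = [
    {"id": "T1110.003", "tactic": "credential-access"},
    {"id": "T1078", "tactic": "initial-access"},
    {"id": "t1059.001", "tactic": "execution"},       # lower-case, normalised
    {"id": "T9999", "tactic": "execution"},           # hallucinated id
    {"id": "T1021.001", "tactic": "lateral-movement"},
    {"id": "T1486", "tactic": "exfiltration"},        # real id, wrong tactic
    {"id": "T1041"},                                  # no tactic claimed
    {"id": "T1078.009", "tactic": "persistence"},     # non-existent sub-technique
    {"id": "TA0001"},                                 # a tactic id, not a technique id
]

if __name__ == "__main__":
    kept, dropped = validate_claims(SAMPLE_CLAIMS)
    for tactic, ids in kill_chain(kept):
        print(f"{tactic:20s} {', '.join(ids)}")
    for tid, why in dropped:
        print(f"dropped {tid}: {why}")
```

The check is deliberately strict about sub-techniques: a valid parent ID never vouches for a child that is absent from the pinned export, because a model that has seen T1078.001 through T1078.004 will happily emit a T1078.009 that does not exist.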
The bottleneck in the SOC isn't detection — it's the slow, manual, unprovable investigation that comes after the alert fires.
A Tier-1 analyst spends 30–60 minutes manually pivoting across Splunk to triage a single notable — and still has to write up why it's a threat.
Alert queues grow faster than analysts can work them, so real attacks sit in the backlog right next to the false alarms nobody had time to clear.
When an AI finally flags something, you can't act on a verdict you can't audit — every conclusion needs the exact query and the exact events behind it.
One agent or a coordinated team, investigate-only or all the way to containment. Same engine, same grounded report — runs on the Anthropic API or AWS Bedrock.
One autonomous analyst that plans, queries, and proves — the core Argus loop.
Four specialists — auth, network, endpoint, threat-intel — investigate in parallel.
Close the loop: contain the threat and leave a new detection behind.
Submit an alert and watch the agent plan, run its SPL, mark its hypotheses, and reach a grounded verdict in real time — then drill into any claim to see the exact query and events behind it.
Argus only ever touches Splunk through the Splunk MCP Server, so every query is auditable, and every conclusion links straight back to the events it saw. Nothing is asserted that the data can't prove.
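What "every verdict links to the exact SPL and the exact events" means when enforced in code, as an added example written for this page rather than taken from Argus. It models the hypothesis ledger from the feature list above: hypotheses are declared before any query runs, each query is recorded before a claim may cite it, a confirmation must point at rows that actually came back, a refutation may rest on an empty result, and no verdict is allowed while a hypothesis is still open. The auth events are constructed, the field names are assumptions rather than a Splunk schema, and run_spl is a toy stand-in for the MCP query tool that understands only a conjunction of field=value terms.

```python
import hashlib
import json
import shlex
from dataclasses import dataclass, field

# Constructed auth events standing in for a real result set from the Splunk MCP
# Server. Field names are assumptions for the demo.
EVENTS = [
    {"_time": "2024-05-01T10:00:01Z", "index": "auth", "user": "jdoe", "src": "203.0.113.5", "action": "failure"},
    {"_time": "2024-05-01T10:00:03Z", "index": "auth", "user": "jdoe", "src": "203.0.113.5", "action": "failure"},
    {"_time": "2024-05-01T10:00:05Z", "index": "auth", "user": "jdoe", "src": "203.0.113.5", "action": "failure"},
    {"_time": "2024-05-01T10:02:00Z", "index": "auth", "user": "jdoe", "src": "10.0.0.7", "action": "success"},
    {"_time": "2024-05-01T10:03:00Z", "index": "auth", "user": "asmith", "src": "203.0.113.5", "action": "failure"},
]


def run_spl(spl, events=EVENTS):
    """Toy stand-in for the MCP query tool: a conjunction of field=value terms only."""
    terms = dict(tok.split("=", 1) for tok in shlex.split(spl))
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]


class EvidenceLedger:
    """Every query is recorded here, keyed by a digest of SPL plus rows, before any
    claim may cite it. A claim can therefore only point at something that was run."""

    def __init__(self):
        self.queries = {}

    def run(self, spl):
        rows = run_spl(spl)
        digest = hashlib.sha256((spl + json.dumps(rows, sort_keys=True)).encode()).hexdigest()
        qid = digest[:12]
        self.queries[qid] = {"spl": spl, "rows": rows}
        return qid, rows


@dataclass
class Hypothesis:
    hid: str
    statement: str
    status: str = "open"                           # open | confirmed | refuted
    evidence: list = field(default_factory=list)   # query ids


@dataclass
class Report:
    ledger: EvidenceLedger
    hypotheses: dict
    claims: list = field(default_factory=list)
    verdict: str = "undetermined"

    def resolve(self, hid, status, qid):
        """Confirm or refute a hypothesis against a recorded query. Confirmation
        needs returned rows; refutation may rest on an empty result."""
        if qid not in self.ledger.queries:
            raise ValueError(f"{hid}: query {qid} was never run")
        if status == "confirmed" and not self.ledger.queries[qid]["rows"]:
            raise ValueError(f"{hid}: cannot confirm on an empty result")
        h = self.hypotheses[hid]
        h.status, h.evidence = status, [qid]

    def add_claim(self, text, qid, row_indexes):
        """A claim carries the SPL and the exact rows it rests on, or it is rejected."""
        q = self.ledger.queries.get(qid)
        if q is None:
            raise ValueError(f"claim cites unknown query {qid}")
        if any(i >= len(q["rows"]) for i in row_indexes):
            raise ValueError("claim cites rows the query did not return")
        self.claims.append({"text": text, "spl": q["spl"],
                            "events": [q["rows"][i] for i in row_indexes]})

    def close(self, verdict):
        if any(h.status == "open" for h in self.hypotheses.values()):
            raise ValueError("open hypotheses remain; no verdict yet")
        if not self.claims:
            raise ValueError("a verdict needs at least one grounded claim")
        self.verdict = verdict
        return self


def investigate():
    """Hypotheses first, then queries, then a verdict that cites only what was seen."""
    ledger = EvidenceLedger()
    hyps = {"H1": Hypothesis("H1", "203.0.113.5 brute-forced jdoe"),
            "H2": Hypothesis("H2", "203.0.113.5 then logged in as jdoe")}
    report = Report(ledger, hyps)
    q1, rows1 = ledger.run("index=auth user=jdoe src=203.0.113.5 action=failure")
    report.resolve("H1", "confirmed" if rows1 else "refuted", q1)
    q2, rows2 = ledger.run("index=auth user=jdoe src=203.0.113.5 action=success")
    report.resolve("H2", "confirmed" if rows2 else "refuted", q2)
    report.add_claim(f"{len(rows1)} failed logons for jdoe from 203.0.113.5", q1, list(range(len(rows1))))
    report.add_claim("no successful logon for jdoe from that source", q2, [])
    return report.close("true_positive")


if __name__ == "__main__":
    r = investigate()
    print(r.verdict, {h.hid: h.status for h in r.hypotheses.values()})
    for c in r.claims:
        print(c["text"], "<-", c["spl"], len(c["events"]), "rows")
```

Keying each ledger entry on the SPL plus the returned rows, rather than on the SPL alone, matters for audit: the same query re-run later against a rolled index can return different events, and the report must link to the rows the verdict was actually based on.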