Autonomous AI SOC

Six local AI models.
Five autonomous jobs.
Zero cloud dependency.

T-SecOps runs a fully autonomous SOC layer on your own hardware. Local LLM models classify threats, correlate events, detect beaconing, and write your morning briefing — around the clock, without sending a single byte of your telemetry to any external service.

6 local LLM models
5 autonomous jobs
2 min classification cycle
07:00 daily AI briefing
Architecture

Two-layer AI architecture

T-SecOps separates on-demand analysis from continuous autonomous operations. The on-demand layer responds to analyst queries in real time. The autonomous layer runs scheduled jobs independently — even when no one is watching the dashboard.

Layer 1 — On-Demand
Analyst-triggered AI capabilities
Six specialised capabilities available when an analyst interacts with an alert, an incident, or the RAG search interface. Each uses the most appropriate model for the task.
Alert explanation and context enrichment
Full incident analysis on demand
C2 beaconing drill-down for a given IP
pgvector semantic search across history
NIS2 / compliance gap explanation
Remediation plan generation
Layer 2 — Autonomous
Background jobs running without analyst input
Five scheduled jobs run automatically at defined intervals. They classify new events, correlate across sources, detect beaconing patterns, generate the daily briefing, and keep the vector store current.
Alert classification — every 2 minutes
Cross-source correlation — every 10 minutes
C2 beaconing scan — every 6 hours
Morning briefing generation — daily at 07:00
Vector store sync — every 30 minutes
Local LLM Models

Six specialised models.
All running on your hardware.

Every model is defined by a purpose-built Ollama Modelfile that sets a security-focused system prompt. qwen2.5:7b serves as the primary reasoning backbone. Lighter models handle high-frequency tasks to preserve GPU headroom for complex analysis.

Classifier
t-secops-classifier:latest
Alert Classifier
High-throughput classification model optimised for speed. Assigns severity score, attack type, and confidence level to every new alert. Runs every 2 minutes.
qwen2.5:7b · Scheduled · 2 min cycle
Correlator
t-secops-correlator:latest
Event Correlator
Links related events across network, DNS, and endpoint sources into unified incident threads. Identifies attack chains and lateral movement patterns invisible in individual alerts.
qwen2.5:7b · Scheduled · 10 min cycle
Briefing
t-secops-briefer:latest
Morning Briefing Writer
Synthesises the past 24 hours of classified and correlated events into a structured narrative briefing. Highlights top threats, anomaly trends, and recommended priority actions.
qwen2.5:7b · Daily 07:00 · Narrative
Compliance
t-secops-compliance:latest
Compliance Advisor
Specialised in NIS2, NIST CSF 2.0, and CIS Controls v8. Explains compliance gaps in plain language and generates context-aware remediation plans grounded in your actual telemetry.
qwen2.5:7b · On-demand · Compliance
RAG
t-secops-rag:latest
RAG Search Model
Powers the pgvector semantic search interface. Accepts natural-language questions about past incidents and returns grounded answers from the vector-indexed alert history.
nomic-embed-text · On-demand · pgvector
Autonomous Background Jobs

Works while you sleep.

Five scheduled jobs run continuously in the background — no analyst input required. Your security posture is assessed, correlated, and reported around the clock.

01 Alert Classification (every 2 min)
Pulls all unclassified alerts from the database, sends each to the classifier model, and writes severity score, attack type, and confidence back. Keeps the threat queue current even during high-volume attack periods.
02 Cross-Source Correlation (every 10 min)
Examines the last 30 minutes of classified events across network, DNS, and endpoint sources. Groups related events into incident threads and updates the correlation graph automatically.
03 C2 Beaconing Detection (every 6 hours)
Runs HDBSCAN clustering and XGBoost scoring over outbound connection logs. Assigns a beaconing probability score to each external IP, flagging periodic, low-jitter communication patterns.
04 Daily Morning Briefing (07:00 daily)
Summarises the past 24 hours of threat activity into a structured written briefing — top incidents, anomaly trends, new external services, and recommended priority actions for the day.
05 Vector Store Sync (every 30 min)
Embeds newly classified alerts into the pgvector store using nomic-embed-text. Keeps the semantic search index fresh so RAG queries always reflect the current threat landscape.
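To make the "periodic, low-jitter communication patterns" that job 03 looks for concrete, here is an added example that is not T-SecOps code. The product describes an HDBSCAN and XGBoost pipeline; this stand-in instead scores each source-to-destination pair by the coefficient of variation of its inter-connection intervals and payload sizes, so it runs offline with no ML dependencies. The 0.8 flag threshold matches the alert rule on this page; the scoring formula, the `score_pair`/`scan` helpers and the sample connection log are this example's own assumptions.

```python
"""Added example, not T-SecOps code: a minimal beaconing-regularity scan that
shows what "periodic, low-jitter communication" means in numbers. Each
source->destination pair is scored by the coefficient of variation (CV) of its
inter-connection intervals and payload sizes. The 0.8 threshold matches the
page's alert rule; the formula and the sample log are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2024, 1, 1, 0, 0, 0)  # constructed reference time

# Constructed outbound connection log: (timestamp, src, dst, bytes_out).
SAMPLE_CONNECTIONS = (
    # 10.0.0.5 -> 203.0.113.9: one connection every ~60 s with 1-2 s of jitter
    # and a near-constant payload, the textbook beacon shape
    [(BASE + timedelta(seconds=60 * i + (i % 3) - 1), "10.0.0.5", "203.0.113.9",
      512 + 8 * (i % 2)) for i in range(20)]
    # 10.0.0.7 -> 198.51.100.2: bursty, irregular, varied sizes (browsing-like)
    + [(BASE + timedelta(seconds=s), "10.0.0.7", "198.51.100.2", b)
       for s, b in [(5, 1200), (9, 40000), (70, 300), (400, 9000),
                    (410, 1500), (1900, 700)]]
)


def coefficient_of_variation(values):
    """Standard deviation relative to the mean; 0 means perfectly regular."""
    mu = mean(values)
    return pstdev(values) / mu if mu > 0 else float("inf")


def score_pair(timestamps, sizes, min_connections=4):
    """Return (interval_cv, size_cv, score) or None if there is too little data.

    score lies in [0, 1] and approaches 1 only when both the timing and the
    payload size are nearly constant."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    interval_cv = coefficient_of_variation(intervals)
    size_cv = coefficient_of_variation(sizes)
    score = max(0.0, 1.0 - interval_cv) * max(0.0, 1.0 - size_cv)
    return interval_cv, size_cv, round(score, 3)


def scan(connections, threshold=0.8):
    """Group a connection log by (src, dst) and score every pair."""
    grouped = defaultdict(lambda: ([], []))
    for ts, src, dst, nbytes in connections:
        grouped[(src, dst)][0].append(ts)
        grouped[(src, dst)][1].append(nbytes)
    results = {}
    for pair, (ts, sizes) in grouped.items():
        scored = score_pair(ts, sizes)
        if scored is None:
            continue  # too few connections to judge periodicity
        interval_cv, size_cv, score = scored
        results[pair] = {
            "connections": len(ts),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
            "score": score,
            "flag": score >= threshold,
        }
    return results


if __name__ == "__main__":
    for pair, result in scan(SAMPLE_CONNECTIONS).items():
        print(pair, result)
```

The beacon-shaped pair scores above 0.9 and is flagged; the browsing-like pair has an interval CV above 1 and scores 0. A production detector also has to cope with sleep-with-jitter beacons whose interval CV is deliberately inflated, which is one reason the page's approach layers a learned model on top of clustering.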
Background Job Monitor (dashboard preview): Alert Classifier: running · Vector Store Sync: 2 min ago · Cross-Source Correlator: in 4 min · C2 Beaconing Scan: in 2h 14m · Morning Briefing: tomorrow 07:00
Smart Alerting Engine

7 AI-enriched alert rules

Beyond raw Suricata alerts, the smart alerting layer applies context-aware rules to detect patterns that require cross-source reasoning. Each rule fires with an AI-written summary explaining why it triggered.

Geo-blocked IP Alert
Fires when traffic originates from a country on your geo-block list or a designated high-risk region. Enriched with reverse-DNS, ASN, and threat feed context.
New External Service
Detects when an internal host initiates a connection to an external service not seen in the previous 30 days. Useful for catching shadow IT and early-stage C2 communication.
Anomalous Upload Volume
Triggers when outbound data volume from a single host exceeds 3 standard deviations from its 7-day baseline. Flags potential exfiltration before it completes.
Honeypot Interaction
Zero-false-positive alert. Any interaction with a honeypot sensor is an immediate high-severity event — enriched with attacker profiling and the full session transcript.
DGA Domain Detected
Fires when the DGA detector scores a queried domain above the threshold. Alert includes the domain, entropy score, and which internal hosts queried it.
Sigma Rule Match
Endpoint agent matched a Sigma detection rule. Alert includes the matched rule name, process lineage, and correlated network events from the same host.
C2 Beaconing Score ≥ 0.8
When the beaconing detector assigns a score ≥ 0.8 to an external IP, this alert fires with the regularity interval, byte variance chart, and process responsible for the connections.
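Three of the rules above (New External Service, Anomalous Upload Volume, DGA Domain Detected) carry explicit thresholds, so here is an added example that applies them to constructed sample data. It is not T-SecOps code: the 30-day lookback and the 3-standard-deviation bound over a 7-day baseline come from the page, while the Shannon-entropy threshold of 3.5 bits, the `evaluate_host`/`run_rules` helpers and all sample hosts, services and byte counts are this example's own assumptions. Threat-feed, ASN and AI-written summary enrichment are not reproduced.

```python
"""Added example, not T-SecOps code: three smart-alerting rules applied to
constructed sample data. Lookback (30 days) and the 3-sigma bound come from the
product page; the entropy threshold and the sample data are assumptions here.
"""
import math
from collections import Counter
from datetime import date, timedelta
from statistics import mean, pstdev

TODAY = date(2024, 3, 15)  # constructed reference day

# Constructed history of (day, host, external service) observations.
SEEN_SERVICES = [
    (TODAY - timedelta(days=d), "ws-01", "updates.example.com:443") for d in range(1, 31)
] + [(TODAY - timedelta(days=45), "ws-01", "old-cdn.example.net:443")]

# Constructed per-host 7-day outbound byte totals (the baseline).
UPLOAD_BASELINE = {
    "ws-01": [1.0e8, 1.1e8, 0.9e8, 1.05e8, 0.95e8, 1.0e8, 1.0e8],
    "ws-02": [5.0e7, 5.2e7, 4.8e7, 5.1e7, 4.9e7, 5.0e7, 5.0e7],
}

# Constructed activity for today, one record per host.
TODAY_ACTIVITY = [
    {"host": "ws-01", "services": ["updates.example.com:443", "old-cdn.example.net:443"],
     "bytes_out": 1.02e8, "domains": ["google.com"]},
    {"host": "ws-02", "services": [], "bytes_out": 4.0e8,
     "domains": ["xk7q2m9plw4cz1.example"]},
]


def new_external_service(host, service, today, history, lookback_days=30):
    """True if host -> service was not observed within the lookback window."""
    cutoff = today - timedelta(days=lookback_days)
    return not any(d >= cutoff and h == host and s == service for d, h, s in history)


def upload_zscore(today_bytes, baseline):
    """How many baseline standard deviations today's volume sits above the mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # flat baseline: any increase at all is anomalous
        return float("inf") if today_bytes > mu else 0.0
    return (today_bytes - mu) / sigma


def anomalous_upload(today_bytes, baseline, sigmas=3.0):
    return upload_zscore(today_bytes, baseline) > sigmas


def shannon_entropy(label):
    """Bits of entropy per character of a domain label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registrable_label(domain):
    """Second-level label; a real deployment would consult the public suffix list."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_suspect(domain, threshold=3.5):
    return shannon_entropy(registrable_label(domain)) > threshold


def evaluate_host(record, today=TODAY, history=SEEN_SERVICES, baselines=UPLOAD_BASELINE):
    """Return the (rule, host, detail) alerts that fire for one host-day record."""
    host, alerts = record["host"], []
    for svc in record["services"]:
        if new_external_service(host, svc, today, history):
            alerts.append(("new_external_service", host, svc))
    baseline = baselines.get(host)
    if baseline and anomalous_upload(record["bytes_out"], baseline):
        z = round(upload_zscore(record["bytes_out"], baseline), 1)
        alerts.append(("anomalous_upload", host, f"z={z}"))
    for dom in record["domains"]:
        if dga_suspect(dom):
            ent = shannon_entropy(registrable_label(dom))
            alerts.append(("dga_domain", host, f"{dom} entropy={ent:.2f}"))
    return alerts


def run_rules(activity=TODAY_ACTIVITY):
    """Evaluate every host record and flatten the alerts."""
    return [alert for rec in activity for alert in evaluate_host(rec)]


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Entropy alone is a weak DGA signal (long legitimate labels also score high), and a z-score over only seven days is sensitive to a single noisy baseline day; the page's DGA detector and baseline logic are its own, and this block only makes the stated thresholds testable.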
Security Guarantees

Everything stays on
your infrastructure.

Unlike cloud-based AI SOC services, T-SecOps processes every piece of your telemetry locally. Your alert data, network logs, and endpoint events never leave your premises.

Local Inference Only
All LLM inference runs on your hardware via Ollama. No API calls to OpenAI, Anthropic, or any other external AI provider, so the platform also works when it is air-gapped.
No Telemetry Exfiltration
Threat feed lookups are one-way IP enrichment requests — only the queried IP/domain leaves your network, never the full alert context or network topology.
Air-Gap Compatible
All AI capabilities function with zero internet connectivity. Threat feed enrichment can be disabled. The platform operates in fully isolated network environments.
Model Customisation
Each Ollama Modelfile is editable. Security teams can tune system prompts, swap base models, or deploy organisation-specific fine-tuned models.
Deterministic Scheduling
Background job intervals are configurable. Every job execution is logged with start time, duration, alerts processed, and outcome — full auditability for compliance.
GPU-Accelerated
Supports NVIDIA CUDA and Apple Metal (MPS). Classification cycle drops from ~40s to ~4s with GPU acceleration, enabling higher-frequency analysis on busy networks.
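The Deterministic Scheduling guarantee lists the fields every job execution is logged with: start time, duration, alerts processed, and outcome. As an added example that is not T-SecOps code, the runner below produces such a record for each run, including a job that raises, so that a failed cycle shows up in the audit trail instead of disappearing. The `JobRecord` shape, the `run_job` wrapper and the constructed stand-in jobs are this example's own assumptions.

```python
"""Added example, not T-SecOps code: a job runner that records start time,
duration, alerts processed and outcome for every execution, failures included.
"""
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List


@dataclass
class JobRecord:
    job: str
    started_at: str      # ISO-8601 UTC timestamp
    duration_s: float
    alerts_processed: int
    outcome: str         # "ok" or "failed"
    error: str = ""      # exception type and message when outcome == "failed"


AUDIT_LOG: List[JobRecord] = []


def run_job(name: str, job: Callable[[], int]) -> JobRecord:
    """Run `job` (which returns the number of alerts it processed) and append an
    audit record. An exception is captured as outcome "failed" so the scheduler
    keeps running and the failure remains visible for audit."""
    started = datetime.now(timezone.utc)
    t0 = time.perf_counter()
    try:
        processed = job()
        rec = JobRecord(name, started.isoformat(), round(time.perf_counter() - t0, 4),
                        processed, "ok")
    except Exception as exc:  # deliberately broad: any failure must be recorded
        rec = JobRecord(name, started.isoformat(), round(time.perf_counter() - t0, 4),
                        0, "failed", f"{type(exc).__name__}: {exc}")
    AUDIT_LOG.append(rec)
    return rec


# Constructed stand-in for the alert queue; severity None means unclassified.
FAKE_QUEUE = [{"id": i, "severity": None} for i in range(5)]


def classify_pending() -> int:
    """Stand-in classifier pass: label every unclassified alert exactly once.
    A second run processes 0 alerts, which is the idempotency an audit log
    should show for a quiet cycle."""
    processed = 0
    for alert in FAKE_QUEUE:
        if alert["severity"] is None:
            alert["severity"] = "medium"  # placeholder verdict, not a model call
            processed += 1
    return processed


def unreachable_model() -> int:
    """Stand-in for a cycle where the local model endpoint is down."""
    raise ConnectionError("model endpoint unreachable")


if __name__ == "__main__":
    run_job("alert_classifier", classify_pending)
    run_job("alert_classifier", classify_pending)
    run_job("alert_classifier", unreachable_model)
    for rec in AUDIT_LOG:
        print(rec)
```

Writing the record even on failure is what makes the log usable as compliance evidence: a gap in the series is itself a finding, and a "failed" row with its error text tells the reviewer whether the gap was a crashed job or a skipped schedule.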

Start your AI-powered SOC today.

Deploy T-SecOps and have six local AI models running on your hardware within the hour.