Night Watch · investigating around the clock
OwlSOC

Every alert, investigated.
Typically in under two minutes.

OwlSOC is an AI Security Operations Center that plugs into the tools you already run: Microsoft Sentinel, Defender, AWS. It gives your team an analyst-grade report on every alert, 24/7. No agents. No rip-and-replace. You approve every action.

30-day refundable · Live in 48h of access · Read-only first
The problem

You can't hire your way out of this. And ignoring it isn't a plan.

Security teams aren't short on alerts. They're short on hours, on people, and on a way to investigate every alert the moment it fires, whether that's 3am on a Sunday or 11am on a Tuesday.

Pain · 01

Alerts pile up faster than humans can read them.

A mid-sized estate fires hundreds of alerts a day across identity, endpoint, mail, and cloud. Most get a glance, a tag, and a close. The one that mattered is still in the queue.

Hundreds · alerts / day on a normal estate
Pain · 02

Attackers do their best work between 2am Saturday and 6am Sunday.

An overnight token-theft becomes a Monday-morning incident. By the time anyone's looked, the dwell time is already measured in days, not minutes.

~63h · Fri evening to Mon morning, uncovered
Pain · 03

A real 24/7 SOC team costs more than the rest of your security budget.

Five analysts on shift pattern, a lead, a manager, the tooling on top. North of £500k a year before you investigate the first alert. Most teams can't justify it. Most go without.

£500k+ · fully-loaded SOC team / year

“The breach that hurts you isn't the one you missed. It's the one you triaged in nine seconds at 4pm on Friday.”

How it works

Plugged into the tools you already run. Live in days, not quarters.

Nothing to migrate, no agents to roll out. OwlSOC reads from your existing security stack and gives your team the investigation depth of a 24/7 SOC, without the headcount.

Step 1

Connect

Read-only, in minutes.

OAuth into Microsoft Sentinel, Defender, or your AWS security stack. No agents to push. No endpoints to install. Nothing in your traffic path.

  • Sentinel · Defender · AWS
  • Read-only by default
  • ~30 min onboarding
Step 2

Investigate

Every alert. Automatically.

The moment an alert fires, OwlSOC triages it automatically and, on every alert, runs the AI investigation a human analyst would: pulls the relevant logs, correlates the signals, resolves the entities. Typically under two minutes, around the clock.

  • Triggered on every alert
  • Cross-source correlation
  • Baseline-deviation signals
Step 3

Report

Analyst-grade. Evidence-linked.

You get a plain-language verdict, a chronological timeline, MITRE ATT&CK mapping, the affected entities, and a recommended next action. Each claim is tied back to the source log.

  • Plain-language verdict
  • MITRE ATT&CK mapped
  • Every claim linked to evidence
Step 4

Approve

You stay in control.

OwlSOC recommends. Humans decide. A human approves or rejects every containment action; execution then runs through a write connector only on the scopes you’ve granted. Full audit trail. Reversible actions undo in one click; the few that can’t be are flagged before you approve.

  • Human-in-the-loop
  • Write-grant gated
  • Undo on reversible actions
Typical pilot timeline · kickoff Monday, first investigations Tuesday, end-of-week summary report
See it on a real-world scenario

A sample investigation. Pick one and see what your team would get.

These are synthetic alerts, shown in the same shape as the product reports them: the same verdict, timeline, MITRE mapping, evidence chain, and recommended actions your team would see when OwlSOC is watching your tenant. Pick a scenario.

Sample alerts
Illustrative data. The alerts, entities, IPs and tenants are synthetic. The investigation format and depth match what your team sees when OwlSOC is connected to your real Sentinel / Defender / AWS.
investigation / A-49281
AI investigation · Synthetic sample
Medium · P2 · Microsoft Sentinel · Identity Protection · fired 2026-06-05 11:42 UTC

Impossible travel for privileged account

Likely true positive
94% confidence · investigated in 01:47 (illustrative)

Why: Multiple independent signals converge: the phishing click, the token issuance, and the geographically impossible replay form a coherent AiTM chain with no plausible benign explanation.

The calibrated confidence and written narrative come from AI investigation, a separate optional step. Standard triage gives you a score and an “uncertain — needs review” default until a human or the AI confirms it.

A privileged admin account signed in from London at 11:42 UTC and from Singapore at 13:08 UTC. That journey isn't physically possible in 86 minutes. The second session reuses a refresh token issued earlier the same day and bypassed MFA via the existing token. The pattern matches recent adversary-in-the-middle (AiTM) phishing campaigns targeting the Microsoft 365 admin role. Containment recommended.

Root-cause hypothesis · The investigation's primary explanation

Adversary-in-the-middle phishing campaign captured a refresh token, which was then replayed from a different geography to access the admin account without triggering MFA.

Timeline · Chronological · source IDs surfaced where available
08:14 · Sign-in from London office (10.0.4.22) — MFA satisfied
  SigninLogs · CorrelationId 7f3a…
11:42 · Sign-in from London (10.0.4.22) — refresh token issued
  SigninLogs · TokenIssuerType=AzureAD
13:01 · Phishing landing page resolved by user (m365-admln.co)
  Defender for Office · UrlClickEvents
13:08 · Sign-in from Singapore (45.77.x.x) — same refresh token replayed
  SigninLogs · IPAddress=45.77.214.108
13:08 · OwlSOC picked up the alert · investigation started
13:09 · Correlated phishing click → token issuance → token replay
13:10 · Verdict: likely true positive · containment recommended
MITRE ATT&CK mapping · Technique attribution for downstream reporting
T1566.002 · Initial Access · Phishing — Spearphishing Link
T1539 · Credential Access · Steal Web Session Cookie
T1078.004 · Persistence · Valid Accounts — Cloud Accounts
Evidence · Source-linked · pivot IDs back to your console
E1
Refresh token issued from London office IP 10.0.4.22 at 11:42 UTC
tool: SigninLogs · pivot: CorrelationId 7f3a…
E2
User resolved phishing landing page m365-admln.co at 13:01 UTC
tool: UrlClickEvents
E3
Same refresh token replayed from Singapore IP at 13:08 UTC, bypassing MFA
tool: SigninLogs · pivot: IPAddress 45.77.214.108
Affected entities · 4 resolved · linked across sources
admin@constellation.io
Global Administrator · Tier-0
refresh_token · 0xA31F…
Issued 11:42 · replayed 13:08
45.77.214.108
Singapore · DigitalOcean · first-seen tenant
m365-admln.co
Lookalike domain · registered 4 days ago
Unresolved questions · Flagged for analyst follow-up
  • Whether other accounts in the tenant received the same phishing lure
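The impossible-travel and token-replay reasoning in the sample above, written out as an added example (not OwlSOC's own code). It runs over constructed sign-in and URL-click events shaped like the timeline: it computes the implied travel speed between consecutive sign-ins of the same user, flags a refresh token reused from a second IP without a fresh MFA claim, and only calls the chain a likely true positive when a lure click precedes the replay. The IP-to-location table, the 1,000 km/h plausibility threshold, the token identifiers and the second user with a benign London-to-Paris hop are assumptions; the functions generalise the page's single case to any number of users and sign-ins.

```python
"""Impossible travel and refresh-token replay correlation over constructed
events shaped like the sample timeline. Added example, not OwlSOC code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed IP-to-location table for the sample IPs. A real pipeline would
# use the Location field SigninLogs already carries, or a GeoIP lookup.
GEO = {
    "10.0.4.22": ("London", 51.5074, -0.1278),
    "45.77.214.108": ("Singapore", 1.3521, 103.8198),
    "203.0.113.5": ("Paris", 48.8566, 2.3522),  # benign control, documentation range
}
# Assumed threshold: faster than any commercial flight once airport time is included.
MAX_PLAUSIBLE_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    t: datetime
    user: str
    ip: str
    token_id: str        # identifier of the refresh token the session came from
    mfa_satisfied: bool  # False when the session rode an existing token


@dataclass(frozen=True)
class UrlClick:
    t: datetime
    user: str
    url: str


def ts(hhmm: str) -> datetime:
    """Build a UTC timestamp on the sample day."""
    return datetime.strptime(f"2026-06-05 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed events mirroring the sample timeline, plus a benign London-to-Paris hop.
SIGNINS = [
    SignIn(ts("08:14"), "admin@constellation.io", "10.0.4.22", "tok-prev", True),
    SignIn(ts("11:42"), "admin@constellation.io", "10.0.4.22", "0xA31F", True),
    SignIn(ts("13:08"), "admin@constellation.io", "45.77.214.108", "0xA31F", False),
    SignIn(ts("09:00"), "sales@constellation.io", "10.0.4.22", "tok-s1", True),
    SignIn(ts("12:00"), "sales@constellation.io", "203.0.113.5", "tok-s2", True),
]
CLICKS = [UrlClick(ts("13:01"), "admin@constellation.io", "https://m365-admln.co/login")]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """(earlier, later, implied km/h) for consecutive same-user sign-ins from
    different IPs whose implied speed exceeds max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.t):
        by_user.setdefault(s.user, []).append(s)
    hits = []
    for events in by_user.values():
        for prev, cur in zip(events, events[1:]):
            if prev.ip == cur.ip:
                continue
            km = haversine_km(GEO[prev.ip][1:], GEO[cur.ip][1:])
            hours = (cur.t - prev.t).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((prev, cur, round(speed)))
    return hits


def token_replay(signins):
    """(origin, replay) pairs: the same refresh token used from a second IP
    without a fresh MFA claim on the later session."""
    first_use, replays = {}, []
    for s in sorted(signins, key=lambda s: s.t):
        origin = first_use.setdefault(s.token_id, s)
        if s.ip != origin.ip and not s.mfa_satisfied:
            replays.append((origin, s))
    return replays


def build_chain(signins, clicks):
    """Correlate lure click -> token issuance -> replay into a verdict and evidence."""
    evidence = []
    travel = impossible_travel(signins)
    for origin, replay in token_replay(signins):
        lures = [c for c in clicks if c.user == origin.user and c.t < replay.t]
        hop = [h for h in travel if h[1] == replay]
        if lures and hop:
            evidence.append({
                "user": origin.user,
                "token": origin.token_id,
                "issued": (GEO[origin.ip][0], origin.t.strftime("%H:%M")),
                "click": lures[0].url,
                "replayed": (GEO[replay.ip][0], replay.t.strftime("%H:%M")),
                "implied_kmh": hop[0][2],
            })
    return ("likely true positive" if evidence else "needs review"), evidence


if __name__ == "__main__":
    verdict, ev = build_chain(SIGNINS, CLICKS)
    print(verdict, ev)
```

The three signals are kept as separate functions on purpose: impossible travel alone is noisy (VPN egress, mobile carriers), and token reuse alone has benign explanations, so the verdict is only raised when the lure click, the token reuse and the implausible hop line up for the same account, which is the convergence the sample's "Why" line describes.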
Containment actions · Human approval required · action trail

Recommendations only. Execution happens via a write connector once a human approves, and only if your tenant has granted that write scope. The API enforces this, not the UI.

Revoke all sessions · admin@constellation.io
Forces every active token to re-authenticate. Recommended first.
reversible · requires human approval · audit logged
Block domain · m365-admln.co
Block the AiTM landing-page domain at the mail and proxy layer.
reversible · requires human approval · audit logged
Disable account · admin@constellation.io
Stronger response if you can't reach the user in the next 15 minutes.
non-reversible · requires human approval · audit logged
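How the write-grant gate described above can be enforced in the API path rather than the UI, as an added example that is not OwlSOC's code. The executor refuses an action that is not in the catalogue, that has no named human approver, whose write scope the tenant has not granted, or that is non-reversible without the explicit extra confirmation, and it appends every decision, refused or executed, to the tenant's audit trail. The action catalogue, the scope names (modelled on Microsoft Graph permission naming, not taken from the product) and the stand-in connector are assumptions.

```python
"""Approval- and write-scope-gated execution of containment actions.
Added example, not OwlSOC code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed action catalogue. Scope names are illustrative, modelled on
# Microsoft Graph permission naming; the product's real scopes are not on the page.
ACTIONS = {
    "revoke_sessions": {"scope": "User.RevokeSessions.All", "reversible": True},
    "block_domain": {"scope": "Policy.ReadWrite.All", "reversible": True},
    "disable_account": {"scope": "User.EnableDisableAccount.All", "reversible": False},
}


@dataclass(frozen=True)
class Approval:
    """A human decision on one recommended action."""
    action: str
    target: str
    approver: str                         # who clicked approve; empty means nobody did
    confirmed_irreversible: bool = False  # extra confirmation for non-reversible actions


@dataclass
class Tenant:
    tenant_id: str
    granted_scopes: set
    audit: list = field(default_factory=list)


CALLS = []  # what the stand-in connector was asked to do


def fake_connector(action: str, target: str) -> str:
    """Stand-in for the write connector: records the call instead of touching a tenant."""
    CALLS.append((action, target))
    return f"{action} applied to {target}"


def execute(tenant: Tenant, approval: Approval, connector=fake_connector) -> dict:
    """Run one containment action only if every gate passes:
      1. the action is in the catalogue,
      2. a named human approved it,
      3. the tenant granted the write scope the action needs,
      4. a non-reversible action carries the explicit extra confirmation.
    Every decision is appended to the tenant audit trail, so the gate lives
    here on the execution path and a UI cannot bypass it."""
    spec = ACTIONS.get(approval.action)
    reason = None
    if spec is None:
        reason = f"unknown action {approval.action!r}"
    elif not approval.approver:
        reason = "no human approver recorded"
    elif spec["scope"] not in tenant.granted_scopes:
        reason = f"scope {spec['scope']} not granted by tenant"
    elif not spec["reversible"] and not approval.confirmed_irreversible:
        reason = "irreversible action requires explicit extra confirmation"

    entry = {
        "at": datetime.now(timezone.utc).isoformat(),
        "tenant": tenant.tenant_id,
        "action": approval.action,
        "target": approval.target,
        "approver": approval.approver,
    }
    if reason:
        entry.update(outcome="refused", reason=reason)
        tenant.audit.append(entry)
        return {"outcome": "refused", "reason": reason}

    result = connector(approval.action, approval.target)
    entry.update(outcome="executed", reversible=spec["reversible"], result=result)
    tenant.audit.append(entry)
    return {"outcome": "executed", "reversible": spec["reversible"], "result": result}


if __name__ == "__main__":
    t = Tenant("constellation", {"User.RevokeSessions.All"})
    print(execute(t, Approval("revoke_sessions", "admin@constellation.io", "lead@constellation.io")))
    print(execute(t, Approval("disable_account", "admin@constellation.io", "lead@constellation.io")))
    for e in t.audit:
        print(e["action"], e["outcome"], e.get("reason", ""))
```

The ordering of the gates matters for the audit trail: a missing grant is reported before a missing confirmation, so a reviewer reading the log can tell whether the tenant never enabled the capability or whether an approver skipped the extra step on an irreversible action.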
This is a sample. See it running against your alerts. Start with a 30-day refundable pilot.
What you get

The depth of a 24/7 SOC team. Without the headcount.

Six things every investigation gives your team. Packaged so a non-specialist can act on it, and a specialist can audit the reasoning.

Core capability

An AI investigator on every alert

Every alert is triaged automatically. With AI investigation on, OwlSOC works the case like a tier-2 analyst: pulls the relevant logs, builds a chronology, attributes techniques, and writes a plain-language verdict. Typically under two minutes.

investigation_run.log · illustrative · running
[00:00:04] picked up alert A-49283 (Defender, high)
[00:00:11] correlating across 4 sources…
[00:00:28] decoded PS payload → harvester family Atlas-7
[00:01:02] entity graph resolved · 4 entities linked
[00:01:24] MITRE attribution complete
[00:01:32] verdict: likely true positive · containment suggested for review
Evidence-linked

Every claim traces back to the source log.

No black-box assertions. Each line of the timeline cites the exact event, table, and identifier. Your team audits the reasoning instead of trusting it.

MITRE ATT&CK

Technique attribution, on every finding.

OwlSOC maps each step in the attack chain to ATT&CK tactics and techniques. Useful for incident response, audit, and reporting to leadership and regulators.

Adaptive baseline

Knows what's normal for you.

Learns the rhythms of your estate: who logs in from where, which tools run when. So it tells a benign anomaly from a real one without drowning you in noise.

Human-in-the-loop

You approve every action.

OwlSOC recommends and explains. Your team approves, and only on the write scopes you’ve granted. Reversible actions can be undone in one click; the few that can’t are flagged before approval.

Client portal

One place for the whole picture.

A live view of open investigations, the queue, recent decisions, and an export-ready audit trail. Built for the security lead, not the analyst. Analysts get the depth too.

Connects to
Microsoft Sentinel · Microsoft Defender · AWS Security Hub
More scoped on request
Why OwlSOC

You have three options. Most teams talk themselves out of the right one.

OwlSOC is built for the team that already runs Sentinel, Defender, or AWS and wants the depth and coverage of a 24/7 SOC team, without the cost, the migration, or the multi-year contract.

Comparison of options for handling security alerts: hiring a 24/7 SOC team, doing nothing, traditional MDR, and OwlSOC
Your options | Hire a 24/7 SOC team | Do nothing | Traditional MDR | OwlSOC
Typical cost | £500k+/year fully loaded | £0 up front; incident cost unbounded | Varies; often five figures/year | From £495/month per environment
Time to live | 6–12 months to hire and ramp | n/a | Weeks to months (migration) | Within 48 hours of access
Alert coverage | Not every alert is investigated; depth and consistency vary by shift | Alerts triaged in seconds, or never | Covered, but triage SLAs often 30–60 min | Every alert triaged automatically; AI investigation on each, typically under 2 min
Works with your existing stack | Yes | Yes | Often requires migrating tooling | Yes; sits on top of Sentinel / Defender / AWS, read-only first
Contract | Permanent headcount | None | Commonly multi-year | Monthly, no minimum term; 30-day refundable pilot
Who approves actions | Your team | Nobody | Provider (varies by contract) | Your team; every action human-approved and logged, execution write-grant-gated
Visibility into the reasoning | Full | n/a | Usually summary-level | Full; in an AI investigation, every claim pivots back to a source log


The better answer for most teams

OwlSOC. On top of the stack you already pay for.

No migration. No headcount. No multi-year contract. A 30-day refundable pilot, with first investigations running on your alerts within 48 hours of access at kickoff. If it doesn't earn its keep, you get your money back.

< 2 min
Typical investigation latency
48 h
From access granted to live
£495
Pilot, fully refundable
Every alert
Triaged, not sampled
Pricing

Pick a tier. Every one starts with a refundable pilot.

SOC-as-a-service pricing, kept simple: priced per monitored environment, billed monthly, no minimum term. Start with a pilot. If OwlSOC hasn't earned its keep in 30 days, you get your money back. No discussion needed.

Pilot it for £495. Fully refundable for 30 days.
One environment, every alert investigated, a full report at week 4. If it doesn't earn its keep, ask for a refund. No questions, no clauses.
Pilots kick off on Mondays · book by Thursday to start next week
Start your pilot
Standalone

Cover one environment. Prove the value fast.

£495/mo · per environment
Billed monthly · no minimum term
  • AI investigation on every alert
  • Plain-language verdicts + confidence
  • Evidence-linked timelines
  • MITRE ATT&CK mapping
  • Read-only client portal
  • Email digest + summary reports
  • Email support
Start your pilot

Best for a single Sentinel / Defender / AWS tenant

Our recommended tier
Core

The full SOC capability, on your existing stack.

£1,495/mo · per environment
Billed monthly · no minimum term
  • Everything in Standalone, plus:
  • Multi-environment / multi-tenant
  • Per-environment baseline-deviation signals
  • Recommended actions with human approval
  • One-click approvals in product
  • Full audit trail + undo on every reversible action
  • Slack / Teams alerts + workflows
  • Priority support · 4-hour response
Start your pilot

Billed monthly · cancel by email

Compliance

For regulated industries and audited estates.

£2,995/mo · per environment
Billed monthly · no minimum term
  • Everything in Core, plus:
  • Audit-evidence packs to support your SOC 2 / ISO 27001 / GDPR reporting
  • Executive monthly investigation report
  • Regulatory-grade audit log export
  • Dedicated security architect · quarterly
  • Custom log retention up to 7 years
  • 24/7 escalation channel
Talk to us

For regulated industries and audited estates

Not sure which tier? Tell us about your estate and we'll scope the pilot in a 20-minute call.
What we promise

Four things we'll put in writing.

Security tooling is famous for big promises and small print. We've tried to be specific, not aspirational. If anything below isn't true for your situation, we'd rather you knew before you signed.

1

You stay in control.

OwlSOC recommends; humans approve. Nothing reaches your environment without a green light from someone on your team, and only when you've granted that write scope. Reversible actions undo in one click; the few that can't be reversed are flagged and need an explicit extra confirmation.

  • Human-in-the-loop on every action
  • One-click undo on reversible actions
  • Non-reversible actions clearly flagged
  • Full audit log, export-ready
2

Your data, handled like data.

We read what we need to investigate the alert, nothing more. Read-only access by default. UK/EU data residency. We don't train models on customer logs, and every sub-processor in our pipeline is contractually bound by the same no-training commitment.

  • UK / EU data residency
  • Read-only by default
  • No model training, across every sub-processor
  • Encryption in transit and at rest
  • DPA available on request
3

No rip-and-replace.

OwlSOC sits on top of the Sentinel, Defender, and AWS tooling you already pay for. No agents pushed to endpoints. Nothing in your traffic path. You can switch us off in an hour.

  • Sits on existing stack
  • No endpoint agents
  • Off in under an hour, end of contract or not
4

30 days. Money back. No clauses.

Pilot OwlSOC for £495 across one environment for 30 days. If you don't believe it earns its keep, ask for a refund. We don't ask why. We don't have a clause about it.

  • Fully refundable for 30 days
  • No minimum term, no auto-renew tricks
  • Cancel any time after, by email
How we know it works

Before we connect to anyone's tenant, we validate each release against a fixed set of real-world attack scenarios: adversary-in-the-middle token theft, encoded-PowerShell execution, OAuth consent abuse, mass exfiltration, and others. On that set, OwlSOC reaches the expected verdict — likely true positive, likely false positive, or needs review — and shows the sourced timeline behind it. It's a defined test set, not a promise about your environment. The 30-day pilot is the real test, on your own alerts.

On certification: OwlSOC is not yet SOC 2 or ISO 27001 certified. We're glad to share our current security posture, our sub-processor list, and our data processing agreement before you sign. Request the DPA.

Frequently asked

Questions a careful buyer asks before they sign anything.

If yours isn't here, ask and we'll add it. Better questions make for better answers.

OwlSOC is an AI-powered Security Operations Center (SOC) service that investigates security alerts from Microsoft Sentinel, Microsoft Defender and AWS. When an alert fires, OwlSOC pulls the relevant logs, builds an evidence-linked timeline, maps the attack to MITRE ATT&CK, and returns a plain-language verdict with a recommended action, typically in under two minutes, 24/7. A human on your team approves any action before it runs. It connects read-only with no agents to install, and starts with a £495 30-day refundable pilot. In practice it automates alert triage for Microsoft Sentinel, Defender and AWS: every alert is triaged and fully investigated rather than sampled.

OwlSOC

See it on your alerts. Or your money back.

Start with a £495 30-day pilot. We're typically live in your environment within 48 hours of the OAuth grant, investigating every alert from day one. If it doesn't earn its keep, ask for it back.

£495 · 30 days · fully refundable. No card needed to talk. Rather just email us?

20-minute scoping call · Live within 48h of access · 30 days. Refundable.
Start your £495 pilot