Arcanna
    SOC Manager

    Shrink the Queue,
    Hit Your SLAs

    Decision Models deliver fast, consistent alert decisions. Low-confidence cases stay human-reviewed. Works with your SIEM; no SOAR needed.

    ≤5s

    Typical latency

    85%

    Tier-1 backlog reduced

    84%

    Auto-closure on benign alerts

    Problems We Solve

    Alert volume → queue growth

    Most incoming alerts are benign, but still consume Tier-1 time.

    Inconsistent decisions across shifts

    Variance creates rework and SLA risk.

    Handoffs & audits take too long

    Evidence is scattered across tools.

    Too few T2/T3 for escalations

    Senior time gets pulled into triage instead of incidents.

    How It Fits Your Day

    1

    Connect & start in Suggest (HITL)

    Hook up SIEM (and EDR/email if desired). Models propose decisions; analysts approve/deny so the system learns your team's judgment.

    Works with your SIEM · CPU-only · SOAR optional · Fully offline supported

    2

    Decide in seconds, within your thresholds

    Decision Models return a label + confidence and show nearest similar alerts + prior outcomes. You pick the confidence minimum for auto-close. Alerts below the threshold stay human-reviewed.

    3

    Human review when confidence is low

    Alerts that fall outside learned patterns are reviewed by analysts. Decision Models surface evidence, similar alerts, and prior outcomes to support confident human judgment.

    4

    Write-back & reporting

    Decisions, confidence, evidence links, and actions write back to SIEM/SOAR/ITSM. Manager views track queue length, decision latency, auto-close %, and decision consistency across shifts.

    Why Not Just More SOAR Playbooks?

    SOAR playbooks are powerful for automating predefined steps - but they don't make decisions. They're deterministic, which means they follow fixed rules and can't adapt when new or ambiguous alerts appear. That leaves analysts to step in on every edge case.

    Arcanna Decision Models close that gap. They learn from your analysts' prior choices and apply them consistently at machine speed. Instead of replacing playbooks, Arcanna sits one layer higher, answering the "is this benign or escalate?" question before any workflow kicks in.

    • Playbooks automate steps – useful for consistent response actions, but blind to context.
    • Decision Models make decisions – learn analyst judgment and generalize across new cases.
    • Better together – Arcanna filters noise first, your SOAR handles response second.

    KPIs & Consistency

    ≤5s

    median

    Queue length & time-to-decision

    Alerts resolved faster; backlog shrinking over last 30 days

    12%

    of alerts

    Escalation rate

    Escalations routed to Tier-2/3 after decision thresholds are applied.

    84%

    routine alerts

    Auto-close %

    Benign alerts auto-closed under thresholds by source/use case/shift.

    94%

    alignment

    Consistency index

    Outlier escalations flagged for coaching; stable across shifts

    Pilot Flow

    1

    Connect

    ≈30 min

    Read-only; no workflow change.

    2

    HITL learning

    7–10 days

    Approve/deny Suggestions; calibrate thresholds.

    3

    Enable auto-close

    scoped

    Only where confidence is high.

    4

    Operationalize

    Monitor KPIs; adjust thresholds; optional agent execution.

    Frequently Asked Questions

    Do we need SOAR to start?
    Can we run fully offline?
    Do we need GPUs?
    Who tunes thresholds?
    What happens on unusual alerts?
    How do we measure success?

    From Alert Backlog to Predictable SLAs

    See the manager view in action - seconds-level decisions, thresholds you control, and HITL on low-confidence cases.