
    Arcanna

    WHAT ARE DECISION MODELS?

    Understand how Arcanna's AI mimics human decision-making to deliver fast, consistent, and trustworthy SOC automation.

    Arcanna Decision Models system diagram

    AI models trained to make decisions like your best analyst. Predictably.

    Bespoke deep neural networks engineered to run on CPU alone, no GPU required. Each model captures the intuition, experience, and judgment (outcome) your analysts bring to every decision in the SOC. Grounded in your organizational knowledge, it learns directly from analysts' decisions, then delivers instant predictions on new events with full explainability and confidence scores.

    Today

    Think of it like teaching a colleague everything you know about handling alerts. Except this colleague never sleeps, never forgets, can apply your expertise to thousands of alerts per second, and explains every decision it makes with full transparency.

    Future

    Soon, that colleague becomes an agentic system using MCP, A2A and LLMs or SLMs. To enable the agentic systems to make critical decisions, they use HITL workflows and grounding in Arcanna by querying organizational knowledge, historical decision patterns, and asset relationships for context. Decision Models learn to make predictable decisions from these HITL interactions, continuously.

    HOW DECISION MODELS WORK

    The human decision-making process is a complex cognitive function that involves several interconnected steps.

    Step 1 of 6

    System 2 Thinking (Intentional)

    When one of us needs to make a decision, we first gather relevant information to build the context, cues, and insights that help us make the best choice. Our brain identifies patterns and draws connections between the present scenario and similar situations we've encountered before. This more intentional kind of processing is known as "System 2" thinking and requires time and effort to go from raw data to informed opinion.

    Fig. 1: System 2 Thinking (Intentional)
    Step 2 of 6

    System 1 Thinking (Intuition)

    However, when we experience similar scenarios in the future, our intuition ("System 1," loosely) kicks in to help us make decisions in a split second.

    Fig. 2: System 1 Thinking (Intuition)
    Step 3 of 6

    Analysts in Alert Triage

    Similarly, every time a SOC analyst triages an alert, they are performing a "System 1" type of reasoning: very quickly scanning dozens of different data points, combining them with their knowledge and experience, and ultimately coming to a conclusion. Is this malicious, benign, or do I need more information to decide?

    Fig. 3: Analysts in Alert Triage
    Step 4 of 6

    Expert Analysts Creating Decision Models

    Our Decision Models aim to mimic this process at machine speed. When setting up new types of pipelines within Arcanna, someone with knowledge and expertise about how their organization handles certain types of scenarios (for example, triaging EDR alerts) comes in and builds a new Pipeline within Arcanna.

    Fig. 4: Expert Analysts Creating Decision Models
    Step 5 of 6

    Decision Models at Scale

    Once the model has been deployed and trained (which can be accomplished in just a few minutes for initial training), it will start to mimic the intuition of the expert(s) who trained it, thereby allowing every alert that comes in to receive a decision in seconds.

    Fig. 5: Arcanna Decision Models Mimicking Analyst Decisions at Scale
    Step 6 of 6

    Embedded in Your Workflows

    At this point, Decision Models can be embedded into your existing workflows to allow your entire SOC to benefit from (and improve upon) that expertise.

    Fig. 6: Arcanna Decision Models Embed in Your Workflows

    HOW DO THEY HELP?

    01

    Speed at Scale

    Our Decision Models usually provide answers in 5 seconds or less, even if we're considering dozens of different data points across alerts and enrichment information. We can achieve these speeds because our models leverage a proprietary blend of traditional deep learning AI rather than GenAI.

    One of our global customers triages 200 alerts via Arcanna in the time it previously took them to triage one.

    02

    Trust

    Doing things quickly but incorrectly is an even worse situation than doing them slowly and correctly. Fortunately, because Decision Models learn from your analysts, you can feel confident that the predictions they make will be aligned with the reality of your organization.

    Each decision that Arcanna makes will have a confidence score that you can use to determine if you trust it.

    High Confidence Escalation
    Outlier Detection
    Rollback Model

    03

    Consistency

    As your team interacts with Decision Models, decisions are applied consistently across analysts, shifts, and experience levels. This is especially valuable for understaffed teams or environments with frequent handoffs.

    After deployment, one customer discovered that their team of 16 analysts was treating the same types of alerts very differently — an insight they were only able to quantify through Arcanna.

    04

    Evolution of Knowledge

    Any time your organization's reality changes (such as new threats, risks that can no longer be accepted, and new internal processes), updating traditional automation becomes a tightrope walk. Since Arcanna's Decision Models learn directly from the actions your team takes over time, they'll naturally evolve with you.

    Decision Layer Knowledge Base
    05

    Improving SLAs

    When you can trust that your AI will make consistent decisions that are aligned with how your team would perform the same analysis, it becomes possible to enable an AI-first approach. Arcanna's Decision Models can be set up to automatically take actions on your behalf to dramatically improve response time.

    Several of our customers use this as a way to handle far more alerts and focus their efforts on the most important few.

    COMMON USE CASES

    Because Arcanna's Decision Models are highly flexible, there are many use cases we can support. We do, however, see certain ones appearing more frequently:

    Alert Triage

    Most customers have Decision Models for each type of technology they process (e.g., EDR, Firewall, Identity), though some also create Decision Models for ATT&CK Tactics.

    Alert Prioritization

    When an Alert Triage Decision Model flags an alert as malicious, it assigns the appropriate priority level (P0, P1, P2).

    Alert Routing

    Every vendor has their own way of describing certain data, and some omit critical fields entirely; this allows customers to automatically normalize everything at scale.

    Threat Hunting

    For sophisticated SOCs that have a hypothesis-driven threat hunting function, creating Decision Models for each hypothesis allows continuous analysis of activity for undetected threats.


    Reference: Daniel Kahneman, Thinking, Fast and Slow (New York: Farrar, Straus and Giroux, 2011), 20.