Use case · Incident response

Contain fast. Improvise never.

When an inquiry becomes an incident, the first hour disappears into timeline assembly and console hopping. Soarcery's agents do that part in minutes: scope, evidence, and proposed containment, with the irreversible moves held at the gate for you.

inquiry / INC-0231 / timeline

02:11  Initial access: phishing link, finance workstation
02:19  Credential used from new ASN
02:24  Lateral movement attempt via SMB, blocked
02:31  Host isolated by agent (auto)
02:32  Account disable proposed (at gate)

timeline building · 1 approval waiting
The grind

The first hour goes to the wrong work.

The moves that end an incident are decisions. But the team spends the opening stretch on archaeology: what happened, in what order, on which machines, while the attacker keeps working.

Timeline archaeology

Reconstructing the sequence across SIEM, EDR, identity, and email by hand, under pressure, at whatever hour the incident chose.

One-way doors

Wiping a host or killing a session can destroy evidence or tip off the attacker. Done in a hurry, containment becomes its own incident.

The postmortem scramble

Two weeks later someone rebuilds who did what, when, and why, from chat scrollback and memory. The audit trail should have existed already.

How Soarcery runs it

Agents do the archaeology. You make the calls.

1. Escalate the inquiry

Any investigation can become an incident without switching tools. The thread, the evidence, and the verdict spread come along; nothing is re-gathered.

2. Scope the blast radius

Agents assemble the timeline and walk outward: which hosts, which accounts, which data was in reach. Every finding lands in the thread with its evidence cited.

3. Contain with gates

Low-regret moves can run autonomously within your thresholds. Irreversible or high-blast-radius actions queue for approval with the rationale attached, and either decision is recorded.

4. Remediate and recover

Resets, rebuilds, and re-enables run as gated steps on the same trail. When it is over, the record of the incident already exists, in order, with who approved what.
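As an added illustration of the gated flow in steps 3 and 4 (not Soarcery's own code; the product's policy model is not shown on this page), here is a small containment trail that replays the INC-0231 timeline above: low-regret moves run within a threshold, one-way doors wait at the gate, and the proposal and the human decision both land on the same append-only record. The action classes, the threshold and the field names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed action classes: one-way doors always gate; low-regret moves may run
# autonomously until the inquiry's auto-action threshold is reached. Anything
# unclassified also goes to the gate, so a new action type cannot run unreviewed.
IRREVERSIBLE = {"wipe_host", "disable_account", "kill_session"}
LOW_REGRET = {"isolate_host", "block_indicator"}

@dataclass
class Inquiry:
    inquiry_id: str
    max_auto_actions: int = 3                    # assumed threshold
    trail: list = field(default_factory=list)    # append-only incident record
    pending: dict = field(default_factory=dict)  # gated proposals awaiting a human
    auto_actions: int = 0

    def record(self, **entry):
        entry["seq"] = len(self.trail)           # order is the record; never rewritten
        self.trail.append(entry)
        return entry

    def propose(self, at, action, target, evidence, rationale):
        """Agent proposes containment: run it now, or hold it at the gate."""
        base = dict(at=at, actor="agent", action=action, target=target,
                    evidence=evidence, rationale=rationale)
        if action in LOW_REGRET and self.auto_actions < self.max_auto_actions:
            self.auto_actions += 1
            return self.record(**base, status="auto")
        entry = self.record(**base, status="at_gate")   # irreversible or over threshold
        self.pending[entry["seq"]] = entry
        return entry

    def decide(self, seq, at, approver, approved, rationale):
        """Human rules on a gated proposal; approval and rejection are both recorded."""
        proposal = self.pending.pop(seq)
        return self.record(at=at, actor=approver, action=proposal["action"],
                           target=proposal["target"], ref=seq, rationale=rationale,
                           status="approved" if approved else "rejected")

def replay_inc_0231():
    """Constructed replay of the timeline above; hosts and accounts are made up."""
    inq = Inquiry("INC-0231")
    for at, finding in [("02:11", "Initial access: phishing link, finance workstation"),
                        ("02:19", "Credential used from new ASN"),
                        ("02:24", "Lateral movement attempt via SMB, blocked")]:
        inq.record(at=at, actor="agent", finding=finding, evidence="constructed")
    inq.propose("02:31", "isolate_host", "finance-ws-07", "EDR + IdP events", "stop lateral movement")
    inq.propose("02:32", "disable_account", "finance-user", "sign-in from new ASN", "credential compromised")
    return inq
```

Calling `decide(4, ...)` on the returned inquiry closes the gate on the account disable and appends the verdict with a `ref` back to the proposal, so the postmortem can be read straight off `trail`.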

The part that matters

The postmortem writes itself while you work

Every agent finding, every human decision, and every action, taken or rejected, is appended to the inquiry as it happens. The incident record is not a document someone writes after. It is the working surface itself, replayable end to end.

  • Chronological trail with evidence attached to every entry.
  • Approvals recorded with who, when, and the rationale shown at the time.
  • The reasoning behind each conclusion is readable, not reconstructed.

[Screenshot: app.soarcery.ai/inquiries. The Soarcery inquiries queue: threaded investigations with severity, status, assignee, and charter columns.]

Actual product. Demo data.

When it happens

Decide more. Dig less.

See an incident run end to end, gates included, on demo data.