AI triage and investigation for AWS Security Hub

OwlSOC connects read-only to AWS Security Hub, investigates each finding, and returns a hedged verdict with a recommended action, typically in under two minutes, 24/7. A human on your team approves any containment before it runs.

What OwlSOC does with an AWS Security Hub finding

When a finding lands in AWS Security Hub, OwlSOC reads it, pulls the surrounding signals, and works it like an analyst would. It correlates related events, resolves the affected entities, maps the activity to MITRE ATT&CK, and writes an evidence-linked timeline where every claim cites a source log or pivot ID. You get a plain-language verdict and a recommended action, not a higher-priority queue.

It runs on every finding, not a sample. A mid-sized AWS estate can fire hundreds of findings a day across config drift, IAM, and threat detections, and most teams triage by gut feel under load. OwlSOC investigates each one and tells you which ones actually warrant attention.

  • IAM anomalies — unusual role assumption, new access keys, privilege changes
  • Exposed resources — public S3 buckets, open security groups, exposed snapshots
  • Suspicious API calls — from unfamiliar regions, principals, or sources
  • Affected-entity resolution across accounts, principals, and resources

Two tiers: standard triage and AI investigation

Standard deterministic triage runs on every finding. It scores the finding and applies repeatable rules; the default verdict is "uncertain — needs review" rather than a guess. This is the baseline on every alert.

The AI investigation is a separate step included in the paid tiers. It produces a calibrated confidence percentage, a root-cause narrative, and a hedged verdict: likely true positive, likely false positive, or uncertain — needs review. It never returns "confirmed threat". Confidence is deliberately conservative, and ambiguous cases are flagged for a human rather than miscalled.

Verdict, then human-approved containment

OwlSOC investigates and recommends; a human approves. For a Security Hub finding it will tell you what it thinks happened, how confident it is, and the action it would take, but it does not act on its own.

Containment is human-approval-gated and write-grant-gated. An action only runs after someone on your team approves the specific action, and only on the write scopes you have granted. Everything is logged. Reversible actions can be undone; the few that cannot are flagged before you approve. By default OwlSOC is read-only and takes no action at all.

Which AWS sources are supported

AWS Security Hub is the supported AWS connector. It aggregates findings from across your AWS security tooling, so connecting it read-only gives OwlSOC a single, normalised view to investigate against.

Other AWS sources are scoped on request, not shipped. If a source such as AWS GuardDuty matters to you and you want it investigated directly rather than via Security Hub, tell us and we will scope it. We add connectors against real pilot demand, not a roadmap slide.

  • Supported now: AWS Security Hub (read-only)
  • Scoped on request: AWS GuardDuty and other AWS sources — not yet shipped
  • Also supported: Microsoft Sentinel and Microsoft Defender (Endpoint and Office)

What you get and how it runs

The output is built to be checked, not trusted blindly. Your team can open any line of the timeline and see the exact log or finding behind it, disagree with the verdict, and follow the reasoning in the client portal. OwlSOC can also export case reports (including PDF) to support your own SOC 2, ISO 27001, or GDPR reporting.

Setup is light. The connection is read-only by default, there are no agents to install, and most pilots run their first investigations within about 48 hours of access. It starts with a £495, 30-day fully refundable pilot, then from £495 per month per monitored environment, billed monthly with no minimum term.

Frequently asked

Does OwlSOC support AWS GuardDuty?

Not as a direct connector yet. AWS Security Hub is the supported AWS connector, and it aggregates findings from across your AWS security tooling. AWS GuardDuty is scoped on request rather than shipped — tell us if you need it investigated directly and we will scope it against real pilot demand.

How does OwlSOC connect to AWS Security Hub?

Read-only by default, with no agents to install. You grant the access OwlSOC needs to read findings and the surrounding signals, and it is auditable from your side. Most pilots run their first investigations within about 48 hours of access.

Will OwlSOC take action on an AWS finding automatically?

No. OwlSOC investigates and recommends; a human on your team approves any containment before it runs. Actions are human-approval-gated and only execute on the write scopes you have granted. By default OwlSOC is read-only and takes no action at all.

What kind of verdict does OwlSOC give on a Security Hub finding?

A hedged one: likely true positive, likely false positive, or uncertain — needs review. The AI investigation adds a calibrated confidence percentage and a root-cause narrative, with every claim in the timeline citing a source log or pivot ID. It never returns "confirmed threat".

See it on your alerts.

Start with a 30-day refundable pilot. £495, one environment, every alert investigated, a full report at week four. Read-only, live within 48 hours of access.