Capabilities

AlphaSOC identifies malicious behaviors, data exfiltration, and policy violations by analyzing structured telemetry across identity, cloud, application, network, and endpoint sources. The platform produces high-fidelity OCSF detection findings in real time and supports retrospective detection, custom rule creation via Sigma, and broad interoperability with your security stack.

Platform Coverage

AlphaSOC is data-source agnostic and supports a wide range of environments and log formats:

Category      Examples
Identity      Auth0, Entra ID, Okta
Cloud         AWS CloudTrail, AWS EKS, AWS Lambda, GCP Audit, Azure Activity
Application   GitHub, Google Workspace, Slack, Atlassian, Confluence, Jira, 1Password
Network       Cloudflare, Palo Alto Networks, Zscaler, Zeek, Suricata, Corelight
Endpoint      CrowdStrike, Microsoft Defender, SentinelOne

Telemetry is normalized to OCSF upon ingestion and analyzed consistently across all supported formats. For the full list of supported data origins, see the Data Origins page.

Detection Capabilities

AlphaSOC combines behavioral analysis, threat intelligence, and active scanning to identify both known and novel threats. Detection categories include:

  • Command and control (C2): Beaconing, callbacks, domain fluxing.
  • Data exfiltration: DNS tunneling, ICMP tunneling, anomalous uploads.
  • Cryptomining: Traffic to mining pools or abused VPS infrastructure.
  • Phishing and malware: Lookalike domains, newly registered infrastructure, Certificate Transparency monitoring.
  • Policy violations: Potentially unwanted programs, outdated browsers, proxy avoidance tools.
  • Protocol abuse: Use of cleartext protocols (e.g. FTP, Telnet) and atypical port usage (e.g. SSH over port 443).
  • Anonymizing circuits: Tor, I2P, Freenet.
  • Low-prevalence destinations: Domains or IPs contacted by only one host across all AlphaSOC deployments, often a hallmark of targeted campaigns.
  • Identity threats: Unusual logins, permission escalation, credential misuse across identity providers and application platforms.
  • Configuration drift: Changes toward insecure states, bulk exports, public sharing of sensitive resources.

Each detection is scored for severity based on risk and confidence, and enriched in real time with threat intelligence and contextual metadata to support informed triage.

Six Dimensions of Scoring

AlphaSOC processes telemetry using six dimensions of scoring to reveal both known and unknown threats:

  1. Active fingerprinting: Scans destinations in real time to identify C2 infrastructure and mining pools.
  2. Reputation scoring: Gathers live reputation data using third-party APIs, sandboxing engines, and threat-blocking providers.
  3. Prevalence analysis: Flags rare behaviors and destinations within your environment and across all AlphaSOC customer environments.
  4. Time series modeling: Detects beaconing, login spikes, long-lived sessions, and exfiltration patterns.
  5. Feature classification: Identifies DNS tunneling, DGAs, encoded payloads, and protocol misuse.
  6. Intelligence correlation: Matches observed activity against curated and third-party threat intelligence feeds updated hourly.

For a detailed technical breakdown of each scoring dimension, see the Architecture page.

Anomaly Detection

Beyond rule-based detection, AlphaSOC continuously analyzes telemetry for behavioral outliers and environmental deviations:

  • Time-based anomalies: Unexpected session durations, beacon intervals, or access times.
  • User and identity outliers: Unusual logins across application platforms, sudden permission changes, or rare user-agent strings.
  • Resolver and network deviations: New outbound DNS resolvers or rare ASNs.
  • Global rarity: Destinations queried by only one host across the entire customer base.

The system highlights behavioral deviations that signal stealth operations such as command-and-control beaconing, credential misuse, or lateral movement, commonly seen in red teaming and targeted APT activity.

Correlation and Escalation

AlphaSOC aggregates and correlates individual detection events across identities, endpoints, and timeframes to surface meaningful security outcomes:

  • Micro-detections that may seem benign in isolation are clustered and scored together.
  • Incident modeling highlights coordinated patterns such as lateral movement, multi-stage phishing, or long-tailed command-and-control.
  • Enriched OCSF detection findings contain context (asset roles, user identity, rule references, threat category) to reduce false positives and accelerate triage.

This approach delivers high-confidence, noise-resistant OCSF detection findings that drive more effective SOC workflows.

Custom Detections with Sigma

AlphaSOC supports detection-as-code using the Sigma rule format. Threat hunters deploy custom rules via version control (e.g. GitHub) and CI/CD pipelines without translating to vendor-specific query languages.

  • Extend managed detection logic with environment-specific rules.
  • Tune severity and scoring per rule.
  • Create private, shareable, or community-based rules.
  • Draw on the Sigma community repository, which contains thousands of rules for Windows, macOS, Linux, cloud platforms, and applications.

Rules are processed alongside managed detections (aligned to MITRE ATT&CK) and mapped to the same OCSF detection finding pipeline.
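To make the detection-as-code flow concrete, here is an added illustration (not AlphaSOC's engine or any published API) of what "a Sigma rule evaluated against OCSF-normalized telemetry and emitted as an OCSF Detection Finding" means in code. The rule is the parsed form of a hypothetical Sigma YAML file, the events are constructed OCSF Authentication (class_uid 3002) records, and the Sigma level to OCSF severity_id mapping is a simplified assumption.

```python
import re
# Parsed form of a hypothetical Sigma rule (yaml.safe_load output); fields are OCSF dotted paths.
RULE = {"title": "Admin logon from outside the corporate address range", "level": "high",
        "detection": {"selection": {"class_uid": 3002, "status_id": 1, "user.name|startswith": "admin-"},
                      "filter": {"src_endpoint.ip|startswith": ["10.", "192.168."]},
                      "condition": "selection and not filter"}}

# Constructed OCSF Authentication events (class_uid 3002; status_id 1 = Success, 2 = Failure).
EVENTS = [{"class_uid": 3002, "status_id": 1, "user": {"name": "admin-jdoe"}, "src_endpoint": {"ip": "10.4.2.9"}},
          {"class_uid": 3002, "status_id": 1, "user": {"name": "admin-jdoe"}, "src_endpoint": {"ip": "203.0.113.7"}},
          {"class_uid": 3002, "status_id": 2, "user": {"name": "admin-root"}, "src_endpoint": {"ip": "198.51.100.3"}},
          {"class_uid": 3002, "status_id": 1, "user": {"name": "alice"}, "src_endpoint": {"ip": "203.0.113.8"}}]

SEVERITY = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}  # Sigma level -> OCSF severity_id

def get_field(event, dotted):
    """Resolve an OCSF dotted path such as 'src_endpoint.ip'; None if absent."""
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def value_matches(actual, expected, modifier):
    # Exact match, or the Sigma contains/startswith/endswith modifier, compared as strings.
    a, e = str(actual), str(expected)
    return actual is not None and {"contains": e in a, "startswith": a.startswith(e),
                                   "endswith": a.endswith(e)}.get(modifier, a == e)

def selection_matches(event, selection):
    """Keys are ANDed; a list of values is ORed unless the |all modifier is present."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        modifier = next((m for m in mods if m != "all"), None)
        hits = [value_matches(get_field(event, field), v, modifier) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def evaluate(rule, event):
    """Evaluate the rule's condition; return an OCSF Detection Finding (class_uid 2004) or None."""
    det = rule["detection"]
    names = {k: selection_matches(event, v) for k, v in det.items() if k != "condition"}
    # Only named selections, and/or/not and parentheses may appear in the condition string.
    for tok in re.findall(r"\w+|[()]", det["condition"]):
        if tok not in names and tok not in ("and", "or", "not", "(", ")"):
            raise ValueError(f"unsupported condition token: {tok}")
    if not eval(det["condition"], {"__builtins__": {}}, names):
        return None
    return {"class_uid": 2004, "severity_id": SEVERITY[rule["level"]],
            "finding_info": {"title": rule["title"]}, "evidences": [event]}
```

Of the four constructed events only the admin logon from 203.0.113.7 survives the `filter` clause and becomes a finding; the failed logon and the non-admin user never satisfy `selection`.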

Managed Detections

AlphaSOC maintains a library of managed detections aligned to MITRE ATT&CK, covering known threat actor tactics, techniques, and procedures. Managed detections are continuously updated and require no configuration. They run alongside custom Sigma rules within the same scoring pipeline.

For a complete list of managed detections, see the Detections page.

Retrospective Detection

AlphaSOC stores normalized telemetry in a customer-specific data lake, enabling:

  • Delayed detection of threats via updated rules or indicators.
  • Forensics and post-incident reconstruction.
  • Threat hunting over long time ranges.

This capability is included in both SaaS and on-premises deployments.

Alert Delivery

OCSF detection findings are delivered to your existing security stack:

Destination Type   Examples
SIEM               Google SecOps, Microsoft Sentinel, Splunk ES
SOAR               Cortex XSOAR, Splunk SOAR, Tines
Data Lake          Databricks, Security Lake, Snowflake
Ticketing          Jira, ServiceNow, Linear
Agentic AI         Claude, Copilot, OpenAI

Findings are available via REST API (pull or push), native integrations, and the AlphaSOC Web Console. Supported formats include OCSF and JSON, with custom formats available on request.

Summary

AlphaSOC provides:

  • Detection across identity, cloud, application, network, and endpoint telemetry sources.
  • OCSF normalization and six dimensions of scoring using a patented scoring stack.
  • Behavioral and anomaly detection for novel, low-prevalence threats.
  • Managed detections aligned to MITRE ATT&CK, continuously updated.
  • Detection-as-code with Sigma rules deployed via version control and CI/CD.
  • Correlation and escalation to produce high-confidence OCSF detection findings.
  • Integration with SIEM, SOAR, data lake, ticketing, and agentic AI platforms.
  • Retrospective detection via a customer-specific data lake.

Need help integrating AlphaSOC into your environment? Contact us.