Self-hosted. Verifiable. In your perimeter.

A SOC that remembers.

Warlog turns alerts into approved actions. Context stays attached. Judgment stays human. Proof stays signed. Memory compounds privately.

Four moves. One loop.
01 · INGEST · One case.

Signals land in one model.

02 · PROPOSE · Context first.

Past decisions surface before action.

03 · DECIDE · Approval stays human.

One screen. Clear tradeoffs.

04 · COMPOUND · Memory compounds.

The next case starts ahead.

Less drift. Less risk. More memory.

The Gap

Detection is not enough.

The stack sees the event. The wrong action is still one click away.

09:14:02 · SEV 1 · Azure AD / Graph · Service principal crm-sync calling Graph from an unknown ASN.
09:20:11 · SEV 3 · Email Security · Three finance users received OAuth consent prompts for an unknown app.
09:22:45 · SEV 1 · Exchange / O365 · A fourth finance user created a mailbox forwarding rule to an external address.
Matched Playbook 142 · Anomalous ASN + OAuth phishing + External forwarding rule → Action: Disable Principal
But crm-sync runs month-end billing. Shut it down, and revenue stops.

Your analyst knew the exception. The system did not. The missing fields are simple: service owner, dependency, rollback, approver.

SOAR · Rule matched. Playbook fired.

Fast automation. Thin context.

match · disable principal · revoke sessions · execute
AUTONOMOUS AGENT · Strong narrative. Weak control.

It sounds right. It still acts blind.

high confidence · disable principal · executing

For the analyst, the gap is context. For DevSecOps, it is change control. In both cases, speed without service awareness turns an alert into an outage.

Why this happens

Tools everywhere. Memory nowhere.

Detection lives in one place. Decisions die in another.

Without memory, automation repeats old mistakes.

The Engine

Each approved decision makes the next one safer.

Warlog correlates the signals, brings back the last validated exception, adapts the response to the service at risk, and keeps approval explicit.

INGEST
09:14:02 · Azure AD · crm-sync from unknown ASN
09:20:11 · Email Sec · OAuth consent prompts
09:22:45 · Exchange · external forwarding rule created
L0 · SUBSTRATE
Three signals. One live incident. Identity and email events resolve to the same crm-sync case.
L2 · DOCTRINE
Approved judgment comes back. The last valid exception returns with owner, dependency, and rollback context.
L1 · FABRIC
Response adapts before it runs. Revoke tokens. Stop forwarding. Keep billing live.
L3 · FRONTLINE
One proposal. Explicit approval. Impact, evidence, rollback, and action stay together.
Resolved · approved · logged · reversible
Revenue path · uninterrupted
Attack path · contained
Proof · attached
Memory · retained
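The loop described in The Gap and The Engine, as an added example that is not Warlog's code: the page's three signals resolve to one case, a constructed doctrine record for crm-sync (owner, dependency, rollback, approver) comes back before any action, the playbook's "disable principal" is adapted to token revocation plus forwarding-rule removal, and nothing executes without the named approver. Signal fields, the doctrine entry, and the action names are assumptions for illustration.

```python
"""Added example, not Warlog's code: correlate the page's three signals
into one case, recall the service exception, adapt the action, gate on approval."""
from dataclasses import dataclass

# Constructed signals mirroring the three events in the scenario above.
SIGNALS = [
    {"ts": "09:14:02", "sev": 1, "principal": "crm-sync", "kind": "unknown_asn"},
    {"ts": "09:20:11", "sev": 3, "principal": "finance", "kind": "oauth_consent_prompt"},
    {"ts": "09:22:45", "sev": 1, "principal": "finance", "kind": "external_forwarding_rule"},
]
# Constructed doctrine memory: the last validated exception for the service.
DOCTRINE = {"crm-sync": {"owner": "billing-platform", "dependency": "month-end billing",
                         "rollback": "re-enable principal", "approver": "soc-lead"}}
# Playbook 142 as the page describes it: match on the triple, fire one blunt action.
PLAYBOOK_142 = {"kinds": {"unknown_asn", "oauth_consent_prompt", "external_forwarding_rule"},
                "action": "disable_principal"}

@dataclass
class Proposal:
    case: str
    actions: list
    context: dict
    approved_by: str = ""

def correlate(signals):
    """Identity and mail events resolve to the one service principal they touch."""
    kinds = {s["kind"] for s in signals}
    if not PLAYBOOK_142["kinds"] <= kinds:
        return None
    return next(s["principal"] for s in signals if s["kind"] == "unknown_asn")

def propose(case, doctrine):
    """Context first: adapt the playbook action to the service before it runs."""
    ctx = doctrine.get(case)
    if ctx is None:  # no exception on record: the playbook action stands
        return Proposal(case, [PLAYBOOK_142["action"]], {})
    # A known dependency: contain the attack path, keep the revenue path live.
    return Proposal(case, ["revoke_tokens", "remove_forwarding_rule"], ctx)

def execute(p, approver):
    """Nothing is dispatched until the named approver signs the proposal."""
    required = p.context.get("approver")
    if not approver or (required and approver != required):
        raise PermissionError(f"{approver!r} cannot approve {p.case}")
    p.approved_by = approver
    return [f"{a}:{p.case}" for a in p.actions]
```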
warlog os / investigation · Live product
Watch a capability get built, then used. A critical alert lands with no playbook. One click asks the AI to draft the investigation method for the technique; the analyst approves the questions, the log queries, and the detection logic; it deploys. The same alert reopens as a guided workflow, the agent works the steps, and a fully documented incident is escalated in under two minutes. No free-form text written by hand.
Why it compounds

Approved memory makes response adaptive.

Warlog does not just store the case. It reuses validated decisions, keeps execution bounded, and gets sharper as similar incidents return.

L3 · FRONTLINE · Decision Surface
AI drafts. Humans decide. Control stays explicit.
L2 · DOCTRINE · Adaptive Memory
Approved decisions compound. Exceptions, owners, dependencies, and safe paths return when patterns repeat.
L1 · FABRIC · Safe Execution
Actions adapt before delivery. Dry-run, blast radius, and rollback checks shape execution.
L0 · SUBSTRATE · Shared Model
The stack resolves to one model. Signals, actions, and proof land on shared objects.
Adaptive loop. Signal · Memory · Action · Proof
The Model

What we publish. What we deploy.

Two things. Cleanly separated. The contract is open. The runtime is self-hosted.

Warlog speaks the standards your team already speaks. · 9 categories

The problem is not missing standards. The problem is that they stop at tool boundaries. Warlog joins them.

OCSF · ECS · Sigma · MITRE ATT&CK · STIX / TAXII · OASIS CACAO · NIST CSF · DORA · + 1
Three guarantees hold it together.
CANON · One incident shape · Alert, action, connector, and KB point to the same model. · Shared model
OUTBOX · Safe delivery · Actions run once, in order, with retries that stay safe. · Execution guarantee
PROOF · Signed history · Who approved what, why, and what happened next. · Audit guarantee
warlog_spec / __init__.py · Apache 2.0 → View on GitHub
from warlog_spec import (
    AlertCanonical,      # shared alert record
    ResponseActionSpec,  # reviewed action contract
    Outbox,              # safe delivery layer
    AuditChain,          # signed proof trail
    Connector,           # tool integration boundary
)
pip install warlog-spec · Open schemas. One operational record. · any language, same proof trail
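The OUTBOX and PROOF guarantees above, as an added example that is not the warlog-spec package: a minimal outbox that delivers queued actions once and in enqueue order, stops at the head of the queue on a transient failure so a later retry cannot reorder or re-execute anything, and records every outcome in a hash-chained, HMAC-signed proof trail that fails verification if an entry is altered. The signing key, action names and the send callback are constructed for illustration.

```python
"""Added example, not the warlog-spec package: an idempotent, ordered outbox
writing each result into a hash-chained, HMAC-signed proof trail."""
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # in practice comes from the tenant's KMS

class ProofChain:
    """Each entry commits to the previous MAC; editing any entry breaks verify()."""
    def __init__(self, key=SIGNING_KEY):
        self.key, self.entries = key, []

    def append(self, record):
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        body = json.dumps({"prev": prev, **record}, sort_keys=True)
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        self.entries.append({"body": body, "mac": mac})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if json.loads(e["body"])["prev"] != prev:
                return False
            expect = hmac.new(self.key, e["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, e["mac"]):
                return False
            prev = e["mac"]
        return True

class Outbox:
    """Queued actions run once, in enqueue order; a retry never re-executes one."""
    def __init__(self, send, chain):
        self.send, self.chain = send, chain
        self.queue, self.done = [], {}   # done: action_id -> result

    def enqueue(self, action_id, action, approver):
        self.queue.append((action_id, action, approver))

    def flush(self):
        while self.queue:
            action_id, action, approver = self.queue[0]
            if action_id not in self.done:  # idempotency key: retries are no-ops
                try:
                    result = self.send(action)
                except Exception as exc:    # stay at the head; caller retries later
                    self.chain.append({"id": action_id, "status": "retry", "error": str(exc)})
                    return False
                self.done[action_id] = result
                self.chain.append({"id": action_id, "action": action,
                                   "approver": approver, "status": "ok"})
            self.queue.pop(0)
        return True
```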
Keep the stack you already run.
On-prem · Next to your stack.

No shared SaaS. No pooled telemetry.

BYO · Bring your tools.

Keep your SIEM, models, and intel.

Tenant · Hard boundaries.

Data, keys, and workflows scoped to your org.

Doctrine · Private learning.

Only your team sees the patterns it creates.

See it running.
FAQ

Straight answers.

Is Warlog self-hosted?
Yes. Warlog OS runs entirely inside your perimeter — your environment, your keys, your data. No shared SaaS, no pooled telemetry.
Is Warlog open source?
The warlog-spec contract is open source under Apache 2.0 and free to use in any language. Warlog OS, the runtime, is commercial and operator-led.
Does Warlog take autonomous or destructive actions?
No. The AI proposes; a human approves. No destructive action runs without an explicit human signature, derived from the type system rather than a UI toggle.
Which tools does Warlog work with?
Bring your own stack: SIEM (Splunk, Elastic, Sentinel, Chronicle), identity, threat intel, and model providers. Connectors include CrowdStrike, Okta, AWS, Azure, and PAN-OS.
How is it different from SOAR or an autonomous SOC?
SOAR matches rules without a model of the service; autonomous agents act on confident guesses. Warlog keeps approved decisions as doctrine and enforces an explicit human approval gate, so response stays fast and service-aware.
How do I start with Warlog?
Through the design-partner program: three teams, founder-led rollout, a 12-month prepay, and lifetime preferred pricing. It begins with a 30-minute fit call.
The Program · 3 teams · founder-led

Three teams. One window.

We deploy in your environment. You shape the product. Design partners keep their pricing for life.

For · Teams that own their response.

Internal SOCs, MSSPs, and self-hosting teams with a security owner and a platform owner.

Not for · Trial shoppers and autonomy buyers.

If you want a 15-minute SaaS trial or destructive actions without approval, this is not the product.

What you get · Real deployment. Real product input.

Founder-led rollout, three live integrations, tenant-safe baseline, roadmap influence, lifetime preferred pricing.

What you bring · Two owners. Direct feedback.

A 12-month prepay, two owners who can decide and act, endpoint access during setup, and the truth when something breaks.

Early. Real.

Join now for leverage. Wait for polish.

Live now
Substrate · canonical model
Capability registry · typed actions
Factory · generated detections and playbooks
Governed KB · grounded memory
Proof chain · signed audit trail
Next
Passive feedback capture · learn from analyst behavior
Loss measurement · see where doctrine leaks
Deeper governance · automate curation
Git-based authoring · review playbooks like code
3 teams only

Request a call.

30-minute fit call. 7-day decision. Then we close.

Open by design

The model is open.

Use warlog-spec with any language, any runtime, same contract.

$ pip install warlog-spec