All features

Mobula · Mobi AI Analyst

Not a chatbot.
An analyst that
does the work.

Mobi is native to the platform. It knows your live alerts, your customer history, your playbooks, and every help article. Ask it anything in plain language - it doesn't just answer, it acts.

5
Knowledge domains
40+
Actions it can take
Plain
No commands needed
Mobi / AI Analyst
Show me the open critical alerts from the last 6 hours and escalate any that haven't been touched.
You
Found 3 open critical alerts in the last 6 hours:
  • Ransomware staging - FIN-DB-03 (untouched 2h 14m)
  • Kerberoasting - DC-01 (untouched 1h 47m)
  • Brute force VPN - p.alvarez (assigned to m.chen)
Escalating the 2 untouched alerts now and notifying the on-call analyst.
Mobi
Escalated FIN-DB-03Escalated DC-01Notified on-call
Who's on call right now?
You
s.okonkwo is on call until 08:00. I've already sent her a Slack ping with both alert links.
Mobi
01

Mobi has full context. Always.

Mobi isn't a wrapper around a generic LLM. It has live read access to every corner of your Mobula tenant - alerts, cases, customers, playbooks, team schedules, and the full product documentation. When you ask a question, it answers from your data, not from a training set.

Mobi Knowledge Index / Live access
Alerts & cases4,821 alerts · 312 open cases
Customers14 tenants · 47 contacts
Playbooks38 playbooks · 214 steps
Case history1,200+ closed cases · full notes
Platform docsAll help articles · all workflows
Example cross-domain answers
Q: Have we seen this IP before?
A: Yes - flagged in 3 prior cases, last in CASE-2025-118. Same customer.
Q: Which playbook should I run for ransomware?
A: PB-014 Ransomware Response · 8 steps · last run by s.okonkwo on 2026-05-12.
Q: What does Acme Corp expect for SLA?
A: 4-hour response SLA. Primary contact: Dan Meyer via WhatsApp.
Q: How do I add a custom detection rule?
A: Settings > Detection Rules > New Rule. I can walk you through it or open the page.
02

It doesn't just answer. It does.

Most AI assistants give you information and leave you to act on it yourself. Mobi closes the loop. Tell it to run a playbook, escalate an alert, draft a customer message, or assign a case - it does it, then confirms.

Mobi / Action session
Run the ransomware playbook on FIN-DB-03 and draft a WhatsApp update for Acme.
You
Running PB-014 Ransomware Response on FIN-DB-03 now.
Mobi
Isolated FIN-DB-03 from networkSnapshot takenFortiEDR kill signal sentStep 4/8 - Evidence collection...
Playbook running. Here's the draft WhatsApp for Dan at Acme - matched to his usual style:
Hey Dan - we caught a ransomware attempt on one of your servers tonight. Contained before any encryption. Isolation and evidence collection running now. Will update with the full picture by morning.
Mobi
Send it.
You
Sent via WhatsApp to Dan Meyer (Acme Corp). Logged to comms history.
Mobi
WhatsApp sentLogged to comms
03

Everything Mobi can do, in plain language.

No commands, no menus. Just describe what you need. Mobi maps your intent to one of 40+ actions across alerts, cases, customers, playbooks, and the platform itself.

Mobi Action Palette
Say something like...What Mobi doesDomain
"Show me all unassigned criticals"Queries live alert queue, filters by severity and assignment statusAlerts
"Escalate this to the CISO"Updates severity, logs decision, triggers escalation notificationsAlerts
"Run the ransomware playbook"Executes PB-014 step by step, confirms each action, reports backPlaybooks
"What playbook fits a phishing case?"Reads playbook library, ranks by relevance to the alert typePlaybooks
"Draft an update for Acme"Reads customer comms history, generates style-matched messageCustomers
"Who is the CISO contact at FinServ?"Looks up customer profile, returns contact with role and channelCustomers
"Summarise CASE-2026-041"Reads case notes, timeline, and verdicts - returns a tight summaryCases
"Have we seen this technique before?"Searches closed case history for matching MITRE techniquesCases
"How do I add a custom connector?"Looks up help docs, returns step-by-step with a direct linkPlatform
"Assign this to r.haddad"Updates case assignment, notifies the analyst, logs the changePlatform
04

Your team never needs to leave the platform to get help.

Mobi knows every help article, every setting, every workflow in Mobula. Junior analysts can ask how to do something and get a step-by-step answer with a direct link - or ask Mobi to just do it for them.

Mobi / Platform guide session - r.haddad
How do I create a suppression rule so this internal scanner stops alerting?
r.haddad
Easy one. Go to Detection Rules > Suppression > New Rule. Set the source IP to 10.0.4.22 and scope it to alert type "Port Scan". You can set an expiry or leave it permanent.

Or - I can create it for you right now. Want me to?
Mobi
Yes please.
r.haddad
Done. Suppression rule created for 10.0.4.22 (Port Scan). It will no longer alert. Logged under your name.
Mobi
Suppression rule createdRule ID: SUPP-0041
What's the difference between a suppression rule and a whitelist?
r.haddad
A suppression rule silences alerts matching a specific condition - the event still gets logged but never surfaces as an alert.

A whitelist tells the detection engine to treat the entity as known-good and skip evaluation entirely - nothing is logged for it.

For an internal scanner, suppression is usually better: you keep the logs for audit purposes, you just stop the noise.
Mobi

Native to the platform · acts on your data · plain language

The analyst that's always
there, always ready.

Mobi handles the routine, accelerates the complex, and teaches the junior - so your human analysts spend their time on what actually needs a human.

Book a POCSee all features
Mobula SOAR · Mobi reads only your tenant · no external data sent