
Mobula · Shadow Analyst

Your best analyst,
looking over every shoulder.

Shadow Analyst quietly learns how your senior analysts close cases, turns those into reusable patterns, and offers them to whoever opens the next matching alert - with one click to replay the same steps.

7 seed cases learned · 4 min median close · 1 click to replay

Case CASE-2026-0042 · HIGH
Encoded PowerShell spawned from Office macro on FINANCE-W11
01

It recognizes the case before the analyst does

Open a matching alert and the suggestion panel shows exactly why this looks like work the team has already solved - vector similarity, shared MITRE technique, same asset and source - alongside the canonical steps the seniors took.

Mobi · Encoded PowerShell → LSASS access on a workstation
Score 92% · 7 seed cases · median close 4 min

Why this pattern matched
Vector similarity: 0.92 cosine
Same MITRE technique: T1059.001
Same asset category: workstation
Same source integration: Sysmon

Steps
1. Open & triage case (Case opened)
2. Hash reputation - VirusTotal (Enrichment)
3. Pull user context from Active Directory (Enrichment)
4. Isolate host (Playbook)
5. Disable the source account (Response)
6. Set disposition: True Positive - Contained (Disposition)

Pattern context
Status: active
Confidence: 88%
MITRE: T1059.001, T1003.001
Assets: workstation
Integrations: Sysmon, VirusTotal, AD
Contributors: 4 analysts

02

One click replays the whole investigation

The replay engine walks the canonical steps live. Enrichment runs on its own; anything that touches the environment - isolating a host, disabling an account - pauses for a human Confirm, Skip, or Abort. Nothing fires without a person in the loop.

Pattern Replay
AWAITING CONFIRM · Mode: Step-by-step · 3 executed · 0 skipped
1. Open & triage case (Case opened): Done
2. Hash reputation - VirusTotal (Enrichment): Done · 3 / 68 engines flagged · first seen 6 days ago
3. Pull user context from Active Directory (Enrichment): Done · Finance OU · standard user · no privileged groups
4. Isolate host (Playbook): Paused · Will quarantine FINANCE-W11 via the EDR connector.
5. Disable the source account (Response): Pending
6. Set disposition: True Positive - Contained (Disposition): Pending
Paused before Playbook · Isolate host
Confirm · Skip · Abort

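A minimal sketch of the gating rule described above, added here as an illustration and not Mobula's own code: unattended step kinds run on their own, and every other kind pauses until a named person confirms, skips, or aborts. The step kinds and actions are the ones listed for the sample pattern; the class names, state names, and the choice of which kinds go in the `AUTO_KINDS` allowlist are assumptions.

```python
from dataclasses import dataclass, field

# Step kinds as listed under the pattern's canonical steps. Treating these three
# as safe to run unattended is an assumption; every other kind is gated.
AUTO_KINDS = {"case_opened", "enrichment_query", "disposition_set"}
DECISIONS = {"confirm": "done", "skip": "skipped", "abort": "aborted"}

@dataclass
class Step:
    kind: str
    action: str
    status: str = "pending"

def canonical_steps():
    """The six steps of the sample pattern (kind, action) as shown on the page."""
    pairs = [("case_opened", "open"), ("enrichment_query", "vt.hash"),
             ("enrichment_query", "ad.user"), ("playbook_invoked", "isolate-host"),
             ("response_action", "ad.disable"), ("disposition_set", "tp.contained")]
    return [Step(k, a) for k, a in pairs]

@dataclass
class Replay:
    steps: list
    state: str = "running"
    audit: list = field(default_factory=list)  # (action, outcome, actor)

    def _current(self):
        return next((s for s in self.steps if s.status in ("pending", "paused")), None)

    def advance(self, decision=None, actor=None):
        """Run unattended steps; stop at the next gated one until a human decides."""
        if self.state in ("aborted", "completed"):
            return self.state
        if decision is not None:
            step = self._current()
            # A decision is valid only for a step the analyst has seen paused.
            if step is None or step.status != "paused" or decision not in DECISIONS or not actor:
                raise ValueError("decision needs a paused step, a valid verb and an actor")
            step.status = DECISIONS[decision]
            self.audit.append((step.action, step.status, actor))
            if decision == "abort":
                self.state = "aborted"
                return self.state
        while (step := self._current()) is not None:
            if step.kind not in AUTO_KINDS:  # fail closed on unknown kinds
                step.status, self.state = "paused", "awaiting_confirm"
                return self.state
            step.status = "done"  # a real engine would call the connector here
            self.audit.append((step.action, "done", "system"))
        self.state = "completed"
        return self.state
```

Because the allowlist names what may run unattended rather than what must pause, a step kind the engine has never seen is held for a person instead of firing.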
03

Every pattern is auditable before it teaches anyone

Admins review what the extractor learned in a single board. Patterns start Shadowed and auto-promote to Active once they have enough healthy outcomes - and you can rename, boost, lock, or retire any of them.

Automation / Learned Patterns
All · ACTIVE · SHADOWED · RETIRED
Encoded PowerShell → LSASS access · 7 seeds · by Sarah Levine · ACTIVE · 88%
Impossible-travel sign-in → token revoke · 5 seeds · by Daniel Roth · ACTIVE · 81%
Phishing attachment → mailbox sweep · 4 seeds · by Sarah Levine · SHADOWED · 63%
Brute force → conditional-access lockout · 3 seeds · by Maya Aronov · SHADOWED · 58%
Legacy RDP exposure (deprecated runbook) · 2 seeds · by Daniel Roth · RETIRED · 41%

Encoded PowerShell → LSASS access · locked
Confidence 88% · 7 seeds · Model text-embedding-3-large
ACTIVE · SHADOWED · RETIRED
T1059.001 · T1003.001 · workstation · Sysmon · VirusTotal · Active Directory

Canonical steps (6)
1. Open & triage case · case_opened · open
2. Hash reputation - VirusTotal · enrichment_query · vt.hash
3. Pull user context from Active Directory · enrichment_query · ad.user
4. Isolate host · playbook_invoked · isolate-host
5. Disable the source account · response_action · ad.disable
6. Set disposition: True Positive - Contained · disposition_set · tp.contained

Contributors (4)
Sarah Levine: 3 cases
Daniel Roth: 2 cases
Maya Aronov: 1 case
Tom Becker: 1 case

04

Junior analysts watch their own growth

A private dashboard - never a leaderboard. Each analyst sees their closed cases, how their replays land, and how often the patterns their work seeded got reused by the rest of the team.

My World / My Stats
My Analyst Stats
Personal growth metrics from Shadow Analyst - your closed cases, your replays, and the patterns your work seeded. No comparisons to teammates by design.
30d · 90d · 180d

Cases (last 90d)
Cases closed: 38
Median time-to-close: 6.2m

Replays (last 90d)
Started: 24
Completed: 21
Aborted: 2
Failed: 1
In flight: 0
Success rate: 88%

Patterns
Top contributor of: 3 (Patterns where your seed work dominates.)
Contributed to: 9 (Patterns you've seeded any case to.)
Replays of your patterns: 47 (How often the team reused your recipes.)

Signed in as you. These numbers are visible only to you.

Captured · learned · replayed

Senior judgment, on every shift.

Shadow Analyst turns your team's best work into something the whole SOC can lean on - privately, auditably, and with a human always holding the trigger.

Mobula SOAR · runs fully air-gapped · no customer data leaves the tenant