SOCHQ
Cyber Intelligence Platform · for Solo IT, SMB, MSP

The SOC that tells you what it just did.

SOCHQ Pro+ is AI-native security operations. Every alert arrives pre-triaged, correlated to the campaign it belongs to, and narrated with citations to the exact MITRE technique and IOC source. Your analysts stop reading logs and start reading sentences.

Cancel any time
SOCHQ Agent native · MITRE ATT&CK · CISA KEV · MSP-ready
Live alert · narrated
Outbound C2 beacon to a known Cobalt Strike server.

A finance laptop, FIN-WS-08, started beaconing every 60 seconds to 89.248.165.74:443 — a server flagged by ThreatFox 11 hours ago as an active Cobalt Strike C2. JA3 matches a known operator profile, and two more hosts in the finance segment began the same beacon within 7 minutes. Almost certainly stage 5 of CMP-7741.

ThreatFox · 11h · MITRE T1071.001 · SOCHQ Intel · "Cobalt Q4 IOCs" · JA3 db · 89% match
Triage score · 98
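The beacon in the narrated alert above is a detection a practitioner can reproduce from outbound connection logs: group connections by host and destination, look for near-constant inter-arrival times, then enrich the hit against a threat feed and a JA3 profile table. The block below is an added example, not SOCHQ's code. The log fields, the feed and JA3 table schemas, the coefficient-of-variation threshold and the sample events are all constructed assumptions; the indicators reuse the ones quoted in the alert.

```python
"""Beacon detection over outbound connection logs, plus IOC matching.

Added example: not SOCHQ's code. The log format, field names and the
threat-feed structure are assumptions; the sample events are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat feed in a ThreatFox-like shape (assumed schema): dst_ip -> context.
THREAT_FEED = {
    "89.248.165.74": {"source": "ThreatFox", "malware": "Cobalt Strike", "age_h": 11},
}
# Constructed JA3 profile table (assumed): fingerprint -> label.
JA3_PROFILES = {"72a589da586844d7f0818ce684948eea": "known Cobalt Strike operator profile"}


def _beacon_events(host, dst, base_ts, count, period, jitter_s):
    """Build `count` constructed connection events from host to dst every
    `period` seconds with deterministic +/- jitter."""
    events = []
    for i in range(count):
        sign = 1 if i % 2 else -1
        events.append({
            "host": host, "ts": base_ts + i * period + sign * jitter_s,
            "dst_ip": dst, "dst_port": 443,
            "ja3": "72a589da586844d7f0818ce684948eea",
        })
    return events


SAMPLE_EVENTS = (
    _beacon_events("FIN-WS-08", "89.248.165.74", 1_700_000_000, 12, 60, 1)
    # Normal browsing from the same host: irregular intervals to a CDN, different JA3.
    + [{"host": "FIN-WS-08", "ts": 1_700_000_000 + t, "dst_ip": "151.101.1.69",
        "dst_port": 443, "ja3": "b32309a26951912be7dba376398abc3b"}
       for t in (3, 7, 95, 110, 400, 402, 900)]
)


def detect_beacons(events, min_conns=6, max_cv=0.15):
    """Group connections by (host, dst_ip, dst_port) and flag pairs whose
    inter-arrival gaps are regular (coefficient of variation <= max_cv) and
    numerous enough. Returns a list of beacon candidates."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["dst_ip"], e["dst_port"])].append(e)
    findings = []
    for (host, dst, port), conns in by_pair.items():
        if len(conns) < min_conns:
            continue
        ts = sorted(c["ts"] for c in conns)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"host": host, "dst_ip": dst, "dst_port": port,
                             "period_s": round(avg), "cv": round(cv, 3),
                             "ja3": conns[0]["ja3"], "count": len(conns)})
    return findings


def enrich(findings, feed=THREAT_FEED, ja3_db=JA3_PROFILES):
    """Attach threat-feed and JA3 context. Beacons with no intel are kept as
    low-confidence candidates rather than dropped: an unknown C2 is still a C2."""
    out = []
    for f in findings:
        f = dict(f)
        f["ioc"] = feed.get(f["dst_ip"])
        f["ja3_label"] = ja3_db.get(f["ja3"])
        out.append(f)
    return out


if __name__ == "__main__":
    for hit in enrich(detect_beacons(SAMPLE_EVENTS)):
        print(hit)
```

The CDN traffic from the same host is not flagged because its gaps vary by an order of magnitude; the 60-second beacon is flagged even with jitter, because the test is on the spread of the gaps, not on an exact period. The "three hosts in the same segment within 7 minutes" part of the narrative is a second pass over these findings grouped by destination, not shown here.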
The platform

Nine capabilities. One codebase. Zero stitching.

SOCHQ replaces your "Splunk + 3 manual integrations + a Notion runbook" stack with one platform that comes with the playbook built in.

// 01

AI-native alert triage

Every alert auto-scored: statistical anomaly, per-tenant false-positive probability, UEBA baseline deviation, and a grounded LLM narrative. Analysts read sentences, not logs.

Sonnet 4 + Haiku 3.5 · citation-validated
// 02

Cross-alert correlation

Six detection patterns running every 60 seconds: active campaigns, MITRE kill chains, impossible travel, lateral movement, hash reuse, anomaly pile-ups. Surfaces as a live banner.

Leader-elected · one-click respond
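Two of the six correlation patterns named in this card, impossible travel and hash reuse, are simple enough to show end to end. The block below is an added example, not SOCHQ's code: the login and process-execution events are constructed, and the 900 km/h speed threshold, the three-host reuse threshold and the field names are assumptions.

```python
"""Impossible travel and hash reuse, two cross-alert correlation patterns,
run over constructed events. Added example, not SOCHQ's code; field names
and thresholds are assumptions."""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed GeoIP-resolved login events: user, epoch seconds, city, lat, lon.
LOGINS = [
    {"user": "a.khan", "ts": 1_700_000_000, "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "a.khan", "ts": 1_700_003_600, "city": "Singapore", "lat": 1.3521, "lon": 103.8198},
    {"user": "j.ortiz", "ts": 1_700_000_000, "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "j.ortiz", "ts": 1_700_010_800, "city": "Paris", "lat": 48.8566, "lon": 2.3522},
]


def impossible_travel(logins, max_kmh=900.0):
    """Flag consecutive logins by the same user that would require travelling
    faster than max_kmh (roughly airliner speed, assumed). Same-place pairs are
    skipped so a user who re-authenticates from one office is never flagged."""
    by_user = defaultdict(list)
    for e in logins:
        by_user[e["user"]].append(e)
    findings = []
    for user, evts in by_user.items():
        evts.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evts, evts[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < 1:
                continue
            hours = (cur["ts"] - prev["ts"]) / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return findings


# Constructed process-execution events: host and SHA-256 of the image.
EXECS = [
    {"host": "FIN-WS-08", "sha256": "3b2e" * 16},
    {"host": "FIN-WS-11", "sha256": "3b2e" * 16},
    {"host": "FIN-WS-14", "sha256": "3b2e" * 16},
    {"host": "FIN-WS-08", "sha256": "a1c0" * 16},
]


def hash_reuse(execs, min_hosts=3):
    """Flag hashes executed on at least min_hosts distinct hosts: one binary
    landing on several hosts at once is the lateral-spread signal."""
    hosts_by_hash = defaultdict(set)
    for e in execs:
        hosts_by_hash[e["sha256"]].add(e["host"])
    return [{"sha256": h, "hosts": sorted(hosts)}
            for h, hosts in hosts_by_hash.items() if len(hosts) >= min_hosts]


if __name__ == "__main__":
    print(impossible_travel(LOGINS))
    print(hash_reuse(EXECS))
```

London to Singapore in one hour needs roughly 10,800 km/h and is flagged; London to Paris in three hours is about 115 km/h and is not. In production the speed threshold should also tolerate VPN egress and mobile carrier GeoIP error, which is why this pattern is a correlation input rather than a verdict on its own.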
// 03

SOCHQ Intel knowledge base

Versioned, tenant-scoped store: MITRE, CISA KEV, NVD, LOLBAS, Cloud IPs, Tor, plus your private runbooks and SOCHQ-authored intel. Every claim cites a real source.

pgvector semantic search · citation contract
// 04

Active Response (SOAR)

One-click block IP, disable account, isolate agent, kill process, quarantine file. Every action reversible from the same UI. Per-tenant audit log.

No separate SOAR product · auditable
// 05

UEBA & risk scoring

Per-user baselines, peer-group outliers, drift detection, watchlists. The list of people worth a glance updates in real time as behaviour shifts.

Nightly retrained · per-tenant models
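The two UEBA signals named here, deviation from a user's own baseline and deviation from the peer group, are also the "UEBA baseline deviation" input to the triage score in capability 01. The block below is an added example, not SOCHQ's code, and serves both passages: it scores a constructed feature (megabytes uploaded to external domains per day) against 14 days of per-user history and against the peers' same-day values. The feature, the 10-points-per-sigma scale, the standard-deviation floor and the peer groups are assumptions.

```python
"""Per-user baseline plus peer-group deviation, combined into a 0-100 risk
score. Added example, not SOCHQ's code; the feature, scale and peer groups
are assumptions and the data is constructed."""
from statistics import mean, pstdev

# Constructed: MB uploaded to external domains per day over the last 14 days.
HISTORY = {
    "a.khan":  [20, 22, 19, 21, 20, 23, 18, 22, 21, 20, 19, 22, 20, 21],
    "j.ortiz": [15, 17, 16, 18, 16, 15, 17, 16, 18, 17, 16, 15, 17, 16],
    "m.chen":  [24, 26, 25, 23, 27, 25, 24, 26, 25, 24, 26, 25, 24, 25],
}
# Constructed: today's value for each user.
TODAY = {"a.khan": 400, "j.ortiz": 16, "m.chen": 25}
# Assumed peer grouping (e.g. from the directory's department attribute).
PEER_GROUPS = {"finance": ["a.khan", "j.ortiz", "m.chen"]}


def zscore(value, sample, floor_sd=1.0):
    """Standard score of value against sample. The SD floor (assumed) stops a
    perfectly flat history from turning a 1 MB change into an alert."""
    sd = max(pstdev(sample), floor_sd)
    return (value - mean(sample)) / sd


def risk_scores(history, today, peer_groups, per_sigma=10.0):
    """0-100 score per user: positive deviation from the user's own baseline
    plus positive deviation from peers' same-day activity, per_sigma points
    per standard deviation, capped at 100. Being quieter than usual scores 0."""
    scores = {}
    for group, members in peer_groups.items():
        for user in members:
            z_self = zscore(today[user], history[user])
            peers = [today[p] for p in members if p != user]
            z_peer = zscore(today[user], peers) if len(peers) >= 2 else 0.0
            raw = per_sigma * (max(z_self, 0.0) + max(z_peer, 0.0))
            scores[user] = {"score": round(min(raw, 100.0), 1),
                            "z_self": round(z_self, 2),
                            "z_peer": round(z_peer, 2),
                            "group": group}
    return scores


if __name__ == "__main__":
    for user, s in sorted(risk_scores(HISTORY, TODAY, PEER_GROUPS).items(),
                          key=lambda kv: -kv[1]["score"]):
        print(user, s)
```

a.khan's 400 MB day is hundreds of standard deviations above a 20 MB baseline and above both peers, so the score saturates at 100. j.ortiz's peer z-score is strongly negative only because a.khan's outlier drags the peer mean up, which is why the peer term is one-sided: a quiet user next to a noisy one should not be penalised.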
// 06

MITRE ATT&CK heatmap

Live coverage map across all 14 tactics + 188 techniques. See which techniques have fired in your environment, color-coded by recency and frequency. Pivot from any cell to alerts.

D3 · full-screen, full-tactic
// 07

Threat hunting + IOC mgmt

Custom queries, saved hunts, bulk IOC import / export. Match events surface as their own alert stream — see exactly when your IOCs hit.

SOCHQ Agent-backed · cross-tenant aggregation (owner)
// 08

Multi-tenant + impersonation

Built MSP-native: manage dozens of customers from one console, impersonate any tenant for support, RLS-enforced data isolation at four independent layers.

RLS · 4-layer isolation verified in CI
// 09

SOCHQ Agent provisioning

Customers self-serve agent install — Linux deb / rpm, Windows PowerShell, macOS. Group + enrollment token created at tenant signup. Zero-touch onboarding.

SOCHQ Agent ships day one · 4 platforms supported
The moat · SOCHQ Intel

Every alert ends each sentence with a citation.

The AI cannot fabricate sources. Every [cite:N] marker in a narrative is validated server-side against the retrieval set. Click any pill, see the exact MITRE technique, KEV CVE, or SOCHQ Intel chunk it came from.

The citation contract.

Fabricated sources are structurally near-zero. Our prompts force the LLM to cite, our retrieval gives it sources, and our server rejects narratives whose citations don't validate. The model can refuse; it cannot invent a source.

Result: an AI you can sell to a regulated industry without flinching.
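The contract above is a server-side check, and it is worth seeing what such a check does and does not cover. The block below is an added example, not SOCHQ's code: it validates `[cite:N]` markers (the page's syntax) against a constructed retrieval set, rejecting a narrative with an uncited sentence, a citation that does not close its sentence, or a marker whose id the retriever never returned. The chunk schema, the sentence rule and the sample narratives are assumptions. Note the caveat in the docstring: the check proves every cited source exists in the retrieval set; it does not prove the sentence faithfully summarises that source.

```python
"""Citation contract validator. Added example, not SOCHQ's code. The [cite:N]
syntax is the page's; the chunk schema, the rule that a marker must close its
sentence, and the sample narratives are assumptions."""
import re

MARKER = re.compile(r"\[cite:(\d+)\]")
# A sentence is accepted only if it ends with one or more markers,
# optionally followed by terminal punctuation.
CLOSING = re.compile(r"(?:\[cite:\d+\]\s*)+[.!?]?$")
# Split on whitespace that follows terminal punctuation; dotted IPs and
# technique ids (T1071.001) are not followed by whitespace, so they survive.
SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")

# Constructed retrieval set: what the retriever handed the model for one alert.
RETRIEVAL = [
    {"id": 1, "source": "ThreatFox", "text": "89.248.165.74:443 Cobalt Strike C2, added 11h ago"},
    {"id": 2, "source": "MITRE T1071.001", "text": "Application Layer Protocol: Web Protocols"},
    {"id": 3, "source": "JA3 db", "text": "fingerprint matches a known operator profile, 89%"},
]


def validate_narrative(narrative, retrieval):
    """Return (ok, errors, resolved). Rejects the narrative if any sentence
    lacks a citation, a citation does not close its sentence, or a marker
    references an id outside the retrieval set. It does not judge whether the
    sentence faithfully summarises the chunk; that needs a separate check."""
    ids = {c["id"]: c["source"] for c in retrieval}
    errors, resolved = [], {}
    sentences = [s.strip() for s in SENTENCE_SPLIT.split(narrative.strip()) if s.strip()]
    for i, sent in enumerate(sentences, 1):
        cited = [int(n) for n in MARKER.findall(sent)]
        if not cited:
            errors.append(f"sentence {i}: no citation")
            continue
        if not CLOSING.search(sent):
            errors.append(f"sentence {i}: citation must close the sentence")
        for n in cited:
            if n in ids:
                resolved[n] = ids[n]
            else:
                errors.append(f"sentence {i}: [cite:{n}] is not in the retrieval set")
    return (not errors, errors, resolved)


# Constructed narratives: one that satisfies the contract and two that violate it.
GOOD = ("FIN-WS-08 started beaconing every 60 seconds to 89.248.165.74:443, "
        "a server flagged by ThreatFox 11 hours ago as an active Cobalt Strike C2 [cite:1]. "
        "Beaconing over HTTPS maps to MITRE T1071.001 [cite:2]. "
        "The JA3 fingerprint matches a known operator profile [cite:3].")
FABRICATED = GOOD + " Vendor telemetry confirms the same beacon on 40 more hosts [cite:7]."
UNCITED = GOOD + " The host should be isolated immediately."


if __name__ == "__main__":
    for name, text in (("good", GOOD), ("fabricated", FABRICATED), ("uncited", UNCITED)):
        print(name, validate_narrative(text, RETRIEVAL)[:2])
```

Rejecting `[cite:7]` when the retriever returned ids 1 to 3 is the whole mechanism: the model can only point at chunks it was given. An uncited recommendation is rejected for the same reason, which is also why the model is allowed to refuse rather than pad.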

The knowledge base that compounds.

9 sources of truth, refreshed on their own schedules. Every customer who joins SOCHQ adds their private runbooks, and every resolved alert can be "tagged as a teachable case" — captured into the KB so future narratives cite it as precedent.

MITRE ATT&CK · ~600 chunks
CISA KEV · ~1,200
NVD CVE · 30d · ~3,000
LOLBAS · ~200
Cloud IP ranges · ~10k CIDRs
Tor exit nodes · ~2,500
SOCHQ Intel · your authored
Tenant runbooks · private · per-tenant
SOCHQ vs a typical SOC stack

What a typical SOC makes you do. What SOCHQ does instead.

Most platforms hand you raw alerts and a bill that scales with your logs. SOCHQ hands you decisions — and the receipts behind them.

A typical SOC platform → SOCHQ Pro+

  • Raw alerts dumped in a queue, triaged by hand → Every alert arrives pre-triaged and narrated in plain English, with a 0–100 priority score.
  • AI summaries that confidently invent sources and hallucinate → A citation contract: every claim is validated server-side against a real source. The model can refuse; it cannot invent.
  • A SIEM, plus a separate SOAR, a separate UEBA, and a Notion runbook → One codebase. Triage, cross-alert correlation, UEBA, Active Response, and the knowledge base, all built in.
  • Per-seat, per-GB pricing that balloons the moment ingest grows → Flat tier pricing. Every capability included on every tier; the tier is just scale, never features held hostage.
  • Weeks of professional services before you see a single alert → Self-serve agent install, zero-touch enrollment. Minutes to first alert, not weeks.
  • Multi-tenancy bolted on as an afterthought, if it exists at all → MSP-native from day one: four independent layers of RLS isolation, verified in CI.
  • Vendor intel is a black box you can't extend or correct → A knowledge base that compounds: your runbooks and every resolved case become cited precedent for the next alert.
Built for three personas

From one analyst to dozens of tenants.

Same platform, three distinct chromes. Each persona gets the surface they actually use, none of the surface they don't.

Solo IT

One person. The whole stack.

Internal IT · freelance security · solo SOC

Replace your patchwork of free tools with a platform that comes with the playbook built in. Triage, hunt, respond — all from one console, narrated.

  • Full SOC analyst surface
  • One-click Active Response
  • Auto-response rules gated on confidence score
  • Tag-as-teachable-case workflow
Professional

SMB security teams.

3 to 15 analysts · single tenant

Multi-user workspace with role-based access, custom AR rules, API access for downstream tooling, and a higher LLM budget. Your team's tribal knowledge becomes the KB.

  • RBAC: analyst, manager, admin
  • Per-tenant KB segment
  • API for SIEM/SOAR downstream
  • Custom AR rule confidence scoring
MSP

Dozens of tenants. One console.

Managed Service Providers · MSSPs

True multi-tenancy with four layers of data isolation. Manage every customer from one parent organisation, publish intel once and propagate to all child tenants, impersonate any tenant for support.

  • Cross-tenant alert visibility
  • MSP-published intel (auto-syndicate)
  • Per-customer billing + usage rollup
  • White-label support (Q4 2026)
Pricing · Pro+ tiers

Predictable pricing. No quote dance.

Every tier includes the SOCHQ Agent, the full AI pipeline, all 9 capabilities. The tier is about scale — agents, alerts/day, retention, MSP features — not features held hostage.

Solo IT

Family scope, power-user toolkit. For IT pros, consultants, homelabbers.
$99/mo
5 agents · 10,000 alerts/day
  • 90-day data retention
  • Everything in Family, plus:
  • CrowdStrike + SIEM integrations
  • Custom alert rules
  • API access
  • Full SOC analyst surface
Most popular

Professional

Full security operations for small businesses and teams.
$299/mo
100 agents · 50,000 alerts/day
  • 90-day data retention
  • Everything in Solo IT, plus:
  • UEBA behavior analytics
  • Vulnerability management
  • Auto-response rules
  • Compliance monitoring

MSP

Multi-tenant management for MSPs and MSSPs.
$499/mo
10 tenants · +$5 / agent
  • 180-day data retention
  • Everything in Professional, plus:
  • Multi-tenant management UI
  • Bulk agent provisioning
  • Quarterly business reviews
  • Cross-tenant alert visibility

Enterprise

Dedicated infrastructure, SSO, custom integrations. Quote follows a sizing conversation.
Custom
priced to your environment
  • Unlimited agents + tenants
  • Unlimited data retention
  • Dedicated SOCHQ VM
  • SSO / SAML 2.0
  • HIPAA / PCI DSS posture
  • Custom integrations
  • Named CSM + 24/7 priority
Founder's Lifetime Deal

Pay once. Use Solo IT for life.

Locks in the current feature set + all future Solo IT tier features. Direct line to the founder. Lifetime grandfathered pricing on add-ons. One-time payment via Stripe.
Everything in Solo IT, forever. No monthly bill, ever. Dedicated support engineer. For early supporters who want to bet on us once and never think about it again.
$999 · one-time
Add-on
SOCHQ Intel · subscription — Two monthly curated SOCHQ-authored threat briefs, premium intel chunks marked subscription-only, early access to teachable cases. Layered on any Pro+ tier.
+$49/mo
Integrations

Ingest from everywhere you already collect.

SOCHQ doesn't replace your existing tools — it makes the alerts they're already producing finally actionable. Six built-in connectors, twenty more in the connector framework, plus webhook / syslog catch-alls.

Sensor · SOCHQ Agent · first-party, native
EDR · CrowdStrike Falcon · alert ingest
EDR · Microsoft Defender · endpoint
Logs · Graylog · log search
Open · Webhook · JSON POST
Open · Syslog · RFC 5424 / RFC 3164
Intel · MITRE ATT&CK · built-in
Intel · CISA KEV · built-in
Intel · NVD CVE · built-in
Intel · VirusTotal · live
Intel · AbuseIPDB · live
Intel · AlienVault OTX · live
Notify · Slack · per-tenant channel
Notify · Microsoft Teams · webhook
Notify · Email · Resend · transactional
PSA · Autotask · MSP ticketing
Auth · OAuth / SSO · Google · Microsoft
Billing · Stripe · subscriptions
Stop reading logs.

Your next alert is going to tell you what it is.

The SOCHQ Agent ships on day one. By Friday your inbox will be full of alerts that read like sentences and end with citations.
