
Features

Four-Tier Detection Pipeline

Every event enters a pipeline of up to four layers. The layers run from cheapest and broadest to most expensive and most targeted, so deterministic filters dispose of the bulk of events and only a small residue ever reaches the AI tiers. A cross-cutting threat intelligence layer enriches every event with IP reputation data before it enters the pipeline.

Tier 1: Noise Suppression — Static rules classify roughly 70% of incoming events as known-safe and drop them before anything else runs: password changes, routine admin operations, service heartbeats. Zero cost, zero latency.

Tier 2: Pattern Detection — 574 open-source SigmaHQ community rules match known attack signatures. Brute force, credential stuffing, privilege escalation, suspicious mailbox rules. Deterministic, auditable, updated weekly from the public SigmaHQ repository. Zero AI cost.

Tier 3: AI Triage — A fast AI model reads the remaining events every five minutes. It evaluates each event summary in context: is this routine, or does it warrant investigation? Routine events are logged and dismissed. Suspicious events are escalated.

Tier 4: AI Investigation — A powerful AI model takes over. It autonomously searches logs, correlates across sources, checks device inventory, looks up documentation, verifies network IPs — and produces a detailed, client-ready report with severity rating and recommended actions.
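To make the tier ordering concrete, the following Python is an added example (not Hal's implementation) that runs Tiers 1 and 2 over constructed Microsoft 365-style audit events and returns whatever is left for Tier 3 triage. The suppression list, the brute-force threshold and window, and the event field names (Operation, UserId, ClientIP, CreationTime, Parameters) are assumptions chosen to resemble the unified audit log.

```python
"""Tiered detection funnel: cheap deterministic tiers first, AI last.

Added example, not Hal's code. Event shapes loosely follow the Microsoft 365
unified audit log (Operation, UserId, ClientIP, CreationTime); every event
below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tier 1: static suppression of known-safe operations (assumed list).
# Successful sign-ins are deliberately NOT suppressed: a later tier may still
# need them, e.g. a login from a threat-flagged IP.
SUPPRESSED_OPERATIONS = {"Heartbeat", "FileAccessed", "Change user password."}

BRUTE_FORCE_THRESHOLD = 5                 # assumed tuning values
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def tier1_suppress(events):
    """Split events into (suppressed, remaining) using nothing but set membership."""
    suppressed = [e for e in events if e["Operation"] in SUPPRESSED_OPERATIONS]
    remaining = [e for e in events if e["Operation"] not in SUPPRESSED_OPERATIONS]
    return suppressed, remaining


def tier2_signatures(events):
    """Deterministic pattern rules. Returns a list of (rule, subject, events) hits."""
    hits = []
    # Brute force: THRESHOLD+ failed logins from one source IP inside a sliding window.
    failures = defaultdict(list)
    for e in events:
        if e["Operation"] == "UserLoginFailed":
            failures[e["ClientIP"]].append(e)
    for ip, fails in failures.items():
        fails.sort(key=lambda f: f["CreationTime"])
        for i, first in enumerate(fails):
            window = [f for f in fails[i:]
                      if f["CreationTime"] - first["CreationTime"] <= BRUTE_FORCE_WINDOW]
            if len(window) >= BRUTE_FORCE_THRESHOLD:
                hits.append(("brute_force", ip, window))
                break
    # Suspicious mailbox rule: an inbox rule that forwards or redirects mail.
    for e in events:
        if e["Operation"] in ("New-InboxRule", "Set-InboxRule") and any(
            p in e.get("Parameters", "") for p in FORWARDING_PARAMS
        ):
            hits.append(("suspicious_mailbox_rule", e["UserId"], [e]))
    return hits


def run_pipeline(events):
    """Run Tiers 1 and 2; whatever survives is the Tier 3 (AI triage) queue."""
    suppressed, remaining = tier1_suppress(events)
    hits = tier2_signatures(remaining)
    matched = {id(e) for _, _, evs in hits for e in evs}
    triage_queue = [e for e in remaining if id(e) not in matched]
    return {
        "ingested": len(events),
        "tier1_suppressed": len(suppressed),
        "tier2_hits": [(rule, subject) for rule, subject, _ in hits],
        "tier3_queue": [e["Operation"] for e in triage_queue],
    }


# Constructed sample: a short burst of activity for one small tenant.
T0 = datetime(2024, 5, 1, 9, 0, 0)


def ev(operation, seconds, **fields):
    return {"Operation": operation, "CreationTime": T0 + timedelta(seconds=seconds), **fields}


EVENTS = (
    [ev("Heartbeat", i * 60, ClientIP="10.0.0.5") for i in range(10)]
    + [ev("FileAccessed", i * 30 + 5, UserId="alice@corp.example", ClientIP="10.0.0.21") for i in range(8)]
    + [ev("Change user password.", 400, UserId="bob@corp.example", ClientIP="10.0.0.22")]
    + [ev("UserLoginFailed", 700 + i * 10, UserId="carol@corp.example", ClientIP="203.0.113.9") for i in range(6)]
    + [ev("New-InboxRule", 900, UserId="carol@corp.example", ClientIP="203.0.113.9",
          Parameters="ForwardTo=ext@evil.example; DeleteMessage=True")]
    + [ev("UserLoggedIn", 950, UserId="dave@corp.example", ClientIP="198.51.100.7")]
    + [ev("Add member to role.", 1000, UserId="admin@corp.example", ClientIP="10.0.0.30")]
)

if __name__ == "__main__":
    print(run_pipeline(EVENTS))
```

Of the 28 constructed events, 19 never leave Tier 1, seven are consumed by two deterministic signatures, and only two (a successful sign-in and a role-membership change) reach the queue that an AI model would read. That funnel shape, not the specific numbers, is the point of putting the cheap tiers first.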


Multi-Source Coverage

Hal ingests and correlates across every major MSP log source:

  • Microsoft 365 — Exchange, SharePoint, OneDrive, Teams, Azure AD audit logs
  • Google Workspace — Reports API audit logs and Alert Center security alerts
  • Microsoft Entra ID — Sign-in logs, risk detections, directory audits via Graph API
  • Windows Servers — Event logs via Sidecar/Winlogbeat (no kernel agent)
  • Network Devices — FreeBSD router syslog over encrypted VPN tunnels

Cross-source correlation is where Hal excels. A suspicious sign-in leads to a device check in your RMM, a forwarding rule in M365, and a KB article in your documentation platform — all in one investigation.

Self-Service Portal

A web portal for your team with full operational visibility:

  • Dashboard — health, costs, pipeline stats, infrastructure status
  • Alerts — expandable security findings with report IDs and severity
  • Costs — per-event AI cost tracking with API call drilldown
  • Consumption — per-client AI cost attribution with sparkline trends
  • Reports — PDF downloads for all investigations
  • Log Sources — per-client source status with health badges
  • Health — VM stats, service status, pipeline freshness, API reachability
  • Settings — AI model selection, service management
  • Web Chat — talk to Hal in plain English, ask about any client, any event
  • Slack Integration — optional add-on for teams that live in Slack

PDF Security Reports

Every investigation can produce a branded PDF report:

  • Digitally signed to the PAdES B-T profile, with an RFC 3161 timestamp token from a time-stamping authority
  • Cryptographic proof that the signed report existed at the time of the timestamp and has not been altered since signing (the timestamp bounds the generation time; it does not record the instant the report was produced)
  • Client-ready — send directly without editing
  • Verify any report online, or in any PAdES-aware PDF viewer that trusts the signing and time-stamping certificates

365-Day Retention

Every log source, 365 days, fully searchable. Included in the platform fee — no premium tier required.

Suitable for HIPAA, PCI DSS and CMMC compliance frameworks that require extended log retention.


Real-Time Threat Intelligence

Every IP address in every log event is automatically checked against four globally-trusted threat intelligence feeds — at ingestion time, before the AI even sees the event.

  • Spamhaus DROP — Industry-standard blocklist from Spamhaus, whose lists ISPs and enterprises worldwide have relied on since 1998. Lists hijacked IP space and netblocks controlled by professional spam and C2 operations.
  • AlienVault OTX — The world’s largest open threat intelligence community with 200,000+ contributors (AT&T Cybersecurity).
  • abuse.ch — Swiss non-profit tracking malware command-and-control infrastructure. Cited by CERTs and law enforcement worldwide.
  • Tor Exit Nodes — Real-time identification of traffic originating from the Tor anonymization network.

A successful login from a threat-flagged IP always triggers investigation. No configuration required, no per-lookup fees, no add-on license. Included in every deployment.
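The following Python is an added example (not Hal's code) of what ingestion-time enrichment and the "successful login from a flagged IP" rule look like in practice. The feed excerpts are constructed in the line formats the public feeds use (Spamhaus DROP publishes one "CIDR ; SBL-id" per line with ";" starting a comment; the Tor bulk exit list is one address per line) and contain only RFC 5737 documentation addresses, so nothing in them is a real listing. The event field names are assumptions.

```python
"""Ingestion-time IP reputation enrichment from blocklist feeds.

Added example, not Hal's code. Feed excerpts are constructed in the public
feeds' line formats and use only RFC 5737 documentation ranges.
"""
import ipaddress

DROP_FEED = """; Spamhaus DROP List (constructed excerpt)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""

TOR_EXIT_FEED = """203.0.113.4
203.0.113.77
"""

# Internal address space never appears on public feeds; skip it rather than
# waste lookups (and never treat a private source as "clean public IP").
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_cidr_feed(text):
    """Parse 'CIDR ; comment' lines into ip_network objects, skipping comment lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_ip_feed(text):
    """Parse a one-address-per-line feed into a set of ip_address objects."""
    return {ipaddress.ip_address(line.strip()) for line in text.splitlines() if line.strip()}


class ThreatIntel:
    def __init__(self, drop_text, tor_text):
        self.drop_nets = parse_cidr_feed(drop_text)
        self.tor_exits = parse_ip_feed(tor_text)

    def lookup(self, ip_text):
        """Return the feed tags an address appears on ([] if none)."""
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return []          # missing or malformed address: unknown, not flagged
        if any(ip in net for net in RFC1918):
            return []
        tags = []
        if any(ip in net for net in self.drop_nets):
            tags.append("spamhaus_drop")
        if ip in self.tor_exits:
            tags.append("tor_exit")
        return tags


EVENTS = [  # constructed M365-style sign-in records
    {"Operation": "UserLoggedIn", "UserId": "alice@corp.example", "ClientIP": "192.0.2.55"},
    {"Operation": "UserLoggedIn", "UserId": "bob@corp.example", "ClientIP": "203.0.113.4"},
    {"Operation": "UserLoggedIn", "UserId": "carol@corp.example", "ClientIP": "203.0.113.200"},
    {"Operation": "UserLoginFailed", "UserId": "dave@corp.example", "ClientIP": "198.51.100.10"},
    {"Operation": "UserLoggedIn", "UserId": "erin@corp.example", "ClientIP": "10.0.0.5"},
]


def enrich(event, intel):
    """Attach threat tags at ingestion, before any downstream tier sees the event."""
    return {**event, "ThreatTags": intel.lookup(event.get("ClientIP", ""))}


def must_investigate(event):
    """A *successful* login from a flagged IP always escalates; failures do not."""
    return event["Operation"] == "UserLoggedIn" and bool(event["ThreatTags"])


def forced_investigations(events, intel):
    enriched = [enrich(e, intel) for e in events]
    return [(e["UserId"], e["ClientIP"], e["ThreatTags"]) for e in enriched if must_investigate(e)]


INTEL = ThreatIntel(DROP_FEED, TOR_EXIT_FEED)

if __name__ == "__main__":
    for row in forced_investigations(EVENTS, INTEL):
        print(*row)
```

Note that dave's failed login from a DROP-listed address is not escalated by this rule on its own; repeated failures are the brute-force pattern's job in Tier 2. The linear scan over networks is fine for a list the size of DROP; a large feed would want a prefix trie or a sorted-range lookup, and any feed cache needs a refresh schedule, since a stale exit-node list is worse than none.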


Open Detection Rules

Tier 2 pattern detection uses SigmaHQ — the open-source, vendor-neutral, community-maintained detection standard. Every rule is publicly auditable. No proprietary black-box detection logic.

Rules update weekly from the public SigmaHQ repository. You can inspect exactly what is being detected and why.
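To show what "inspect exactly what is being detected" means at the rule level, here is an added, minimal evaluator for a Sigma detection block (example code, not SigmaHQ's or Hal's). The rule and the events are constructed; the rule is written as the Python dict that yaml.safe_load() would produce from its YAML form, so the example runs without PyYAML. It implements the core Sigma semantics: case-insensitive string matching with wildcards, the contains/startswith/endswith/re/all modifiers, lists as OR, and conditions built from and/or/not and parentheses.

```python
"""Minimal Sigma rule evaluator: selections, value modifiers and the condition.

Added example, not SigmaHQ's or Hal's code. Not supported: "1 of selection*",
aggregation expressions, logsource filtering. Rule and events are constructed.
"""
import fnmatch
import re

SUSPICIOUS_INBOX_RULE = {  # as yaml.safe_load() would return it
    "title": "Exchange inbox rule forwarding mail outside the tenant",
    "logsource": {"product": "m365", "service": "exchange"},
    "detection": {
        "selection": {
            "Operation": ["New-InboxRule", "Set-InboxRule"],
            "Parameters|contains": ["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"],
        },
        "filter_internal": {"Parameters|contains": "@corp.example"},
        "condition": "selection and not filter_internal",
    },
    "level": "high",
}


def _value_matches(actual, expected, modifiers):
    """Match one field value; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    if "re" in modifiers:
        return re.search(str(expected), str(actual)) is not None
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return fnmatch.fnmatchcase(a, e)   # plain value: exact, with * and ? wildcards


def _field_matches(event, key, expected):
    """'Field|mod|mod': list values are OR-ed unless the 'all' modifier is present."""
    field, *modifiers = key.split("|")
    values = expected if isinstance(expected, list) else [expected]
    results = [_value_matches(event.get(field), v, modifiers) for v in values]
    return all(results) if "all" in modifiers else any(results)


def _selection_matches(event, selection):
    """A mapping: every field must match. A list of mappings: any one may match."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(condition, truth):
    """Recursive-descent evaluation with Sigma precedence: not > and > or."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        token = take()
        if token == "(":
            value = parse_or()
            take()              # consume the closing parenthesis
            return value
        return truth[token]     # KeyError on an undefined selection name

    return parse_or()


def rule_matches(rule, event):
    detection = rule["detection"]
    truth = {name: _selection_matches(event, sel)
             for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], truth)


EVENTS = [  # constructed M365 unified-audit-log style records
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": '[{"Name":"ForwardTo","Value":"ext@evil.example"},{"Name":"DeleteMessage","Value":"True"}]'},
    {"Operation": "Set-InboxRule", "UserId": "bob@corp.example",
     "Parameters": '[{"Name":"RedirectTo","Value":"helpdesk@corp.example"}]'},
    {"Operation": "Set-Mailbox", "UserId": "carol@corp.example",
     "Parameters": '[{"Name":"ForwardingSmtpAddress","Value":"ext@evil.example"}]'},
]


def matching_users(rule=SUSPICIOUS_INBOX_RULE, events=EVENTS):
    return [e["UserId"] for e in events if rule_matches(rule, e)]
```

Only alice's rule fires: bob's redirect stays inside the tenant and is excluded by the filter, and carol's change is a mailbox-level forward that this particular rule does not cover, which is exactly the kind of gap an auditable rule lets you see and close. Production Sigma tooling (pySigma and its backends) compiles rules into the query language of the target SIEM rather than evaluating them in-process as this example does.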
