Enterprise SOC.
SMB price tag.
The big SIEMs cost hundreds of thousands a year, run their AI in their cloud on your data, and require a team just to operate them. VortexSOC delivers the same detection, correlation, and AI-powered triage — with AI you control, fully hosted, at a price smaller teams can actually afford.
Managed for you · MITRE ATT&CK mapped · No vendor lock-in · AI-powered triage · 3,000+ detection rules
- $4.44M: average cost of a data breach (IBM Cost of a Data Breach Report 2025)
- 60%: share of breaches that involve a human element (Verizon DBIR 2025)
- 21 days: average time from breach to ransomware deployment (IBM X-Force Threat Intelligence Index)
- < 1 hr: time to first detection after connecting logs; signature rules fire immediately
The cost of doing nothing
Attackers don't discriminate by size.
They discriminate by security maturity.
Whether you're a five-person team or a regulated enterprise, attackers look for the same thing: soft defenses around valuable data, credentials, and payment information. "We're too small to be a target" and "we already have a SIEM" are both assumptions attackers count on.
The breach itself is the problem. So is not knowing about it for 206 days — the average time attackers dwell inside a network before detection, at any size.
VortexSOC fires signature-based rules within minutes of your first logs arriving. Behavioral detection reaches full accuracy after a 30-day learning period — zero alert fatigue from day one.
Transparent pricing at launch. No setup, no ops burden.
How it works
From zero to protected in three steps
No six-week professional services engagement. No six-figure consulting bill. Ship logs, activate rules, done.
Ship your logs
Run Vector or Fluent Bit with our pre-configured pipelines. Common sources — Linux syslog, Windows Event Log, AWS CloudTrail, Azure AD, Palo Alto, Fortinet, Cisco ASA, Nginx — are included and ready to go.
Logs are OCSF-normalized at ingest and forwarded to VictoriaLogs. Your raw logs are always preserved.
Detection fires on two tracks
3,000+ SIGMA rules and threat-intel matching fire the moment logs arrive. In parallel, Learning Mode (on by default) quietly builds 30 days of behavioral baselines — alerts stay silent during the ramp, then UEBA and anomaly detection switch on automatically with zero noise.
Signature rules: immediate. Behavioral analytics (UEBA, peer deviation, impossible travel): accurate after the 30-day learning period.
Triage, respond, and close
Your team gets a rich case view with AI-generated summaries, raw log evidence, and suggested next steps. Playbooks automate common responses. Slack, Teams, and webhook notifications keep everyone in the loop.
Signature-rule alerts reach analysts in under 60 seconds; behavioral detections come online once the 30-day baseline is built.
Platform capabilities
Everything your SOC needs. Nothing it doesn't.
Detection engineering, behavioral analytics, automated response, and AI-powered investigation — built in, not bolted on. Managed for you. Onboarded in under an hour, accurate in 30 days.
3,000+ SIGMA Detection Rules
Import the entire SigmaHQ community library with one click. Rules cover brute force, privilege escalation, lateral movement, C2 beaconing, data exfiltration, and more — all MITRE ATT&CK mapped.
Correlation Engine
Define multi-signal threat patterns across alert rules and queries. When correlated threats fire, VortexSOC automatically creates a case, notifies your team, and kicks off a response playbook.
Agentic AI Investigation
Every incident is scored 0–100 by AI weighing severity, MITRE technique, asset criticality, and threat intel. For high-risk alerts, an agentic investigator autonomously pulls related incidents, queries recent activity, checks peer deviation, and writes a narrative with recommended next steps. Runs on managed AI with sensitive values PII-redacted before any prompt leaves your tenant — plus a full audit log of every AI call and prompt-injection protection.
Automated Response Playbooks
Build response workflows with conditional steps, HTTP actions, and script execution. Trigger manually or automatically when a case is created — cut mean time to respond from hours to minutes.
Pre-configured Log Pipelines
Ship logs with Vector or Fluent Bit using included configs for Linux syslog, Windows Event Log, AWS CloudTrail, Kubernetes, Nginx, and more. OCSF normalization happens at ingest — not query time.
Connect Your Cloud in One Click
Authorize Google Workspace in a single click — no service-account keys, no agents to install, no Cloud Console setup. Login events, OAuth app grants, admin changes, and Drive sharing flow in for detection, and user/group identity context (with admin and privilege flags) enriches every alert automatically. One authorization powers both the event feed and the identity enrichment — built for teams without a firewall or on-prem infrastructure.
Unified Log Search
Search VictoriaLogs and VictoriaMetrics from a single interface. Filter fields, inspect raw log lines, run aggregations, and save queries for team reuse — without leaving the SOC dashboard.
UEBA Behavioral Baselines
Impossible travel, first-seen country/host/process detection, DNS entropy (DGA), email exfiltration signals, and service account abuse — all based on 30-day per-entity behavioral baselines. Peer deviation z-scores amplify alerts when behavior diverges from similar entities. Fully accurate after a 30-day learning period.
30-Day Learning Mode
Enabled automatically on first install with zero setup — signature rules still fire, but behavioral alerts and cases stay silent through a zero-noise 30-day baseline period while live progress and model confidence climb. At day 30 it auto-switches to full alerting, or an admin can go live early.
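As an added illustration (not VortexSOC's own code), the following Python replays constructed per-user daily events through the behaviours described in the UEBA and Learning Mode cards above: baselines build silently for the first 30 days, and afterwards first-seen countries, high-entropy (DGA-like) DNS labels and peer-deviation z-scores raise alerts. The thresholds, the event fields and the sample data are assumptions.

```python
import math
from collections import defaultdict

LEARNING_DAYS = 30        # Learning Mode window from the page
Z_THRESHOLD = 3.0         # assumed: peer z-score that raises an alert
ENTROPY_THRESHOLD = 3.5   # assumed: bits/char above which a DNS label looks DGA-generated


def shannon_entropy(label):
    """Shannon entropy in bits per character of a DNS label; DGA names score high."""
    n, counts = len(label), defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def peer_zscore(value, peers):
    """Standard deviations between `value` and the observed values of its peer group."""
    mean = sum(peers) / len(peers)
    sd = math.sqrt(sum((p - mean) ** 2 for p in peers) / len(peers))
    return 0.0 if sd == 0 else (value - mean) / sd


def evaluate(events):
    """Replay daily events in order; baselines always update, alerts emit only after day 30."""
    countries, logins, group = defaultdict(set), defaultdict(dict), {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["day"]):
        user, found = ev["user"], []
        if ev["country"] not in countries[user]:
            found.append(("first_seen_country", ev["country"]))
        dga = [q for q in ev["dns"] if shannon_entropy(q) > ENTROPY_THRESHOLD]
        if dga:
            found.append(("dga_dns", dga[0]))
        peers = [c for u, days in logins.items()
                 if u != user and group[u] == ev["group"] for c in days.values()]
        if peers and (z := peer_zscore(ev["logins"], peers)) > Z_THRESHOLD:
            found.append(("peer_deviation", round(z, 1)))
        if ev["day"] > LEARNING_DAYS:   # in Learning Mode the findings are absorbed silently
            alerts += [(ev["day"], user, kind, detail) for kind, detail in found]
        countries[user].add(ev["country"])
        logins[user][ev["day"]] = ev["logins"]
        group[user] = ev["group"]
    return alerts


def constructed_events():
    """Constructed sample: three engineering peers, 30 quiet days, then an anomalous day 31."""
    def mk(day, user, country, n, dns):
        return {"day": day, "user": user, "group": "eng", "country": country, "logins": n, "dns": dns}
    events = [mk(day, user, "DE", base + day % 2, ["intranet"])
              for day in range(1, 31) for user, base in (("alice", 5), ("bob", 6), ("carol", 7))]
    events.append(mk(10, "alice", "FR", 5, ["intranet"]))        # new country during learning: no alert
    events.append(mk(31, "alice", "RU", 60, ["x7k2q9pwm4zt"]))   # new country, DGA-like label, 60 logins
    events.append(mk(31, "bob", "DE", 6, ["intranet"]))          # a normal day for a peer
    return events
```

Running `evaluate(constructed_events())` yields alerts only for alice on day 31, one per behaviour; the day-10 country change is absorbed into her baseline instead.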
Pre-built VRL Transforms
Ready-to-use Vector Remap Language pipelines normalize Windows, Linux, AWS CloudTrail, Azure AD, Palo Alto, Fortinet, Cisco ASA, Infoblox, and more to OCSF 1.1 at ingest — before data hits storage. More sources added regularly, or upload your own custom transform directly in the UI.
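As an added example rather than one of the product's own VRL transforms, this Python stand-in shows what normalizing at ingest looks like for one source: two constructed sshd syslog lines are mapped to OCSF 1.1 Authentication events while the original line is preserved in `raw_data`, and lines the parser does not recognise are kept raw rather than dropped. The regex, the severity policy, the product metadata and the assumed year are all assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sshd lines in classic syslog format (not real logs).
RAW_LINES = [
    "Mar  3 10:15:01 bastion sshd[2201]: Accepted publickey for deploy from 10.0.4.7 port 51022 ssh2",
    "Mar  3 10:15:09 bastion sshd[2207]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def to_ocsf_authentication(line, year=2025):
    """Map one sshd login line to an OCSF 1.1 Authentication event (class_uid 3002).

    Python stand-in for a VRL transform. The original line is kept in `raw_data`;
    the year is an assumption because classic syslog timestamps omit it."""
    m = SSHD_RE.match(line)
    if not m:
        return None   # unparsed lines stay raw-only instead of being dropped
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    success = m["outcome"] == "Accepted"
    return {
        "metadata": {"version": "1.1.0", "product": {"name": "sshd"}},  # product block assumed
        "category_uid": 3,                    # Identity & Access Management
        "class_uid": 3002,                    # Authentication
        "activity_id": 1,                     # Logon
        "status_id": 1 if success else 2,     # Success / Failure
        "severity_id": 1 if success else 3,   # Informational / Medium: an assumed policy
        "time": int(ts.replace(tzinfo=timezone.utc).timestamp() * 1000),  # epoch ms, UTC assumed
        "user": {"name": m["user"]},
        "src_endpoint": {"ip": m["ip"], "port": int(m["port"])},
        "device": {"hostname": m["host"]},
        "unmapped": {"method": m["method"]},  # vendor detail without a dedicated OCSF field
        "raw_data": line,
    }


def normalize(lines):
    """Normalize a batch; returns (ocsf_events, unparsed_raw_lines)."""
    events, unparsed = [], []
    for line in lines:
        ev = to_ocsf_authentication(line)
        (events if ev else unparsed).append(ev or line)
    return events, unparsed
```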
Threat Intelligence
Blocklist feeds from Feodo Tracker, URLhaus, and ThreatFox run daily with no setup — IOC matching works out of the box. Plug in VirusTotal or AbuseIPDB API keys for deeper enrichment; malicious verdicts automatically boost entity risk scores.
Bring Your Own Detection Sources
Already running CrowdStrike, SentinelOne, Darktrace, or another EDR/UBA tool? Route their OCSF-formatted alerts through the same ingest pipeline as your logs, then search, correlate, and manage cases in one place. VortexSOC becomes a unified detection and case layer over your existing stack — no rip and replace.
Interoperability
Built on open standards
No proprietary lock-in at the data layer. VortexSOC speaks the formats your tools already use — import, export, and integrate without translation layers.
Open Cybersecurity Schema Framework
All ingested logs are normalized to OCSF at pipeline time — before they ever reach storage. Query and correlate across sources with a unified schema.
REST API — Machine-readable spec
Every VortexSOC endpoint is described by a published OpenAPI 3.0 spec. Automate alert ingestion, case management, and rule deployment from any toolchain.
Adversarial Tactics, Techniques & Procedures
Every detection rule and correlation is mapped to MITRE ATT&CK tactics and techniques. Filter alerts, track coverage gaps, and report by technique ID.
Generic Signature Format for SIEM Systems
Detection rules are stored and distributed in SIGMA format — the industry-standard, vendor-neutral rule language. Import from SigmaHQ or write your own.
Compatible metrics & alerting
VictoriaMetrics is a drop-in Prometheus replacement. Remote write, scrape endpoints, and PromQL-compatible MetricsQL queries all work out of the box.
Built-in IOC enrichment & blocklist feeds
Daily ingestion from Feodo Tracker, URLhaus, and ThreatFox keeps blocklists current automatically. Incoming alert IPs, domains, and file hashes are enriched via VirusTotal and AbuseIPDB — malicious verdicts boost entity risk scores in real time.
How we compare
Enterprise security. Not enterprise complexity.
Same detection power as the enterprise giants — without the licensing, the headcount, or the lock-in.
Detect from day one. Alert rules, 3,000+ SIGMA detections, threat-intel matching and the correlation engine fire the moment logs arrive. Behavioral analytics (UEBA & ML anomaly scoring) mature over ~30 days as they learn your environment — the same baseline period as Splunk ES UBA and Microsoft Sentinel UEBA.
| | VortexSOC | Splunk | MS Sentinel | No SIEM |
|---|---|---|---|---|
| Monthly cost | See pricing | $1,800+ | $2,000+ | $0 |
| Time to deploy | < 1 hour | 2–6 weeks | 3–10 days | — |
| Behavioral detection accuracy | 30-day learning | 60–90 days tuning | 30–90 days | — |
| Detections live day one | ✓ | ✓ | ✓ | — |
| Behavioral baselines | ~30 days | ~30 days | ~7–30 days | — |
| Fully managed hosting | ✓ | ✗ | ✓ | — |
| Your data stays yours | ✓ | ✗ | ✗ | — |
| AI case analysis | ✓ | Add-on $$$ | Add-on $$$ | — |
| 3,000+ SIGMA rules | ✓ | ✗ | ✗ | — |
| MITRE ATT&CK mapping | ✓ | ✓ | ✓ | — |
| Runs on a single VM | ✓ | ✗ | ✗ | — |
| Correlation engine | ✓ | ✓ | ✓ | — |
| Automated playbooks | ✓ | SOAR add-on | Logic Apps | — |
| No per-GB pricing | ✓ | ✗ | ✗ | — |
| Transparent pricing | ✓ | ✗ | ✗ | — |
Competitor pricing estimated from public sources. Actual costs vary by configuration and data volume. Time to deploy reflects software install + first logs, not procurement. Behavioral baseline periods are approximate and depend on log volume and entity activity.
Integrations
Works with your existing stack
VortexSOC connects to the tools you already run — Windows, Linux, AWS, Azure, Kubernetes — no rip-and-replace required.
Log Sources
- Linux syslog / auditd: System logs, auth events, audit trail
- Windows Event Log: Security, System, Application logs via Vector
- LimaCharlie EDR: Windows & Mac endpoint telemetry — process, DNS, file, and credential-access events via managed agent, OCSF-normalized
- Google Workspace: Logins, OAuth grants, admin changes, Drive sharing — one-click connect, no agent or key file
- AWS CloudTrail: API calls, IAM events, S3 access
- Azure AD / Entra ID: Sign-ins, MFA events, directory changes
- Kubernetes: Container and pod logs via Fluent Bit DaemonSet
- Nginx / Apache: Web access and error logs
- Network Firewalls: Palo Alto, Fortinet, Cisco ASA, pfSense — pre-built VRL transforms included
Metrics & Observability
- VictoriaMetrics: Native MetricsQL queries and dashboards
- Prometheus: Remote write + scrape endpoint
- Node Exporter: Host-level CPU, memory, disk, network
- OpenTelemetry Collector: OTel remote write → VictoriaMetrics
Notifications
- Slack: Rich alert cards per channel or severity
- Microsoft Teams: Incoming webhook adaptive cards
- Webhook: Any HTTP endpoint — PagerDuty, Opsgenie, etc.
- Email / SMTP: HTML alert notifications with case links
Identity & Auth
- Local accounts: Built-in users + RBAC; always available as break-glass login
- Azure Entra ID: OIDC auth with group→role mapping via Microsoft Graph
- Generic OIDC: Google, Okta, Auth0, Keycloak, JumpCloud — any OIDC IdP
- SAML 2.0: ADFS, Ping Identity, Shibboleth — SP metadata auto-generated
- Audit log: Every action logged with actor, resource, and timestamp
AI Providers
- Claude (Anthropic): Managed triage & summaries — PII-redacted before any prompt leaves your tenant
- OpenAI / Azure OpenAI: Managed, or bring your own key — the same PII redaction applies
- Any OpenAI-compatible server: Dedicated deployments — bring your own OpenAI-compatible endpoint
- Built-in risk engine: ML scoring with no AI key needed
Response & Automation
- HTTP playbook actions: Call any REST API — block IPs, create tickets
- Script execution: Run bash or Python on trigger
- Case management: Built-in ticketing, assignment, and workflow
- Threat intel feeds: IP, domain, and hash enrichment
Need a custom source? Upload your own VRL transform directly in the UI.
Who it's for
Right-sized for your team. Scales as you grow.
The detection engine is the same whether you're a five-person security team or a regulated enterprise. What changes is the plan — not the product.
Small & mid-size teams
Enterprise detection, SMB price
Too big for nothing, too small for Splunk. VortexSOC gives you the same detection power as the enterprise giants — AI-powered triage, UEBA baselines, 3,000+ SIGMA rules — at a price that doesn't require a board meeting to approve.
- Up and running same day — no procurement, no install
- AI does the analyst work your team can't staff for
- A fraction of what the big SIEMs cost — pricing coming soon
- Signature rules fire immediately · behavioral baselines mature in 30 days
Larger organizations · regulated industries
Your data. Your controls.
Dedicated deployment, isolated infrastructure, and full audit logging — every action by every user logged with actor, resource, and timestamp. Custom data retention, bring-your-own AI model, SSO, SAML 2.0, and SLA guarantees.
- Dedicated instance — no shared infrastructure
- Bring your own AI — point at your own model endpoint
- Azure Entra ID / SAML 2.0 / OIDC — SSO with group→role mapping
- Custom retention policies · SOC 2 compliance package · 99.9% SLA
All plans include the full feature set. No capabilities locked behind a higher tier. See pricing →
Everything you need. Managed for you.
No servers to run. No tuning sprints. No professional services bill. VortexSOC is operated for you — you log in and start catching threats.
We operate your VortexSOC instance — infrastructure, updates, backups, and uptime. You get enterprise-grade detection without an enterprise-grade ops burden.
- Unlimited users: No seat limits on any plan
- No per-GB overage fees: Daily ingest cap + 90-day retention — whichever comes first
- We handle infrastructure: Updates, backups, and uptime — not your problem
- Your data stays yours: Isolated per-customer deployment
- Full feature access: No features locked behind a higher tier
- AI-powered triage included: The analysis your team can't staff for
- Onboarded in under an hour: Guided wizard, no professional services needed
Ships pre-configured
Ready to detect on day one
VortexSOC isn't a blank canvas. It launches with everything your SOC needs to start catching threats immediately — no professional services required.
- 3,000+ SIGMA detection rules — pre-loaded and tuned
- OCSF-normalized log pipeline configs (30+ sources)
- Pre-built SOC dashboards for common threat categories
- Baseline alert rules: brute force, privilege escalation, lateral movement, C2
- Multi-stage correlation rules for attack chain detection
- Response playbooks for common incident types
- MITRE ATT&CK framework mapping across all rules
- AI risk scoring & triage — managed, with sensitive data PII-redacted before any prompt leaves your tenant
- Case management with notes, artifacts, and IOC tracking
- SSO: Azure Entra ID, Generic OIDC, SAML 2.0, Local — full RBAC
- Guided setup wizard — connect your first log source, enable learning mode, and invite your team in minutes
- Threat intelligence — daily feeds from Feodo Tracker, URLhaus, ThreatFox + VT/AbuseIPDB enrichment
- Login hardening — brute-force protection, IP allowlist, service accounts & API keys
Built on proven, battle-tested technology — efficient at any scale
- Log storage & search: LogsQL · 10–100× faster and leaner than Elasticsearch
- Metrics & alerting: MetricsQL · Long-term retention · Prometheus-compatible
- Platform database: Cases · Alerts · Users · RBAC — all durable relational data
- Log collection + OCSF normalization: Pre-configured pipelines for 30+ common log sources; all logs normalized to OCSF (Open Cybersecurity Schema Framework) at ingest
Simple, transparent pricing.
Details coming soon.
Tiered by daily log ingest volume — not per alert, not per seat, not per feature. The full platform on every plan. Pricing will be published at launch.
Tiered by ingest volume
Plans are sized by daily log ingest — not seats, not alerts, not features. Send more logs, pay for a bigger plan. Everyone gets the full platform.
Retention cap included
90-day log retention included on every plan. Each tier has both a daily ingest cap and a total storage cap — whichever is reached first. No hidden retention fees.
No overage surprises
When you approach your cap we notify you and help tune your log sources — not hit you with an overage bill. Clean logs mean better detection anyway.
Get notified when pricing goes live
We'll send one email when plans are published — nothing else.
No per-GB overages · No surprise bills · Full platform on every plan
Roadmap
The core platform is production-ready today. These are the next capabilities on the roadmap — more coverage, more automation, and deeper integrations with your existing stack.
SOAR Integrations
Orchestration & Automation
Native integrations with leading SOAR platforms for advanced playbook automation — conditional branching, API chaining, multi-system orchestration — beyond VortexSOC's built-in playbook engine.
Detection Library
Curated detections & analytics packs
VortexSOC already ships 3,000+ SIGMA rules, UEBA baselines, and ML anomaly detection. Next: curated detection packs tuned for specific verticals and threat actors, updated continuously as the threat landscape evolves.
Have a feature request? Get in touch — coming soon