SOVA Agent
Claude Opus 4.6 agentic loop. 30 tools. 7 ARQ cron schedules. Redis memory: 20-turn cap, 6h TTL.
MasterAgent
4 specialised sub-agents (SOVAOperator, ThreatHunter, ForensicsAgent, ComplianceAgent). HMAC task tokens. Human-in-the-loop approval.
WardenHealer
Autonomous anomaly detection. OLS trend prediction. SQLite recipe cache. Haiku incident classification.
Agent Monitor
Session-level threat pattern detection including INJECTION_CHAIN. Cryptographic attestation chain.
Browser Sandbox
Playwright headless Chromium. ScreencastRecorder captures video → MinIO SOC 2 evidence bundles.
Visual Assert Page
In-process Claude Vision page assertion. No HTTP round-trip. Requires Playwright + Anthropic API key.
Visual Diff Tool
Claude Vision baseline vs candidate screenshot comparison. Verdicts: IDENTICAL / MINOR_DIFF / REGRESSION / CRITICAL.
Shadow AI Scanner (SOVA)
SOVA tool #29: calls ShadowAIDetector directly. 18 providers. Falls back gracefully when the package is unavailable.
XAI Explain Tool (SOVA)
SOVA tool #30: causal chain retrieval from logs + XAI rationale. Used by ScenarioRunner smart_retry.
Mobile SOC App — React Native push alerts for HIGH/BLOCK verdicts
iOS + Android React Native app for on-the-go SOC operators. FCM/APNs push alerts fire on every HIGH/BLOCK verdict via the SOVA alerting pipeline. Alert feed, detail view with 9-stage XAI pipeline, one-tap deep-link to full XAI report. Device token registry (SQLite, max 50/tenant). Prometheus counter for delivered notifications.