Download Free CE

SynapCores SOAR — The Open-Core SOAR Platform for the Autonomous SOC

Tier-1 triage runs itself. IR playbooks dispatch real actions. Every step writes to an immutable audit log your SOC 2 auditor can query directly. Managed cloud, or one docker compose on your infrastructure. Per analyst seat — no per-action tax.

Join the waitlistStar on GitHubEnterprise — request pricing

The pain we built this for

If you run a Security Operations Center, you have already lost this conversation a hundred times: "We are buried in alerts. Tier-1 is burning out. Our SOAR playbook is YAML that nobody reads. When something real happens we still drag context from six different tabs into a Slack thread."

  • Tier-1 analysts triage 100–500 alerts per shift, and 90% are duplicates of yesterday's noise. Nobody has time to dedupe semantically.
  • Investigation context lives across SIEM + EDR + IAM + ticketing + the senior analyst's notebook. Every incident rebuilds it from scratch.
  • Your existing SOAR is a workflow engine, not a brain. Workflows fire — they don't understand the asset graph, similar past incidents, or the blast radius.
  • Your SOC 2 Type II auditor wants evidence. You spend 4–6 weeks pulling screenshots and signed PDFs.
  • You evaluated Tines and Torq. The per-action pricing got expensive the moment you tried to automate everything.

Six capabilities. One self-hosted stack.

Most SOAR platforms are a workflow engine bolted onto a job queue. SynapCores SOAR is a Node.js application backed by SynapCores — our AI-native database with graph, vectors, immutable audit, SQL, and agentic loop in one engine. The category-defining capabilities that follow are not add-ons. They are native to the data tier the app sits on.

Property graph for asset, identity & blast-radius queries

Tines and Torq have workflow engines but no graph. SynapCores has Cypher built into the same database — a single MATCH query returns the affected asset + its owner + every system it can reach + every vendor with downstream data access. Six weeks of Excel work in 100ms.

AI agents that act, not just narrate

Five autonomous agent personas — tier1-triage, incident-responder, forensic-investigator, threat-hunter, evidence-collector — run as SQL functions inside the database. They use vector search, Cypher traversal, and tool dispatch in a ReAct loop, with human-approval gates for high-blast-radius actions.

Semantic alert dedup at scale

Tier-1 analysts drown in duplicate alerts. SynapCores embeds every alert as a 384-dim vector, then cosine-similarity-matches against the last 30 days. 95% of overnight noise auto-closes before a human looks at it — the analyst sees the 5% that actually matter, already enriched.

Cryptographically immutable audit log

Every alert, every agent action, every analyst override, every auditor query — written to an append-only table with cryptographic chaining. Run VERIFY_CHAIN() and prove the audit trail has not been tampered with. The surface that wins SOC 2 Type II, breach-notification, and legal-discoverability conversations.

MCP portal for external auditors and investigators

Mint a scoped, read-only, time-bound MCP token. The auditor pastes it into Claude or Cursor and queries the audit log, incidents, and evidence packs in natural language. Every query the auditor runs is itself audit-logged. Collapses a 4-6 week Type II evidence cycle to a token and a chat.

Open core. Managed or self-hosted. No per-action tax.

Tines pricing scales with automation density — the more you automate, the more you pay. SynapCores SOAR charges per analyst seat, capped. The application source is public on GitHub. Choose managed cloud (we operate it) or self-hosted via one `docker compose up` — your data, your call, no devops project.

How it works

Three architectural pieces, all running on the same database connection.

1. The blast-radius graph

Every alert, asset, identity, vulnerability, IOC, vendor, and incident is a graph node. Every relationship (OWNED_BY, HAS_ACCESS_TO, VULNERABLE_TO, PART_OF) is an edge. One Cypher query returns the full subgraph around an alert — what it touched, who else it can reach, which vendors have downstream data access, and which prior incidents share the same shape.

Cypher in the same engine as SQL. No ETL between a graph DB and a row DB. No staleness.

-- "Show me the blast radius of alert ALR-9001"
CYPHER
MATCH (a:Alert {id: $alert})-[:RAISED_AGAINST]->(initial)
MATCH path = (initial)-[:OWNED_BY|HAS_ACCESS_TO|RESIDES_IN|VULNERABLE_TO*1..3]-(reachable)
OPTIONAL MATCH (reachable)<-[:RECEIVES]-(v:Vendor)
OPTIONAL MATCH (reachable)<-[:AFFECTED]-(prior:Incident)
  WHERE prior.opened_at > $window_start
RETURN initial, reachable, v, prior, path
-- Returns in ~100ms across millions of nodes.

2. Five autonomous agent personas

tier1-triage handles every incoming alert — dedup via embedding cosine, enrich with asset and identity context, score severity, escalate or close. incident-responder executes the matched playbook via tool dispatch (isolate, disable, revoke, notify), pausing for human approval at high-blast-radius actions. forensic-investigator reconstructs incident timelines. threat-hunter runs new IOC drops against the historical access log. evidence-collector assembles tamper-evident artefact packs for legal and regulators.

Each persona is a recipe in the public GitHub repo. Operators write their own.

-- Trigger autonomous triage on every new alert
SELECT AGENT_RUN('tier1-triage', alert_id) AS verdict
FROM alerts
WHERE status = 'new';

-- The agent's tool registry includes:
--   execute_query, vector_search, enrich_asset,
--   enrich_identity, mark_duplicate, assign_severity,
--   isolate_endpoint, disable_user, snapshot_disk, …
--
-- Each tool call is one row in the immutable audit log.
-- High-blast-radius tools (isolate, disable, revoke)
-- pause for human approval by default.

3. Immutable audit + MCP for auditors

Every action — agent tool dispatch, analyst override, external auditor query — writes to an IMMUTABLE table with cryptographic chaining. Run VERIFY_CHAIN() to prove the trail has not been tampered with. Mint a scoped, read-only, time-bound MCP token for your SOC 2 auditor — they paste it into Claude or Cursor and query the audit log directly. Every query they run is itself logged.

This is the screen that closes enterprise deals.

-- The immutable audit table
CREATE IMMUTABLE TABLE audit_log (
  event_id    INTEGER PRIMARY KEY,
  ts          TIMESTAMP NOT NULL,
  actor       TEXT NOT NULL,
  actor_type  TEXT NOT NULL,
  -- 'human' | 'agent' | 'system' | 'external_auditor'
  action      TEXT NOT NULL,
  target_id   TEXT,
  payload     JSON,
  request_id  TEXT
);

-- Prove the chain has not been tampered with
SELECT VERIFY_CHAIN('audit_log') AS chain_ok;
-- → { chain_ok: true, last_event_hash: "0x…" }

SynapCores SOAR vs Tines vs Torq vs Splunk SOAR

The honest comparison. We ship the capabilities the incumbents bolt on, and we charge for the things the incumbents charge for the wrong way.

FeatureSynapCores SOARTinesTorqSplunk SOAR
Open core (source on GitHub)YesNoNoNo
Managed cloud OR self-hosted (docker compose)YesSaaS onlySaaS onlyHeavy install
Property graph for blast-radius queriesYesNoNoNo
Native vector search (similar-incident retrieval)YesNoLimitedNo
Autonomous AI agents with tool dispatchYesWorkflow onlySomeBolt-on LLM
Cryptographically immutable audit logYesNoNoNo
MCP portal for external auditorsYesNoNoNo
Pricing modelPer analyst seatPer actionPer workflowPer SIEM tier
Data residency controlYour infrastructureSaaS onlySaaS onlySplunk-locked

Feature claims for third-party products reflect public documentation and customer commentary as of late 2026. We will correct anything inaccurate — open a PR on the homepage repo.

Who this is for

SOAR is bought and run by the security team — specifically the people who own detection-and-response operations. The primary buyer is technical and comfortable with infrastructure. For the CISO and the auditor who are not hands-on, the managed-cloud tier means they never have to install or operate anything.

Primary buyer
SOC Director / Head of Detection & Response

Runs a 24/7 SOC with 5–25 analysts. Already operates Splunk + CrowdStrike + Okta + Confluence runbooks. Owns the SOAR budget. Comfortable with `docker compose` and the CLI — open-core is a pro signal, not a fear signal. Wants the autonomous-Tier-1 outcome without losing control of the data.

Economic buyer
CISO at a Series B–E SaaS or Mid-Market

Owns the SOC 2 / ISO 27001 / FedRAMP roadmap and signs the cheque. Often not hands-on with infrastructure — uses Enterprise managed cloud so there is nothing to install. Open-core is a board-level credibility multiplier (no vendor lock-in, supply-chain-attack defensible).

High-leverage
MSSP / MDR Service Provider

Runs a SOC service for 20+ customers. Per-customer SOAR cost is killing margin. White-label deployment + multi-tenant isolation + open-core licensing (no SaaS-only lock-in) change the unit economics.

Quickstart — 30 seconds

The stack is one docker compose up away — no devops project. From there, point your SIEM's webhook at /v1/soar/alerts and the triage agent goes to work. Prefer not to host anything? Enterprise includes managed cloud.

# 1. Clone the SOAR stack (SOAR app + SynapCores)
git clone https://github.com/SynapCores/synapcores-soar
cd synapcores-soar

# 2. Bring up the whole stack — ~30 seconds
docker compose up -d
#   → synapcores (data tier) on :8080
#   → synapcores-soar (app, Node.js)  on :3000

# 3. Get the admin password from the first-boot log
docker compose logs synapcores 2>&1 | grep "password:"

# 4. Point your SIEM's webhook at /v1/soar/alerts
#    (Splunk, Sentinel, Chronicle, CrowdStrike etc.)
#
# 5. Open the investigation UI — your first triage
#    agent is already running.
#
# Prefer not to host anything? Enterprise includes a
# fully managed cloud deployment — same stack, we run
# it for you.

Pricing

Open core: the application source is public on GitHub. The wedge against Tines and Torq is a per-analyst-seat model with no per-action tax — the more you automate, the more value you get without the bill going up. Self-host it yourself with one docker compose up, or let us run it for you in Enterprise.

Open Core

$0

Self-hosted via docker compose. Yours forever.

  • Full SOAR application source (Node.js / TypeScript)
  • SynapCores Community Edition as the data tier
  • One `docker compose up` brings the whole stack up in ~30s
  • All five agent personas
  • Ingest connectors for every major SIEM, EDR, IAM, cloud audit source
  • Action library for endpoint isolation, identity revocation, network blocking, snapshotting, ticketing, notifications
  • Cypher + SQL + vector search in one database
  • Immutable audit log with VERIFY_CHAIN()
  • Investigation UI with the graph explorer
  • Playbook authoring + dry-run mode
  • GitHub + Discord community support
github.com/SynapCores/synapcores-soar
Enterprise

Custom

Per-analyst seat. No per-action tax.

Everything in Open Core, plus:

  • Fully managed cloud — we operate the stack, you log in (no devops required)
  • Assisted on-prem deployment if you prefer to host it yourself
  • 24/7 support + on-call escalation + dedicated solution engineer
  • Certified playbook library (50+ pre-built workflows)
  • SOC 2 Type II auditor portal (scoped MCP tokens, session recording, evidence pack builder)
  • Compliance certifications: SOC 2 Type II, ISO 27001, FedRAMP (roadmap)
  • Multi-tenant isolation for MSSP / MDR providers
  • Custom integration development (we wire your in-house tools)
  • SLA-backed uptime + incident response from us
Request Enterprise pricing

Frequently asked

What is SynapCores SOAR?+

SynapCores SOAR is an open-core SOAR (Security Orchestration, Automation and Response) platform that runs the autonomous SOC. The application is a Node.js/TypeScript service; the data tier is SynapCores, our AI-native database. It deploys as a docker-compose stack you self-host, or as managed cloud we operate for you. It includes a property-graph engine for asset and identity correlation, AI agents for autonomous Tier-1 triage and IR playbook execution, vector search for similar-incident retrieval, and an immutable audit log for forensic and regulatory defensibility.

How is SynapCores SOAR different from Tines or Torq?+

Tines and Torq are closed-source SaaS workflow engines with per-action pricing that gets expensive as you automate more. SynapCores SOAR is open-core (the application source is public on GitHub), available as managed cloud or self-hosted, and priced per analyst seat with no per-action tax. It also ships with a graph engine, vector search, and an immutable audit log built into the same database — capabilities you would otherwise stitch together from Neo4j, Pinecone, and a custom audit service.

Does SynapCores SOAR replace my SIEM?+

No. SynapCores SOAR sits beside your existing SIEM (Splunk, Datadog, Microsoft Sentinel, Chronicle) and EDR (CrowdStrike, SentinelOne, Defender). It ingests alerts via webhook, enriches them with graph and vector context, runs autonomous IR playbooks, and writes back to your stack via API. Your SIEM keeps log retention; we add the autonomous-SOC brain on top.

What does "open-core" mean — do I need a devops team to run it?+

No devops team required. The SOAR application source is public on GitHub — every connector, every agent persona, every playbook is reviewable code under a permissive license. To run it: one `docker compose up` brings up the stack (SOAR app + SynapCores) on your infrastructure in about 30 seconds. If you would rather not host anything, Enterprise includes managed cloud — we operate it, you log in. Open-core means the code is honest; how you consume it is your choice.

Can my SOC 2 Type II auditor use SynapCores SOAR directly?+

Yes. SynapCores SOAR exposes a scoped MCP (Model Context Protocol) token that an external auditor can paste into Claude, Cursor, or any MCP-compatible LLM. The auditor queries the immutable audit log, incidents, and evidence packs directly using natural language. Every query the auditor runs is itself logged in your tamper-evident audit trail. This collapses the typical four-to-six-week Type II evidence-collection cycle to a token and a chat session.

What data sources does SynapCores SOAR ingest from?+

SIEMs (Splunk, Datadog, Microsoft Sentinel, Chronicle, Elastic, Sumo Logic), EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender, Carbon Black, Sophos), identity providers (Okta, Azure AD, AWS IAM, GCP IAM, Google Workspace), cloud audit logs (AWS CloudTrail, GCP Audit, Azure Monitor), email security (Proofpoint, Mimecast, M365 Defender, Abnormal), vulnerability scanners (Qualys, Tenable, Wiz, Snyk), ticketing (ServiceNow, Jira, PagerDuty), and threat intelligence feeds (MISP, OpenCTI, Recorded Future, STIX/TAXII).

What actions can the agents execute?+

Isolate endpoints (CrowdStrike, SentinelOne, Defender), disable users and revoke sessions (Okta, Azure AD), block IPs and domains (Cloudflare, Palo Alto, Zscaler, Cisco Umbrella), snapshot disks and capture memory (AWS, GCP, Azure, Velociraptor), quarantine emails (Proofpoint, Mimecast, M365), create and update tickets (ServiceNow, Jira, PagerDuty), and post to channels (Slack, Teams, PagerDuty). High-blast-radius actions stop and ask for human approval by default.

Where is my SOC data stored?+

Wherever you decide. Self-hosted: everything — alerts, identities, asset graphs, playbook state, audit logs — lives in your infrastructure inside the SynapCores RocksDB-backed engine. No customer data leaves your network. Managed cloud: dedicated single-tenant SynapCores instance in your chosen region, ours to operate, yours to query and export. Embedding generation and LLM inference can run locally on the bundled native model or be routed to your chosen provider — your choice, your contract, your data residency.

What does pricing look like?+

Open-core: no license fee for the self-hosted application. Enterprise is per-analyst-seat with no per-action tax — the wedge against incumbents that charge per workflow execution. Enterprise covers managed cloud hosting, 24/7 support and on-call escalation, a certified playbook library with 50+ pre-built workflows, the SOC 2 Type II auditor portal, compliance certifications (SOC 2, ISO 27001, FedRAMP roadmap), and dedicated solution engineering.

When will SynapCores SOAR be generally available?+

The open-source repository is live at github.com/SynapCores/synapcores-soar. General availability of the full enterprise tier is targeted for Q4 2026. Join the waitlist to lock in design-partner status, get architecture-review access, and shape the playbook library.

Get on the SynapCores SOAR waitlist

Design-partner slots are limited. Waitlist members get:

  • First access to the public GitHub repo as it lands
  • A scoped architecture-review call with the engineering team
  • Input on the playbook library — your most-painful playbook gets built first
  • Lock-in on Enterprise pricing for the first twelve months
  • Direct line to the engineering team for integration requests

Free weekly course

Learn machine learning, hands-on

Join the newsletter for a free weekly Machine Learning course you run yourself in Community Edition — plus new-release notes and support tips. No spam, unsubscribe anytime.

Free forever. We'll never share your email.

One stack. The whole SOC.

Graph for blast radius. Vectors for similar incidents. Agents for autonomous triage. Immutable audit for SOC 2. MCP for external auditors. Open core, managed cloud or self-hosted, per analyst seat — no per-action tax.

Join the waitlistStar on GitHub