Architecture

Autopilot cleanly separates data access (MCP), reasoning (OpenClaw agents), and execution (human-gated responder).

High-level diagram

WAZUH MANAGER ──▶ MCP SERVER ◀──▶ OPENCLAW GATEWAY ──▶ 7 SOC AGENTS
       │                 │                    │
     Alerts          Wazuh API            AI orchestration
       │                 │                    │
       ▼                 ▼                    ▼
                 AUTOPILOT RUNTIME SERVICE
          cases • evidence packs • response plans • metrics • slack

Key idea: plans can be generated fast, but the “execute” path is gated.

Agent pipeline

Alert Ingestion → Triage → Correlation → Investigation
                              │
                              ▼
                     Response Planner → Policy Guard → Human Approval → Responder

The Policy Guard acts as a safety layer. Humans always remain the final decision point for actions.
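
The gate described above, sketched as a small state machine. This is an added example, not Autopilot's own code: every class, function, identity and action string below is hypothetical and constructed for illustration. It assumes the Policy Guard only records findings and that only a non-agent identity can approve a plan.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class State(Enum):
    PROPOSED = "proposed"
    APPROVED = "approved"
    EXECUTED = "executed"

class GateError(Exception):
    """Raised when a step tries to bypass the approval gate."""

@dataclass
class ResponsePlan:  # hypothetical plan record, as produced by the Response Planner
    case_id: str
    actions: list
    state: State = State.PROPOSED
    policy_findings: Optional[list] = None  # None until the Policy Guard has run
    approved_by: str = ""

# Constructed sample policy and agent identities (assumptions, not from the project).
FLAGGED_ACTIONS = {"disable-account:root"}
AGENT_IDS = {"triage", "correlation", "investigation", "response-planner",
             "policy-guard", "responder", "reporting"}

def policy_guard(plan):
    """Advisory step: records findings for the reviewer, never changes plan.state."""
    plan.policy_findings = [a for a in plan.actions if a in FLAGGED_ACTIONS]
    return plan.policy_findings

def human_approve(plan, approver):
    """Move a plan to APPROVED; agents cannot approve, and the guard must have run."""
    if approver in AGENT_IDS:
        raise GateError("agents cannot approve plans")
    if plan.policy_findings is None:
        raise GateError("Policy Guard has not reviewed this plan")
    if plan.state is not State.PROPOSED:
        raise GateError("cannot approve a plan in state " + plan.state.value)
    plan.state, plan.approved_by = State.APPROVED, approver

def responder_execute(plan, run_action):
    """Run actions only for a human-approved plan; a plan executes at most once."""
    if plan.state is not State.APPROVED or not plan.approved_by:
        raise GateError("plan has no human approval")
    results = [run_action(a) for a in plan.actions]
    plan.state = State.EXECUTED
    return results
```

Because the check lives in the responder rather than in the planner, a plan that skips the guard or the approval step is refused at the point of execution, and an executed plan cannot be replayed.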

The 7 SOC agents

Agent             Function                                               Autonomy
Triage            Analyze alerts, extract IOCs, create cases             Automatic
Correlation       Link related alerts, build attack timelines            Automatic
Investigation     Deep analysis, process trees, threat intel enrichment  Automatic
Response Planner  Generate risk-assessed response plans                  Proposal only
Policy Guard      Validate actions against security policies             Advisory
Responder         Execute Wazuh Active Response commands                 Human-gated
Reporting         Generate SOC metrics, KPIs, shift reports              Automatic

Operational outputs