Architecture
Autopilot cleanly separates data access (MCP), reasoning (OpenClaw agents), and execution (human-gated responder).
High-level diagram
WAZUH MANAGER ──▶ MCP SERVER ◀──▶ OPENCLAW GATEWAY ──▶ 7 SOC AGENTS
      │               │                  │
    Alerts        Wazuh API       AI orchestration
      │               │                  │
      ▼               ▼                  ▼
                AUTOPILOT RUNTIME SERVICE
  cases • evidence packs • response plans • metrics • slack
Key idea: plans can be generated fast, but the “execute” path is gated.
Agent pipeline
Alert Ingestion → Triage → Correlation → Investigation
                                               │
                                               ▼
Response Planner → Policy Guard → Human Approval → Responder
The Policy Guard acts as a safety layer. Humans always remain the final decision point for actions.
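The gated execute path described above, as an added Python sketch (not Autopilot's own code). All names here (`ALLOWED_ACTIONS`, `ApprovalStore`, `respond`, the plan layout) are hypothetical. It assumes the responder re-runs the policy check itself and binds each human approval to a hash of the exact plan, so a plan edited after approval is refused.

```python
"""Constructed sketch of a human-gated response path; not Autopilot code."""
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical policy: the only actions the policy check accepts.
ALLOWED_ACTIONS = {"block_ip", "isolate_host"}


class GateError(Exception):
    """Raised when a plan reaches the responder without passing every gate."""


def plan_digest(plan: dict) -> str:
    # Canonical JSON so an approval binds to the exact plan content.
    return hashlib.sha256(json.dumps(plan, sort_keys=True).encode()).hexdigest()


def policy_guard(plan: dict) -> list[str]:
    """Return the list of policy violations (empty means clean)."""
    return [f"action not allowed: {s['action']}"
            for s in plan["steps"] if s["action"] not in ALLOWED_ACTIONS]


@dataclass
class ApprovalStore:
    approvals: dict = field(default_factory=dict)  # plan digest -> approver

    def approve(self, plan: dict, approver: str) -> None:
        # Record who approved this exact version of the plan.
        self.approvals[plan_digest(plan)] = approver


def respond(plan: dict, store: ApprovalStore, execute) -> list:
    """Run steps only for a policy-clean plan with a matching human approval."""
    violations = policy_guard(plan)
    if violations:
        raise GateError("; ".join(violations))
    approver = store.approvals.get(plan_digest(plan))
    if approver is None:
        raise GateError("no human approval recorded for this exact plan")
    # `execute` is the caller-supplied action runner (assumed interface).
    return [execute(step, approver) for step in plan["steps"]]
```

Because the approval is keyed by the plan digest, changing a target or adding a step after sign-off invalidates the approval and forces a new review.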
The 7 SOC agents
| Agent | Function | Autonomy |
|---|---|---|
| Triage | Analyze alerts, extract IOCs, create cases | Automatic |
| Correlation | Link related alerts, build attack timelines | Automatic |
| Investigation | Deep analysis, process trees, threat intel enrichment | Automatic |
| Response Planner | Generate risk-assessed response plans | Proposal only |
| Policy Guard | Validate actions against security policies | Advisory |
| Responder | Execute Wazuh Active Response commands | Human-gated |
| Reporting | Generate SOC metrics, KPIs, shift reports | Automatic |
Operational outputs
- Cases (correlated incidents)
- Evidence packs (structured JSON)
- Response plans (risk-assessed proposals)
- Prometheus metrics (/metrics)
- Slack approvals (Socket Mode)