Features built for real SOC workflows
Autopilot is designed to reduce alert fatigue without creating “auto-remediation anxiety”. Plans are proposed fast, but execution stays human-gated.
Autonomous triage
Agents analyze incoming alerts, extract entities (IPs, users, hosts), and assign severity.
- Entity extraction + normalization
- Noise reduction via context
- Consistent, explainable summaries
Incident correlation
Automatically link related alerts into unified cases with attack timelines.
- Case creation + merging
- Timeline reconstruction
- MITRE ATT&CK mapping support
Response planning
Generate risk-assessed response plans with recommended Wazuh Active Response actions.
- Plan proposals with risk notes
- Policy guard checks
- Execution is optional + gated
Two-tier human approval
A two-tier approval workflow ensures humans authorize every response action.
- Approve / reject / expire
- Audit trail for decisions
- Safer automation at scale
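The "Policy guard checks" and "Execution is optional + gated" points under Response planning, and the approve / reject / expire and audit-trail points above, describe one gating mechanism. The following is an added example written for this page, not Autopilot's or OpenClaw's own code: a minimal two-tier approval gate in which a proposed Wazuh Active Response action must pass an allow-list (the policy guard), collect approvals from two distinct tiers in order, expire if nobody acts within a TTL, and record every decision in an audit list. The tier names ("analyst", "lead"), the allow-list contents, the TTL, the rule that one person cannot sign both tiers, and the audit record layout are all assumptions made for the example; the page does not specify them.

```python
"""Two-tier approval gate with expiry and audit trail.

Illustrative code for this page, not the project's implementation.
Tier names, allow-list, TTL and audit layout are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
import time

# Policy guard (assumed allow-list): only these Active Response actions may be proposed.
ALLOWED_ACTIONS = {"firewall-drop", "disable-account", "host-deny"}


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    EXPIRED = "expired"


class PolicyViolation(Exception):
    """Raised when a proposal or approval breaks the gate's policy."""


@dataclass
class ApprovalRequest:
    action: str
    target: str
    requested_at: float
    ttl_seconds: float
    approvals: dict = field(default_factory=dict)   # tier -> approver
    status: Status = Status.PENDING
    audit: list = field(default_factory=list)       # ordered decision records

    def log(self, event, who, now):
        self.audit.append({"ts": now, "event": event, "by": who, "status": self.status.value})


class ApprovalGate:
    TIERS = ("analyst", "lead")  # assumed tier names; must approve in this order

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable clock so expiry is testable offline

    def propose(self, action, target, ttl_seconds=900):
        """Policy guard: reject anything outside the allow-list before it is ever queued."""
        if action not in ALLOWED_ACTIONS:
            raise PolicyViolation(f"action {action!r} not permitted by policy guard")
        now = self.clock()
        req = ApprovalRequest(action, target, now, ttl_seconds)
        req.log("proposed", "autopilot", now)
        return req

    def _expire_if_due(self, req):
        now = self.clock()
        if req.status is Status.PENDING and now - req.requested_at > req.ttl_seconds:
            req.status = Status.EXPIRED
            req.log("expired", "system", now)

    def approve(self, req, tier, approver):
        self._expire_if_due(req)
        if req.status is not Status.PENDING:
            return req.status                     # late or duplicate decisions are no-ops
        expected = self.TIERS[len(req.approvals)]
        if tier != expected:
            raise PolicyViolation(f"tier {tier!r} cannot sign now; awaiting {expected!r}")
        if approver in req.approvals.values():
            raise PolicyViolation("one person cannot satisfy both tiers")
        req.approvals[tier] = approver
        req.log(f"approved:{tier}", approver, self.clock())
        if len(req.approvals) == len(self.TIERS):
            req.status = Status.APPROVED
            req.log("fully_approved", approver, self.clock())
        return req.status

    def reject(self, req, tier, approver, reason):
        self._expire_if_due(req)
        if req.status is not Status.PENDING:
            return req.status
        req.status = Status.REJECTED
        req.log(f"rejected:{tier}:{reason}", approver, self.clock())
        return req.status

    def can_execute(self, req):
        """The only question the executor asks: both tiers signed and still in time."""
        self._expire_if_due(req)
        return req.status is Status.APPROVED
```

The executor never inspects approvals itself; it only calls `can_execute`, so the allow-list, tier order, distinct-approver rule and TTL are enforced in one place, and the audit list on each request is what an evidence pack would carry.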
Evidence packs
Structured JSON evidence packages for compliance, audits, and forensics.
- Entities + timeline
- Plans + actions
- Exportable schema
Prometheus + Slack
Full observability with SOC KPIs + real-time approvals via Slack Socket Mode.
- /metrics endpoint for KPIs and latency
- Interactive approval buttons
- No inbound ports required (Socket Mode connects outbound to Slack)
Model-agnostic by design
OpenClaw supports multiple LLM providers. You can run paid models (for deeper reasoning) or local models (for air-gapped deployments). Configure your provider in openclaw/openclaw.json.