Product Overview
PulseDefend SOC-in-a-Box delivers enterprise-grade security operations at SMB price points through intelligent automation — powered by our AI Tier-1 analyst and the full Microsoft security ecosystem.
01 Onboard: Deploy & integrate
02 Baseline: Learn environment
04 Detect: Correlate & score
05 AI Triage: AI analyst verdict
- Company size: 10–250 employees without a dedicated SOC team
- Microsoft-stack environments: Microsoft 365 / Azure / Entra ID / Defender — natively integrated
- Compliance pressure: ISO 27001, PCI-DSS, POPIA, GDPR exposure
- MSPs & resellers: White-label SOC capability to extend service offerings without headcount
- Sectors: Finance, legal, healthcare, retail, logistics
- AI-powered Tier-1 analyst: Handles incident triage, enrichment & verdicts automatically — 24/7, no fatigue, sub-90-second response
- Affordable SOC coverage: Fraction of a traditional MSSP retainer cost
- Fast onboarding: Live in under 48 hours — no heavy professional services engagement
- Compliance-ready evidence: Audit-ready reports auto-generated with full evidence chain
- Confidence-gated autonomy: Auto-remediation only fires when AI confidence ≥ 90% — no rogue actions
Collect & Monitor
Sentinel Log Aggregation · Defender XDR EDR · Azure Activity Logs · Cloud Posture (MDFC) · Entra ID Audit Logs
Detect & Analyse
AI Triage Agent · MITRE ATT&CK Mapping · Threat Intel Enrichment · UEBA / Behaviour Analytics · KQL Threat Hunting
Respond & Remediate
Automated Isolation · Account Lockout / MFA Reset · Firewall Rule Push · Evidence Preservation · Confidence-Gated Auto-Close
Onboarding Flow
Repeatable 4-phase process targeting a sub-48-hour time to go-live. Built around Microsoft Sentinel's native connectors for rapid, low-friction integration into any Azure-based environment.
Phase 1 — Discovery & Scoping
Day 1 · ~3 hrs
1. Client intake form: Asset count, OS mix, Microsoft 365 tenant details, Sentinel subscription ID, compliance requirements, existing security tooling
2. Environment topology mapping: Network diagram, Entra ID / AD structure, internet-facing assets, Log Analytics workspace ID
3. Stakeholder RACI: Who approves automated actions, who receives alerts, escalation contacts for P1 incidents
4. Risk appetite & confidence threshold: Confirm 90% confidence gate for autonomous remediation. Define action types requiring explicit human approval regardless of confidence.
Phase 2 — Integration & Agent Deployment
Day 1–2 · ~6 hrs
A. MDE agent rollout: Scripted Intune/GPO push for Microsoft Defender for Endpoint across all in-scope endpoints
B. Sentinel & Log Analytics wiring: Enable Microsoft 365 Defender, Entra ID, Azure Activity, and Defender for Cloud data connectors. Grant AI Analyst managed identity read-only access.
C. AI Analyst Logic App deployment: Sentinel automation rule on incident creation → Logic App → AI Analyst ingest endpoint with secure auth header
D. Threat intel API configuration: Configure VirusTotal, GreyNoise, AbuseIPDB and Microsoft Threat Intelligence enrichment sources
E. Firewall API auth: Pre-authorise API credentials for automated block rule pushes to Azure Firewall / NSG
F. Entra ID app registration: Grant Graph API permissions for account lockout, MFA enforcement, and session revocation response actions
Phase 3 — Baseline & Validation
Day 3–14 · Automated
1. Behavioural baseline learning: 7–14 day observation window — Sentinel UEBA learns normal login times, data transfer volumes, and service account patterns
2. AI Analyst evaluation run: AI Analyst runs against 90 days of historical closed incidents. Auto-remediation stays disabled until zero dangerous auto-closes confirmed.
3. False positive suppression: Whitelist known-good IPs, service accounts, scheduled tasks, and backup jobs in Sentinel watchlists
4. Detection rule tuning: Enable/disable Sentinel analytics rules based on client environment. Tune thresholds to minimise alert fatigue.
5. Playbook assignment: Map each alert category to the correct Logic App playbook with client-approved action scope
Phase 4 — Go-Live & Handover
Day 14–16
1. Simulated attack validation: Safe simulations verify detections fire, AI Analyst returns correct verdicts, and Logic App playbooks execute correctly end-to-end
2. Client dashboard walkthrough: Train client contact on posture dashboard, AI verdict queue, and alert notifications
3. Escalation test: Trigger a test P1 alert to validate the full chain: AI verdict → confidence gate → SOAR action → human notification
4. Baseline security report: Deliver initial posture report covering coverage gaps, AI eval accuracy, and first 30-day monitoring plan
Technical Architecture
Cloud-native and Azure-first. Built on Microsoft Sentinel and Defender XDR — PulseDefend's AI Analyst slots between the SIEM correlation layer and the SOAR automation layer, processing every incident automatically.
Data Collection & Telemetry
🛡️ Microsoft Defender for Endpoint (MDE)
📧 Microsoft 365 Defender — Email & Collaboration
🔐 Entra ID — Identity & Access Audit Logs
☁️ Microsoft Defender for Cloud (CSPM/CWPP)
🌐 Azure Firewall & NSG Flow Logs
📱 Defender for Cloud Apps (CASB)
📊 Azure Activity & Resource Logs
↓
Microsoft Sentinel — SIEM & Log Analytics
📡 Native Microsoft Data Connectors
🗄️ Log Analytics Workspace
📐 KQL Analytics & ASIM Parsers
📋 Sentinel Watchlists
🔗 Microsoft Threat Intelligence (MDTI)
↓
Detection & Correlation
🚨 Sentinel Analytics Rules (Scheduled + NRT)
🧠 Defender XDR Correlation Engine
👤 Sentinel UEBA
🗺️ MITRE ATT&CK Mapping (Built-in)
🤖 Fusion ML-driven Detection
⚠️ Defender for Cloud Security Alerts
↓
PulseDefend AI Analyst Layer
🤖 AI Triage Agent — Every Incident
🔬 Investigation Agent — Analyst Deep Dives
🌐 Threat Intel Enrichment (VT / GreyNoise / AbuseIPDB / MDTI)
🎯 Confidence-Gated Verdict Engine
🔍 KQL Threat Hunting Queries
📝 Legal-Grade Audit Trail
↓
SOAR & Automated Response
⚡ Sentinel Automation Rules
🔄 Azure Logic Apps Playbooks
🖥️ Defender for Endpoint API — Isolate / Remediate
🔐 Entra ID Graph API — Lock / MFA Reset / Revoke Sessions
🌐 Azure Firewall API — Block Rules
📬 Microsoft Teams Alerting
↓
Reporting & Client Portal
📊 Client Security Posture Dashboard
📄 Automated Security Audit Reports (Pro Tier)
🔗 Evidence Chain & Audit Trail
✅ Compliance Evidence Package
Azure Permissions Required
- SecurityIncident.Read.All: Sentinel incident access for AI Analyst triage
- SecurityAlert.Read.All: Alert details and enrichment data
- ThreatHunting.Read.All: Advanced Hunting / KQL in Defender XDR
- IdentityRiskyUser.Read.All: Entra ID risk signal access for user context
- Log Analytics Reader: KQL queries against the Log Analytics workspace
All AI Analyst permissions are read-only. Response actions execute via separate, explicitly-scoped Logic App service principals — not the analyst agent itself.
- Read-only at agent layer: AI Analyst never closes incidents or takes response actions directly. It produces verdicts; Logic Apps act via the confidence gate.
- Eval gates autonomy: Zero dangerous auto-close errors confirmed before any auto-remediation path is enabled in production.
- Full evidence chain: Every claim backed by a specific log entry, timestamp, and tool result — audit-grade documentation.
- Legal-grade audit trail: All decisions logged: incidents, triage runs, tool calls, agent reasoning, and actions — admissible chain of custody.
AI Analyst
PulseDefend's proprietary AI Analyst acts as a tireless Tier-1 SOC analyst — processing every Microsoft Sentinel incident the moment it fires, enriching it with threat intelligence, and delivering a confidence-scored verdict within ~90 seconds.
✓ Validated performance: 87.7% triage accuracy against real-world incident datasets. Mean triage time ~87 seconds. Mean 10.3 tool calls per triage. Confident false-positive closure rate eliminates analyst queue noise automatically.
Two-Tier Agent Architecture
L1 Triage Agent — every incident: Fast and cost-efficient. Processes the Sentinel incident envelope, runs entity lookups against threat intel sources, executes targeted KQL hunts in Log Analytics and Defender XDR Advanced Hunting, and delivers a classified verdict with confidence score. Closes confirmed false positives autonomously at ≥90% confidence. Routes true positives to L2 or the human queue.
L2 Investigation Agent — analyst-triggered deep dives: Broader context, deeper analysis. The analyst initiates the deep dive, approving scope and cost. Produces an IR-quality investigation report including full attack timeline, lateral movement mapping, MITRE ATT&CK technique attribution, and recommended containment actions.
Confidence-Gated Autonomy
- ≥90% confidence — TruePositive: SOAR Logic App playbook triggered automatically. Appropriate containment fires within minutes — no human in the loop for confirmed threats.
- ≥90% confidence — FalsePositive: Incident closed and documented automatically. Analyst queue stays clean of noise.
- <90% or Investigate verdict: Placed in human analyst queue with full pre-loaded evidence — enrichment data, KQL results, and AI reasoning all ready. Analyst effort focused where it matters.
The confidence gate is configured per client during onboarding. Clients with lower risk appetite can raise the threshold — requiring higher confidence before any automated action fires.
Automated Triage Pipeline (per alert)
1. Sentinel incident fires → Logic App → AI Analyst ingest: Incident envelope posted to the AI Analyst ingest endpoint via an Azure Logic App automation rule. Added to the processing queue with an authenticated header.
2. Triage Agent picks up job: Agent pulls the incident and accesses Microsoft Sentinel, Defender XDR, and connected security APIs using a read-only Managed Identity — no stored credentials.
3. Entity enrichment & KQL hunts: IPs, file hashes, and domains queried against VirusTotal, GreyNoise, AbuseIPDB, and Microsoft Threat Intelligence. KQL hunting queries run in Sentinel Log Analytics and Defender XDR Advanced Hunting.
4. Validated verdict submitted: Schema-enforced verdict with classification, confidence score, evidence chain (specific log entries + timestamps), deep-dive flag, and recommended actions.
5. Confidence gate evaluated: If TruePositive/FalsePositive + confidence ≥ 90% and pre-go-live eval passed → SOAR Logic App triggered automatically.
6. Human queue or auto-remediate: Sub-90% or Investigate → analyst queue with full evidence package. ≥90% TruePositive → Logic App executes response playbook within minutes.
7. Audit trail persisted: All tool calls, reasoning steps, decisions, and actions logged — legal-grade chain of custody for every incident handled.
Microsoft Security Integration
Microsoft Sentinel · Defender for Endpoint · Defender XDR · Entra ID Graph API · Defender for Cloud Apps · Microsoft Threat Intelligence · Log Analytics KQL · Advanced Hunting
Threat Intelligence Sources
VirusTotal — File / IP / Domain · GreyNoise — IP Noise Classification · AbuseIPDB — IP Reputation · Microsoft MDTI — Native TI · MITRE ATT&CK Framework
Detection & Automated Triage
Every alert is scored, enriched, and confidence-gated before any remediation action fires. Noise is eliminated autonomously; confirmed threats are acted on within minutes.
Alert Severity & Routing Matrix
| Severity | AI Confidence Gate | Auto Action | Notification | SLA |
|---|---|---|---|---|
| P1 Critical | TruePositive + conf ≥ 90% | Immediate isolate / lock / block via Logic App | SMS + Call + Teams + Email to all stakeholders | Auto: <5 min · Human: <30 min |
| P2 High | TruePositive + conf ≥ 90% | Targeted containment (block IP, suspend session) | Teams alert + Email to lead analyst | Auto: <10 min · Human: <2 hrs |
| P3 Medium | conf < 90% or Investigate verdict | Enrichment + evidence collection → human queue | Dashboard alert + daily digest | Human review: <8 hrs (business hours) |
| P4 Low / Info | FalsePositive verdict or conf < 50% | Log and correlate. Auto-close if conf ≥ 90% FP. | Weekly report only | Review in weekly posture meeting |
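The confidence gate that the autonomy rules, the triage pipeline and the routing matrix above describe, as an added Python illustration (not PulseDefend's code): a schema check on the verdict, a per-client threshold defaulting to 90%, the pre-go-live eval gate, and a held-for-approval list for action types the client reserves for a human regardless of confidence. Field names, action names such as disable_account, and the refusal to lower the gate below 90% are assumptions for the example.

```python
from dataclasses import dataclass, field

# Added illustration of the page's confidence gate; not PulseDefend's code.
CLASSIFICATIONS = {"TruePositive", "FalsePositive", "Investigate"}
DEFAULT_GATE = 90  # the 90% gate the page confirms during onboarding
REQUIRED_EVIDENCE = {"log_id", "timestamp", "tool"}  # evidence chain fields (assumed names)

# Notification channel when automation fires, taken from the routing matrix.
AUTO_NOTIFY = {
    "P1": "SMS + Call + Teams + Email to all stakeholders",
    "P2": "Teams alert + Email to lead analyst",
}


@dataclass
class ClientPolicy:
    confidence_gate: int = DEFAULT_GATE    # clients may raise this; lowering is refused (assumption)
    eval_passed: bool = False              # zero dangerous auto-closes confirmed before go-live
    human_approval_actions: frozenset = frozenset({"disable_account"})  # always need a human approver

    def __post_init__(self):
        if self.confidence_gate < DEFAULT_GATE:
            raise ValueError("confidence gate cannot be lowered below 90%")


@dataclass
class Decision:
    route: str                             # "auto_remediate" | "auto_close" | "human_queue"
    auto_actions: list = field(default_factory=list)
    held_for_approval: list = field(default_factory=list)
    reason: str = ""


def validate_verdict(v: dict) -> str:
    """Schema check on the agent's verdict; returns "" if valid, else the violation."""
    if v.get("classification") not in CLASSIFICATIONS:
        return "unknown classification"
    conf = v.get("confidence")
    if not isinstance(conf, (int, float)) or not 0 <= conf <= 100:
        return "confidence must be a number in 0-100"
    evidence = v.get("evidence") or []
    if not evidence or any(not REQUIRED_EVIDENCE <= set(e) for e in evidence):
        return "every claim needs a log entry, timestamp and tool result"
    if "deep_dive" not in v or not isinstance(v.get("recommended_actions"), list):
        return "deep_dive flag and recommended_actions list are required"
    return ""


def route_verdict(v: dict, severity: str, policy: ClientPolicy) -> Decision:
    """Apply the confidence gate: the agent only produces verdicts, never acts."""
    err = validate_verdict(v)
    if err:  # a malformed verdict never drives automation
        return Decision("human_queue", reason=f"schema violation: {err}")
    cls, conf = v["classification"], v["confidence"]
    if cls == "Investigate" or conf < policy.confidence_gate:
        return Decision("human_queue", reason=f"{cls} at {conf}% is below the {policy.confidence_gate}% gate")
    if not policy.eval_passed:  # gate met, but no autonomy (remediate or close) until the eval passes
        return Decision("human_queue", reason="pre-go-live eval not yet passed")
    if cls == "FalsePositive":
        return Decision("auto_close", reason=f"FalsePositive at {conf}%")
    actions = v["recommended_actions"]
    held = [a for a in actions if a in policy.human_approval_actions]
    auto = [a for a in actions if a not in policy.human_approval_actions]
    notify = AUTO_NOTIFY.get(severity, "Dashboard alert + daily digest")
    return Decision("auto_remediate", auto, held, f"TruePositive at {conf}%; notify: {notify}")
```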
Key Detection Use Cases
Ransomware Behaviour · Lateral Movement · Credential Stuffing · Impossible Travel · Data Exfiltration · C2 Beaconing · Living-off-the-Land (LOLBins)
Brute Force / Password Spray · Privilege Escalation · Phishing Email Clicked · New Admin Account Created · Mass File Deletion / Encryption · After-hours Admin Activity · Rogue OAuth App Consent
Automated Response Playbooks
Azure Logic App playbooks triggered automatically when the AI Analyst returns a TruePositive verdict with confidence ≥ 90%. All actions are logged with a full audit trail.
⚠ Confidence gate: These playbooks fire only when the AI Analyst returns ≥ 90% confidence on a TruePositive verdict AND the pre-go-live eval confirmed zero dangerous auto-closes. Sub-threshold incidents route to the human analyst queue with full evidence pre-loaded.
🔐 Ransomware / Mass Encryption Detected
P1 Critical · Auto-Remediate · MITRE T1486
1. Immediate endpoint isolation: Defender for Endpoint API network-isolates affected host(s) within 60 seconds of detection
2. Memory & disk snapshot: Trigger live forensic snapshot before any data is further altered. Push to secure evidence storage.
3. Lateral movement sweep: Query Sentinel for same process hash, parent process, or C2 IP on all other endpoints in last 24h
4. Isolate related hosts: Auto-isolate any additional compromised endpoints found in sweep via MDE API
5. Block C2 infrastructure: Push deny rules to Azure Firewall / NSG for all IOCs surfaced by AI Analyst threat intelligence enrichment
6. Preserve backup integrity: Flag current recovery point to prevent overwrite during incident window
7. P1 escalation: Immediate Teams + SMS + call to client emergency contact and on-call analyst with full AI Analyst evidence package
👤 Account Compromise / Credential Theft
P1–P2 · Auto-Remediate · MITRE T1078
1. Revoke all active sessions: Entra ID Graph API revokes all refresh tokens and active sessions for the account immediately
2. Disable the account: Disable login temporarily via Graph API — not delete, to preserve forensic integrity
3. Force MFA re-registration: Reset MFA methods to force re-enrolment on next login from a trusted device
4. Audit recent activity: Pull last 72h of sign-in logs, mail rules, forwarding changes, file access, and admin actions
5. Check for persistence: Look for new inbox rules, OAuth app consents, new admin accounts, scheduled tasks created by this account
6. Notify manager and IT: Automated Teams message and email to user's manager and IT contact with recovery instructions and AI Analyst evidence summary
🌐 Malicious IP / C2 Communication Detected
P2 High · Auto-Remediate · MITRE T1071
1. Block IP/domain at firewall & DNS: API push of deny rule to Azure Firewall / NSG and internal DNS blocklist
2. Identify source endpoint: Correlate network flow to specific endpoint and user account from Defender XDR Advanced Hunting
3. Endpoint process investigation: Query MDE timeline for the responsible process, capturing process tree and parent chain
4. Conditional isolation: If beacon pattern confirmed (regular interval, small payload) → escalate to P1 and isolate host via MDE API
5. TI pivot: Expand IOCs from C2 IP to associated domains, ASN, and malware family via threat intel enrichment
📧 Phishing / BEC Email Detected
P2–P3 · Semi-Auto · MITRE T1566
1. Quarantine the email: Microsoft 365 Defender API moves it from all mailboxes that received it to quarantine
2. Identify all recipients: Search mail logs for all users who received the same email (same subject / sender / attachment hash)
3. Check for clicks / execution: Query Defender for Endpoint timeline and M365 Defender URL click logs for any users who interacted with the payload
4. Block sender / domain: Add to Microsoft 365 Defender blocklist
5. User notification: Automated phishing awareness message via Teams to all recipients
6. Escalate if clicked: Any confirmed click → trigger Account Compromise playbook for that user
📤 Data Exfiltration Detected
P1 · Auto-Remediate · MITRE T1041
1. Block outbound transfer in progress: Azure Firewall rule to block destination IP/port immediately
2. Isolate source endpoint: Network-isolate the host responsible for the transfer via Defender for Endpoint API
3. Quantify the transfer: Pull NSG flow logs and Defender CASB data to estimate data volume, destination, and file types
4. Identify the data: Cross-reference with Microsoft Purview DLP labels and file access logs to classify what was exfiltrated
5. Legal / breach notification flag: If PII/financial data confirmed → auto-flag for incident commander and legal. POPIA/GDPR breach clock starts.
6. Evidence chain preservation: Lock all relevant logs and snapshots with tamper-evident hashing for legal admissibility
AI Analyst Operating Costs
Per-client costs for PulseDefend's AI Analyst layer — including LLM API usage, threat intelligence APIs, and shared AI infrastructure. Microsoft Azure, Sentinel, and Defender licensing are carried directly by the client as part of their Azure subscription.
ℹ Cost responsibility: Each client implementation runs within the client's own Azure tenant. Azure Sentinel ingestion, Log Analytics workspace, and Defender licensing are billed directly to the client. PulseDefend charges only for the AI Analyst operating costs shown below.
✓ Key finding: At 20 incidents/day + 2 deep dives/day, total AI Analyst cost is approximately $78–95/month per client — well within margin on all pricing tiers.
LLM API Cost (AI Analyst)
Pricing basis: $3/MTok input · $15/MTok output
Triage Agent (every incident)
- Input tokens per incident: ~8,000
- Output tokens per incident: ~2,000
- 20 incidents/day × 30 days: 600 incidents/month
- Monthly — Triage Agent: $32.40
Investigation Agent (deep dives only)
- Input tokens per deep dive: ~30,000
- Output tokens per deep dive: ~5,000
- Cost per deep dive: ~$0.165
- 2 deep dives/day × 30 days: 60 deep dives/month
- Monthly — Investigation Agent: $9.90
Total LLM API / month: $42.30
Token estimates based on AI Analyst evaluation metrics: mean 10.3 tool calls, ~87s per triage. Deep dives carry 3–4× more context from expanded hunts and full IR report generation.
| Incidents/day | Deep Dives/day | LLM API/mo | Total AI Cost/mo |
|---|---|---|---|
| 5 | 1 | $10.40 | ~$38 |
| 20 | 2 | $42.30 | ~$92 |
| 50 | 5 | $114.75 | ~$182 |
| 100 | 10 | $229.50 | ~$318 |
100 incidents/day exceeds typical SMB volumes. At that scale, the client likely graduates to a larger enterprise engagement or dedicated infrastructure.
Threat Intelligence APIs (amortised across clients)
- VirusTotal (paid, shared): ~$100/mo ÷ 10 clients
- GreyNoise (Community/Paid): ~$50/mo ÷ 10 clients
- AbuseIPDB (paid): ~$20/mo ÷ 10 clients
TI APIs per client/month: ~$17
TI API costs drop as client count grows. At 20 clients these allocations halve. GreyNoise Community is free for limited use — start there and upgrade as volume demands.
AI Infrastructure (shared, per client)
- Azure Container Apps (AI worker + web): ~$80/mo ÷ 10
- Azure Database for PostgreSQL Flexible: ~$50/mo ÷ 10
- Azure Cache for Redis (processing queue): ~$35/mo ÷ 10
AI Infrastructure per client/month: ~$17
Infrastructure is shared across clients using tenant isolation (separate schemas / namespaces). At 20+ clients, consider dedicated ACA environments per client group.
Total AI Analyst Cost Summary
- LLM API (20 incidents + 2 deep dives/day): $42.30
- Threat Intelligence APIs (÷ 10 clients): $17.00
- AI Infrastructure (÷ 10 clients): $17.00
Total AI Analyst COGS / client / month: ~$76 – $95
Excludes analyst labour overhead. Add ~$80–120/client/month for Professional tier human analyst coverage. All costs in USD. Azure / Sentinel costs are carried by the client.
Pricing
Simple, transparent pricing. Monthly fees scale with your environment. Implementation is a single once-off investment per client engagement.
ℹ Cost note: Microsoft Azure, Sentinel, and Defender licensing are carried by the client directly. Monthly PulseDefend fees cover AI Analyst operations, managed SOC services, and platform access only.
Implementation Fee — Once-off per client deployment
$4,995 once-off
- Full environment discovery & scoping: 4-phase onboarding with dedicated implementation engineer
- Sentinel & Defender connector wiring: All Microsoft 365, Azure, and Entra ID data connectors configured and validated
- AI Analyst baseline evaluation run: 90-day historical incident evaluation — zero dangerous auto-closes confirmed before go-live
- SOAR playbook deployment & customisation: Logic App playbooks deployed and tuned to client's approved action scope
- Simulated attack validation & go-live: Full chain tested end-to-end before monitoring begins. Baseline security report delivered.
- 30-day hypercare period: Dedicated support and tuning in the first 30 days of production monitoring
Monthly Managed Service
Starter
$100
+ $10/user + $10/endpoint
per month · per client
AI-powered monitoring with 9×5 analyst oversight. Ideal for organisations seeking automated detection coverage with human escalation during business hours.
- AI Analyst Tier-1 triage (24/7 automated)
- Confidence-gated automated SOAR response
- Microsoft Sentinel analytics & UEBA
- Defender XDR & MDE integration
- Threat intelligence enrichment
- Vulnerability scanning
- 9×5 human analyst monitoring & escalation
- Monthly security posture report
- Microsoft Teams & email alerting
- 24/7 SOC human coverage
- Automated security audit reports
Professional
$300
+ $10/user + $10/endpoint
per month · per client
Full 24/7 SOC service with AI-augmented human analyst coverage around the clock, plus automated compliance-ready security audit reports.
- AI Analyst Tier-1 triage (24/7 automated)
- Confidence-gated automated SOAR response
- Microsoft Sentinel analytics & UEBA
- Defender XDR & MDE integration
- Threat intelligence enrichment
- 24/7 human SOC analyst monitoring & escalation
- Automated security audit reports
- MITRE ATT&CK threat hunting (scheduled)
- Dedicated escalation line
- Monthly + quarterly executive posture reports
- Vulnerability scanning
White-Label / MSP
Custom
Volume pricing available
contact us for MSP rates
Full white-label deployment under your brand. Deliver SOC-in-a-Box as your own managed security product — PulseDefend operates silently in the background.
- All Professional tier features
- White-label portal & reporting (your brand)
- Multi-tenant management dashboard
- Sliding scale volume discounts
- Reseller margin built into pricing
- Dedicated MSP success manager
- Co-branded onboarding collateral
- Priority SLA & escalation path
Pricing Example — 50 Users, 60 Endpoints
Implementation fee of $4,995 is charged once at the start of the engagement per client. No implementation fee on annual renewal. MSP volume discounts apply from 5+ clients.