AI-powered SOC augmentation platform · Built by AlecTech

One analyst. Five analysts' worth of output.

Themis is the reasoning layer that sits on top of your SOC — grounding every alert in your threat intel, runbooks, and environment, then investigating it end-to-end before an analyst ever opens the ticket. Alert floods become investigated cases. Tier 1 becomes strategic. Your senior analysts stop quitting.

For MSSPs & MDR providers · For internal SOCs · SIEM-agnostic · Hybrid: RAG + agentic
THEMIS · LIVE TRIAGE #8422 ACTIVE
ALERT defender · severity high · powershell.exe encoded command
retrieving context... user msmith, host FIN-WS-042, 4 related alerts in 3min
grounded in: MITRE T1059.001 · PS runbook v2.1 · user baseline
decoding... base64 payload, downstream process chain, C2 indicators
evidence: DownloadString to pastebin · spawns cmd.exe · user not a dev
correlating... 3 similar hosts in last 24h — possible campaign
recommending containment...
verdict ready
HIGH · CONFIDENCE 9/10 risk: HIGH · contain
Encoded PowerShell invoking remote payload from pastebin under non-developer account. Pattern matches 3 other hosts in last 24h. Recommended: isolate FIN-WS-042, disable user, collect memory image. Awaiting analyst authorization.

Alert throughput per analyst, vs. unaided Tier 1 triage

~8 min

Typical time from alert ingestion to evidence-backed verdict

70%+

Of low-risk alerts auto-suppressed with cited reasoning

0

Actions executed without a named human authorizing them

The Artifact

This is what Themis produces, on every alert.

Not a score. Not a summary. A complete investigation — verdict, reasoning, executable next steps, response actions — sitting in your analyst's queue before they've poured their coffee.

Alert Overview
Agent: PooriaMadaniHomePC (192.168.2.147)
Rule: sysmon_eid1_detections · Level 12
Threat Assessment
BENIGN Final confidence 7/10 · Risk LOW
sdbinst.exe launched by svchost (PcaSvc) under SYSTEM. Command line matches expected compatibility-database update behaviour. No suspicious child processes, network, or persistence activity observed.
Investigation Plan
  1. Get-FileHash C:\Windows\System32\sdbinst.exe -Algorithm SHA256
  2. Get-Process -Id 68508 | Format-List *
  3. Get-WinEvent — filter Security ID=4688 around 16:18:50
  4. Pull Sysmon EID 10/11 and 3/13 for context window
Response Actions
  • Isolate if unexpected: Stop-Process -Id 68508 -Force
  • Collect artifact to \Evidence\sdbinst_20260416.exe
  • Monitor sdbinst re-invocation for 24h
What you're looking at

A real Themis output, redacted. This is the artifact every alert becomes — before a human touches it.

Verdict with confidence

Every finding carries a confidence score and a risk level. Analysts see at a glance what needs their attention and what Themis already settled.

Reasoning, not just classification

Narrative analysis that reads like a senior analyst wrote it — because under the hood, the agent pivoted across Sysmon, process, and network context before deciding.

Executable next steps

Concrete PowerShell and EDR commands, already tailored to the host and the alert. Tier 1 verifies; they don't invent.

Response ready to authorize

Containment, evidence collection, and monitoring actions pre-drafted. One click to escalate, one click to dismiss. Either way, the audit trail is already written.

The Problem

Your SOC doesn't have an alert problem. It has an investigation problem.

Every vendor will sell you another detection engine. Your analysts don't need more alerts — they need fewer, better ones, already investigated. Themis is the layer between the firehose and the ticket.

That investigation gap is why Tier 1 analysts burn out, senior hunters get pulled into triage, and your best runbooks live in someone's head instead of your stack. The alerts aren't the problem. The work between the alert and the verdict is.

Today

  • Tier 1 analysts burning out on alert triage by month four
  • Senior analysts pulled into Tier 1 work, strategic programs stalling
  • MDR margins compressed by headcount cost to meet SLA
  • Reasoning for dismissed alerts lost when the analyst leaves
  • Investigation playbooks live in people's heads, not the stack
  • Every new SIEM rule ships another thousand alerts nobody reads

With Themis

  • Every alert auto-triaged with verdict, confidence, and cited reasoning
  • Tier 1 reviews Themis output; senior analysts get their week back
  • MSSP margins expand without adding analyst seats
  • Every dismissal and every escalation is a permanent, auditable record
  • Your runbooks are the agent's runbooks — indexed, grounded, reused
  • Alert volume grows; analyst load doesn't
How Themis thinks

Hybrid by design: grounded knowledge, agentic action.

Themis isn't a chatbot wrapper over your alerts. It's a purpose-built reasoning system with two layers that work together: a retrieval-augmented knowledge layer so the agent always answers from fact, and an agentic investigation layer so it can actually do the work.

Knowledge Layer · RAG

Every answer grounded in your context.

Themis retrieves from a layered corpus before it reasons. No hallucinated CVEs. No generic advice. Answers cite sources, every time.

  • Global threat intelligence: CVE feeds, IOC databases, vendor advisories, refreshed continuously
  • MITRE ATT&CK + D3FEND: every finding mapped to techniques, with countermeasure linkage
  • Runbook library: your SOPs, indexed and retrievable — the agent uses what you'd use
  • Customer-specific context: your assets, your suppressions, your past incidents — the moat no generic LLM has
Investigation Layer · Agentic

Multi-step reasoning across your stack.

A retrieval system alone doesn't investigate. Themis's agent plans, pivots, and decides — the work a Tier 2 analyst would do, done end-to-end.

  • Plans the investigation: decides what to check, in what order, based on alert type and context
  • Pivots across data sources: process tree, network, identity, cloud — follows the thread wherever it leads
  • Proposes cited actions: every recommended step linked to the evidence and the framework that justifies it
  • Human-in-the-loop by default: execution is always authorized; audit is always written
Built for

Two buyers. One reasoning engine.

Themis was designed with MSSP operations leads and internal CISOs in the room. Each gets the surface they need; both work from the same defensible record.

MSSPs & MDR providers

Scale without hiring.

"I'm winning deals faster than I can hire analysts. Every new customer compresses my margin unless I can do more with the team I have."

  • Multi-tenant from the ground up, with per-customer context isolation
  • Force-multiply Tier 1 without sacrificing investigation quality
  • Grow the book without growing headcount linearly
  • Customer-branded artifacts and reporting, white-label ready
  • Per-tenant runbook tuning — their playbooks, their context
Internal SOCs & CISOs

24/7 coverage without 24/7 headcount.

"I can't staff three shifts of Tier 1 analysts. I need my two senior people doing threat hunting, not wading through alerts."

  • Off-hours coverage without outsourcing your context
  • Senior analysts freed for hunting, purple teaming, architecture
  • Every investigation documented — your knowledge stops walking out the door
  • Deploys against your SIEM of record, no rip-and-replace
  • Sovereign hosting available for regulated industries
Integrations

Works with what you already own.

Themis is SIEM-agnostic and tool-agnostic. If your stack emits telemetry and accepts actions, Themis plugs in. No rip-and-replace, no forklift migration, no vendor lock-in.

SIEM & log

Wazuh
Microsoft Sentinel
Splunk Enterprise
Elastic Security
Chronicle / SecOps

EDR & XDR

CrowdStrike Falcon
Microsoft Defender
SentinelOne
Bitdefender GravityZone
Cortex XDR

Identity, cloud & network

Microsoft Entra ID
Okta
AWS CloudTrail
Azure Monitor
Fortinet FortiGate

Response, ticketing & MDR

Arctic Wolf
ServiceNow
Jira Service Management
Slack & Teams
BreachGuard

Not listed? Themis exposes a REST API and a webhook bus. If it emits JSON, we can reason on it; if it accepts a POST, we can act through it. Connector requests typically ship in two weeks.
Outcomes

What SOC leaders measure when Themis is in the stack.

Target outcomes from AlecTech's internal SOC deployments and early design partners. Your mileage will vary with alert volume, tuning maturity, and the quality of your upstream detections — which is part of why the first demo is a working session, not a slide deck.

Analyst throughput

Alerts meaningfully investigated per analyst-hour, versus unaided Tier 1 triage.

−80%

Mean time to triage

From hours to minutes, measured from ingestion to verdict with evidence.

70%+

Benign auto-suppression

Of low-risk alerts closed with cited reasoning, one-click reviewable.

100%

Audit coverage

Every verdict, every action, every dismissal — timestamped and attributable.

These numbers represent Themis in well-tuned deployments. On day one, expect lower ratios while the knowledge layer learns your environment; on month three, expect to exceed them as your runbook library and suppressions become Themis's long-term memory.

Questions we hear often

Answered plainly.

The questions every SOC director asks on the second call. Here they are before you pick up the phone.

Isn't this just ChatGPT pointed at my alerts?

No, and the difference matters. A generic LLM has no knowledge of your assets, your suppressions, your runbooks, or your past incidents — so it either refuses to commit to a verdict or it confabulates one. Themis's knowledge layer grounds every response in your environment and the global threat corpus (MITRE ATT&CK, CVE feeds, vendor advisories). Its investigation layer is a purpose-built agent that plans multi-step triage, pivots across your telemetry, and cites its evidence. The output is auditable; the reasoning is traceable; the actions require human authorization.

How is this different from Microsoft Security Copilot or CrowdStrike Charlotte AI?

Security Copilot and Charlotte are vendor-locked — they reason on data that lives inside their respective platforms. That's fine if your whole SOC runs on one vendor. Most don't. Themis is SIEM-agnostic and XDR-agnostic by design; it reasons across whatever telemetry you already have, without asking you to consolidate.

We also expose the knowledge layer: you can inspect what runbooks are indexed, see which were retrieved for a given decision, and tune the corpus. That level of transparency isn't available in the closed copilots.

What if Themis gets a verdict wrong and takes action?

Themis doesn't take action. Humans do. Every response in the artifact — isolate, block, disable, notify — is a recommendation with cited evidence, executed only after a named human authorizes it. That authorization is captured in the immutable audit log.

For lower-risk workflows (benign alert auto-closure, ticketing hand-off), customers can opt into automation tier by tier — but the default posture is recommend, not act.

Does Themis replace our analysts?

No. Themis replaces the part of the analyst's day that nobody wanted: manual triage of alerts that turn out to be benign 95% of the time. What's left is the work analysts are actually trained for — validating edge cases, hunting, tuning detections, investigating real incidents.

Every MSSP and internal SOC we talk to is undersupplied on analyst capacity, not oversupplied. Themis stretches the team you have.

Where does the data live? Is this Canadian-hosted like AlecTech's other products?

Themis supports both options. Default deployment for Canadian customers is in Canadian data centres. For international customers we offer regional residency (US, EU).

For customers with sovereign or air-gapped requirements, Themis can be deployed in-tenant against your own model endpoints (Azure OpenAI private deployment, self-hosted Llama or Qwen, or similar). We support sovereign AI posture because some of our customers — including regulated industries and government — require it.

Do you train on our data?

No. Customer telemetry and runbooks are retrieved at inference time, not used to train models. The customer-specific context layer is a per-tenant retrieval index; it is not commingled, not used for any other customer, and is deleted on contract termination. Your data is your data.

What does deployment actually look like?

Standard deployment is 2–4 weeks. Week one: connect telemetry sources and import your runbook library. Week two: tune the knowledge layer, set up routing to your cockpit and ticketing, configure per-tenant (or per-department) context. Week three: parallel run against live alerts with your analysts reviewing every Themis output. Week four: cutover, with Themis handling first-pass triage and your analysts reviewing.

Larger MSSPs with complex multi-tenant topology can take 6–8 weeks.

How is Themis priced?

Themis is licensed per tenant (for MSSPs) or per seat (for internal SOCs), with volume pricing on alert throughput. All integrations, all knowledge-layer sources, and the agentic investigation layer are included — we don't upsell you on capabilities that should be standard. Pricing is tailored during the discovery call to match your alert volume and deployment model.

Does this integrate with BreachGuard?

Yes. When a Themis investigation concludes that an incident involves personal information, it can auto-create a BreachGuard privacy incident with the relevant evidence attached — kicking off the regulatory notification workflow from the same source of truth as the security incident.

This is the AlecTech advantage: security and privacy operations sharing one record, one timeline, one audit trail.

Book a working session

See Themis triage a live alert.

Thirty minutes with an AlecTech security engineer. We connect Themis to a representative telemetry feed — yours or ours — and walk you through an investigation end-to-end. No slide decks, no pitch. Just the artifact, the reasoning, the actions.

Canadian-built
30-minute sessions
No slide decks
Deployable globally
Working session agenda
  1. Your telemetry, ingested live: Wazuh, Sentinel, Splunk, or a representative sample we provide.
  2. One real alert, investigated end-to-end: watch Themis ground, pivot, reason, and produce the full artifact.
  3. Your questions, answered by an engineer: no sales handoff. The person on the call is the person who built it.
  4. The deployment scope, mapped: how Themis fits your stack, how long it takes, what the first 90 days look like.