Hexory is a sovereign, multi-agent AI SOC platform built in the Kingdom of Saudi Arabia. It triages, investigates, and responds to security threats at machine speed, with every decision explainable and auditable.

How is Hexory different from a traditional SOAR or SIEM?

Traditional SOAR follows rigid playbooks and SIEM generates alerts based on static rules. Hexory uses multi-agent AI that reasons through each case — correlating signals, gathering evidence, and producing a defensible verdict with full reasoning trace, rather than handing more alerts back to overwhelmed analysts.

How does Hexory align with Saudi NCA and SDAIA frameworks?

Hexory is engineered to map against the National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC-2:2024) and aligned with the SDAIA AI Adoption Framework — which mandates transparency, human oversight, and model accountability for public-sector AI deployments in the Kingdom.

Where is Hexory's data hosted?

Hexory is designed for in-Kingdom deployment on sovereign infrastructure, with customer control over where models run, where data lives, and who has access. Data handling is aligned with Saudi PDPL requirements.

What does 'earned autonomy' mean?

Earned autonomy means Hexory's AI agents act independently only on scenarios they've demonstrably proven they can handle. Novel or high-impact situations are escalated to humans. Every autonomous action is logged, reviewable, and reversible — giving SOCs speed without sacrificing control.

Request a demo

Self-learningAutonomous SOC

A multi-agent AI workforce that triages, investigates, and responds at machine speed, with every decision explainable and auditable.

Request a demo

Hexory-LLM · Live

Sec Intelligence

Sec-LLMExplainableSovereignReal-time

THREAT INPUTLow-prevalence domain · signin.accounts-gooqle.com

CONTEXTUser amir-david · host amir-david-pc · IP 104.215.148.63

REASONINGTyposquat pattern detected — credential harvesting hypothesis

EVIDENCE FORLow prevalence (moderate) · Deceptive TLD (strong)

EVIDENCE AGAINSTNo prior entity flags (weak) · Low asset criticality (weak)

VERDICTESCALATE · Confidence 87% · Full trace attached

863

Alerts processed

33%

Auto-resolved

Critical missed

Hexory-LLM — purpose-built for security reasoning. Sovereign. Explainable.

Our Core Differentiator

Powered by Hexory-LLM. Purpose-built for security.

Most platforms wrap a generic LLM around security alerts. Hexory-LLM is different. It was trained from the ground up on real SOC decisions — triage verdicts, investigation traces, and analyst actions — so its reasoning reflects how experienced security teams actually think. The result is a model that understands context, surfaces evidence on both sides of a verdict, and never hides behind a confidence score without explaining why.

Security-Native Reasoning

Built exclusively on real SOC decisions — triage verdicts, investigation traces, and analyst responses. Not fine-tuned on web text. Every inference grounded in security logic.

Sovereign by Design

Deployed inside your perimeter. Your alerts, your decisions, your data never leave your environment. Deploy on public cloud, private cloud, or fully air-gapped — wherever your policy requires.

Arabic + English Intelligence

Native bilingual reasoning in Arabic and English. Threat narratives, analyst reports, and escalation summaries delivered in the language your team works in.

Governance-Ready

Every decision carries a full reasoning trace, evidence weights, and an audit log. Satisfies regulators who ask: why was this alert escalated, and who approved it.

Continuously Self-Improving

Hexory-LLM learns from every HITL feedback loop in your environment. The longer it runs, the sharper it gets on your attack surface and your tolerance thresholds.

Calibrated Confidence

Every verdict surfaces a confidence score with the reasoning behind it. The model tells you when it is uncertain — so you know when to act and when to review.

Air-Gap Ready

Fully on-premises deployment supported

Cloud Flexible

Public, private, or hybrid deployment

Arabic-English

Native bilingual threat intelligence

Audit-Ready

Full decision trace on every verdict

How autonomy is earned, not assumed

From Intern to Autopilot. On criteria you can verify.

Hexory promotes itself through three stages of autonomy, gated by measurable performance against your environment. You see the criteria. You watch the platform earn each promotion. Nothing is assumed.

SUPERVISED

The Intern

What the AI does

Recommends actions for every alert
You approve or reject each one
Builds trust through every review

Analyst time

~3 hrs/day

Review load

You review everything

Criteria

Starting stageNo criteria required

HYBRID AUTONOMY

The Co-Pilot

What the AI does

Auto-closes obvious noise (LOW severity)
You still approve all escalations
Medium and above always need your eyes

Analyst time

~1.5 hrs/day

Review load

~50% less manual review

Criteria to reach this stage

Alert Volume100+ alerts triaged
False Positive RateUnder 20%
Trust Score60 or higher

FULL AUTONOMY

The Autopilot

What the AI does

Auto-closes LOW + MEDIUM noise
Auto-escalates HIGH/CRITICAL to T2
You only review edge cases & gray areas

Analyst time

~30 min/day

Review load

~90% automated

Criteria to reach this stage

Alert Volume500+ alerts triaged
False Positive RateUnder 5%
Agreement Rate85% or higher
Trust Score80 or higher

Promotion criteria are evaluated continuously. Trust Score combines accuracy, agreement with analysts, and false-positive performance. Stages are reversible: if metrics drop, autonomy is reduced automatically.

The AI SOC you were promised. Now actually shipped.

Identify

What matters

Multi-agent triage and investigate alerts at machine speed, suppressing false positives so analysts only see real threats.

Investigate

At Scale

Specialized AI agents chase down evidence on prioritized cases, every hypothesis, every pivot, every conclusion attached to its reasoning trace.

Respond

With earned control

Agents act on what they’ve proven they can handle. Anything novel is escalated. Every action is logged, reviewable, reversible.

It’s not about automating. Hexory explains.

Every triage. Every escalation. Every conclusion. With full reasoning you can audit.

The Hexory Way

Every decision shown, evidence, reasoning, outcome
Full reasoning trace, audit-ready by default
A four-act narrative for every investigation
Earned autonomy, the platform improves with your team

Hexory SOC · Evidence Review

Hexory Summary

User amir-david accessed low-prevalence domain signin.accounts-gooqle.com from IP 104.215.148.63. Agent escalated to Tier 2 — credential harvesting pattern identified.

Evidence For Escalation

Typosquat domain patternStrong

Low domain prevalenceModerate

Credential harvesting signatureModerate

Evidence Against

No prior entity flagsWeak

Low asset criticality tierWeak

Recommended Action

Escalate to Tier 2

Confidence

87%

The platform

One platform. Every decision explained.

Noise Shield

Silence the noise before it reaches an analyst.

Multi-agent triage filters obvious noise at machine speed, surfacing only what genuinely needs human attention. Every alert that reaches the HITL queue arrives with a structured verdict: Hexory Summary, Threat Assessment, Affected Assets, and the evidence both for and against the AI's recommended action.

Noise Shield filters ~33% of alerts automatically at maturity
Every queue item carries a structured verdict, not just a label
Quick Decision Mode: approve, escalate, or modify in one click

Hexory SOC · Triage

Hexory HITL Queue showing the Quick Decision Mode card with Hexory Summary, Threat Assessment, and structured evidence

Live screen from the Hexory platform. Customer-identifying values redacted.

The modern SOC is being challenged with evolving attack size.

of organizations name false positives their #1 detection challenge

SANS 2025 Detection & Response Survey

of SOC analysts report burnout

Tines Voice of the SOC Analyst Report

0 mo

average SOC analyst tenure — among the shortest in IT

Industry consensus, SOC retention research

daily alerts at enterprise scale, with 50–80% false-positive rates

AI SOC Market Landscape 2025

8–12 analysts

$1M–$2M annually to operate a 24/7 Tier-1 SOC

Industry SOC staffing & total cost of ownership benchmarks

We don’t sell features. We replace broken assumptions.
The Hexory thesis

Built to run anywhere. Powered by Hexory-LLM.

Deploy anywhere

Compatible with every major hyperscaler.

Run Hexory on public cloud, sovereign cloud, hybrid, or fully on-premises. The platform is cloud-agnostic and Kubernetes-native — your infrastructure choice, not ours.

Google Cloud

AWS

Microsoft Azure

Oracle

Hexory-LLM

Our model. Purpose-built for security.

Hexory-LLM is not a general-purpose model wrapped around alerts. It was trained from the ground up on real SOC decisions — so its reasoning reflects how experienced security teams actually think.

Security-Native Trained exclusively on real SOC decisions — triage verdicts, investigation traces, analyst actions.

Sovereign Deployment Runs fully inside your perimeter. Your data never leaves your environment.

Governance-Ready Meets your organization's data residency and regulatory requirements, wherever you operate.

Audit-Ready Every decision carries a full reasoning trace and evidence log.

Self-Improving Learns from every HITL feedback loop. Gets sharper the longer it runs in your environment.

See it in your environment.

30 minutes. Real telemetry, real triage. You decide whether the numbers we just claimed hold up against your alert backlog.

Live walkthrough of T1, T2, and the Trust Agent
Discussion of your deployment topology and data sovereignty needs
NCA-alignment review against your current MSOC posture