
Resolve AI

Resolve AI is SenseOn's autonomous investigation capability. It analyses security cases raised by the SenseOn platform, gathers evidence from multiple data sources, and delivers clear, evidence-backed verdicts — so your team spends less time on repetitive triage and more time on what matters.


What does Resolve AI do?

Every time SenseOn raises a high- or critical-severity case that is managed by the SenseOn SOC, Resolve AI automatically picks it up and investigates it as an experienced SOC analyst would. It gathers context, checks historical patterns, queries threat intelligence, and produces a structured verdict with a confidence score.

The result is a clear recommendation for each case:

  • Escalate. This case requires your attention. Resolve AI flags confirmed threats, suspicious activity, and anything it cannot rule out as benign.
  • Close as False Positive. The detection fired incorrectly. The observed activity does not match what the rule was designed to detect.
  • Close as Benign True Positive. The detection fired correctly, but the activity is genuinely harmless. Examples include a sysadmin running legitimate maintenance scripts, scheduled backup software, and routine IT asset discovery.
  • Needs More Info. There is not enough data to make a confident call. Resolve AI tells you exactly what is missing so your team can follow up.

Every verdict includes supporting evidence, a confidence score, and recommended next steps — giving your analysts everything they need to validate or act on the finding.


How does it work?

Resolve AI follows a structured investigation process for every case:

  1. Evidence gathering. Resolve AI pulls together data from multiple sources including case details, detection rule context, host and network observations, historical case patterns, and threat intelligence feeds.
  2. Analysis. All gathered evidence is analysed together to build a complete picture of the activity. Resolve AI considers what the detection rule is designed to catch, whether the observed behaviour matches known benign patterns, and how similar cases have been resolved in the past.
  3. Verdict delivery. A structured verdict is produced with a confidence score, key evidence, and recommended analyst actions.

What data sources does Resolve AI use?

Resolve AI draws on a rich set of context to inform every investigation:

  • Case details. The full case timeline, observations, and metadata from SenseOn Hunt Lab.
  • Detection rule context. What the triggering rule is designed to detect and why it fired.
  • Historical patterns. How similar cases have been resolved previously, both for your organisation and across the wider SenseOn customer base.
  • Host and network telemetry. Related observations from the same hosts, users, and IP addresses.
  • Threat intelligence. Enrichment from multiple threat intelligence sources covering IP reputation, domain analysis, file hashes, and known indicators of compromise.

Confidence scoring

Every verdict comes with a confidence level so your team knows exactly how much weight to place on the recommendation:

Confidence   What it means
High         Strong historical evidence supports this verdict. Clear detection context with no conflicting signals. You can act on this with high assurance.
Medium       Moderate supporting evidence. Some ambiguity, or a single signal without corroboration. Worth a quick review before acting.
Low          Limited historical data or conflicting signals. Treat as a starting point for further investigation.

How does Resolve AI handle security testing?

Resolve AI is designed to be cautious. If it detects activity that resembles penetration testing, red team exercises, phishing simulations, or vulnerability scanning, it will always escalate — even if the activity appears to be expected or scheduled.

Only your team can confirm whether security testing is authorised. Resolve AI will never assume testing activity is benign, ensuring you always have visibility into these events.
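The verdict taxonomy, the confidence levels, and the "security testing always escalates" rule above combine into a single decision policy. The following is an added illustrative model of that policy, written for this page; it is not SenseOn's code and does not describe how Resolve AI is actually implemented. The evidence fields, the numeric thresholds that map onto High/Medium/Low, and the sample cases are all assumptions made for the example. It also encodes the fail-safe stated in the FAQ: a close verdict is never issued on Low confidence, the case is escalated instead.

```python
"""Illustrative triage-policy model (added example, not SenseOn's code).

Field names, thresholds and sample cases are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Verdict labels as used on the page
ESCALATE = "Escalate"
FALSE_POSITIVE = "Close as False Positive"
BENIGN_TP = "Close as Benign True Positive"
NEEDS_INFO = "Needs More Info"


@dataclass
class Evidence:
    """Signals an investigation has gathered (assumed structure)."""
    rule_intent_matched: Optional[bool]    # activity matches what the rule targets? None = unknown
    known_benign_pattern: Optional[bool]   # e.g. scheduled backup, asset discovery; None = unknown
    threat_intel_hits: int = 0             # IOC / IP / domain / hash matches
    resembles_security_testing: bool = False
    corroborating_signals: int = 0         # independent sources agreeing
    conflicting_signals: int = 0           # sources disagreeing
    similar_cases_resolved: int = 0        # historical precedent for this pattern


@dataclass
class Verdict:
    decision: str
    confidence: str
    evidence: List[str] = field(default_factory=list)
    next_steps: List[str] = field(default_factory=list)


def confidence_for(ev: Evidence) -> str:
    """Map the page's confidence table onto evidence counters (thresholds assumed)."""
    if ev.conflicting_signals > 0 or ev.similar_cases_resolved < 3:
        return "Low"       # conflicting signals or little history
    if ev.corroborating_signals < 2:
        return "Medium"    # a single signal without corroboration
    return "High"          # corroborated, historical support, no conflict


def triage(ev: Evidence) -> Verdict:
    conf = confidence_for(ev)
    # Security-testing look-alikes escalate unconditionally: only the
    # customer can confirm authorisation, so the policy never assumes it.
    if ev.resembles_security_testing:
        return Verdict(ESCALATE, conf,
                       ["activity resembles pentest / red team / scanner behaviour"],
                       ["confirm with the customer whether testing is authorised"])
    if ev.threat_intel_hits > 0:
        return Verdict(ESCALATE, conf,
                       [f"{ev.threat_intel_hits} threat-intelligence hit(s)"],
                       ["review related host and network observations"])
    # Unknowns: state exactly what is missing rather than guess.
    missing = []
    if ev.rule_intent_matched is None:
        missing.append("whether the activity matches what the rule is designed to detect")
    if ev.known_benign_pattern is None:
        missing.append("whether the activity matches a known benign pattern")
    if missing:
        return Verdict(NEEDS_INFO, "Low", ["insufficient evidence"],
                       [f"collect: {m}" for m in missing])
    if not ev.rule_intent_matched:
        verdict = Verdict(FALSE_POSITIVE, conf,
                          ["observed activity does not match the rule's intent"],
                          ["consider tuning the detection rule"])
    elif ev.known_benign_pattern:
        verdict = Verdict(BENIGN_TP, conf,
                          ["rule fired correctly; activity matches a known benign pattern"],
                          ["no action required"])
    else:
        return Verdict(ESCALATE, conf,
                       ["activity matches the rule and cannot be ruled out as benign"],
                       ["analyst review required"])
    # Fail-safe: never close a case on Low confidence; escalate instead.
    if verdict.confidence == "Low":
        return Verdict(ESCALATE, "Low",
                       verdict.evidence + ["close verdict withheld: confidence too low"],
                       ["analyst review required"])
    return verdict


# Constructed sample cases (not real SenseOn cases).
SAMPLE_CASES: Dict[str, Evidence] = {
    "scheduled_backup": Evidence(True, True, corroborating_signals=3, similar_cases_resolved=12),
    "rule_misfire":     Evidence(False, False, corroborating_signals=2, similar_cases_resolved=5),
    "scanner_lookalike": Evidence(True, True, resembles_security_testing=True,
                                  corroborating_signals=3, similar_cases_resolved=12),
    "missing_context":  Evidence(None, None),
    "benign_but_shaky": Evidence(True, True, corroborating_signals=1,
                                 conflicting_signals=1, similar_cases_resolved=8),
}


def triage_all(cases: Dict[str, Evidence] = SAMPLE_CASES) -> Dict[str, Verdict]:
    return {name: triage(ev) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        print(f"{name:18} {v.decision:30} [{v.confidence}]  next: {'; '.join(v.next_steps)}")
```

Running the block prints one line per constructed case. Note that "scanner_lookalike" carries the same strong benign evidence as "scheduled_backup" yet escalates, and "benign_but_shaky" would have been a benign true positive but is escalated because a conflicting signal pulls its confidence to Low; those two cases are where the page's cautious-by-design behaviour shows up.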


What are the benefits?

Faster case resolution. Cases that previously required manual analyst review are investigated automatically, reducing time-to-verdict from hours to minutes.

Consistent, evidence-backed decisions. Every verdict follows the same structured investigation process, drawing on the same data sources and applying the same standards. No more variation between analysts or shifts.

More time for high-value work. By handling the high-volume, repetitive cases, Resolve AI frees your security team to focus on genuine threats, proactive threat hunting, and strategic security improvements.

Full transparency. Every verdict includes the evidence gathered, the reasoning behind the decision, and clear next steps. Your team always has the full picture and the final say.

Continuous learning from history. Resolve AI considers how similar cases have been resolved across your organisation and the wider SenseOn customer base, giving it pattern recognition that improves with every case.


Frequently asked questions

Does Resolve AI replace the SenseOn SOC? No. Resolve AI handles the repetitive, high-volume cases so the SOC can focus on complex investigations and threat hunting.

Can Resolve AI take actions in my environment? Resolve AI is an analysis and recommendation engine. It investigates cases and delivers verdicts; it does not make changes to your environment, block users, or isolate hosts.

How accurate is it? Resolve AI is held to a strict quality standard with greater than 99% agreement with experienced analyst decisions. Every verdict includes a confidence score to help prioritise.

What if Resolve AI gets it wrong? Safety is built into the design. When in doubt, Resolve AI escalates rather than closing a case. High-confidence auto-close thresholds are jointly managed with strict oversight, and any unexpected result triggers immediate review.

Does it work with my existing SenseOn setup? Yes. Resolve AI works with your existing SenseOn deployment with no additional configuration required. It reads cases from your environment and delivers verdicts alongside your existing workflows.