Governed run replay
Live - no signup

Triage alerts under your controls.
Watch a responder approve containment.

A governed SOC-triage run, replayed end to end: source-grounded evidence from telemetry, deterministic detection checks, then a human approval gate where a responder approves containment - the containment action stays in preview until approved.

Read-only replay of an illustrative run - no inputs, no production credentials.

  • Telemetry-grounded evidence with citations
  • A human approval gate that owns containment
  • A tamper-evident proof packet
  • Self-hosted, EU-hosted - under your controls

A governed run, replayed in full below - ending in a human containment approval and an auditable proof packet. The run is an illustrative sample; no production data is involved.

Autonomous SOC triage
Run run_9f12cc - flow soc-triage/v3
Governed run - illustrative sample - EU region
Steps: Run received; Telemetry intake & evidence extraction; Deterministic detection checks; Policy-trigger checks; Threat scoring; Human approval gate; Proof packet recorded; Review complete
Watch a governed run, end to end

Eight events, in the order the platform records them - from intake to a human approval gate that owns containment. Nothing happens in the run beyond what you see here.

status - seq 1
Run received
running

A high-severity endpoint alert was submitted for governed triage. The run is registered against flow soc-triage/v3 and begins under the workspace's controls - every step from here is recorded.

Subject: High-severity endpoint alert
Flow: soc-triage/v3
Run id: run_9f12cc
Region: EU
node - seq 2
Telemetry intake & evidence extraction
passed

The alert and its telemetry were parsed and source-grounded evidence was extracted - each finding carries a citation back to the telemetry source it came from.

Process tree - suspicious script interpreter spawned. Evidence: 7 items (edr-trace 9f12)
Network connections to an external command host. Evidence: 4 items (netflow 2026-06-18)
Technique mapping - command and scripting interpreter. Evidence: 1 item (mitre T1059)
node - seq 3
Deterministic detection checks
info

Rule-based detection checks ran against the alert telemetry. The benign-activity checks passed, but a malicious-execution rule matched - and that match is what the approval gate later depends on.

Endpoint agent healthy and reporting
No approved maintenance window active
Malicious execution detection matched: command and scripting interpreter - MITRE T1059
node - seq 4
Policy-trigger checks
info

Workspace policies were evaluated against the extracted evidence. One policy trigger fired on lateral movement.

Affected host outside the critical-asset tier
Lateral movement observed toward a privileged host. Policy: lateral-movement / privileged-host
node - seq 5
Threat scoring
passed

The findings were combined into a composite threat score. The score is high, so the run is routed to a human responder rather than auto-contained.

Score: 74 / 100 - High
Scale: 0 low; 60 review threshold; 100 high

Above the 60 review threshold -> routed to a human approval gate. No containment is applied automatically.

approval - seq 6
Human approval gate
approved
Containment authorization
gate: containment-authorization
Approved

A responder examined the run and approved containment at the gate. The host-isolation action stays in preview - a dry-run - until this approval, and only then is the host isolated.

Confirmed malicious execution - MITRE T1059
Lateral movement toward a privileged host
Responder: SOC responder. Decision recorded at the gate.
output - seq 7
Proof packet recorded
completed
Packet: soc-triage_run_9f12cc.packet (sha256: 9f12...cc31)
Decision
APPROVED
Host isolation released from preview after approval. Containment scoped to the affected endpoint only.
Reasons
Confirmed malicious execution - MITRE T1059
Lateral movement toward a privileged host
Evidence (source-grounded citations)
Process tree and execution chain edr-trace 9f12
External command-host connections netflow 2026-06-18
Technique mapping mitre T1059
Written once to a tamper-evident, append-only audit ledger - decision, responder, reasons, and evidence.
done - seq 8
Review complete
completed
Finished with a recorded, auditable human decision

The run ended exactly where governance required: a person decided, the decision is logged, and there is a proof packet anyone can audit later. Containment stayed in preview until a human approved it.

Outcome: Containment approved at human gate
Decided by: SOC responder
Proof packet: run_9f12cc
Events recorded: 8 of 8
What just happened

Three governance moments, in one run.

The replay is not a chatbot demo. It is the control plane doing its job: grounding, gating, and proof - the parts a regulator asks about.

Seq 2

Evidence from telemetry

Every finding is grounded in a telemetry source and technique mapping. Responders and auditors can trace any claim back to where it came from - not to a model's recollection.

Seq 6

A human gate that owns containment

A high threat score routes to a responder, not an auto-contain. Here the responder approved host isolation - and the action stayed in preview until that approval. Nothing is isolated without it.

Seq 7

A tamper-evident proof packet

The decision, the responder, the reasons, and the cited evidence are written once to an append-only audit trail. Months later, you can prove exactly why this host was contained.
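The three moments above (cited evidence, a threshold that routes to a human gate with containment held in preview, and a hashed proof packet on an append-only ledger) can be modelled in a few dozen lines. The following is an added example written for this page, not PrivateFlow's code: every field name, check, score weight and hostname is an assumption, the telemetry is constructed, and the weights are chosen so that the composite score reproduces the replay's 74/100. It shows the gate actually refusing to isolate until a responder approves, and a hash chain that fails verification the moment a recorded decision is edited.

```python
"""Toy model of the governed triage run replayed on this page. Added example,
not PrivateFlow's code; names, weights, checks and telemetry are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

REVIEW_THRESHOLD = 60  # page: above 60 -> human approval gate, never auto-contain
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "bash"}

# Constructed telemetry keyed by the replay's citation labels (synthetic values, assumed hosts).
TELEMETRY = {
    "edr-trace 9f12": {"host": "ws-0142",
                       "process_tree": ["explorer.exe", "winword.exe", "powershell.exe"]},
    "netflow 2026-06-18": {"external_command_host": "203.0.113.7", "lateral_targets": ["dc01"]},
    "asset-db": {"ws-0142": "standard", "dc01": "privileged"},  # asset tiers (assumed)
    "agent-status": {"ws-0142": "healthy"},
    "change-calendar": {"maintenance_window_active": False},
}

@dataclass
class Finding:
    text: str
    citation: str  # telemetry source the claim traces back to
    weight: int    # illustrative weight; the three below sum to the replay's 74

def extract_evidence(t):
    """Seq 2: each finding cites the telemetry it came from."""
    findings = []
    if any(p in SCRIPT_INTERPRETERS for p in t["edr-trace 9f12"]["process_tree"]):
        findings.append(Finding("Confirmed malicious execution - MITRE T1059", "edr-trace 9f12", 40))
    nf = t["netflow 2026-06-18"]
    if nf["external_command_host"]:
        findings.append(Finding("External command-host connections", "netflow 2026-06-18", 20))
    if any(t["asset-db"].get(h) == "privileged" for h in nf["lateral_targets"]):
        findings.append(Finding("Lateral movement toward a privileged host", "netflow 2026-06-18", 14))
    return findings

def deterministic_checks(t):
    """Seq 3-4: rule-based checks; returns check name -> passed."""
    host = t["edr-trace 9f12"]["host"]
    return {"agent_healthy": t["agent-status"].get(host) == "healthy",
            "no_maintenance_window": not t["change-calendar"]["maintenance_window_active"],
            "host_outside_critical_tier": t["asset-db"].get(host) != "critical"}

def threat_score(findings):
    """Seq 5: composite score capped at 100."""
    return min(100, sum(f.weight for f in findings))

def route(score):
    return "human-approval-gate" if score > REVIEW_THRESHOLD else "no-containment"

@dataclass
class Containment:
    """Seq 6: host isolation is a dry-run until a responder approves it."""
    host: str
    dry_run: bool = True
    approved_by: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    def approve(self, responder, reasons):
        self.approved_by, self.reasons, self.dry_run = responder, list(reasons), False

    def execute(self):
        if self.dry_run:
            raise PermissionError("containment is in preview; no approval recorded")
        return f"isolated {self.host}"  # scoped to the affected endpoint only

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def proof_packet(run_id, decision, containment, findings):
    """Seq 7: decision, responder, reasons and cited evidence under one SHA-256."""
    body = {"run_id": run_id, "decision": decision, "responder": containment.approved_by,
            "reasons": containment.reasons,
            "evidence": [{"finding": f.text, "citation": f.citation} for f in findings]}
    return {"body": body, "sha256": hashlib.sha256(canonical(body)).hexdigest()}

class AppendOnlyLedger:
    """Each entry commits to the previous entry hash, so an edit anywhere breaks verify()."""
    def __init__(self):
        self.entries = []

    def append(self, packet):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        link = hashlib.sha256((prev + packet["sha256"]).encode()).hexdigest()
        self.entries.append({"prev": prev, "packet": packet, "entry_hash": link})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            p = e["packet"]
            if hashlib.sha256(canonical(p["body"])).hexdigest() != p["sha256"]:
                return False  # packet body edited after it was hashed
            if e["prev"] != prev or hashlib.sha256((prev + p["sha256"]).encode()).hexdigest() != e["entry_hash"]:
                return False  # chain broken: entry removed, reordered or relinked
            prev = e["entry_hash"]
        return True

def run_triage(t, run_id="run_9f12cc"):
    findings = extract_evidence(t)
    score = threat_score(findings)
    return {"run_id": run_id, "findings": findings, "checks": deterministic_checks(t),
            "score": score, "route": route(score),
            "containment": Containment(t["edr-trace 9f12"]["host"])}

def demo():
    """Replay the page's run end to end; returns the outcomes worth checking."""
    run = run_triage(TELEMETRY)
    c = run["containment"]
    try:
        c.execute()
        blocked = False
    except PermissionError:
        blocked = True  # gate holds: nothing isolated before approval
    c.approve("SOC responder", [f.text for f in run["findings"] if "T1059" in f.text or "privileged" in f.text])
    ledger = AppendOnlyLedger()
    ledger.append(proof_packet(run["run_id"], "APPROVED", c, run["findings"]))
    intact = ledger.verify()
    ledger.entries[0]["packet"]["body"]["decision"] = "REJECTED"  # tamper attempt on the record
    return {"score": run["score"], "route": run["route"], "blocked_before_approval": blocked,
            "isolated": c.execute(), "ledger_intact": intact, "tamper_detected": not ledger.verify()}

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the containment object never exposes a path that isolates while `dry_run` is set, so the gate is enforced in code rather than by convention, and the ledger's verify() recomputes both the packet hash and the chain link, so a rewritten decision and a deleted or reordered entry are caught the same way.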

Built for regulated teams - designed to run under your controls
Self-hosted
EU AI Act controls
GDPR controls
Audit trail
Data sovereignty

PrivateFlow is not certified under any compliance framework. Controls are designed to support compliance preparation. This run is an illustrative, synthetic example.

See it on your own data

Run this on your own alerts.

We'll stand up a governed pilot on your own data - sandbox first, no production credentials required. You decide what the gates do.