Alerting is easy. Collecting context is the part that doesn't scale.
If you've worked in a SOC, you know the real bottleneck isn't firing alerts — it's everything that happens after. The pivoting between six different consoles. The rushed notes. The context that lives in one tool but is needed in another. Analysts spend more time hunting for data than making decisions, and that's the gap I've been obsessing over for a long time.
Today, I'm excited to introduce Talon — an AI SOC analyst built directly into SOCFortress CoPilot that turns raw alerts into structured investigation reports with IOCs, correlated timelines, and recommended next steps.
And I'll say it plainly: I haven't seen another solution in the open-source SIEM world that tackles this problem this directly.
The Problem: Alert Fatigue Isn't About Alerts
The industry talks a lot about alert fatigue, but the real issue is context fatigue. A Tier-1 analyst can triage an alert in seconds. The Tier-2 bottleneck happens when that analyst has to pivot between the Wazuh Manager, the indexer, Velociraptor, threat intel feeds, and whatever else is in the stack — just to figure out whether something is worth escalating.
That process is manual, inconsistent, and slow. And it's the reason most SOC teams can't keep up.
Talon was built to fix exactly that.
What Talon Actually Does
Talon is an AI agent that sits inside your CoPilot environment and has the same tools your SOC analysts do. It connects to your SIEM stack via MCP (Model Context Protocol) and can:
- Search your Wazuh Indexer (OpenSearch) — querying alerts, correlating events across time windows, and surfacing related activity around a given alert
- Interact with the Wazuh Manager API — checking agent status, pulling configuration data, and understanding the state of your environment
- Run Velociraptor artifact collections — kicking off live forensic collections like process lists, SSH authorized keys, and more, directly from the chat interface
- Query CoPilot — pulling customer data, provisioned agents, and alert metadata
- Search the web — performing threat intelligence lookups on IPs, domains, and file hashes
- Write back into CoPilot — generating structured reports, IOCs, and jobs that are linked directly to the originating alert
The result is that when an alert fires, Talon doesn't just summarize it. It investigates it — the way a real analyst would, but faster and more consistently.
This Isn't a Single LLM Call
I've seen a lot of AI agent hype in the security space, and most of it boils down to one LLM enrichment call dressed up as automation. Security is complex. A single alert often requires multiple pivots, cross-referencing several data sources, and building a timeline before you can reach an accurate conclusion.
Talon uses MCP-based SIEM pivots combined with web search capabilities, built on NanoClaw — a project that strips away the bloat and security concerns of OpenClaw while keeping the core capabilities: CLI tooling, web searching, and the ability to integrate custom MCP tools in a containerized environment.
Under the hood, Talon is powered by the Claude Agent SDK. It runs inside an isolated Docker container, and every interaction — whether it's querying your indexer or collecting a Velociraptor artifact — happens within that sandboxed environment.
Privacy By Design
Sensitive identifiers matter. Usernames, email addresses, private IP addresses, and other PII are anonymized before they're sent to the LLM. When the report comes back, that data is de-anonymized so the final output has real, actionable context based on your actual environment — without ever exposing those details to the model.
Memory That Makes It Smarter
Talon has persistent memory via a Memory Palace. It retains outcomes, asset context, and confirmed false positives across investigations. That means the next investigation is faster and more accurate because Talon already knows your environment — which hosts are critical, which alerts were previously triaged as benign, and what patterns have been seen before.
What It Looks Like in Practice
Here's what happened during a live test I ran while recording the demo:
Alert: PowerShell screen capture command detected
Talon analyzed the alert and produced a full investigation report:
- Identified the PowerShell command as using the
System.Drawing.Graphicsmethod — a documented adversary technique mapped to MITRE ATT&CK - Correlated surrounding events in the 15 minutes prior: Windows Defender triggered against potentially unwanted software, PowerShell dropped files to temp directories, and multiple registry modification events were generated
- Performed script block analysis and matched the pattern to Atomic Red Team test procedures
- Built a full SIEM correlation timeline showing every related event between 10:45 and 11:01
- Ran IOC analysis (no external IPs or domains were extracted in this case)
- Provided recommended next steps: collect the full process tree via Velociraptor, investigate the Defender event, examine dropped files, and confirm with the asset owner
But it didn't stop there.
I then asked Talon about a suspicious IP address from another alert. It searched the web and identified the IP as a Hetzner VPS — a cloud provider commonly used for C2 infrastructure. It noted the non-standard port had no legitimate assigned services, and that the unmodified reverse DNS suggested a quickly deployed attack server.
Then I asked: "What hosts in my environment have communicated with this IP?"
Talon queried the Wazuh Indexer and found two hosts had made connections. It traced lateral movement — the attacker had SSH'd from one compromised endpoint as root into a second host and ran curl commands to the C2 through it. It flagged the second host as compromised and recommended rotating all SSH keys immediately.
I then asked Talon to use Velociraptor to collect running processes from the compromised host. It did — and flagged Tor running on the endpoint, started before the attack window. It also identified that Nginx had started during the attack window, likely deployed by the attacker as part of their infrastructure.
All from a chat interface inside CoPilot.
Automatic Investigation Triggers
You don't have to manually trigger Talon for every alert. Within CoPilot's customer management, you can enable AI triggers on a per-customer basis. Once enabled, every new alert automatically kicks off a Talon investigation — so by the time an analyst opens CoPilot, the report is already waiting.
Nothing Changes in Your Architecture
This is important: Talon sits on top of your existing open-source SIEM stack. It connects to the tools you're already running — Wazuh, Graylog, Velociraptor, Grafana — via their APIs. No re-architecture. No migration. You deploy Talon as a lightweight container on a separate VM (even 2 cores and 4GB of RAM is enough), configure the MCP connections, and it's ready.
Your stack stays the same. Talon just makes it smarter.
An Extension of Your Team — Not a Replacement
I want to be clear about the philosophy here. Talon is not designed to replace your security team. It's designed to be a valuable extension of your security team. The analysts stay in the driver's seat. Talon handles the repetitive context collection, the cross-tool pivoting, and the report generation so your team can focus on making decisions and taking action.
Fewer tabs. More consistency. Faster investigations.
Get Started
Talon is open source and available today:
- Talon: https://github.com/taylorwalton/talon
- SOCFortress CoPilot: https://github.com/socfortress/CoPilot
- CoPilot Docs: https://docs.socfortress.co
- Watch the full demo: https://youtu.be/5xDRfyrWoSA?si=S8X7_jHWVqrUAnkA
If you're new here — welcome. I'm Taylor Walton, and I've spent over a decade working with open-source security tools like Wazuh, Graylog, Velociraptor, and Grafana, building and refining SIEM stacks for organizations of all sizes. That experience is what led me to build SOCFortress and CoPilot.
If your team needs help deploying Talon, standing up a full SIEM stack, or optimizing what you've already got — that's exactly what our Professional Services team does:
👉 https://www.socfortress.co/solutions/professional-services
This is just the beginning for Talon. More MCP tools, better fine-tuned instructions, and local LLM integration via Ollama are all on the roadmap. Stay tuned.
