Knowledge assistant in Robo8 today

Ask your security knowledge a question — get a cited answer, not a search page.

A Rovo-style assistant for the SOC: it reads your runbooks, policies and wiki together with live MITRE ATT&CK and CISA KEV intelligence, and answers in plain language with citations you can click. Grounded in your sources, run on your infrastructure — so it never invents a procedure you don't actually have.

  • Grounded answers with citations
  • Your runbooks + Confluence / Notion + ATT&CK + KEV
  • Proactively surfaces knowledge into cases
  • Sovereign — your content stays put

How it answers

1

Connect your knowledge

Sync Confluence and Notion spaces, drop in runbooks and policies, alongside Robo8's built-in ATT&CK techniques and KEV catalog. Sync is idempotent — re-runs update, never duplicate.

2

Retrieve by meaning

Semantic vector search finds the relevant passages — ask "kerberoasting response" and it pulls the right runbook section and ATT&CK technique, not keyword noise.

3

Answer, grounded & cited

The model composes an answer only from retrieved sources and links each claim back to its origin. No sources, no fabricated answer — it tells you the gap instead.
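The three steps above, as an added illustration that is not Robo8's code and does not describe its internals. Everything in it is an assumption made for the example: the SAMPLE_DOCS corpus is constructed, TF-IDF cosine similarity stands in for the embedding model, the 0.1 score threshold is arbitrary, and the "composition" step simply quotes each retrieved passage under its citation where the product would hand the passages to a language model. What it does show is the shape of the guarantee: the sync is keyed so re-runs cannot duplicate, retrieval works by similarity rather than exact keywords, and with nothing above threshold the result is an explicit gap rather than an answer.

```python
"""Grounded, cited answers over a SOC knowledge base: idempotent sync,
similarity retrieval, and cite-or-decline.  Added illustration, not Robo8's
code; the corpus, threshold and scoring are assumptions made for the example."""
import math
import re
from collections import Counter

# Constructed sample corpus: (source_id, citation label, passage).
# The source_id is the sync key, so re-syncing updates rather than duplicates.
SAMPLE_DOCS = [
    ("runbook:identity-compromise:3", "IR-Runbook · Identity Compromise §3",
     "Disable the account at the IdP and revoke active tokens, then preserve "
     "authentication logs before any reset."),
    ("attack:T1558", "ATT&CK T1558",
     "Steal or Forge Kerberos Tickets. Adversaries steal or forge Kerberos "
     "tickets to gain access; kerberoasting and golden ticket are sub-techniques."),
    ("policy:access-control:5", "Access-Control Policy §5",
     "Privileged accounts are re-enabled only after password reset and review "
     "of recent authentication activity."),
]

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class KnowledgeBase:
    """TF-IDF cosine similarity stands in for the embedding model (assumption);
    a real deployment would swap _embed for a sentence-embedding call."""

    def __init__(self, min_score=0.1):
        self.min_score = min_score
        self.docs = {}      # source_id -> (label, passage)
        self.idf = {}
        self.vectors = {}   # source_id -> normalised sparse vector

    def sync(self, docs):
        """Idempotent upsert keyed by source_id; returns the corpus size."""
        for source_id, label, passage in docs:
            self.docs[source_id] = (label, passage)
        self._reindex()
        return len(self.docs)

    def _reindex(self):
        n = len(self.docs)
        df = Counter()
        for _, passage in self.docs.values():
            df.update(set(tokenize(passage)))
        self.idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
        self.vectors = {sid: self._embed(p) for sid, (_, p) in self.docs.items()}

    def _embed(self, text):
        tf = Counter(tokenize(text))
        vec = {t: c * self.idf.get(t, 1.0) for t, c in tf.items()}
        norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
        return {t: w / norm for t, w in vec.items()}

    def retrieve(self, question, k=3):
        """Top-k passages by cosine similarity, dropping anything below min_score."""
        q = self._embed(question)
        scored = []
        for sid, vec in self.vectors.items():
            score = sum(w * vec.get(t, 0.0) for t, w in q.items())
            if score >= self.min_score:
                scored.append((score, sid))
        scored.sort(reverse=True)
        return [sid for _, sid in scored[:k]]

    def answer(self, question):
        """Compose only from retrieved passages, each tagged with its citation.
        With no passage above threshold, report the gap instead of guessing."""
        hits = self.retrieve(question)
        if not hits:
            return {"answered": False, "claims": [], "citations": [],
                    "gap": "No covering source; record as a documentation task."}
        claims = [{"text": self.docs[sid][1], "cite": self.docs[sid][0]} for sid in hits]
        return {"answered": True, "claims": claims,
                "citations": [c["cite"] for c in claims], "gap": None}


if __name__ == "__main__":
    kb = KnowledgeBase()
    kb.sync(SAMPLE_DOCS)
    kb.sync(SAMPLE_DOCS)  # second run updates in place; the corpus stays at 3
    for q in ("kerberoasting response", "ransomware negotiation stance"):
        print(q, "->", kb.answer(q))
```

The threshold is the part worth tuning in practice: set it too low and a loosely related passage gets cited as if it answered the question, which is the failure the decline path exists to prevent.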

What an answer looks like

Q · "A user account is hitting impossible-travel and Kerberos errors — what's our play?"
Correlate the two as a single identity incident. Per your IR runbook, disable the account at the IdP and revoke active tokens (reversible, so Robo8 can stage it for approval), then preserve auth logs. Disabling the account does not recall Kerberos tickets already issued, so keep watching for use of the suspect session until they expire. This pattern maps to ATT&CK T1558 — Steal or Forge Kerberos Tickets; check for golden-ticket indicators before re-enabling.
IR-Runbook · Identity Compromise §3 · ATT&CK T1558 · Access-Control Policy §5

Illustrative. Every answer cites the exact sources it used; if the knowledge base lacks coverage, the assistant says so rather than guessing.

Proactive, not just a search box

The assistant doesn't wait to be asked. Because it lives next to live detection and cases, it brings the right knowledge to the analyst at the moment it matters.

Surfaces runbooks into cases

When a case opens for a technique or CVE, the assistant attaches the matching runbook section and prior similar cases — the analyst starts with the playbook already in front of them.

Flags knowledge gaps

If an incident type has no runbook coverage, it says so — turning "we didn't have a process" into a tracked documentation task before the next time.

Drafts the write-up

From the case timeline and cited sources it drafts the post-incident summary and customer note, so closing a case produces the record instead of more after-hours typing.

How it plays out in a company

Enterprise SOC · Tier-1 onboarding

A new analyst who answers like a senior

  • Week one, a Tier-1 hits an alert type they've never seen.
  • They ask the assistant in plain language; it returns the team's own runbook step, the ATT&CK technique, and the relevant policy — each cited.
  • The analyst acts correctly without paging a senior, and learns the source for next time.
  • Tribal knowledge that lived in three people's heads is now answerable by anyone.

MSSP · multi-tenant, high ticket volume

Consistent answers across every client

  • Each tenant's knowledge stays isolated to that tenant.
  • Analysts get the same grounded, cited guidance regardless of who picks up the ticket.
  • Onboarding a new client means syncing their space — not retraining the whole team.

Mid-market · lean team, audit pressure

Policy that's actually usable mid-incident

  • "Are we required to notify within 72 hours for this?" gets a cited answer from the team's own incident-response policy — in seconds, during the incident.
  • The assistant drafts the post-incident note from the case record, with sources attached.
  • The auditor sees decisions traceable to documented procedure.

Any team · the 3 a.m. incident

The senior who isn't online, on call anyway

  • An on-call engineer faces an unfamiliar containment decision out of hours.
  • The assistant returns the documented play and the reversible-action guidance, grounded in the team's own runbook — not a generic internet answer.
  • The right call gets made, and it's defensible in the morning.

Scenarios are illustrative of how grounded retrieval and the case workflow operate; outcomes vary by environment and content quality.

Why it's safe to trust

Grounded — or it says it doesn't know

Answers are composed only from retrieved sources. With no relevant source, the assistant declines rather than hallucinating a procedure — a wrong answer in a SOC is worse than none.

Every claim is cited

Each answer links back to the runbook section, ATT&CK technique, or policy it used, so a human can verify before acting.

Sovereign by default

Runs on your infrastructure with local models if you choose; your wiki and runbooks are not shipped to a vendor's cloud to be indexed. If you pair it with a hosted model instead, the retrieved passages travel in every prompt, so choose the model deployment with the same care as the index.

Respects access & leaves a trail

Queries are gated by role, and what was asked and answered is auditable — the same governance that covers detection covers knowledge.
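An added illustration of the role gate and audit trail described here, and of the per-tenant isolation in the MSSP scenario above. It is not Robo8's code: the tenants, roles, sample entries, keyword matcher and hash-chained log are all assumptions made for the example. Two design points are the reason it exists: the tenant filter is applied before any matching, so a query from one tenant can never score another tenant's passages, and a match the caller's role may not read is reported as "restricted" (escalate) without its content, distinct from a genuine knowledge gap. Every call is recorded, declines included, with the source ids actually used, and each record carries the hash of its predecessor so that an edited or dropped entry fails verification.

```python
"""Tenant-scoped, role-gated knowledge queries with a tamper-evident audit
trail.  Added illustration, not Robo8's code; tenants, roles, entries and
the keyword matcher are assumptions made for the example."""
import hashlib
import json
import re
from datetime import datetime, timezone

ROLE_RANK = {"tier1": 1, "tier2": 2, "lead": 3}   # assumed role hierarchy
STOPWORDS = {"a", "an", "the", "and", "or", "to", "of", "we", "do", "how", "is", "our", "for"}
TOKEN = re.compile(r"[a-z0-9]+")

# Constructed sample entries: `tenant` partitions the store, `min_role` is the
# lowest role allowed to read the passage.
ENTRIES = [
    {"id": "acme/runbook/phishing", "tenant": "acme", "min_role": "tier1",
     "label": "ACME Phishing Runbook §2",
     "text": "Quarantine the message and reset the recipient's password."},
    {"id": "acme/policy/notification", "tenant": "acme", "min_role": "lead",
     "label": "ACME IR Policy §7",
     "text": "Regulatory notification decisions are made by the incident lead within 72 hours."},
    {"id": "globex/runbook/phishing", "tenant": "globex", "min_role": "tier1",
     "label": "Globex Phishing Runbook §1",
     "text": "Report phishing to the Globex abuse mailbox before acting."},
]


def keywords(text):
    return {t for t in TOKEN.findall(text.lower()) if t not in STOPWORDS}


class AuditLog:
    """Append-only records; each carries the hash of its predecessor, so
    editing or dropping an entry makes verify() fail."""

    def __init__(self):
        self.records = []

    def record(self, **fields):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        entry = dict(fields, ts=datetime.now(timezone.utc).isoformat(), prev=prev)
        entry["hash"] = self._digest(entry)
        self.records.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        prev = "0" * 64
        for entry in self.records:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def query(entries, audit, tenant, role, question):
    """Isolate by tenant before matching, then gate by role; every call is
    logged, declines included, with the source ids that were actually used."""
    scope = [e for e in entries if e["tenant"] == tenant]   # tenant isolation first
    q = keywords(question)
    matches = [e for e in scope if q & keywords(e["label"] + " " + e["text"])]
    rank = ROLE_RANK.get(role, 0)                            # unknown role reads nothing
    readable = [e for e in matches if rank >= ROLE_RANK[e["min_role"]]]
    withheld = len(matches) - len(readable)
    if readable:
        status = "answered"
    elif withheld:
        status = "restricted"   # coverage exists above this role: escalate, no content leaks
    else:
        status = "declined"     # genuine knowledge gap
    audit.record(tenant=tenant, role=role, question=question, status=status,
                 sources=[e["id"] for e in readable], withheld=withheld)
    return {"status": status,
            "claims": [{"text": e["text"], "cite": e["label"]} for e in readable],
            "citations": [e["label"] for e in readable]}


if __name__ == "__main__":
    log = AuditLog()
    print(query(ENTRIES, log, "acme", "tier1", "how do we handle phishing"))
    print(query(ENTRIES, log, "acme", "tier1", "notification within 72 hours"))
    print(query(ENTRIES, log, "acme", "lead", "notification within 72 hours"))
    print("audit chain intact:", log.verify())
```

The "restricted" status is a deliberate trade-off: it tells a Tier-1 that a covering procedure exists and who can read it, which is what they need at 3 a.m., without exposing the passage itself.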

How it differs from a generic chatbot

Dimension       | Generic AI chatbot             | Robo8 assistant
Source of truth | The model's training data      | Your runbooks, policies, ATT&CK & KEV
Trust           | Plausible but unverifiable     | Cited to the exact source; declines when uncovered
Posture         | Answers when asked             | Proactively surfaces knowledge into cases
Data            | Prompt may leave your boundary | Runs on your infra; content stays put

Third-party products are referenced for ecosystem context only; no affiliation or endorsement is implied.

Turn your wiki into an analyst that's always on shift.