Robo8We turn a flood of alerts into a handful of decisions.
Robo8 is a defensive cyber agent that watches your environment, understands what it's seeing, and acts within limits you set — so your analysts spend their time on the threats that genuinely need a human.
The pipeline
Detect
Multi-class detection across network (flow anomalies + behaviour), endpoint (auth, process, file), and cloud (SIEM alerts), each tagged to a MITRE ATT&CK technique.
Correlate
Signals about the same entity are fused into one incident with a risk score. A network scan + an endpoint brute-force + a cloud impossible-travel become a single, high-confidence story.
Reason
Each incident is triaged by an LLM grounded in live ATT&CK + known-exploited-CVE intelligence (RAG), producing an explainable verdict and a recommended countermeasure.
Respond
Graduated autonomy: reversible low-risk actions (rate-limit, block IP, revoke token) run automatically; isolating a host or disabling a user is queued for human approval.
Learn
Analyst verdicts train a model that resists poisoning, with drift monitoring and automatic retraining as attacker behaviour shifts.
Prove
Every verdict and action is written to a tamper-evident audit trail and exposed as Prometheus metrics — defensible after the fact.
Cyber Advisory, built in
Beyond live defense, Robo8 maintains a continuously-updated knowledge base your team can query in plain language:
- 697 MITRE ATT&CK techniques with defensive countermeasures.
- 1,600+ CISA Known-Exploited Vulnerabilities, refreshed automatically, with ransomware-linked CVEs flagged.
- Semantic search — ask "kerberos ticket theft" or "log4j RCE" and get the right techniques and CVEs by meaning, not keywords.
- Defensive runbooks mapped to techniques, so a verdict comes with a next step.
Where it fits
| Layer | Robo8 ingests / enforces |
|---|---|
| SIEM / agents | Wazuh, Kafka streams, batch files (PCAP/flow, host logs, alerts) |
| Enforcement | Firewall (nftables/pfctl), EDR isolate, IdP disable / token revoke — via webhooks or local adapters |
| Reasoning | Local models (Ollama / model2vec) for privacy, or a cloud LLM for maximum quality |
| Operations | Web dashboard, REST API, Prometheus metrics, Docker / Kubernetes / Helm |