§METHODOLOGY

How AVA reaches a verdict.

Hypothesis-driven, evidence-bound, defensible by construction. How AVA investigates an alert — from competing hypotheses, through evidence tested against your environment, to a verdict grounded in mathematics, not phrasing.

§THE ENGINE — PEBRE

A verdict grounded in mathematics, not a well-phrased guess.

LLMs are built for conversation, not statistical truth — left alone, their confidence skews to a false 100% or 0%. PEBRE splits the work: AVA's agents extract the evidence; PEBRE weighs it across competing explanations and computes a mathematically grounded probability, the way forensic and judicial reasoning weigh evidence. The result is a defensible verdict with a deterministic audit trail — no hallucinated certainty, traceable decision by decision.


§METHODOLOGY

Depth, by design.

Hypothesis-driven, evidence-bound, defensible by construction. Two methodology principles and two output guarantees. None of them is a step your team can afford to skip.

METHODOLOGY · 01

Hypothesis-driven triage.

Every alert enters investigation with multiple competing Investigation Hypotheses — malicious and benign — drawn from MITRE ATT&CK and the alert's own context. AVA tests them. The one supported by evidence becomes the verdict.

SANS · PEAK · TaHiTI lineage, applied to triage.

METHODOLOGY · 02

Tested against your environment.

Hypotheses are evaluated against the user, the asset, the historical baseline, and the operational context — not in the abstract. Two identical alerts on two different assets produce two different investigations.

Contextual grounding, not pattern matching.

OUTPUT · 03

An evidence chain, not a summary.

Every claim in the verdict resolves to a query, a log, a process tree, or an identity event, each captured, citable, and timestamped. Cross-source corroboration is built in: where both sources are available, EDR and SIEM independently confirm the same event. The Investigation Report is the artifact an examiner can walk through line by line.

Audit-ready by construction.

OUTPUT · 04

A third verdict, when evidence is insufficient.

When AVA can't conclude, it says so, and specifies exactly what evidence is missing. INCONCLUSIVE is a feature, not a fallback. Every investigation compounds: outcomes feed back into the priors, so future investigations get sharper.

Evidence sufficiency determines the verdict.

When AVA can't conclude, AVA shows what's missing.

Evidence Gaps · Inconclusive Verdict
  • CTI tool unavailable — reputation verdict not rendered
  • Internal-only IP — no public attribution surface
  • Endpoint telemetry absent — behavioural corroboration unavailable
  • Cross-source corroboration interrupted — confidence ceiling capped

This is not the absence of evidence. It is the audit-grade declaration of it.
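The mechanics described under PEBRE above and in this section (evidence weighed across competing hypotheses, cross-source corroboration, a confidence ceiling capped when telemetry is missing, and INCONCLUSIVE with the gaps declared) can be shown with a small model. This is an added example, not PEBRE or any AVA code: the two hypotheses, the likelihood ratios, the required-source list, the ceiling table, the thresholds, and the sample evidence and reference identifiers are all constructed assumptions.

```python
"""Evidence-weighted triage, a constructed illustration (not PEBRE).

Hypotheses MALICIOUS vs BENIGN; evidence accumulates in log-odds; claims
seen from two sources are corroborated; missing required sources are
declared as gaps and clamp the reported probability; every step is logged.
"""
import math
from dataclasses import dataclass

REQUIRED_SOURCES = ("EDR", "SIEM", "CTI")      # assumption
CEILING = {0: 0.97, 1: 0.92, 2: 0.80}           # by number of gaps; assumption
CEILING_DEFAULT = 0.70
MALICIOUS_AT, BENIGN_AT = 0.90, 0.10            # thresholds on capped posterior


@dataclass(frozen=True)
class Evidence:
    """One citable observation. lr = P(obs | malicious) / P(obs | benign)."""
    claim: str
    source: str
    lr: float
    ref: str   # query id or log reference the claim resolves to (constructed)


@dataclass
class Verdict:
    label: str
    p_malicious: float
    ceiling: float
    gaps: list
    trail: list


def weigh(evidence, available_sources, prior=0.05):
    """Weigh evidence for MALICIOUS against BENIGN and return a Verdict.

    A claim reported by two or more distinct sources contributes its full
    log-LR; a single-source claim contributes half (assumption: discounted,
    not discarded). Required sources that were unavailable become gaps and
    clamp the reported probability to [1 - ceiling, ceiling], so missing
    telemetry blocks a confident verdict in either direction.
    """
    trail = []
    log_odds = math.log(prior / (1.0 - prior))
    trail.append(f"prior P(malicious)={prior:.2f} -> log-odds {log_odds:+.3f}")

    by_claim = {}
    for e in evidence:
        by_claim.setdefault(e.claim, []).append(e)

    for claim, items in by_claim.items():
        sources = sorted({e.source for e in items})
        corroborated = len(sources) >= 2
        contribution = (1.0 if corroborated else 0.5) * math.log(items[0].lr)
        log_odds += contribution
        refs = ", ".join(e.ref for e in items)
        trail.append(
            f"{claim!r} via {'+'.join(sources)} "
            f"({'corroborated' if corroborated else 'single-source'}) "
            f"LR={items[0].lr} -> {contribution:+.3f} [{refs}]"
        )

    gaps = [s for s in REQUIRED_SOURCES if s not in available_sources]
    for g in gaps:
        trail.append(f"gap: {g} unavailable")
    ceiling = CEILING.get(len(gaps), CEILING_DEFAULT)
    raw = 1.0 / (1.0 + math.exp(-log_odds))
    p = min(max(raw, 1.0 - ceiling), ceiling)
    trail.append(f"posterior raw={raw:.3f} ceiling={ceiling:.2f} reported={p:.3f}")

    label = ("MALICIOUS" if p >= MALICIOUS_AT
             else "BENIGN" if p <= BENIGN_AT else "INCONCLUSIVE")
    trail.append(f"verdict: {label}")
    return Verdict(label, round(p, 4), ceiling, gaps, trail)


# Constructed scenarios: the same alert (an Office process launching an
# encoded PowerShell command) with different telemetry available.
SPAWN = "office process spawned powershell with encoded command"
PERSIST = "scheduled task created by the spawned powershell"
FULL_TELEMETRY = [
    Evidence(SPAWN, "EDR", 20.0, "edr-proc-tree-0142"),
    Evidence(SPAWN, "SIEM", 20.0, "siem-query-8831"),
    Evidence("powershell connected to an IP with a malicious CTI reputation",
             "CTI", 15.0, "cti-lookup-2207"),
    Evidence(PERSIST, "EDR", 5.0, "edr-proc-tree-0143"),
    Evidence(PERSIST, "SIEM", 5.0, "siem-query-8832"),
]
EDR_ONLY = [e for e in FULL_TELEMETRY if e.source == "EDR"]   # SIEM and CTI down
AGENT = "powershell launched by the signed software-deployment agent"
BENIGN_CONTEXT = [
    Evidence(AGENT, "EDR", 0.1, "edr-proc-tree-0144"),
    Evidence(AGENT, "SIEM", 0.1, "siem-query-8833"),
    Evidence("destination is an internal address; CTI has no adverse record",
             "CTI", 0.5, "cti-lookup-2208"),
]

if __name__ == "__main__":
    for name, ev, avail in [("full telemetry", FULL_TELEMETRY, {"EDR", "SIEM", "CTI"}),
                            ("EDR only", EDR_ONLY, {"EDR"}),
                            ("benign context", BENIGN_CONTEXT, {"EDR", "SIEM", "CTI"})]:
        v = weigh(ev, avail)
        print(f"== {name}: {v.label} p={v.p_malicious} gaps={v.gaps}")
        print("\n".join("   " + line for line in v.trail))
```

With full telemetry the corroborated chain pushes the posterior to roughly 0.95 and the verdict is MALICIOUS; with EDR alone the same observations are discounted, SIEM and CTI are declared as gaps, the ceiling drops to 0.80, and the result is INCONCLUSIVE with the missing sources named. The trail is a pure function of the inputs, so re-running it reproduces the same lines, which is the property an auditor needs.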

§OPERATING MODELS

Built for two operating models, not retrofitted for both.

In-house SOC and managed service provider operate against different economics, different audit pressures, and different definitions of done. AVA's operating posture changes with them; the Investigation Discipline does not.

FOR ENTERPRISE SOC

For the team that owns its own verdicts.

AVA closes L1 with an evidence-backed Investigation Report your senior analysts can defend in the next audit, the next board review, and the next post-incident write-up. Every verdict carries its evidence chain.

Native connectors into your existing Defender, CrowdStrike, Sentinel, or QRadar stack. No rip-and-replace. No new SIEM.

What your senior analysts do with the time AVA returns: threat-hunt, not triage backlog. Tune detections, not chase false positives.

FOR MSSPs & MDR

For the team that owns everyone else's verdicts.

One Investigation Discipline across every tenant. Per-tenant context, per-tenant evidence, per-tenant Investigation Report — without rebuilding the playbook library each time you onboard.

Multi-tenant by construction. Cloud, on-prem, or private — sovereignty is a constraint, not a compromise.

Each new tenant onboards with their existing stack — not yours. Every new SIEM, EDR, or XDR is a single integration class away. No rebuild. No mapping spreadsheet.

Scale your client book without scaling your analyst headcount. The same team handles materially more accounts when AVA owns L1.

§DETECTION ENGINEERING

Beyond the verdict, the discipline continues.

The verdict is one artifact. The Co-Pilot is the next: an interactive surface where AVA continues and the analyst directs. Detection engineering, root cause work, plain-English investigation across the stack, run autonomously when configured and handed off when judgment must be human.

The verdict is not the end of the discipline.

Beyond it, AVA continues — drafting the next detection, opening the next investigation thread, pivoting across the endpoint in plain English, composing the next containment.

How far AVA goes is a setting, not a guess.
Run autonomous, with every step on the record.
Hand the keys to the analyst, when judgment must be human.

The Co-Pilot is the seam between the two — conversational, tool-aware, and always auditable.

Detection engineering, not as a separate team — as the verdict's natural conclusion.

§THE OFFER

See AVA investigate your own alerts.

Send us one alert