YOUR DATA STAYS. THREATS DON'T. Request a demo →
CYBERDROID SOC ANALYST MIMIR
Request a demo
Cyberdroid SOC Analyst · Code name: MIMIR

The senior analyst who never sleeps — and never phones home.

Never sleeps. Never guesses. Never phones home.

Local Intelligence. Evidence-First Defence. Always On.

Mimir brings 20+ years of cybersecurity experience and a paranoid level of attention to every warning your SIEM raises — around the clock, entirely on your own hardware. Every verdict cites its evidence. No byte of your telemetry ever leaves your network.

ON YOUR HARDWARE · INSIDE YOUR PERIMETER
MIMIR emblem — runic compass
MIMIR
24/7
Continuous investigation cycles
Every warning
Explicitly dispositioned — nothing silently dropped
0 bytes
Of telemetry sent to any cloud
100%
Read-only — Mimir can look everywhere and touch nothing
Every claim
Linked to evidence in your own data
ARCHITECTURAL GUARANTEES — NOT BENCHMARKS
Inside the console
PRESSURE · DECISION GRAPH · HANDOFF PIPELINE
mimir · duty console LIVE · ON YOUR HARDWARE
CYBERDROID SOC AGENT
PRESSUREcritical
HUMAN LANE600
MACHINE LANE7,909
INPUTS2 stale
search⌘K
Overview
Investigations
Fusion
SIEM Integrity
Process Reputation
Actors
Write-Back
Reports
Settings
OVERVIEW Live posture
window 15m next poll 60s Export brief
HUMAN REVIEW600urgent threshold crossed
MACHINE FOLLOW-UP7,909draft proposals only
COUNCIL6321
TRUST HORIZON15munattended reasoning
PRESSUREcritical1,000,000
DECISION GRAPHmotion_01
EVIDENCE → SUBJECT → HYPOTHESES → POSITIONS
SIEM6 sourcessignals under review
CYBERDROID7,909 machinedraft proposals only
TRUST HORIZON15mreasoning window
COUNCIL6 agents321
SUBJECTMotion 01bounded decision ready
HYPOTHESIS ABounded actionconfidence 0.86 · no silent mutation
HYPOTHESIS BMore evidenceconfidence 0.41 · blocked in validation
SENSORDISSENT2 stale inputs
TOPOLOGYDISSENToutside topology
No silent mutationHUMAN SIGNATURE REQUIRED
write-back · 0 auto / 600 gated
FRESHNESS RAIL
2 STALE
CSIEM alerts
15m
CSIEM events
14m
Sysmon stream
22s
Netflow
8s
M365 audit
41s
FOCUS STACK
NOW
critical 95
HUMAN
UEBA multi-feature anomaly
cdai_92aa05 · 10.20.4.18
Autoencoder reconstruction residual promoted to incident; awaiting analyst signature.
high 80
HUMAN
Input freshness drift
inv_9f3c21 · cyberdroid_ai
Cross-source freshness drift on the lagging runtime input; verification case open.
OPERATIONAL HANDOFF
THIS WINDOW
REVIEWED54SIEM-backed
CONNECTED11identity carry-over
CHANGED12risk movement
WATCHING12machine discipline
NEEDS HUMAN600review lane
Live posture at a glance: pressure and lane instruments up top, the decision graph and handoff pipeline below. Every number is an instrument — detail surfaces on hover.
The problem

Your SOC's hardest hours are its quietest.

Warnings don't keep business hours. Analysts do.

The fatigue is structural.
Thousands of alerts, minutes of attention each, triage under exhaustion. The industry has normalized a quiet failure mode: warnings that nobody ever truly examined, closed by habit or by timeout. Every one of them is a risk someone silently accepted.
The experience is scarce.
The judgment that separates a benign anomaly from an early-stage intrusion takes decades to build — and the people who have it are expensive, oversubscribed, and asleep during half your attack surface's day.
The obvious fix has an ugly catch.
AI-assisted SOC tools exist — in someone else's cloud. Your security telemetry is among the most sensitive data you hold: identities, infrastructure, incidents, weaknesses. Exporting it to a third-party model creates a new attack surface, a new compliance burden, and a per-token bill that punishes thoroughness. For regulated, sovereign, and air-gapped environments, it's not even an option.
The smartest analyst on your team shouldn't require your biggest data export.
What it is

A senior SOC analyst delivered as software, running entirely inside your perimeter.

Mimir ingests the live warning stream from Cyberdroid SIEM (CSIEM) and the Cyberdroid Neural Engine (CNE), and works each warning like a case, not a ticket: forming hypotheses, planning queries against your data, weighing benign explanations against hostile ones, challenging its own conclusions, and writing up findings your team can act on — with the evidence attached.

It is not a rules engine, not a keyword filter, and not a chatbot bolted onto a dashboard. It is an investigation loop built around one principle:

The model does the thinking.
Deterministic code holds the rails.
Three commitments

The slogan is the spec.

01
Local Intelligence.
All of Mimir's reasoning runs on open-weight models on GPUs you own, served by a local inference engine inside your network. There is no external AI API in the loop — which means no data processing agreement with a model vendor, no per-token pricing that penalizes deep investigation, and no dependence on someone else's uptime. Your telemetry is analysed where it lives.
02
Evidence-First Defence.
Every claim Mimir makes is tied to an evidence reference in your own data — a grounding gate enforces it mechanically, so an ungrounded claim cannot leave the system. Zero results are treated as evidence too: "we looked, and here is what we did not find." You never have to take the analyst's word for it, because the analyst always shows its work.
03
Always On.
Mimir runs continuous duty cycles, day and night. It does not fatigue at hour seven, does not skim on Fridays, and applies the same paranoid rigour at 03:00 on a Sunday as at 15:00 on a Tuesday. Attackers choose their hours; your analyst no longer has any.
The doctrine

Paranoid, by design.

Mimir behaves like a veteran who has been burned before. That temperament is not a prompt — it is enforced by the shape of the investigation loop.

01
Absence of evidence is never evidence of safety.
A quiet query result is a fact to explain, not a reason to relax.
02
Warnings are cleared by disconfirmation, not by silence.
A warning leaves the board only when affirmative evidence contradicts the threat hypothesis — never by timeout, keyword, or habit.
03
"Benign" gets the hostile review.
Mimir's built-in critic attacks comfortable conclusions hardest, because the comfortable conclusion is the one that costs you.
04
Uncertainty triggers digging, not filing.
When the evidence is thin, Mimir plans the next query instead of writing the easy verdict.
Optimism is a vulnerability. Mimir doesn't have it.
How it works

One duty cycle.

OBSERVE → ACCOUNT → INVESTIGATE →
VERIFY → REPORT → REPEAT
1
Observe
Current CSIEM alerts and fresh CNE findings are snapshotted into an immutable observation pack — a fixed, auditable picture of "what the world looked like when this cycle began."
2
Account
Mimir must explicitly disposition every warning in the pack — investigate now, correlate, defer with a reason, monitor, or escalate to humans. A mechanical completeness gate makes silence impossible: no warning can be skipped, only answered.
3
Investigate
Mimir forms competing hypotheses — the threat and its most plausible benign explanation — and asks questions of your data designed to discriminate between them. A deterministic compiler turns each question into a validated, read-only, tenant-scoped SIEM query. The analyst never touches query syntax; the code never decides what is suspicious.
4
Verify
Findings pass through reflection, adversarial critique, and adjudication. Where the stakes are high, Mimir re-asks the pivotal question multiple ways and requires agreement before it commits.
5
Report
Evidence-linked findings, dispositions, and open questions are written up for delivery to your team — and the next cycle begins.
mimir · fusion — corroboration bridge CSIEM ⇄ CYBERDROID
CYBERDROID SOC AGENT
PRESSUREcritical
HUMAN LANE600
MACHINE LANE7,909
INPUTS2 stale
search⌘K
Overview
Investigations
Fusion
SIEM Integrity
Process Reputation
Actors
Write-Back
Reports
Settings
FUSION Corroboration
window 15m Re-run
MATCHED12
CSIEM-ONLY13
CYBERDROID-ONLY6
OPENED INVESTIGATIONS3
CSIEM SIGNAL LANESEES EVENTS
CSIEM EVENT
critical 96
Parser/source definition missing
unknown_bucketparser_pipelinedc-01.internal
12:20:41Zinv_ab9caef
CSIEM EVENT
critical 96
DNS anomaly cluster — dc-01
10.20.7.2windows-dns
12:20:41Zinv_ab8614
CSIEM EVENT
high 74
Saved-query hit — UEBA scope
10.20.4.18saved_query
12:19:02Zinv_ab64ff
+22 signals
CORROBORATION BRIDGEMEANING
HIGH CONFIDENCE
0.92
robust_mahalanobis_outlier +2
2 investigations2 refs
MEDIUM
0.61
dns_exfil_candidate
2 investigations2 refs
MEDIUM
0.58
ueba_multi_feature
1 investigation1 ref
shared evidence joins the lanes12 joins
CYBERDROID RUNTIME LANESEES PATTERNS
CYBERDROID
critical 96
Peer-group outlier
robust_mahalanobis10.20.4.18
5 threat signals2 evidence refs
CYBERDROID
low 32
Saved-query lookup evidence
runtime_signal192.0.2.146
1 threat signal1 evidence ref
CYBERDROID
high 71
Autoencoder residual spike
ueba_multi_feature10.20.4.18
3 threat signals2 evidence refs
+15 patterns
Corroboration in practice: CSIEM events on one lane, Cyberdroid runtime patterns on the other — the bridge in between is where signals must agree before they become findings.
Architecture

Built like a security product, not a chatbot.

Read-only by construction.
The query compiler is physically unable to emit anything but reads. Mimir cannot modify systems, cannot act on endpoints, cannot remediate — it investigates, and hands humans the case.
Scoped and budgeted.
Every query is bound to its tenant scope and capped by hard cost, row, time, and iteration budgets. A runaway investigation is a mechanical impossibility.
Fully audited.
Every query, every model interaction, every decision is logged and replayable. When you ask "why did it conclude that?", the complete trail exists.
Separation of powers

The analyst is one of four isolated components, and content never escalates privilege:

Component Role Authority
MIMIR
THE ANALYST
Investigates and writes findings
None.
Read-only, no outside edges
HEIMDALL
THE WATCHMAN
Policy, redaction, delivery gating
All of it.
The sole trust boundary
GATEWAY
THE MESSENGER · HERMOD
Email in and out
Zero.
Treated as untrusted
SIMURG
THE ENGINE
Local model inference
Serves models,
decides nothing

The messenger that faces the hostile outside world holds no authority; the watchman re-derives every decision from its own policy and trusts nothing it is handed; the analyst cannot press send.

Even a fully compromised inbox cannot make this system act.
The output

What you receive.

Mimir's output arrives as a report your team can actually use:

Findings with receipts.
Each verdict carries its hypothesis trail and evidence references pointing back into your own SIEM data — click through and check the analyst's work.
A complete accounting.
Every warning in the window appears, including the cleared ones — with the disconfirming evidence that cleared them.
Honest uncertainty.
Open questions are reported as open, alongside what evidence would resolve them.
WRITTEN FOR HUMANS. AUDITABLE BY MACHINES.
mimir · investigation queues DELIVERY: PER POLICY
CYBERDROID SOC AGENT
PRESSUREcritical
HUMAN LANE600
MACHINE LANE7,909
INPUTS2 stale
search⌘K
Overview
Investigations
Fusion
SIEM Integrity
Process Reputation
Actors
Write-Back
Reports
Settings
INVESTIGATIONS Queues
actor · title · case id
All queues
1–160 / 9,540
REVIEW LANE
Human Escalation620
critical 100
12:20Z
DNS response fail — dc-01
dc-01.internal10.20.7.2
8 ev6 qCSIEM · SOC
Risk score and watchlist context require human review before containment.
critical 100
12:20Z
DNS query burst — dc-01
10.20.7.2dns_query
7 ev8 qCSIEM · SOC
Sustained query volume against a single resolver; correlated with response failures.
critical 95
11:58Z
Impossible travel — j.keller
j.kellervpn-gw.internal
5 ev3 qCSIEM · SOC
Two sessions 4,100 km apart within 14 minutes; MFA context attached.
+617 more
MACHINE LANE
Model Escalation75
high 80
12:08Z
AI input is data_unavailable
cyberdroid_aifreshness_drift
1 ev3 qCDR · CSIEM
Cross-source freshness drift; verification case opened for the lagging runtime input.
medium 64
12:20Z
Excessive firewall accepts
198.51.100.23fortigate-fw
1,507 ev8 qCSIEM · SOC
Multiple sources to a single destination; deterministic evidence insufficient to close.
medium 51
11:41Z
Password reset attempt
admin_t2m365-audit
3 ev2 qCSIEM · SOC
Reset initiated outside change window; awaiting identity-owner confirmation.
+72 more
MACHINE LANE
Deterministic Workflow5,014
critical 95
12:20Z
Log sources missing parser
unknown_bucketparser_pipeline
1 ev3 qCDR · CSIEM
Known sources still send events, but the normalized parser/source definition is missing.
high 82
12:14Z
Source-type inventory drift
windows-dnssource_type
1 ev3 qCDR · CSIEM
Enabled log source references a definition code absent from the current inventory.
high 82
12:02Z
Parser gap — redmine-tickets
redmine-ticketsparser_pipeline
1 ev2 qCDR · CSIEM
Verify parser package deployment and source-type content for this source.
+5,011 more
MACHINE LANE
Monitoring3,831
low 19
04:36Z
Host agent heartbeat
esx-04.internalhostagent
3 ev2 qCSIEM · SOC
Low-risk evidence retained for continuity.
low 19
03:07Z
Event continuity retained
eventbaseline
3 ev2 qCSIEM · SOC
Low-risk evidence retained for continuity.
low 17
02:52Z
hostdstats baseline
hostdstatstelemetry
2 ev1 qCSIEM · SOC
Telemetry variance inside learned baseline; auto-close in 6h.
+3,828 more
Mímir — keeper of the well of wisdom
MÍMIR · KEEPER OF THE WELL OF WISDOM
Why "Mimir"?

Wisdom you consult before you act.

In Norse myth, Mímir is the wisest of beings, keeper of the well of wisdom beneath the roots of the world-tree. Odin — the Allfather — gave up an eye for a single drink from that well, and kept Mimir's counsel ever after, consulting him before every hard decision, especially when war was coming.

That is the job description: wisdom you consult before you act. Counsel that is always there, always grounded, and never flattering.

Odin paid an eye. You just provide the GPU.
FAQ

Frequently asked questions.

Something else on your mind?
Contact the team

Does any of my data leave my network?
No. All model inference runs on your own hardware, inside your perimeter. Mimir has no external AI API dependency and exports no telemetry. Reports go only where your delivery policy sends them.
Which AI models does it use?
Open-weight models served by the platform's local inference engine — a fast tier for mechanical work and a large reasoning tier for analyst judgment. The stack is engineered specifically to extract maximum reasoning depth from local models, and it evolves as open-weight models do — without changing where your data lives.
Can Mimir take actions on my systems?
No, and it can't be talked into it. Mimir is read-only by construction: its query compiler cannot emit writes, and the component has no path to email, endpoints, or the outside world. Response stays with your team.
How is this different from SOAR or auto-remediation?
SOAR executes playbooks you wrote in advance; Mimir performs open-ended investigation you didn't have to script. They are complementary — Mimir produces the evidence-backed case; your people and playbooks decide what to do about it.
How can I trust its verdicts?
You are not asked to. Every claim carries evidence references into your own data, every warning's disposition is recorded with its rationale, and the full investigation trail is auditable. Trust the evidence, not the analyst.
Does it replace my analysts?
It removes the part of their job that was breaking them: the around-the-clock triage grind and the guilt of the unexamined queue. Your people receive investigated, evidence-backed cases instead of raw alert noise — and keep every decision that matters.
What does deployment require?
A GPU server on your premises, and read-only credentials to your Cyberdroid SIEM. No cloud accounts, no outbound data flows, no integration project.
What does "every warning accounted for" actually mean?
It is a mechanical gate, not a slogan: an investigation cycle cannot complete until every warning in its observation pack has an explicit, recorded disposition. "Nobody looked at it" is not a state the system can represent.

Put a paranoid veteran on every shift.

Local intelligence, evidence-first defence, always on — investigating your data, on your hardware, tonight and every night.