Hermes Platform · v 2.4

An AI-assisted layer for analysts. Not a replacement for them.

Hermes is a security operations platform designed to augment analysts, accelerate investigations, reduce alert fatigue, and improve operational response for SMB and mid-market organizations. Built on Wazuh. Installed, integrated, and responded to by CyberD20 — not handed over for your team to figure out.

HERMES // SUMMARY · ONLINE
  • Alerts triaged / 24h: 1,284
  • Analyst escalations: 37
  • Mean enrichment: 2.4 s
  • Noise reduction: ~71%
WHAT HERMES IS
  • Analyst augmentation: context, prioritization, and recommended next steps
  • Workflow orchestration across Wazuh, Slack, Telegram, and ticketing
  • Contextual alert enrichment and MITRE ATT&CK mapping
  • Threat prioritization and investigation timelines
  • Detection-engineering hooks and tunable rules
  • Collaboration integration so investigations stay where the team works
WHAT HERMES IS NOT
  • Autonomous AI making unilateral defensive decisions
  • A replacement for skilled human analysts
  • Fully automated cyber defense with no human in the loop
  • A black-box model you can't tune, audit, or override
  • A marketing layer over an off-the-shelf SIEM
Operational philosophy. Hermes assists analysts. Human expertise validates findings. Investigations remain human-led. Operational judgment matters — and stays with your team.
Architecture

Telemetry in. Investigation context out. Analysts in command.

HERMES // SYSTEM TOPOLOGY · v 2.4 · prod

SOURCES
  • Wazuh SIEM: events, agents
  • Endpoint telemetry: EDR, osquery
  • Network and cloud logs: VPC, SaaS, IdP
  • Threat intel feeds: OSINT, TLP:AMBER
  • GRC and policy: controls, maps

HERMES ORCHESTRATOR
  • Triage Engine: prioritize, dedupe
  • Enrichment Layer: MITRE, ASN, WHOIS
  • Investigation Timeline: case object
  • Escalation Router: analyst in loop
  • Audit and Replay: every decision logged

AGENTS AND OUTPUTS
  • Threat Hunter: pivot, hypothesize
  • Incident Response: contain, document
  • GRC Agent: control evidence
  • Slack / Telegram: analyst channel
  • Reports / Briefings: exec summaries
Capabilities

What Hermes does for your analyst on shift.

01 · AI-assisted alert triage
Hermes prioritizes the queue, deduplicates noisy alerts, and surfaces the few that warrant analyst attention now.

02 · MITRE ATT&CK mapping
Each alert is mapped to relevant tactics and techniques, with the rationale exposed, not buried in a model.

03 · Alert summarization
Multi-source events compressed into a human-readable narrative so an analyst can decide in seconds, not minutes.

04 · Threat intel enrichment
ASN, WHOIS, geolocation, and curated TI sources attached automatically, with TLP discipline preserved.

05 · Investigation timelines
Every event, enrichment, and analyst action is recorded on a single case timeline, exportable and auditable.

06 · Workflow coordination
Hermes routes the right alert to the right channel, paging on-call only when policy says it should.

07 · Incident escalation
Severity escalation runs against your defined policy: every step logged, every decision reviewable.

08 · Human analyst escalation
Hermes does not close cases on its own. Borderline events go to a human, with full context attached.

09 · Detection engineering hooks
Tune rules, add custom detections, and replay historical events against new logic from one console.
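The following is an added illustration of the pipeline that capabilities 01, 06, 07, 08 and 09 describe in words; it is not Hermes code and not CyberD20's. It reads records in the field layout Wazuh writes to alerts.json (rule.id, rule.level, rule.mitre.*, agent.name, data.srcip), collapses duplicates sharing a (rule, agent, source) key inside a time window, scores each case with the reasons kept alongside the score, routes by a policy table that can page on-call but never closes a case, appends every decision to an audit log, and replays a new detection over the stored history. The sample alerts, the scoring weights, the asset-tier set and the routing policy are all constructed for the example.

```python
"""Toy triage pipeline: dedupe, prioritise, route by policy, audit, replay.
Illustrative code only; field names follow Wazuh's alerts.json layout."""
from collections import defaultdict
from datetime import datetime

HIGH_RISK_TACTICS = {"Credential Access", "Lateral Movement", "Privilege Escalation"}
CROWN_JEWELS = {"db-01"}  # assumption: asset tier taken from the customer inventory

# Assumption: customer-defined routing. No severity band maps to "close".
POLICY = {
    "critical": {"channel": "pager", "page_oncall": True},
    "high": {"channel": "slack:#soc-alerts", "page_oncall": False},
    "medium": {"channel": "analyst_queue", "page_oncall": False},
    "low": {"channel": "analyst_queue", "page_oncall": False},
}


def _alert(ts, rule_id, level, desc, agent, srcip, user, mitre=None):
    """Build one constructed alert record in alerts.json shape."""
    return {"timestamp": ts,
            "rule": {"id": rule_id, "level": level, "description": desc,
                     "mitre": mitre or {"id": [], "tactic": [], "technique": []}},
            "agent": {"name": agent}, "data": {"srcip": srcip, "srcuser": user}}


BRUTE = {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]}

# Constructed sample: 20 failed-login alerts from one source, the follow-on
# brute-force rule, the same source touching a second host, and benign noise.
RAW_ALERTS = (
    [_alert(f"2024-05-01T10:00:{s:02d}.000+0000", "5710", 5, "sshd: non-existent user",
            "web-01", "203.0.113.7", "admin", BRUTE) for s in range(0, 40, 2)]
    + [_alert("2024-05-01T10:00:45.000+0000", "5712", 10, "sshd: brute force",
              "web-01", "203.0.113.7", "admin", BRUTE),
       _alert("2024-05-01T10:03:00.000+0000", "5710", 5, "sshd: non-existent user",
              "db-01", "203.0.113.7", "root", BRUTE),
       _alert("2024-05-01T10:05:00.000+0000", "5501", 3, "PAM: session opened",
              "db-01", "10.0.0.5", "alice")]
)


def _ts(alert):
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def dedupe(alerts, window_s=300):
    """Collapse alerts sharing (rule, agent, srcip) within window_s into one case."""
    cases, latest = [], {}
    for a in sorted(alerts, key=_ts):
        key = (a["rule"]["id"], a["agent"]["name"], a["data"]["srcip"])
        c = latest.get(key)
        if c and (_ts(a) - c["last"]).total_seconds() <= window_s:
            c["count"] += 1
            c["last"] = _ts(a)
            continue
        c = {"key": key, "first": _ts(a), "last": _ts(a), "count": 1,
             "alert": a, "status": "open"}  # a human moves it out of "open"
        cases.append(c)
        latest[key] = c
    return cases


def prioritise(case):
    """Score a case and keep the rationale next to the score (weights are assumptions)."""
    a = case["alert"]
    score, reasons = a["rule"]["level"], [f"rule level {a['rule']['level']}"]
    if case["count"] >= 10:
        score += 3
        reasons.append(f"{case['count']} duplicates in window")
    risky = set(a["rule"]["mitre"]["tactic"]) & HIGH_RISK_TACTICS
    if risky:
        score += 2
        reasons.append("ATT&CK tactic " + ",".join(sorted(risky)))
    if a["agent"]["name"] in CROWN_JEWELS:
        score += 2
        reasons.append("crown-jewel asset")
    band = "critical" if score >= 12 else "high" if score >= 9 else "medium" if score >= 6 else "low"
    case.update(score=score, severity=band, rationale=reasons)
    return case


def route(cases, policy=POLICY):
    """Apply the routing policy and log every decision with its rationale."""
    audit = []
    for c in cases:
        rule = policy[c["severity"]]
        c["channel"], c["paged"] = rule["channel"], rule["page_oncall"]
        audit.append({"case": c["key"], "severity": c["severity"], "score": c["score"],
                      "channel": c["channel"], "paged": c["paged"], "rationale": c["rationale"]})
    return cases, audit


def triage(alerts, policy=POLICY):
    return route([prioritise(c) for c in dedupe(alerts)], policy)


def replay(alerts, predicate):
    """Run a new detection (a predicate over each source's history) against stored alerts."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["data"]["srcip"]].append(a)
    return {src: hist for src, hist in by_src.items() if predicate(hist)}


def spraying_across_hosts(hist, min_hosts=2):
    """Candidate new rule: one source failing logins on several hosts."""
    return len({a["agent"]["name"] for a in hist}) >= min_hosts


if __name__ == "__main__":
    cases, audit = triage(RAW_ALERTS)
    for entry in audit:
        print(entry)
    print("replay hits:", list(replay(RAW_ALERTS, spraying_across_hosts)))
```

Two properties are worth checking in any real deployment of this pattern: no path through `route` sets a status other than `open`, so the human-in-the-loop promise in capability 08 is structural rather than procedural, and every audit entry carries the same rationale list that produced the score, which is what lets an analyst override a band and say why.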

Principle

Human expertise remains critical.

Hermes assists analysts. It does not replace them. The platform exists to give skilled human operators more leverage: sharper context, faster pivots, fewer dead-end alerts, while preserving the judgment, accountability, and adversarial reasoning that machines do not have.

  • Hermes assists. Analysts decide.
  • Findings are validated by qualified humans before action.
  • Investigations remain human-led, with Hermes as instrumentation.
  • Operational judgment, accountability, and tradecraft matter.
Engagement model

Installation, integration, and response — provided by the firm.

Hermes is not handed over as software for your team to figure out. CyberD20 deploys it, wires it into your environment, and responds personally when Hermes surfaces a validated incident.

PHASE 01 · Installation
Hermes and the underlying Wazuh stack are installed and hardened by CyberD20, including a full Wazuh build-out for organizations that don't yet have a SIEM. No "follow the docs" handoff. Deployment is sized to the environment (on-prem, cloud, or hybrid) and configured against your asset inventory.
Provided by CyberD20

PHASE 02 · Integration
Endpoint agents, network and cloud telemetry, identity providers, threat-intel feeds, and notification channels (Slack, Telegram, ticketing) are integrated and tuned. Detections are baselined to your environment so signal isn't buried in noise.
Provided by CyberD20

PHASE 03 · 24/7 monitoring and IOC alerting
Hermes monitors continuously, around the clock, and alerts the owner or designated manager when it identifies an indicator of compromise. Alerts arrive in the channel you actually read (SMS, Slack, Telegram, or email) with the context already attached: what triggered, where, and what to do next.
Provided by CyberD20

PHASE 04 · Response on validated incidents
When Hermes surfaces an event that human review confirms is a real incident, CyberD20 responds. Containment, forensic triage, coordination with counsel and carrier, and a documented closeout, handled by the firm, not pushed back to your team.
Provided by CyberD20
What you provide
  • Access and asset inventory
  • Designated point of contact
  • Authority to act in defined scenarios
What CyberD20 provides
  • Hermes deployment and tuning
  • Continuous detection engineering
  • Incident response on validated events
What stays with you
  • Operational judgment and authority
  • Business-context decisions
  • Final call on response actions
Walk through Hermes against a real alert from your environment.