AI SOC · Auditable reasoning
AI-powered SOC that explains every verdict.
Shelmia investigates every SIEM alert end-to-end and delivers an auditable verdict in minutes — for SOC teams that can't afford a 24/7 analyst rotation.
Built for the Latin American mid-market
Alert #A-2398 · Wazuh · 14:32:07 UTC
Outbound connection to known C2 infrastructure
Verdict
10.0.4.12 initiated outbound TCP to 185.232.65.41 — a known C2 server using application-layer evasion.
Reasoning chain
5 steps · 42s
Parse
Extracted src=10.0.4.12 → dst=185.232.65.41:443 from Wazuh event.
Reputation
47 / 89 vendors flag 185.232.65.41 as malicious.
Abuse history
234 reports in the last 30 days. Confidence score 100 / 100.
Technique
Pattern matches application-layer C2 over HTTPS.
Correlation
3 prior alerts on the same /24 subnet in the last 6 hours.
Full audit log attached
View trace →
The asymmetry
The attack is already automated. The defense, still manual.
The problem
Alert fatigue is killing SOC throughput.
SIEMs fire thousands of alerts per day. Analysts can't investigate them all, so the signal disappears into the dashboard.
Alert volume
Every SIEM fires thousands of alerts per day. No SOC team can manually triage them all.
False positives
Most alerts are noise. Manual triage burns analyst hours and still gambles with risk.
Analyst fatigue
Repeated alerts numb the team. The one that matters ends up buried in the queue.
The cost
One missed alert can cost more than a year of MDR.
No 24/7 SOC
The mid-market can't afford a dedicated, round-the-clock analyst team.
Scarce talent
There's a global shortage of cybersecurity professionals. Hiring isn't a fast option.
The mid-market is in the worst spot: as exposed as a bank, without its defensive resources.
The product
Automated SOC alert triage, end to end.
Shelmia ingests every SIEM alert, filters known false positives, investigates what's left with AI agents, and ships a verdict with the full reasoning chain attached.
Ingested
~4,484 / day
- #A-2398 · high · Outbound C2
- #A-2399 · low · Login retry
- #A-2400 · low · Heartbeat
- #A-2401 · high · Privilege esc.
- #A-2402 · medium · Cert expiry
- #A-2403 · low · DNS noise
- #A-2404 · medium · Port scan
- #A-2405 · low · User agent
- #A-2406 · high · Malware dropper
- #A-2407 · low · Update check
6 dropped as noise
Shelmia
Qualified
avg. 42s
- #A-2398Malicious
- #A-2401Suspicious
- #A-2404Benign
- #A-2406Malicious
Full reasoning attached
Ingest
Enrich
Deliver
Auditable verdict
Less noise
False positives are filtered out before reaching a person.
Faster response
Investigation time (MTTR) drops from hours to minutes.
Every decision auditable
The verdict shows what was queried and why it was concluded.
How it works
How Shelmia investigates a SIEM alert.
Every step is deterministic where it can be and probabilistic only where it must be — the LLM writes the explanation, not the verdict.
- 01 · Ingest · Alerts from Wazuh and Elastic (SIEM).
- 02 · Filter · Drop known false positives at the gate.
- 03 · Queue · Queue the cases worth analyzing.
- 04 · AI agents · Query reputation feeds, abuse history and adversary technique catalogs.
- 05 · Verdict · A result with its full reasoning chain.
Sample trace · alert #A-2398
What an analyst sees
Agent trace · session #s-9847 · alert #A-2398
41 sec
Agent
Investigating Alert #A-2398. Parsing event: src=10.0.4.12, dst=185.232.65.41:443. Reputation lookup warranted.
Tool · reputation.lookup
→ { "ip": "185.232.65.41" }
← { "malicious": 47, "total": 89, "categories": ["malware", "c2"] }
Agent
High-confidence threat indicator. Checking abuse history.
Tool · abuse.report
→ { "ip": "185.232.65.41", "days": 30 }
← { "reports": 234, "score": 100 }
Agent
Confirmed bad reputation. Mapping to adversary technique.
Tool · technique.classify
→ { "indicators": ["outbound_443", "known_c2"] }
← { "technique": "AppLayer-C2", "name": "Application Layer Protocol" }
Agent
Pattern matches application-layer C2. Checking lateral signals on subnet.
Tool · timeline.query
→ { "subnet": "10.0.4.0/24", "window": "6h" }
← { "related_alerts": 3, "severity": ["medium"] }
Verdict
Outbound C2 beacon to known infrastructure. Recommended: block at egress + isolate 10.0.4.12.
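As an added illustration of the five-step flow and the trace above, not Shelmia's own code: a small Python pipeline that runs the same four lookups against stubbed feed answers copied from the sample trace, records every request and response in an audit chain, and fixes the verdict by explicit rules so that a model could only ever phrase the explanation. The thresholds, the stub feeds and the event layout are my own assumptions.

```python
import ipaddress

# Constructed sample input: a Wazuh-style event and stubbed feed answers that
# mirror the page's trace for alert #A-2398. They are not real tool output.
EVENT = {"id": "A-2398", "src_ip": "10.0.4.12", "dst_ip": "185.232.65.41", "dst_port": 443}
FEEDS = {
    "reputation.lookup": {"malicious": 47, "total": 89, "categories": ["malware", "c2"]},
    "abuse.report": {"reports": 234, "score": 100},
    "technique.classify": {"technique": "AppLayer-C2", "name": "Application Layer Protocol"},
    "timeline.query": {"related_alerts": 3, "severity": ["medium"]},
}

def call_tool(name, args, feeds, chain):
    """Answer from a stub feed and append request + response to the audit chain."""
    response = feeds[name]
    chain.append({"step": name, "request": args, "response": response})
    return response

def triage(event, feeds=FEEDS):
    """Return a verdict plus the ordered chain of queries that justify it."""
    chain = []
    dst, src = event["dst_ip"], event["src_ip"]
    rep = call_tool("reputation.lookup", {"ip": dst}, feeds, chain)
    abuse = call_tool("abuse.report", {"ip": dst, "days": 30}, feeds, chain)
    indicators = [f"outbound_{event['dst_port']}"]
    if "c2" in rep["categories"]:
        indicators.append("known_c2")
    tech = call_tool("technique.classify", {"indicators": indicators}, feeds, chain)
    subnet = str(ipaddress.ip_network(f"{src}/24", strict=False))
    timeline = call_tool("timeline.query", {"subnet": subnet, "window": "6h"}, feeds, chain)
    # The verdict is fixed by these rules, never by a model. The thresholds are
    # illustrative assumptions, not Shelmia's.
    ratio = rep["malicious"] / rep["total"] if rep["total"] else 0.0
    if ratio >= 0.5 and abuse["score"] >= 80:
        verdict = "Malicious"
    elif ratio >= 0.2 or abuse["reports"] > 0 or timeline["related_alerts"] > 0:
        verdict = "Suspicious"
    else:
        verdict = "Benign"
    actions = [f"block {dst} at egress", f"isolate {src}"] if verdict == "Malicious" else []
    return {"alert": event["id"], "verdict": verdict, "technique": tech["name"],
            "actions": actions, "reasoning_chain": chain}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENT), indent=2))
```

The returned `reasoning_chain` is the audit log an analyst replays step by step; swapping the stub feeds for real connectors changes nothing about how the verdict is derived.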
Why Shelmia
Why Shelmia vs. traditional MDR.
Auditable reasoning
Not a black box. Every verdict shows what the agent queried, what it found and why it concluded what it concluded.
LATAM-native telemetry
Detection is tuned to the regional context — threats, stacks, language — that global vendors structurally underrepresent.
European hosting under GDPR
Data hosted in the EU, enabled by Uruguay's adequacy with the European Commission (Law 18.331). A concrete legal differentiator.
The moat isn't the AI model — it's the regional data and context that global incumbents don't have.
Why now
Why AI-driven SOC automation, now.
Agentic AI has matured
Reliable, traceable reasoning is now viable in production, not only in demos.
Attacks went industrial
Ransomware-as-a-service and offensive AI lowered the attacker's barrier.
Mid-market was left out
Enterprise MDR is expensive and heavy. A massive segment is still uncovered.
Regulatory tailwind
Data sovereignty and privacy rules push toward regional and European hosting.
Supported by
FAQ
Questions buyers ask before a pilot.
What does Shelmia integrate with?
Today Shelmia ingests alerts from Wazuh and Elastic (the most common SIEMs in the LATAM mid-market) and enriches them with multi-vendor IP reputation feeds, abuse history databases, and adversary technique catalogs. New connectors are added per pilot.
Is Shelmia an MDR replacement?
Shelmia is built for teams that can't afford a full MDR or a 24/7 SOC. It automates the triage layer — the part where most analyst hours go — and hands a qualified verdict back to your team or your existing MDR.
Where is the data stored?
All data is hosted in the European Union. Uruguay's adequacy decision with the European Commission (Law 18.331) lets LATAM customers store telemetry under GDPR — a legal differentiator that most US-based vendors can't match.
How is this different from a generic LLM wrapper?
The pipeline is deterministic where it can be and probabilistic only where it has to be. The LLM writes the explanation, not the verdict — every conclusion is backed by a chain of queries and findings that a human analyst can audit step by step.
How do I run a pilot?
We're running paid pilots with anchor customers across Uruguay, Argentina and Paraguay. Request a pilot from the form on this page — we'll set up a 30-minute scoping call within 48 hours.
Now in private pilots
Defense at the speed of attack.
We're running paid pilots with anchor customers across Uruguay, Argentina and Paraguay. If your SOC is drowning in alerts, we want to talk.