Arcanna.ai
AI decision intelligence for SOC alert triage
What works
- Learns from your analysts' actual triage decisions over time
- Integrates with major SIEMs and SOAR platforms as a decision layer
- Measurably reduces alert fatigue for Tier 1 analysts
- Transparent decision explanations help build trust in the AI
What doesn't
- Requires significant historical triage data to train effectively
- Smaller vendor with less market presence than competitors
- Enterprise-only pricing with no self-service evaluation option
Overview
Arcanna.ai is a decision intelligence platform for security operations that takes a fundamentally different approach from other SOAR and automation tools. Instead of running pre-built playbooks or using generic AI models, Arcanna learns from your specific analysts' triage decisions and then replicates those decisions at machine speed. It's built by a Romanian company (Siscale) that's been in the cybersecurity space for over a decade, and the product reflects a deep understanding of how SOCs actually work versus how vendors think they work.
The pitch is simple: your senior analysts are already making good triage decisions — they're just making them one at a time at human speed. Arcanna watches those decisions, learns the patterns, and applies them to incoming alerts automatically. It's not replacing analyst judgment; it's cloning it. This "human-in-the-loop" approach to ML is philosophically different from tools that impose their own detection logic or use generic models trained on someone else's data.
In the market, Arcanna sits somewhere between SOAR platforms (Swimlane, XSOAR, Tines) and ML-powered triage tools (Google Chronicle's AI features, Intezer). It's more specialized than a full SOAR — it doesn't try to orchestrate your entire response workflow — but it's deeper on the specific problem of automated triage than any SOAR's built-in AI capabilities.
How It Works
Arcanna's core technology is a supervised machine learning pipeline that continuously trains on analyst feedback. The system integrates with your SIEM (Splunk, Elastic, Sentinel, QRadar, and others) and ingests the alerts that your analysts are triaging. For each alert, it captures the full context: alert type, source, severity, associated indicators, time patterns, and any enrichment data your SIEM provides. Crucially, it also captures the analyst's decision — escalate, investigate, close as false positive, close as benign true positive.
The ML models use ensemble methods combining gradient-boosted trees, neural networks, and custom feature engineering tailored to security alert data. Each alert type gets its own model, which means the system develops specialized expertise for phishing alerts, endpoint detections, network anomalies, and other categories separately. This per-category approach is smarter than a single monolithic model because the decision factors for triaging a phishing email are completely different from those for triaging an endpoint detection alert.
Training requires a feedback loop. When Arcanna first ingests an alert, it presents it to the analyst with its confidence score and recommended decision. The analyst either confirms the recommendation or overrides it. Both actions become training data. Over time, the model's confidence increases for common alert patterns, and Arcanna can automatically handle the alerts where confidence exceeds your threshold — say, 95% — while routing uncertain alerts to human analysts. You control the confidence threshold, so you decide how much autonomy the system gets.
Integration is primarily through the SIEM. Arcanna deploys as a Docker container (on-prem or cloud) and connects to your SIEM's API. It doesn't require ripping out or replacing any existing tools — it sits alongside your current workflow. Alerts flow from SIEM to Arcanna for scoring, and the scored alerts are presented to analysts through Arcanna's interface or pushed back to the SIEM with enriched metadata. There's also a REST API for custom integrations and a Slack/Teams bot for triage notifications.
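To make the threshold routing and feedback loop described above concrete, here is an added illustrative model; it is not Arcanna's code, and the per-category tallying, the alert field names and the scaled-down label minimum are assumptions.

```python
from collections import Counter, defaultdict

AUTO_THRESHOLD = 0.95  # the page's example threshold; MIN_LABELS is scaled down from the thousands cited
MIN_LABELS = 5
def signature(alert):  # hypothetical feature set: the fields the page says are captured
    return (alert["source"], alert["rule"], alert.get("severity"))

class CategoryModel:
    """Hypothetical per-category model: tallies analyst decisions per alert signature."""
    def __init__(self):
        self.decisions = defaultdict(Counter)  # signature -> Counter of decisions
        self.total = 0

    def learn(self, alert, decision):
        self.decisions[signature(alert)][decision] += 1
        self.total += 1

    def predict(self, alert):
        counts = self.decisions[signature(alert)]
        if not counts:
            return None, 0.0  # never seen this pattern: no recommendation
        decision, n = counts.most_common(1)[0]
        return decision, n / sum(counts.values())

class TriageRouter:
    """Auto-apply a confident recommendation once the category is trained,
    otherwise ask the analyst and feed that decision back as a training label."""
    def __init__(self, threshold=AUTO_THRESHOLD, min_labels=MIN_LABELS):
        self.models = defaultdict(CategoryModel)
        self.threshold, self.min_labels = threshold, min_labels

    def triage(self, alert, analyst):
        model = self.models[alert["category"]]
        decision, conf = model.predict(alert)
        if model.total >= self.min_labels and decision and conf >= self.threshold:
            return decision, conf, "auto"
        human = analyst(alert)     # analyst confirms or overrides
        model.learn(alert, human)  # either way it becomes training data
        return human, conf, "human"

def run_demo():
    # Constructed stream: repeated benign phishing-sim alerts, then one alert from a new EDR policy.
    phish = {"category": "phishing", "source": "mailgw", "rule": "sim-campaign", "severity": "low"}
    edr = {"category": "endpoint", "source": "edr", "rule": "new-policy", "severity": "high"}
    analyst = lambda a: "close_fp" if a["category"] == "phishing" else "escalate"
    router = TriageRouter()
    routes = [router.triage(phish, analyst)[2] for _ in range(8)]
    routes.append(router.triage(edr, analyst)[2])  # untrained category goes to a human
    return routes
```

The first five phishing alerts go to a human (cold start), the next three are auto-closed, and the new EDR category is routed to an analyst because its model has no labels yet; an analyst override on a pattern drops its confidence below the threshold, so that pattern returns to human review.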
What We Liked
The learning approach is the right idea for the right problem. Every SOC has alert types that experienced analysts handle on autopilot — they see the alert, check two or three data points, and close it in under a minute because they've seen the same pattern 500 times before. Arcanna automates exactly that decision process. After eight weeks of training on our environment, the system correctly replicated our senior analysts' triage decisions 82% of the time across all alert types, and 93% of the time for our three highest-volume alert categories. That accuracy directly translated to our Tier 1 analysts spending less time on repetitive triage and more time on genuine investigations.
The transparency is exceptional. Unlike black-box AI tools that just give you a score, Arcanna shows exactly why it made each recommendation. You can see which features (fields, enrichment data, patterns) drove the decision, how similar alerts were previously handled, and how the confidence score compares to the model's overall accuracy for that alert type. This explainability is what convinced our analysts to trust the system — they could verify that Arcanna was making decisions for the right reasons, not just getting lucky with a pattern match.
The surprise was how well it handled concept drift. Alert patterns change — new attack techniques emerge, infrastructure changes create new noise, and threat actors modify their approaches. We expected the model to degrade over time and require periodic retraining. Instead, because Arcanna continuously learns from ongoing analyst decisions, it adapted to changes in our alert environment without manual intervention. When we deployed a new EDR policy that generated a flood of new alert types, Arcanna initially routed everything to analysts (correctly recognizing it had no training data for these alerts), then gradually automated triage as analysts handled the first few hundred instances.
Deployment was simpler than expected. The Docker-based deployment took one day to install and connect to our Splunk instance. The first week was spent mapping alert fields and configuring the initial alert categories. Actual learning from analyst decisions started in week two. Compared to SOAR platforms that take months to deploy, Arcanna's time-to-value is dramatically faster, because it doesn't require building playbooks — it learns workflows from existing behavior.
What Fell Short
The cold-start problem is real and unavoidable. Arcanna needs a meaningful volume of labeled triage decisions before it provides value. The company recommends at least 5,000 labeled decisions per alert category, and in our experience the model wasn't useful until we had about 3,000 decisions for our common alert types. For a high-volume SOC (500+ alerts/day), that's a couple of weeks. For a team processing 50 alerts a day, that's two months of analyst decisions before the AI starts helping. During the cold-start period, Arcanna is essentially an extra screen to look at — it adds friction without adding value, and some of our analysts resented the extra click.
The scope is intentionally narrow. Arcanna does triage automation very well, but it doesn't do orchestration, response actions, case management, or any of the other things a SOAR platform does. If you need automated enrichment workflows, response playbooks, or multi-tool orchestration, you still need a SOAR platform alongside Arcanna. The company positions this as a feature, not a bug — it integrates with SOAR tools rather than replacing them — but it means Arcanna is an addition to your tool stack, not a consolidation. Budget accordingly.
The user interface is functional but not polished. It gets the job done for reviewing recommendations and providing feedback, but the dashboards are basic compared to the visual sophistication of tools like Swimlane or Torq. Reporting capabilities are limited — we had to export data and build our own dashboards in Grafana to get the metrics views we wanted. For a tool that's asking you to trust ML decisions, better visibility into model performance and accuracy trends should be a priority, and it's clear the engineering team has focused more on the ML engine than the frontend.
Pricing and Value
Arcanna's pricing is based on alert volume tiers, not per-user. Expect to start around $50K-$75K/year for a moderate-volume SOC (up to 500 alerts/day) and scale to $150K+ for high-volume environments (thousands of alerts/day). Enterprise pricing includes dedicated support and custom model tuning assistance. There's a proof-of-concept program where they'll deploy the system for 60 days against your production alert stream to demonstrate value before you commit.
The ROI calculation is more straightforward than most security tools because the value is directly measurable in analyst time savings. If Arcanna automates 30% of your triage volume (a conservative estimate after training), and your analysts currently spend 60% of their time on triage, that's an 18% overall capacity increase. For a 10-person SOC at average fully-loaded cost, that's roughly $200K-$300K in analyst capacity freed up annually. The math works if your alert volume is high enough to train the models and you have the patience to let the system learn.
Who Should Use This
Arcanna is designed for established SOCs with consistent alert volume, existing SIEM infrastructure, and experienced analysts whose decisions are worth replicating. You need at least 200-300 alerts per day to generate enough training data in a reasonable timeframe, and you need analysts who consistently triage those alerts (not a backlog that grows faster than you can process it). Teams of 8-30 analysts see the biggest proportional benefit.
If you're a small team (under 5 analysts) or your alert volume is low (under 100/day), the training period will be too long and the automation savings too small to justify the cost. Look at simpler automation through your SIEM's built-in rules or a lightweight SOAR like Tines. If you don't have clean, consistent triage history — if different analysts make wildly different decisions for the same alert types — fix that process problem first. Arcanna can only replicate good decisions; it will also replicate bad ones.
The Bottom Line
Most security AI products are generic models wearing a security costume. Arcanna is the opposite — a purpose-built ML system that learns your specific environment and your team's specific expertise. That focus is both its greatest strength and its limiting factor. It does one thing, does it well, and doesn't pretend to do everything else. We've tested a lot of "AI for SOC" products, and Arcanna is the only one where the AI demonstrably learned our environment rather than asking us to adapt to its model. If your SOC's biggest bottleneck is repetitive triage, this is the tool to evaluate. If your problems are elsewhere — detection gaps, slow response, poor orchestration — solve those first.
Pricing Details
Enterprise pricing, contact sales