Your SOC. Agents That Investigate. No Data Leaving Your Infrastructure.
Flocks coordinates 7 specialist agents across 150+ cybersecurity tools to automate alert triage, cross-device investigation, device inspection, and host forensics. Self-evolving, it learns from real operations and builds enterprise-specific knowledge that improves every shift. No data leaves your infrastructure.
Flocks is ThreatBook’s AI for Security arm — the part that does security work inside your existing stack. Every other agentic-security pitch requires a bet on the vendor’s closed cloud. Flocks doesn’t: open source, locally deployed, no data leaving your infrastructure.
SOC Teams Are Overwhelmed by Volume, Not Complexity
The fundamental SOC problem is not a talent shortage; it is a volume problem. Most analyst time is consumed by repetitive alert review, manual enrichment, and multi-tool log queries that produce no actionable findings. The investigations that actually require human judgment are delayed by the overhead of getting to them.
Review, Not Investigation
Security analysts in most SOC environments spend the majority of their working hours reviewing, triaging, and closing or escalating alerts, not investigating confirmed incidents. The volume of daily alerts from SIEM, EDR, and network tools consistently exceeds what teams can meaningfully investigate within the same shift. Real threats are delayed or missed not because analysts lack skill, but because they never get to them.
Investigations Require Manual Multi-System Logins
Correlating an alert across SIEM, EDR, firewall, and network detection requires logging into each system by hand, running separate queries, and assembling the results manually. For a three-system investigation spanning two time zones, this can take an experienced analyst four to six hours; that time should be spent on analysis, not data retrieval. Shift handoffs routinely break investigation continuity.
Senior Analysts Leave
SOC institutional knowledge (the playbooks, the tuning history, the organization-specific context that makes investigations efficient) lives in analysts' heads, not in systems. When senior analysts rotate, leave, or change shifts, incoming analysts restart from scratch on cases that should already have established context. Most SOC platforms do not accumulate operational knowledge in a form that new team members can access and build on.
Agents That Work the Alert Queue While Analysts Focus on Real Incidents
Flocks deploys Rex as the persistent SOC coordinator: it continuously monitors alerts, correlates events across time zones and device boundaries, and dispatches specialist agents to run parallel investigations without human handoff. Rex connects to your existing security devices through a one-sentence natural-language description of each device's API, with no configuration scripting required. The specialist agent team covers SIEM analysis, EDR investigation, firewall log correlation, network traffic analysis, and host forensics.
Flocks is open-source and locally deployed on Windows, Mac, or Ubuntu with a one-click start. All data stays within your infrastructure: no cloud dependency, no data sharing. The 30-day onboarding provides 10M tokens per day to get the agent team operational and accumulating enterprise-specific knowledge from your real SOC environment.
- Rex continuously monitors alerts across all connected security devices, no shift gaps, no timezone handoff failures
- 7 specialist agents run parallel investigations across SIEM, EDR, firewall, and network tools simultaneously
- One-sentence natural language device integration, connect existing security tools without configuration scripting
- Self-evolving knowledge base: Flocks learns from real operations and accumulates enterprise-specific investigation context
- Fully open-source, locally deployed, no data leaves your infrastructure, no licensing cost
Four Proven SOC Automation Scenarios That Run Today
Alert Triage
Flocks ingests the alert queue continuously, enriches each alert with context from connected security tools, and executes investigation playbooks autonomously. Low-confidence alerts are closed with a structured audit trail. High-confidence alerts are escalated to analysts with a complete investigation summary, eliminating the majority of manual review cycles from the analyst workflow.
Cross-Device Investigation
Specialist agents execute queries in parallel across all connected security devices (SIEM, EDR, firewall, NDR) and Flocks correlates the findings into a unified investigation timeline. Multi-system investigations that take analysts hours complete in minutes. Cross-timezone correlation runs continuously without shift handoff, maintaining investigation continuity between analyst sessions.
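As an added illustration of the correlation step described above (example code written for this page, not Flocks or ThreatBook code), the script below takes three constructed records in the timestamp conventions these tools commonly emit: a SIEM alert with an ISO-8601 UTC timestamp, EDR events stamped in a local zone with a UTC offset, and firewall lines keyed by Unix epoch. It normalizes all of them to aware UTC datetimes, keeps only the events about the host and source IP named in the alert, and orders them into one timeline with the summary an escalation could carry. The hosts, IPs, times and record layouts are hypothetical.

```python
"""Cross-source timeline correlation: normalize tool-specific timestamps to UTC,
pivot on the entities named in the triggering alert, and emit one ordered
timeline plus a short escalation summary. Added illustration, not Flocks code."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input (hypothetical hosts, IPs and times), in three
# different timestamp conventions: ISO-8601 UTC, local time with offset, epoch.
SIEM_ALERT = {"ts": "2024-05-14T02:13:07Z", "rule": "suspicious_powershell",
              "host": "WS-0412", "src_ip": "10.20.31.7"}
EDR_EVENTS_JSON = """[
 {"time": "2024-05-13 22:12:51 -0400", "hostname": "ws-0412",
  "event": "process_start", "detail": "powershell.exe -enc ..."},
 {"time": "2024-05-13 22:13:40 -0400", "hostname": "ws-0412",
  "event": "persistence", "detail": "HKCU Run key added"},
 {"time": "2024-05-13 22:13:45 -0400", "hostname": "ws-0099",
  "event": "process_start", "detail": "chrome.exe"}
]"""
FW_LOG = """1715652793 deny 10.20.31.7:51322 -> 198.51.100.23:443
1715652800 allow 10.20.31.7:51323 -> 198.51.100.23:8443
1715652810 allow 10.20.31.9:40000 -> 203.0.113.5:443"""


@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware, always UTC
    source: str    # "siem" | "edr" | "firewall"
    entity: str    # lower-cased host name or IP the record is about
    summary: str


def to_utc(ts):
    """Normalize an ISO-8601 string, a 'YYYY-MM-DD HH:MM:SS +HHMM' string or a
    Unix epoch to an aware UTC datetime. A timestamp with no zone is rejected
    rather than silently assumed to be UTC; that assumption is the usual
    source of cross-tool timeline skew."""
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S %z"):
        try:
            dt = datetime.strptime(ts, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognized or zone-less timestamp: {ts!r}")
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without zone: {ts!r}")
    return dt.astimezone(timezone.utc)


def normalize(siem_alert, edr_json, fw_log):
    """Turn each tool's native records into Event objects with UTC times."""
    events = [Event(to_utc(siem_alert["ts"]), "siem", siem_alert["host"].lower(),
                    f"rule {siem_alert['rule']} fired")]
    for rec in json.loads(edr_json):
        events.append(Event(to_utc(rec["time"]), "edr", rec["hostname"].lower(),
                            f"{rec['event']}: {rec['detail']}"))
    for line in fw_log.splitlines():
        epoch, action, src, _, dst = line.split()
        events.append(Event(to_utc(int(epoch)), "firewall", src.rsplit(":", 1)[0],
                            f"{action} {src} -> {dst}"))
    return events


def correlate(siem_alert, events, window=timedelta(minutes=15)):
    """Keep events about the alert's host or source IP within +/- window of the
    alert time, ordered by UTC time regardless of which tool logged them."""
    pivots = {siem_alert["host"].lower(), siem_alert["src_ip"]}
    t0 = to_utc(siem_alert["ts"])
    return sorted((e for e in events
                   if e.entity in pivots and abs(e.ts - t0) <= window),
                  key=lambda e: e.ts)


def escalation_summary(timeline):
    """What an analyst wants before opening a console: the span, which tools
    saw it, and whether persistence or blocked egress showed up."""
    return {
        "first_seen": timeline[0].ts.isoformat(),
        "last_seen": timeline[-1].ts.isoformat(),
        "sources": sorted({e.source for e in timeline}),
        "persistence": any(e.source == "edr" and e.summary.startswith("persistence")
                           for e in timeline),
        "blocked_egress": any(e.source == "firewall" and e.summary.startswith("deny")
                              for e in timeline),
        "steps": [f"{e.ts.strftime('%H:%M:%S')}Z {e.source:8s} {e.entity:11s} {e.summary}"
                  for e in timeline],
    }


if __name__ == "__main__":
    tl = correlate(SIEM_ALERT, normalize(SIEM_ALERT, EDR_EVENTS_JSON, FW_LOG))
    print(json.dumps(escalation_summary(tl), indent=2))
```

Run it directly to print the summary. The detail worth keeping is the time handling: the EDR records read 22:12 local and the SIEM alert 02:13 UTC, and they only sort correctly once both are aware UTC datetimes; the events from the unrelated host and IP are dropped by the pivot filter rather than by hand.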
Device Inspection
When an alert implicates a specific device, Flocks dispatches specialist agents to query that device's logs, running processes, network connections, and configuration state in parallel. The device inspection report is assembled automatically and attached to the escalation summary, giving analysts full device context without manual log pulls or tool-switching.
Host Forensics
For confirmed incidents, Flocks executes deep host forensic collection (file system artifacts, registry state, memory indicators, and persistence mechanisms) without requiring an analyst to script queries per endpoint. Forensic findings are structured into a timeline and cross-referenced against ATI threat intelligence to identify known attack patterns and attribute activity to tracked threat groups.
From One-Click Deploy to Autonomous SOC Operations
Flocks is operational in hours, not weeks. The one-click installer handles local deployment. Natural-language device integration connects your existing security stack without configuration scripts. Rex starts processing the alert queue immediately and begins accumulating enterprise-specific knowledge from the first shift.
One-click installer on Windows, Mac, or Ubuntu. No cloud dependency; all data stays on your infrastructure. Connect existing security devices by describing their APIs in natural language; given API access to each device, Flocks handles the integration automatically.
Rex begins monitoring the alert queue immediately after device connection. Alerts are ingested continuously across all connected security tools, no manual queue management required. Cross-timezone correlation runs persistently, including during off-hours when manual monitoring is reduced.
Specialist agents run parallel investigations across SIEM, EDR, firewall, and network tools. Rex synthesizes findings into a structured investigation timeline. Host forensics agents analyze processes, persistence mechanisms, and exfiltration indicators autonomously, returning a complete finding before analyst involvement is required.
Confirmed incidents trigger response actions, ticket creation, and escalation workflows. Closed cases update the Flocks knowledge base, the enterprise-specific context that makes every subsequent investigation faster and more accurate. Analysts receive findings ready for decision, not raw data requiring assembly.
What Security Teams Achieve with Flocks
Flocks is open-source and locally deployed with no licensing fees. The 30-day onboarding includes 10M tokens per day. Teams can deploy, evaluate, and run Flocks in production without budget approval cycles or procurement delays.
The 150+ integrated tools cover the full investigation workflow: log analysis, threat intelligence lookup, network forensics, endpoint investigation, and response execution, all accessible to the specialist agent team without additional integration work from the security engineering team.
Rex monitors alerts continuously, including overnight hours, weekends, and timezone transitions where human coverage is reduced. Alerts that previously waited hours for the morning shift are investigated and either closed or escalated before the analyst arrives.
The ThreatBook Products Behind This Use Case
Flocks: open-source, locally deployed agentic SecOps platform.
Rex (Main Agent) + 7 specialist agents. 150+ integrated tools. Four proven scenarios: alert triage, cross-device investigation, device inspection, host forensics.
Self-evolving knowledge base. 10M tokens/day for your first 30 days.
Deploy Flocks in Your SOC Today, No Cost, No Cloud
Download Flocks from GitHub and run the one-click installer. You'll have Rex and the specialist agent team operational in hours. The 30-day trial includes 10M tokens per day to get your agent team fully operational on your real alert environment.
Open-source. No credit card. Data stays on your infrastructure.