FAQ

General questions

What is Qevlar AI and what does it do for Security Operations Centers?

Qevlar AI is an AI SOC Platform that expands SOC capacity without adding headcount and doesn’t hallucinate. It investigates every alert in under 3 minutes and delivers explainable, evidence-based results so SOC teams cut false positives, reduce MTTR, and focus on proactive defense instead of repetitive manual work.

How is Qevlar AI different from a security copilot?

Copilots require an analyst to prompt them, review suggestions, enrich data, and make the final call.

They accelerate manual work, but they don’t remove it.

With Qevlar AI, as soon as an alert comes in, it autonomously pulls data from your security stack, enriches evidence, correlates context, and reaches a clear verdict (benign or malicious) without relying on playbooks or predefined workflows.

How is Qevlar AI different from SOAR platforms?

Solutions like Qevlar AI are sometimes perceived as SOAR replacements, but that’s a misconception.

SOARs remain the backbone of orchestration and execution in modern SOCs: they provide structure, reliability, and the ability to act across systems at scale.

Qevlar AI makes your investigations more adaptive and contextual, reducing the cost of future SOAR adjustments and playbook updates.

  • Qevlar applies consistent investigation logic, adapting the investigation path to the available artifacts and context.

  • SOAR assists in enrichment and handles remediation.

  • Human analysts stay in the loop and make faster, more informed decisions on the next steps.

Learn about the typical setup of Qevlar AI used together with a SOAR here.

How is Qevlar different from other AI SOC Analysts or Agents?

Most “AI SOC analysts” on the market are LLM-driven agents.

When investigating the same alert, LLMs can take different paths and reach different conclusions. Even for simple alerts, consistency rarely exceeds 75%, while complex ones can generate nearly 100 unique investigation paths.

Qevlar’s investigations are powered by a proprietary graph-based AI orchestrator. Qevlar’s graph orchestration defines the investigation steps and delivers deterministic, evidence-based reasoning. LLM agents execute these steps, add context, pull data, and produce clear reports. This ensures consistent, reproducible results.

Which parts of the incident response lifecycle does Qevlar AI handle?

Qevlar AI fully automates alert triage, enrichment, and investigation, and provides a clear verdict with documented reasoning. Analysts then review and trigger remediation.

In short: Qevlar handles everything up to the decision; humans handle the action.

Does Qevlar replace SOC analysts?

No. Qevlar doesn’t replace analysts. It removes the repetitive workload that prevents them from doing high-value security work.

By autonomously handling alert triage, enrichment, and investigation, Qevlar frees analysts to focus on what truly matters: proactive defense, threat hunting, improving detections, and handling real incidents.

Think of Qevlar as a force multiplier: it handles the tedious work so your analysts can finally focus on the strategic work.

Performance & capabilities

How fast can Qevlar AI triage and investigate alerts?

Qevlar reduces the mean time to investigate to under 3 min.

How does Qevlar ensure investigation quality is consistent?

Qevlar’s core engine is a proprietary graph-based AI orchestrator. Qevlar’s graph orchestration defines the investigation steps and delivers deterministic, evidence-based reasoning. LLM agents execute these steps, add context, pull data, and produce clear reports.

This ensures consistent, reproducible results.

How does Qevlar utilize my context for its investigation?

Qevlar goes beyond basic triage. Its goal is to understand the full incident lifecycle, including lateral movement, impact, and follow-on activity.

To do this, it enriches the alert with data from the tools you connect to Qevlar, such as:

  • SIEM/XDR for logs and correlation

  • EDR for endpoint activity

  • NDR for network behaviour

  • CTI for threat intelligence

  • Other identity or infrastructure platforms

You can also share your business context with Qevlar in plain language, and it will apply it to all relevant investigations.

By combining these signals, Qevlar builds a complete, context-aware view of the incident and delivers a clear investigation outcome.

Can Qevlar handle complex, multi-step, or novel threats?

Yes, Qevlar deals with all types of alerts.

What happens if the AI is unsure about an alert?

If Qevlar doesn’t have enough data to reach a conclusion, it marks the alert as Inconclusive and explains why. This helps your SOC analysts quickly see what information is missing so they can either provide it to Qevlar or continue the investigation manually.

How does Qevlar avoid hallucinations?

Qevlar avoids hallucinations by not using LLMs to make decisions. A graph-based AI orchestrator does all reasoning. It defines the investigation steps and delivers deterministic, evidence-based reasoning. LLM agents execute these steps, add context, pull data, and produce clear reports.

Can Qevlar explain how it reached a conclusion?

Yes. At the end of every investigation, analysts receive a comprehensive report that documents the entire investigative path, supported by evidence.

Can analysts review or override the AI’s decisions?

Of course. Analysts remain your main decision-makers. They can change the conclusion and explain why, for example, an alert is benign rather than malicious. This information is stored in Qevlar as a context item and automatically applied in future investigations.

Integration & deployment

How long does it take to deploy Qevlar AI?

Qevlar is API-based, so deployments usually take only a few hours. Our fastest deployment so far took just 10 minutes.

What integrations does Qevlar support today?

Qevlar AI integrates with a wide range of common SOC tools, including solutions from:

  • Microsoft

  • CrowdStrike

  • Palo Alto

  • Google SecOps

  • SentinelOne

  • Splunk

  • Cisco

And many more. You can find the complete list of supported integrations on our integrations page.

Does Qevlar require building or maintaining playbooks?

No, Qevlar AI is fully autonomous. No playbooks required.

Do I need to modify my SIEM/EDR rules to work with Qevlar?

No. Qevlar AI integrates seamlessly into your investigation workflows.

Data Privacy, security & compliance

Does Qevlar AI train on my data?

No. Qevlar AI learns from investigation results, not from private customer inputs. Qevlar works right away and doesn’t require learning time.

What data does Qevlar access during investigations?

Qevlar only accesses the data sources you explicitly connect to it. You decide which tools, logs, identities, or telemetry Qevlar can use, and you can restrict or revoke access at any time.

During an investigation, Qevlar pulls only the evidence required to understand the alert context (for example, logs, identity details, endpoint information, threat intelligence). It does not access anything outside the sources you have approved.

Does Qevlar have SOC 2 Type 2 certification?

Yes, Qevlar is SOC 2 Type 2 certified, meaning an independent auditor has verified that our security controls are designed effectively and operate consistently over time.

Where is Qevlar hosted?

The SaaS platform is hosted in the EU (Belgium) with GCP.

Success, adoption & proof

What companies have been using Qevlar AI, and what results have they achieved?

Qevlar AI is already deployed in production by Fortune Global 500 enterprises and leading MSSPs, including Orange Cyberdefense and Atos.

Across customers, we consistently see:

  • MTTI reduced to under 3 minutes

  • 100% of alerts enriched & investigated (no backlog)

  • Up to 80% of alerts auto-closed with full evidence

  • 24/7 continuous investigation without adding headcount

For real examples and detailed outcomes, visit our Customer Stories page.

How do I send a security incident to Qevlar for investigation?

Qevlar offers companies two primary methods for securely sharing security incident data. Qevlar can pull the data, or you can push it to Qevlar via simplified calls.

How does the onboarding process work?

Once the agreement is signed, we begin the deployment immediately.

You are assigned a dedicated Customer Success Manager who guides you through each step and tracks progress through a joint success plan.

What does a typical rollout look like?

  1. Incident ingestion: You can either push incidents to Qevlar or let Qevlar pull them directly from your security tools.

  2. Automated investigation: As soon as an incident arrives, Qevlar runs a full investigation, enriching and pivoting across your security stack to gather context and reach an accurate verdict.

  3. Reporting: Once finished, Qevlar publishes a complete investigation report through the API. Your SIEM, SOAR or ticketing system can attach it directly to the corresponding incident.

  4. Automated remediation: Insight Tags and structured actions from the report can be used by your automation workflows to remediate issues and automatically close tickets when appropriate.

How long before we see results with Qevlar AI?

Qevlar starts delivering value immediately. It connects to your security tools via API, usually within a few hours, and the fastest deployment so far took only 10 minutes.

You see the impact right away and get immediate ROI.

Organizational adoption

How do teams typically adapt to using autonomous investigation?

Teams adapt quickly because Qevlar is simple to use and removes the overwhelming alert volume that usually consumes their day.

The first phase focuses on building analyst trust through one use case. As teams see that Qevlar performs deep investigations with consistently high accuracy, they become comfortable auto-closing benign tickets and allowing Qevlar to perform containment actions.

Then they confidently expand Qevlar to more alert types and a broader perimeter.

Qevlar can also run headlessly, so analysts don’t need to learn a new console or switch to another one.

Does Qevlar help with analyst training and upskilling?

Yes. Qevlar accelerates skill development across the entire SOC.

Junior analysts are exposed to real investigations from day one, learning directly from Qevlar’s structured reasoning rather than being stuck in low-value triage.

Senior analysts finally regain time to focus on complex investigations, tune detections, and mentor the team, rather than spend it on repetitive alert handling.

How is responsibility shared between the SOC and the AI?

Qevlar handles the triage, enrichment, and full investigation of every alert.

The SOC team remains responsible for final validation, decision-making, and remediation.

In other words, Qevlar does the heavy lifting, and analysts retain control over the outcomes.

About Qevlar

Where is Qevlar AI based?

Qevlar AI is a French company headquartered in Paris.

Who founded Qevlar AI?

Qevlar AI was founded in 2023 by two machine learning engineers, Ahmed Achchak and Hamza Sayah.
