Unit cost
€3.00 – €12.00 per review or incident handled
Methodology v1.0. Counted once per review or incident handled regardless of which capability handled it.
Run the security operations surface end-to-end — quarterly access reviews, vendor-security questionnaire completion, phishing triage on reported items, and compliance-evidence assembly — with analyst review on every risk call.
Scoped like a SOC analyst hire, priced per review or incident handled, anchored to a fully-loaded EUR 70-95k benchmark.
Response time
sub-minute on routine triage
Accuracy target
95-98%
Escalation cap
under 2 hours on analyst review
Priced per business action
Range reflects artifact depth. Low end is phish-triage decisions and single-control evidence pulls; high end is full vendor-security questionnaires and multi-control audit bundles.
Unit cost
€3.00 – €12.00 per review or incident handled
Methodology v1.0. Counted once per review or incident handled regardless of which capability handled it.
Human-equivalent reference
SOC Analyst
EU mid-market
Benchmarked against EU mid-market SOC analyst roles. Fully loaded includes salary, benefits, EDR + GRC + identity tooling, management overhead, and first-year ramp.
Live calculator
Demo projection · Methodology v1.0
Capabilities
Activate the capabilities that match your largest repetitive categories. Start with the default set; expand as you prove each one. Metered unit is the role's — adding capabilities never changes the per-action price.
Runs quarterly access audits and surfaces stale-access removal candidates.
Read the capability
Drafts responses to vendor-security questionnaires with policy citations.
Read the capability
Intakes reported phish, analyses, and decides contain or dismiss.
Read the capability
Assembles control evidence and flags drift against the compliance framework.
Read the capability
Scenarios
Three business shapes we see most often. Costs are computed from €3.00 – €12.00 per review or incident handled and a fully-loaded SOC Analyst benchmark.
Scenario 1 · SaaS · 300-800
300 reviews or incidents handled / month
Starting capabilities
Situation
A 500-person B2B SaaS company runs 300 reviews or incidents a month. Quarterly access reviews overrun by weeks. Reported phish waits hours in the queue.
Agent fit
Security Operations Analyst activates access review and phishing triage. Reviews ship on cadence with stale-access removal; phish is triaged in minutes; the analyst shifts to real risk calls.
Outcome
Expected outcomes at this volume: access-review completion above 95%, phishing-triage lead time under 15 minutes, analyst hours reclaimed weekly.
Scenario 2 · Services · 800-2000
700 reviews or incidents handled / month
Starting capabilities
Situation
A 1500-person services firm runs 700 reviews or incidents a month. Vendor questionnaires backlog for weeks. Audit evidence is a scramble every cycle.
Agent fit
Security Operations Analyst activates all four capabilities. Access reviews ship on cadence; vendor questionnaires turn around in days; phish gets triaged in minutes; compliance evidence stays audit-ready.
Outcome
Expected outcomes: cycle-time reduction 50-70% on coordination surface, vendor-review turnaround 60-80% faster, compliance evidence audit-ready at any moment.
Scenario 3 · SaaS · 40-80
120 reviews or incidents handled / month
Starting capabilities
Situation
A 60-person fintech runs 120 security reviews and incidents a month. SOC 2 evidence is assembled by hand every quarter. Access reviews run late and leave stale accounts between cycles.
Agent fit
Security Operations Analyst activates access review and compliance monitoring. Reviews land on cadence with stale-access removal; evidence bundles stay audit-ready continuously; the analyst spends time on risk calls, not spreadsheets.
Outcome
Expected outcomes at this volume: access-review completion above 95%, compliance evidence audit-ready at any moment, analyst hours reclaimed weekly.
Scenario 4 · Marketplaces · 300-800
500 reviews or incidents handled / month
Starting capabilities
Situation
A 500-person marketplace runs 500 security reviews and incidents a month. Vendor questionnaires queue up for two weeks. Reported phish attempts sit in the queue half a day. Audit evidence is stitched together the week before each review.
Agent fit
Security Operations Analyst activates vendor-security review, phishing triage and compliance monitoring. Questionnaires turn around in days; phish triages in minutes; compliance evidence holds audit-ready.
Outcome
Expected outcomes: vendor-review turnaround 60-80% faster, phishing-triage lead time under 15 minutes, compliance evidence continuously ready.
Access-review completion on cadence
Above 95%
Vendor-review turnaround
60-80% faster
Phishing-triage lead time
Under 15 minutes
Compliance-evidence readiness
Audit-ready at any moment
Weekly maintenance
3-5 hours
Evidence traceability
every review and incident logged with policy and control reference
How it works
Workflow summary
The agent picks up security work from triggers — review window open, vendor questionnaire received, phish reported, audit evidence requested — and produces the artifact with analyst review built in.
Exceptions
Confirmed incidents, privileged-access findings, regulator-facing items, and legal-sensitivity flags route to the analyst with annotated context.
When humans step in
Humans step in on confirmed incidents, privileged-access findings, vendor-risk disputes, and regulator-facing items.
Connected systems
Agent operates inside identity provider, EDR, ticket system, doc repo, messaging, and GRC tool. Runs access reviews, drafts vendor-questionnaire responses, triages reported phish, and assembles compliance evidence — all with analyst review on risk calls.
Data inputs
Access data, vendor questionnaires, reported phish, compliance controls, policy library. Writes review findings, questionnaire responses, phish-triage outcomes, and evidence bundles back to source systems with audit trails.
Decision logic
Uses access-review rules, risk-scoring logic, phish-signal patterns, and control-mapping matrices to decide auto-handle, draft-for-review, or escalate-to-analyst.
Readiness
Identity provider wired, EDR feed connected, GRC tool integrated, phish-reporting channel agreed.
Integrations
No new systems to learn. The role connects to the platforms your team already uses.
What "working" looks like
Access-review completion above target
Above 95%
Share of quarterly access reviews completed on cadence with stale-access remediation.
Source · Identity provider + GRC report
Vendor-review turnaround cut target range
60-80% faster
Median time from questionnaire intake to draft response.
Source · Agent execution log
Phishing-triage lead time under target
Under 15 minutes
Median time from phish report to triage decision.
Source · Agent execution log
Compliance-evidence audit-ready
Audit-ready at any moment
Share of controls with current evidence bundled and mapped.
Source · GRC report
Governance & compliance
AI Act posture
Subject to full EU AI Act conformity assessment, risk management, logging, human oversight, and post-market monitoring obligations.
GDPR legal basis
Legal obligation
DPIA
Recommended before deployment. We'll run one as part of the Launch Program.
Questions we get
An AI role priced per review or incident handled. It runs access reviews, vendor-security questionnaire responses, phishing triage, and compliance evidence assembly. Same scope as a SOC analyst hire, priced per artifact.
Pure usage: EUR 3-12 per review or incident handled. Launch fee covers access-review workflow capture, vendor-questionnaire library, phishing playbook, and compliance-framework mapping.
No. Every confirmed incident, privileged-access finding, vendor-risk dispute, and regulator-facing item routes to the analyst and CISO. The agent produces artifacts and recommendations; humans own risk judgement.
Common frameworks — SOC 2, ISO 27001, HIPAA, GDPR controls — are supported with custom control-mapping during launch. The evidence bundle format is framework-specific.
Okta and Microsoft Entra ID on identity. CrowdStrike Falcon on EDR. GRC integration depends on the stack in place. Ticketing runs through Jira.
Typical 28-42 days given the depth of workflow capture. Faster with documented access-review cadence, an active questionnaire library, and a mapped compliance framework.
Chat opens with your role context already loaded. Scope a launch set of capabilities, review integrations, and get a timeline in one conversation.