Unwrapped

Teardown · prophet-security

PROPHET SECURITY

Category: Security Operations
Last round: $11M · 2024

Customer SIEM/EDR logs + LLM APIs + investigation workflow.

01 · Public data / API layer

Customer SIEM/EDR logs (yours)
MITRE ATT&CK (public)
Threat intelligence feeds (API)
CrowdStrike/SentinelOne/Defender APIs (API)
Okta/Entra ID logs (API)

Internal replication score

Medium
0.62

Feasibility of a useful internal substitute built with Claude (or similar), the same data access, and light agent logic — not rebuilding the whole product.

IRS = 0.30·D + 0.25·L + 0.20·O + 0.15·R + 0.10·S (this record: 62%)

  • D: Data accessibility (weight 0.30; this record 0.70)
    • 1.0: mostly customer-owned / public / standard third-party sources
    • 0.5: mixed accessibility
    • 0.0: hard-to-access or proprietary source layer
  • L: LLM substitutability (weight 0.25; this record 0.75)
    • 1.0: mostly retrieve / prompt / cite / summarize / classify / compare
    • 0.5: mixed standard + custom behavior
    • 0.0: strongly custom model behavior (fine-tunes on proprietary data, etc.)
  • O: Output simplicity (weight 0.20; this record 0.60)
    • 1.0: straightforward internal work product (memo, list, reply, SQL query)
    • 0.5: moderately specialized
    • 0.0: highly specialized (e.g. FDA-graded clinical text)
  • R: Review / risk tolerance (weight 0.15; this record 0.40)
    • 1.0: internal use with human review is acceptable
    • 0.5: moderate risk
    • 0.0: very low tolerance for error (e.g. external legal filings)
  • S: Surface complexity (weight 0.10; inverse, so a higher score means less surface dependence; this record 0.40)
    • 1.0: a simple internal shell is enough
    • 0.5: polished workflow matters somewhat
    • 0.0: product surface / rollout / trust posture is central to value

Labels: Easy ≥ 0.67 · Medium ≥ 0.34 · Hard < 0.34

Missing factor rows use heuristics from wrapper scores. Editorial heuristic, not investment advice.

Build it yourself

Recreate the workflow inside your org.

Internal build

Same SIEM/EDR APIs + LLM reasoning agent + investigation template — lacks vendor integrations, 24/7 runtime, compliance posture.

Internal use only. Replacing them in-market is a different bar than replaying the useful workflow inside your org.

01 · Connectors & flow

Customer SIEM/EDR logs
MITRE ATT&CK
Threat intelligence feeds
CrowdStrike/SentinelOne/Defender APIs
Okta/Entra ID logs

Internal build map

Data in: Connectors
Agent layer: Planner · Tools + retrieval · Reasoning model
Logic: LLM API (retrieve context, reason multi-step, pivot across stack, cite evidence, respond); not custom weights
Outputs: Internal search · Answer · Citations

02 · Claude / agent prompt

Paste as the system or developer message in Claude (or your agent runtime).

// SOC Analyst Agent

You are an AI SOC analyst inside [YOUR_COMPANY]'s security operations center. You help security analysts investigate alerts using ONLY the security tools and logs the team is authorized to access: SIEM logs, EDR telemetry, identity logs, email security logs, cloud security logs, threat intelligence feeds, and the MITRE ATT&CK framework.

## What you must do

1. Retrieve first: When an alert arrives, retrieve all related logs, events, and context from connected systems before drawing conclusions. Query endpoint telemetry, identity logs, network flows, email headers, cloud audit trails.
2. Reason multi-step: Plan the investigation like a senior analyst. Ask: What triggered this? Is it malicious or benign? What related activity exists? Where else might this be happening? Pivot across data sources to answer each question.
3. Cite rigorously: Every finding must cite the specific log entry, event ID, timestamp, and source system. No speculation. If evidence is incomplete, state what's missing.
4. Surface timeline: Build a chronological timeline of related events. Show lateral movement, persistence, exfiltration attempts.
5. Recommend response: Suggest containment actions (isolate host, disable account, block IP) with severity justification. Flag when human review is required.
6. Learn context: Incorporate organizational context (known baselines, whitelist/blacklist, past incidents) to reduce false positives.

## What you are not

Not a replacement for human judgment on complex threats or policy decisions — escalate ambiguous cases, always require human approval for high-impact remediation.

## Refusal

Refuse if the alert data is incomplete or inaccessible. Ask the analyst to re-run queries or provide missing context. Do not fabricate log entries or indicators.

## Safety

Internal use only. All remediation actions require analyst confirmation before execution. Flag potential false positives and edge cases for review.
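The prompt above describes a workflow (retrieve first, pivot across sources, build a timeline, cite every finding, refuse on incomplete input, gate remediation on human approval), and the agent runtime has to enforce those rules in code, not just ask the model to follow them. The skeleton below is an added example, not Prophet Security's code and not part of the original teardown. It assumes a flat event schema (source, event_id, ts, host, user, action, detail) that is a stand-in for real SIEM, EDR and Okta records, all alert and event data is constructed, and the ATT&CK IDs T1021 (Remote Services) and T1039 (Data from Network Shared Drive) are the example's own illustrative mapping.

```python
"""SOC analyst agent workflow skeleton: retrieve, pivot, timeline, cite, recommend.

Added example, not Prophet Security's code. Every alert and event below is
constructed sample data; the field names (source, event_id, ts, host, user,
action, detail) are assumptions, not a real SIEM, EDR or Okta schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class IncompleteAlert(Exception):
    """Refusal rule: raised instead of guessing when alert fields are missing."""


@dataclass(frozen=True)
class Citation:
    source: str    # system the record came from
    event_id: str  # that system's record identifier
    ts: str        # record timestamp (ISO-8601, UTC)


@dataclass
class Finding:
    text: str
    technique: str                         # MITRE ATT&CK technique ID
    citations: list = field(default_factory=list)


@dataclass
class Action:
    description: str
    requires_human_approval: bool = True   # remediation never auto-executes


@dataclass
class Report:
    verdict: str
    findings: list
    timeline: list   # related events in chronological order
    actions: list


REQUIRED = ("source", "event_id", "ts", "host", "user")

# Constructed sample telemetry; "-" means the source has no host field.
EVENTS = [
    {"source": "okta", "event_id": "ok-101", "ts": "2024-05-02T08:02:11Z", "host": "-",
     "user": "jdoe", "action": "user.session.start", "detail": "ip=203.0.113.7"},
    {"source": "edr", "event_id": "edr-5002", "ts": "2024-05-02T08:06:03Z", "host": "FS-01",
     "user": "jdoe", "action": "remote_logon", "detail": "from WS-014"},
    {"source": "edr", "event_id": "edr-5003", "ts": "2024-05-02T08:09:30Z", "host": "FS-02",
     "user": "jdoe", "action": "remote_logon", "detail": "from WS-014"},
    {"source": "edr", "event_id": "edr-5004", "ts": "2024-05-02T08:12:45Z", "host": "APP-03",
     "user": "jdoe", "action": "remote_logon", "detail": "from WS-014"},
    {"source": "siem", "event_id": "siem-77", "ts": "2024-05-02T08:14:02Z", "host": "FS-01",
     "user": "jdoe", "action": "smb_share_access", "detail": "\\\\FS-01\\finance"},
    {"source": "edr", "event_id": "edr-4100", "ts": "2024-05-02T06:00:00Z", "host": "WS-099",
     "user": "bsmith", "action": "process_start", "detail": "unrelated"},
    {"source": "okta", "event_id": "ok-102", "ts": "2024-05-02T08:40:00Z", "host": "-",
     "user": "jdoe", "action": "user.session.end", "detail": ""},
]
ALERT = {"source": "edr", "event_id": "edr-5002", "ts": "2024-05-02T08:06:03Z",
         "host": "FS-01", "user": "jdoe", "rule": "remote logon from workstation"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def retrieve_related(alert, events, window=timedelta(hours=1)):
    """Retrieve first: pivot across sources on the alert's user and host within a window."""
    t0 = parse_ts(alert["ts"])
    hits = [e for e in events
            if abs(parse_ts(e["ts"]) - t0) <= window
            and (e["user"] == alert["user"] or e["host"] == alert["host"])]
    return sorted(hits, key=lambda e: e["ts"])   # surface timeline


def cite(e):
    return Citation(e["source"], e["event_id"], e["ts"])


def investigate(alert, events=EVENTS):
    missing = [k for k in REQUIRED if not alert.get(k)]
    if missing:
        raise IncompleteAlert(f"missing alert fields: {missing}")
    related = retrieve_related(alert, events)
    findings = []
    logons = [e for e in related if e["action"] == "remote_logon"]
    hosts = sorted({e["host"] for e in logons})
    if len(hosts) >= 2:   # one account logging on to several hosts in the window
        findings.append(Finding(f"{alert['user']} logged on remotely to {len(hosts)} hosts: "
                                + ", ".join(hosts), "T1021", [cite(e) for e in logons]))
    shares = [e for e in related if e["action"] == "smb_share_access"]
    if shares:
        findings.append(Finding("file shares accessed: " + ", ".join(e["detail"] for e in shares),
                                "T1039", [cite(e) for e in shares]))
    for f in findings:    # cite rigorously: a finding without evidence never ships
        if not f.citations:
            raise ValueError(f"uncited finding: {f.text}")
    verdict = "true_positive" if len(hosts) >= 2 else "needs_analyst_review"
    actions = []
    if verdict == "true_positive":
        actions = [Action(f"isolate host {h}") for h in hosts] + [Action(f"disable account {alert['user']}")]
    return Report(verdict, findings, related, actions)


if __name__ == "__main__":
    r = investigate(ALERT)
    print(r.verdict)
    for f in r.findings:
        print(f"- [{f.technique}] {f.text}  evidence: {[c.event_id for c in f.citations]}")
    for a in r.actions:
        print(f"- {a.description} (human approval required: {a.requires_human_approval})")
```

Two design points carry the prompt's rules into code: a Finding cannot reach the report without at least one Citation naming source, event ID and timestamp, and every Action defaults to requiring human approval, so the runtime cannot isolate a host or disable an account on the model's say-so. The refusal check on required alert fields is what stops the agent from "investigating" an alert it never actually retrieved.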

03 · Result

Question: Is this CrowdStrike alert a true positive lateral movement attempt?
Sources: CrowdStrike EDR telemetry + Okta auth logs + SIEM correlation

Result: True positive: attacker used stolen creds, moved laterally to 3 hosts, accessed file shares. Recommend isolate.