
Inside ORACLE: How AVA Triages Alerts Like a Senior Analyst — Only Faster, and It Never Forgets

Inside ORACLE, AVA's hypothesis-driven triage framework: how it reasons like a senior analyst across six stages, and gets sharper with every alert it sees.


AVA’s Hypothesis-Driven Triage Framework - turning alert fatigue into evidence-based decisions.


The problem every SOC knows too well

Modern security operations centers don’t have a detection problem. They have a triage problem.

EDR and SIEM platforms generate thousands of alerts a day. The overwhelming majority are false positives or low-risk noise - but buried inside that flood are the handful that actually matter. The cost of finding them is brutal: an analyst manually pivots across CrowdStrike, Defender, Logsign, Elasticsearch, VirusTotal, AbuseIPDB and more, copy-pasting indicators between consoles, reconstructing timelines by hand, and rendering a verdict that is often subjective and rarely reproducible.

The result is alert fatigue: real threats sit in a queue while analysts burn hours clearing noise, and the institutional knowledge gained from each investigation evaporates the moment the ticket closes.

AVA was built to fix this - not by bolting an LLM onto an alert feed, but by codifying how a senior analyst actually reasons. We call that reasoning loop ORACLE.


Introducing ORACLE

ORACLE is the Hypothesis-Driven Triage Framework at the core of AVA.

Most automated triage guesses; ORACLE reasons.

Like the best human analysts, it forms an explicit hypothesis about what an alert means, then methodically tests that hypothesis against evidence drawn from every available source before committing to a verdict - and it gets sharper with every alert it sees.

The name maps to the six stages of the loop:

Stage | What happens in AVA
O - Observe | Normalize the alert and extract the entities that matter - hosts, users, attacker/victim IPs, file hashes, MITRE tactics - and resolve which telemetry sources cover it.
R - Rate | PEBRE, our probabilistic reasoning engine, trained on your own closed alerts, together with a memory of prior cases, gives a fast, calibrated probability of benign-versus-malicious before any expensive work begins.
A - Assert | Form an explicit, testable attack hypothesis and a plan of specific questions - Lines of Inquiry - that would prove or disprove it.
C - Collect | Spin up autonomous investigation agents - one per question, running in parallel - that gather concrete evidence across every integrated EDR, SIEM and threat-intel source.
L - Label | Adjudicate the evidence into a nuanced five-grade verdict, governed by hardened threat-intelligence rules the model cannot overrule.
E - Evolve | Feed everything learned back into PEBRE and a persistent memory store, so AVA compounds its expertise over time.

The novelty isn’t any single stage - it’s the loop. ORACLE is a triage framework that fuses a statistical prior, hypothesis-driven multi-agent investigation, evidence-based adjudication, and a continuous learning cycle into one closed, auditable system.


The ORACLE loop at a glance


How ORACLE works, stage by stage

O - Observe: establishing the facts

Every alert enters through a normalization stage that extracts the entities that matter: hosts, users, attacker and victim IPs, file hashes, MITRE ATT&CK tactics, and vendor identifiers. Crucially, AVA’s adapter system resolves which telemetry sources cover this alert - CrowdStrike Falcon, Microsoft Defender, Logsign, Elasticsearch - alongside always-on cyber threat intelligence. This is what lets ORACLE reason across a heterogeneous security stack instead of being locked to one vendor.

R - Rate: the statistical second opinion

Before any expensive investigation, ORACLE consults two fast signals: PEBRE, our probabilistic reasoning engine, trained on the organization’s own closed alerts, which produces a calibrated probability that the alert is benign given its observable entities; and a memory lookup against prior, similar cases - matched by hash, host, user, IP, or tactic.

If the statistical confidence that an alert is benign is overwhelming (and an analyst hasn’t forced a deeper look), ORACLE renders a fast, well-reasoned benign verdict in seconds. Everything else flows into a full, hypothesis-driven investigation.

This is how AVA clears the noise floor without the noise floor clearing your analysts.

A - Assert: reasoning before doing

For everything that survives the gate, ORACLE does what a seasoned analyst does first: it thinks. A strategist stage formulates an explicit attack hypothesis, a focused investigation objective, and a set of Lines of Inquiry - specific, testable questions that would prove or disprove the hypothesis. Each Line of Inquiry is routed to the right data source, so a network question goes to the SIEM and an endpoint question goes to the EDR. This is the heart of what makes ORACLE hypothesis-driven: nothing is investigated at random - every query exists to confirm or kill a stated theory.

C - Collect: evidence, gathered in parallel

Each Line of Inquiry is handed to its own autonomous investigation agent, and they run in parallel. These agents don’t hallucinate conclusions - they execute real queries against each connected source in its own native query language, enrich every indicator against threat-intelligence sources, and return structured findings: a conclusion (confirmed / refuted / inconclusive), the supporting evidence with cited artifacts, the exact queries run, and any IOC hits discovered. When multiple sources cover the same question, ORACLE deliberately cross-corroborates them - endpoint evidence checked against network evidence - because no single source tells the whole story.

L - Label: a verdict you can defend

ORACLE synthesizes every parallel finding into a verdict on a five-grade scale - True Positive, Likely Malicious, Inconclusive, Likely Benign, False Positive - far more honest than a binary true/false. The adjudication stage reconstructs timelines, flags anomalies (and tellingly, the absence of expected anomalies), correlates indicators into kill chains, and applies non-negotiable threat-intelligence hard rules: a high-confidence malicious indicator cannot be quietly downgraded to benign. The verdict comes with a reasoning narrative, an executive summary, MITRE ATT&CK-mapped findings, prioritized recommended actions, and a complete audit trail of every tool the system touched.

E - Evolve: getting smarter with every alert

This is the principle most platforms skip. After a deep investigation, ORACLE closes the loop: newly discovered evidence is fed back to PEBRE, sharpening its judgment for the next similar alert; and reusable patterns are distilled into the memory store, so a threat investigated once is recognized instantly the next time.

AVA doesn’t just triage alerts. It accumulates institutional expertise that previously walked out the door every time an analyst did.
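The stage-by-stage loop above, as an added illustration that is not AVA's code (Priam Cyber AI has not published ORACLE or PEBRE internals): a toy Python pipeline in which observe() plays Observe, rate() plays Rate with a fixed stand-in function for PEBRE and a plain dict standing in for the memory store, and label() plays Label with the five-grade scale and the threat-intelligence hard rule that a high-confidence malicious indicator cannot be downgraded. Assert and Collect are represented only by constructed Line-of-Inquiry findings handed in by the caller. The entity regexes, the coverage map, the 0.97 gate threshold, the 0.9 confidence cutoff, the sample alert and the memory contents are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# The five-grade scale from the post, ordered from most to least malicious.
VERDICTS = ["True Positive", "Likely Malicious", "Inconclusive",
            "Likely Benign", "False Positive"]

# Hypothetical coverage map (constructed): which source class answers which
# entity type. AVA's real adapter layer is not described in enough detail to copy.
COVERAGE = {"host": "EDR", "user": "SIEM", "ip": "SIEM", "hash": "CTI"}

SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def observe(alert: Dict[str, str]) -> Dict[str, object]:
    """Observe: normalize a raw alert into the entities that matter and
    resolve which telemetry sources cover them."""
    text = " ".join(str(v) for v in alert.values()).lower()
    entities = {
        "host": [alert["hostname"]] if alert.get("hostname") else [],
        "user": [alert["user"]] if alert.get("user") else [],
        "ip": sorted(set(IPV4.findall(text))),
        "hash": sorted(set(SHA256.findall(text))),
        "tactic": [alert["tactic"]] if alert.get("tactic") else [],
    }
    sources = sorted({COVERAGE[k] for k, v in entities.items()
                      if v and k in COVERAGE})
    return {"entities": entities, "sources": sources}


@dataclass
class RateDecision:
    p_benign: float
    fast_verdict: Optional[str]  # set only when the statistical gate clears the alert


def rate(entities: Dict[str, list], prior: Callable[[dict], float],
         memory: Dict[str, float], threshold: float = 0.97,
         force_deep: bool = False) -> RateDecision:
    """Rate: combine a calibrated benign prior (stand-in for PEBRE) with a
    memory lookup keyed by hash, host, user or IP. Only an overwhelming benign
    probability short-circuits the loop, and an analyst can force a deep look."""
    p = prior(entities)
    for kind in ("hash", "host", "user", "ip"):
        for value in entities[kind]:
            if value in memory:
                # A remembered case adjusts the prior rather than replacing it.
                p = 0.5 * p + 0.5 * memory[value]
    if p >= threshold and not force_deep:
        return RateDecision(p, "False Positive")
    return RateDecision(p, None)


def label(findings: List[dict], ti_hits: List[dict]) -> str:
    """Label: adjudicate Line-of-Inquiry findings into the five-grade verdict,
    then apply the hard rule that a high-confidence malicious indicator cannot
    be downgraded below Likely Malicious."""
    confirmed = sum(f["conclusion"] == "confirmed" for f in findings)
    refuted = sum(f["conclusion"] == "refuted" for f in findings)
    total = len(findings)
    if total == 0 or confirmed == refuted:
        idx = 2                                   # Inconclusive
    elif confirmed == total:
        idx = 0                                   # True Positive
    elif confirmed > refuted:
        idx = 1                                   # Likely Malicious
    elif refuted == total:
        idx = 4                                   # False Positive
    else:
        idx = 3                                   # Likely Benign
    if any(h["verdict"] == "malicious" and h["confidence"] >= 0.9 for h in ti_hits):
        idx = min(idx, 1)                         # hard rule: the model cannot overrule CTI
    return VERDICTS[idx]


# Constructed sample alert, prior and memory for the demonstration.
SAMPLE_ALERT = {
    "hostname": "ws-finance-07",
    "user": "j.doe",
    "tactic": "TA0011",
    "summary": ("outbound connection from 10.10.4.21 to 203.0.113.45; "
                "new file written, sha256 " + "a" * 64),
}
MEMORY = {"a" * 64: 0.05}  # hash seen in a prior case that closed as malicious


def toy_prior(entities: Dict[str, list]) -> float:
    """Stand-in for PEBRE: a fixed benign probability keyed on the tactic."""
    return 0.40 if entities["tactic"] == ["TA0011"] else 0.99


def triage(alert: Dict[str, str], findings: List[dict], ti_hits: List[dict],
           force_deep: bool = False) -> Dict[str, object]:
    """Run Observe -> Rate -> (Assert/Collect supplied as findings) -> Label."""
    obs = observe(alert)
    decision = rate(obs["entities"], toy_prior, MEMORY, force_deep=force_deep)
    if decision.fast_verdict:
        return {"verdict": decision.fast_verdict, "p_benign": decision.p_benign,
                "path": "fast"}
    return {"verdict": label(findings, ti_hits), "p_benign": decision.p_benign,
            "path": "deep", "sources": obs["sources"]}


if __name__ == "__main__":
    findings = [{"loi": "Did the host beacon to 203.0.113.45?", "conclusion": "confirmed"},
                {"loi": "Is the written file known-good?", "conclusion": "refuted"}]
    hits = [{"ioc": "203.0.113.45", "verdict": "malicious", "confidence": 0.95}]
    print(triage(SAMPLE_ALERT, findings, hits))
```

The point worth noticing is in label(): the tally of confirmed versus refuted findings is computed first, and the threat-intelligence clamp is applied afterwards as a floor on the verdict index, so no amount of "benign-looking" evidence can push a verdict below Likely Malicious once a high-confidence malicious indicator is on the table. The force_deep flag in rate() is the analyst override the post mentions; without it the gate would silently close alerts the analyst wanted examined.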


Why ORACLE is different

Most “AI SOC” tools fall into one of two camps: a classifier that spits out a score with no reasoning, or an LLM that generates plausible-sounding narratives with no verifiable evidence. ORACLE rejects both.

  • It pairs statistics with reasoning. PEBRE’s statistical prior provides calibrated, data-grounded confidence; the agentic investigation provides depth and explanation. Neither alone is enough.
  • It’s hypothesis-driven. Every deep investigation starts from an explicit, testable theory - so the work is focused, the conclusions are falsifiable, and the reasoning is traceable.
  • It’s evidence-grounded, not generative. Every conclusion traces back to a real query, a real artifact, and a full audit trail.
  • It’s multi-source by design. ORACLE fuses EDR, SIEM, and threat intelligence and cross-corroborates between them automatically.
  • It learns. The feedback loop means AVA’s accuracy compounds with use - your investment in triage stops evaporating at ticket-close.

What this means for your SOC

With ORACLE powering AVA, security teams get:

  • Faster clearance of noise - the majority of benign alerts adjudicated in seconds, not hours.
  • Deeper, consistent investigations - every real alert investigated with the rigor of your best analyst, every time.
  • Defensible decisions - five-grade verdicts backed by cited evidence, MITRE mappings, and a complete audit trail.
  • An organization that compounds knowledge - a system designed to get sharper with use, not staler.

Triage has always been the bottleneck of the modern SOC. ORACLE is how AVA dissolves it - by reasoning like your best analyst, at machine speed, and retaining what it learns.


Written by Ashfaaq Farzaan at Priam Cyber AI.