For MSSPs & MDR teams

One analyst.
Every client.
Every action provable.

Vyrox triages the EDR alerts your team already manages, contains the real threats on your approval, and hands each client a tamper-evident record their auditor can verify.

Request early access See it work

● Human-approvedSHA-256 auditedMIT open-core

console.vyrox.dev / queue

Live

Tenant:AllSeverity:AnyStatus:Any

Tenant	Alert	Verdict	Conf	Status
Meridian Health	Credential dumping via LSASS access	CRITICAL	94%	Needs you
Northwind Capital	Lateral movement over SMB	HIGH	77%	Needs you
Meridian Health	Encoded PowerShell, crown-jewel host	HIGH	81%	Needs you
Northwind Capital	nmap against staging subnet	BENIGN	88%	Auto closed

Stream activeCrowdStrike · SentinelOne

Section 01 / The Engine

A pipeline built to silence the noise.

Four stages, in order of decreasing certainty. Anything resolvable by code is. Anything resolvable by pattern is. Only the irreducibly ambiguous reaches the LLM, and never the human until it has to.

Ingestion

Every alert, normalized into one cross-client queue.

Heuristics

Rust drops known-benign patterns in under 5 ms.

Triage

Only the irreducibly ambiguous reaches the model.

Human override

Containment waits for your approval, then it is chained.

01 · Ingestion

console.vyrox.dev / queue

Live

Tenant:AllSeverity:AnyStatus:Any

Tenant	Alert	Verdict	Conf	Status
Meridian Health	Credential dumping via LSASS access	CRITICAL	94%	Needs you
Northwind Capital	Lateral movement over SMB	HIGH	77%	Needs you
Meridian Health	Encoded PowerShell, crown-jewel host	HIGH	81%	Needs you
Northwind Capital	nmap against staging subnet	BENIGN	88%	Auto closed

Stream activeCrowdStrike · SentinelOne

02 · Heuristics

console.vyrox.dev / queue / alr_0xC5

4.8 ms

BENIGNAuto closed

Developer ran nmap against staging subnet

NW-DEV-12 · m.ortiz · Northwind Capital

Heuristic score contributions

sanctioned_scanner_subnet92%

known_dev_account74%

internal_destination_only55%

Aggregated by Noisy OR; verdict by severity rank.

Deterministic matchSUPPRESSdropped before the model

Resolved in 4.8 ms · Rust0 tokens

03 · Triage

console.vyrox.dev / alerts / alr_0xC1

220 tok

CRITICALNeeds you94%

Credential dumping via LSASS access (mimikatz)

MERIDIAN-DC-02 (crown jewel) · svc_backup

LLM reasoning

The process tree shows comsvcs.dll MiniDump invoked against LSASS, the canonical mimikatz technique, run under a backup service account on a crown-jewel domain controller. With an unsigned parent and a rare outbound destination, this is consistent with active credential theft before lateral movement.

MITRE ATT&CK

T1003.001LSASS MemoryT1003OS Credential DumpingT1071.001Web Protocols

Verdict · Critical220 tok · $0.0011

04 · Human override

console.vyrox.dev / alerts / alr_0xC1

awaiting sign-off

Recommended actionIsolate host

Isolates MERIDIAN-DC-02 from the network. Reversible via rollback.

Audit chainSHA-256 · append-only

verdict CRITICALa4f1c9e2b7d8

approved · r.mehta018b7c3d6e5f

host isolated4a2b1c0d9e8f

chain verified continuous

Requires human sign-offSLA · 5 min

Design Principle

The system that never wakes you up is the one you trust. Vyrox earns silence by being right.

Section 02 / The Moat

Anyone can triage. We prove it.

The triage is table stakes. The moat is the record you hand back: an owned, tamper-evident audit trail per client, and autonomy you turn up one safe rung at a time.

Evidence pack

A record their auditor can verify.

Every action Vyrox takes is written to an append-only, SHA-256 chained log the client owns. Generate a per-client pack, re-hash the chain, check the signature. It either verifies or it does not. No black box, no trust-me.

Owned by the client, not locked in our platform
Tamper-evident since generation, independently verifiable
One pack per client, scoped to their tenant

See it on your alerts

console.vyrox.dev / evidence / Meridian Health

SHA-256 · signed

✓

VERIFIED

44 records re-hashed, chain continuous, signature valid.

Audit chainappend-only

genesisgenesis::0000

alert ingesteda4f1c9e2b7d8

verdict CRITICAL0631f5ac24e9

approved · r.mehta018b7c3d6e5f

host isolated4a2b1c0d9e8f

rolled back7a6b5c4d3e2f

signer · 9F2A 4C71 8E0B 6D3Asynthetic reference

Graduated autonomy

Turn it up one safe rung at a time.

Default is L2: a human approves every containment action. When you trust it, let Vyrox auto-handle the high-confidence, low-blast-radius, reversible cases per client. The owned audit trail is what makes climbing the ladder safe.

Per-tenant policy, default human approval
Auto-execute only reversible, low-blast-radius actions
Every rung change recorded in the audit chain

See it on your alerts

console.vyrox.dev / autonomy / Meridian Health

default L2

Observe only

Triage and explain. No actions surfaced.

Recommend

Recommend an action; human executes.

Human approves everything

Containment queued for one-click approval.

current

Auto-execute reversible

High-confidence, low-blast-radius, reversible.

settable

Run operations

Runs within policy; humans handle exceptions.

locked

per-tenant policyreversible · audited

Same promise, two ways

For MSSPs & MDR

One analyst safely covers many clients.

Run your whole book from one console. Triage, contain, and prove every action across every client tenant, with isolation enforced at the query.

Cross-client work queue, one screen
A per-client evidence pack their auditor can verify
White-label, per-tenant volume pricing

Become a partner

For lean security teams

The reach of a far larger SOC, no extra headcount.

You own security and you are the one triaging alerts. Vyrox takes the first pass in milliseconds and only surfaces what genuinely needs you.

Triage you do not have to staff for
Human-approved containment, reversible by rollback
Flat pricing, live in minutes

Request access

Section 03 / Trust

Open-core. Total transparency.

Black-box decisions are a liability in the SOC. Vyrox's heuristics are inspectable, the Rust proxy is MIT-licensed, and every action is written to an append-only, SHA-256 chained log. The record you hand each client's auditor is tamper-evident since generation and independently verifiable.

0%Auditable logic

0Hidden prompts

0 minTo first alert

View on GitHub Read the docs

01The logictriage_engine.rs

Rust · MIT

1pub struct TriageEngine {

2heuristics: HeuristicSet,

3llm_client: LLMTriage,

6impl TriageEngine {

7pub async fn evaluate(&self, alert: EDRAlert) {

8if self.heuristics.is_false_positive(&alert) {

9return Action::Suppress;

10}

11// only the ambiguous reaches the LLM

12Ok(ctx.verdict())

13}

14}

02The rulesheuristics.yaml

Open-core

1name: Global Suppress List

2rules:

3- match: "process.name == 'updater.exe'"

4action: SUPPRESS

5confidence: 1.0

7- match: "network.dest == '10.0.0.0/8'"

8action: IGNORE

03The proofaudit_log.json

Append-only · SHA-256

[10:42:01]INFOAlert evt_992 ingested

[10:42:01]INFOEval rule 42a

[10:42:02]WARNNo deterministic match

[10:42:02]INFORoute → LLM

[10:42:05]RESOLVEDVerdict applied

[10:42:05]INFOhash = a7c…f12 (chain ok)

Chain continuous · signature valid

Section 04 / Pricing

Start with a free
30-day pilot.

We're onboarding design partners, not publishing a price list yet. Run Vyrox on your own EDR alerts for 30 days, free. We set pricing with you afterward, scaled to your environment, never a number off a web page.

Design-partner pilot

Freefor 30 days

No card, no commitment. Bring the EDRs you already run; we triage, you approve, and you keep the audit trail whether you continue or not.

Request your pilot

The pilot includes

Your EDRs, your tenants, your real alerts
Triage + human-approved containment from day one
An owned, SHA-256 evidence pack you keep
No credit card, no commitment, cancel anytime

Built for

MSSPs & MDRLean security teamsMid-market SOCsEnterprise

Every engagement includes the owned, SHA-256 audit trail. No black-box verdicts. Pricing is set with design partners and scales with your book.

One analyst.Every client.Every action provable.