Morpheus AI platform

Four Autonomy Modes. One Audit Trail.
Choose Your Path to True Autonomous Operations.

Deterministic, AI-Assisted, AI-Led, fully Autonomous. Same engine. Same audit format. Configure per use case, per regulator, per MSSP customer.

Agentic on architecture. Autonomous on outcomes. Accountable on every decision. The autonomous SOC is the outcome (investigation, triage, and response running without constant human intervention, under human-defined governance). Morpheus delivers that outcome through four configurable modes on the same agentic engine, under one audit trail. Pick the mode that fits your environment, your regulator, your risk tolerance, or your MSSP customer, and migrate between modes without rebuilding anything.

Designed for SEC, NYDFS, HIPAA, NERC CIP, NIS2, DORA, and the EU AI Act. Autonomy is a control surface, not a switch you flip once.

4 modes: Deterministic · AI-Assisted · AI-Led · Autonomous

1 engine: no architectural fork — migrate between modes without rebuilding

1 audit format: identical across all four modes — one trail per incident

7 regulators: SEC · NYDFS · HIPAA · NERC CIP · NIS2 · DORA · EU AI Act

The thesis

Autonomy is a design choice, not a switch.

The market sells SOC teams a binary — adopt an AI-only platform, or stand still. Both answers fail under modern regulation. Morpheus ships the third path.

A SOC director running a 10,000-person enterprise doesn’t have one risk tolerance — they have several. Phishing alerts are a different risk surface than identity-compromise alerts. Critical-infrastructure workflows are a different governance surface than cloud-resource cleanup. The right autonomy for one alert class is the wrong autonomy for another.

Most AI SOC platforms ignore this. They ship one autonomy posture — usually “AI runs the alert end-to-end” — and expect the buyer to live with it across every workflow. The platforms that do offer multiple postures often split them into separate products with separate audit formats, leaving the GRC team to stitch governance evidence across architectures the platform pretends are different.

Morpheus inverts that. One engine. Four configurable autonomy modes. Same audit format across all four. The mode is a configuration of the same Reasoning Graph and the same deterministic playbook engine — not a separate product, not a separate SKU, not a separate audit trail format your regulator has to read twice. [1]

Run Level 1 on the workflows your board demands stay deterministic. Run Level 4 on the L1 alert categories that drain your analyst shift. Run different modes on different queues in the same SOC, on the same day, against the same regulator.

The binary the market sells

“Adopt AI everywhere, or do nothing.”

One autonomy posture across every alert class. The buyer has to choose once, then live with the consequences across regulated workflows, MSSP customer environments, and high-judgment investigations alike.

The third path: configurable autonomy

Four modes. Configurable per workflow.

Same engine, same audit format. Phishing triage can run autonomously while critical-infrastructure response stays AI-assisted — in the same SOC, on the same day, against the same regulator.

[1] Recent academic research on AI agent design supports this position — that an agent’s level of autonomy is best treated as a deliberate design decision, separate from its capability. See Feng, McDonald & Zhang (University of Washington, 2025), Levels of Autonomy for AI Agents. Morpheus operationalizes this principle as a SOC-specific four-mode product design.

The four modes

At a glance.

Four configurations of the same engine. Different autonomy postures, identical audit format.

LEVEL 1: Deterministic

No AI in the response chain. The deterministic playbook engine runs solo. Rule-based, scripted, predictable.

Best fit: Regulated workflows · migration baseline · highest-risk playbooks

LEVEL 2: AI-Assisted

Morpheus investigates and recommends. The analyst approves every state-changing action.

Best fit: SOCs new to AI · identity, EDR, cloud alerts · regulated environments

LEVEL 3: AI-Led

Morpheus drafts the response plan. You approve; the engine executes. Command-risk tiers gate high-impact actions.

Best fit: Mature SOCs · phishing, malware, DLP triage · scaling L3 judgment

LEVEL 4: Autonomous

End-to-end triage and response. Configurable approval gates at every command-risk tier. Tier-1 work, eliminated.

Best fit: Mature SOCs · MSSPs · 24/7 coverage · high-volume L1 categories

LEVEL 1

Deterministic.
No AI in the response chain.

The deterministic playbook engine runs solo. Rule-based, scripted, identical behavior on every execution. The same engine, same audit format — minus the AI reasoning step.

What runs: Event intake, correlation, deduplication, deterministic playbooks, ticket creation, notifications, SLA tracking — every classic SOAR capability you already trust.
What AI does not do: Nothing. Zero AI authority. No reasoning step, no Agentic Task, no copilot recommendations. The playbook engine produces the same output it would have produced before AI existed.
Approval pattern: Per playbook author’s design
Reasoning: None — rule-based logic only
Audit trail: One unified trail per incident
Reversibility: N/A — already the baseline
Best fit: The most heavily regulated SOCs that want Morpheus as their case management and SOAR platform without AI in execution. Also the indefinite home for critical-infrastructure playbooks, hard-realtime response, and legally privileged evidence collection. A SOC can run Level 1 forever and still get the full deterministic D3 Morpheus product.
Common scenarios: Migration baseline from legacy SOAR · NERC CIP–scoped electric utility workflows · executive-account compromise procedures · evidence-collection playbooks in litigation contexts · MSSP customers whose contracts prohibit AI in the response chain

LEVEL 2

AI-Assisted.
Morpheus investigates. You approve every action.

Morpheus runs full investigation on every alert before the analyst opens the case — L2-depth context, recommended remediation, command-risk-tagged action proposals. The analyst reviews; the analyst clicks approve; the platform executes.

What AI does: Investigates every alert, correlates evidence across the connected stack, reconstructs the attack timeline, drafts a remediation plan with command-risk tags, and presents the case file for analyst review.
What AI does not do: Execute state-changing actions on its own authority. Every isolate-host, disable-account, block-IP, or revoke-session command requires explicit analyst approval before it runs. The AI’s role ends at the recommendation.
Approval pattern: Analyst approves every state-changing action
Reasoning: Full — Reasoning Graph runs end-to-end
Audit trail: Same format as Level 1
Reversibility: Drop back to Level 1 per-queue
Best fit: SOCs adopting AI for the first time. Also the long-term home for identity-compromise alerts, EDR escalations, and cloud workload anomalies — alert classes where the cost of a wrong autonomous action is higher than the cost of analyst review time. The most common production posture for enterprise SOCs in regulated industries.
Common scenarios: Bank phishing-to-credential-theft investigations · cloud identity escalations · DLP alert validation · supply-chain compromise triage · executive-VIP user-behavior anomalies

LEVEL 3

AI-Led.
Morpheus drafts. You oversee at each tier.

Morpheus drafts the full response plan at runtime — investigation, scoping, action sequence, command-risk classifications — and surfaces it for analyst review. Low-risk steps execute on the analyst’s signal; high-risk steps pause for explicit approval at the named command-risk tier.

What AI does: Drafts the response plan, executes low-risk steps under the analyst’s signed-off plan, and handles enrichment, evidence collection, and contextual reporting autonomously. The analyst becomes the reviewer-and-approver, not the executor.
What AI does not do: Take high-risk state-changing actions without explicit per-tier approval. Account disable, host isolation, and any action above the configured command-risk threshold pauses for analyst sign-off — even within an AI-drafted plan the analyst already approved at the top.
Approval pattern: Plan-level approval + per-tier gates
Reasoning: Full + Agentic Tasks where novel
Audit trail: Same format as Levels 1 & 2
Reversibility: Drop to Level 2 per-queue
Best fit: Mature SOCs ready to scale L3 judgment — where the analyst’s time is best spent reviewing AI-drafted plans rather than building them. Also a strong fit for SOCs with a 24/7 mandate where graveyard-shift analysts need a draft plan in front of them within seconds, not minutes.
Common scenarios: Phishing-to-malware investigations · cloud workload compromise · supply-chain attack scoping · IR-team handoff at shift change · MSSP analyst-to-customer escalation workflows

LEVEL 4

Autonomous.
End-to-end. With every gate you configure.

Morpheus runs the full triage-to-closure workflow without analyst involvement on the alert classes you’ve configured for autonomous execution. Configurable approval gates by command-risk tier, queue, customer tenant, or any combination — autonomy you can govern, not autonomy you have to trust blindly.

What AI does: Investigates, reasons, executes through 800+ self-healing integrations, closes the incident, files the report, and posts the audit trail — all without analyst involvement on the alert classes you’ve authorized for autonomous handling.
What AI does not do: Operate outside the command-risk-tier gates you’ve configured. Level 4 isn’t “AI runs everything” — it’s “AI runs everything up to the gates you set,” with the same approval primitives available in Level 3 still gating any action you mark as analyst-required.
Approval pattern: Configurable gates per tier / queue
Reasoning: Full + Agentic Tasks at every step
Audit trail: Same format as Levels 1, 2 & 3
Reversibility: Drop to Level 3 per-queue or per-tenant
Best fit: SOCs concentrating human judgment at L3. Also the most common posture for MSSPs scaling across many customer tenants, and for any enterprise where the L1 alert backlog has become the bottleneck on real security work. The mode that eliminates Tier-1 SOC analyst work structurally — not by hiring more analysts, but by handing the repetitive work to an engine that runs the same audit format the rest of your SOC does.
Common scenarios: High-volume phishing triage · DLP false-positive disposition · malware containment for known patterns · MSSP multi-tenant routine alert handling · vulnerability batch triage · L1 commodity-alert autonomous closure

The architectural moat

Same engine, same audit format, no architectural fork between modes.

The four modes are configurations of the same reasoning engine and the same deterministic playbook engine — not separate products, not separate audit trail formats. This is the property your GRC team will care about most.

Most platforms in the autonomous SOC market that offer multiple autonomy postures split them across separate products with separate audit formats. A buyer who wants “AI-assisted on identity workflows, autonomous on phishing” ends up running two architectures, with two audit trails the GRC team has to reconcile.

Morpheus inverts that. The same Cybersecurity Triage Reasoning Graph and the same deterministic playbook engine sit underneath all four modes. The mode is a configuration layer above the engine — it controls whether the AI reasoning step runs, whether the analyst sees the plan before execution, and which command-risk tiers gate which actions. It does not change what’s underneath.

The practical consequence: migration between modes is a configuration change, not a re-platforming. A SOC running Level 2 on phishing alerts that decides to advance phishing to Level 4 doesn’t rebuild anything — they flip the configuration on the phishing queue and the existing audit trail format keeps recording. Their NIS2 Article 21 examiner reads the same document either way.

The architectural consequence: the audit trail is the product. The same one-incident-one-trail evidence record is produced whether Level 1 or Level 4 ran the workflow. SEC, NYDFS, HIPAA, NERC CIP, NIS2, DORA, and EU AI Act examiners read the same record format regardless of which mode handled the incident.

Architecture stack (Levels 1 · 2 · 3 · 4)

Reasoning Graph (shared): Same Cybersecurity Triage Reasoning Graph runs underneath Levels 2, 3, and 4. Bypassed in Level 1.
Deterministic playbook engine (shared): Same engine across all four modes — runs alone in Level 1, integrates with AI reasoning in Levels 2–4.
800+ self-healing integrations (shared): Same integration catalogue underneath every mode. Self-healing operates identically regardless of mode.
Unified audit trail format (shared): One trail per incident. Same evidence record format. Same GRC surface. Read by examiners the same way at every mode.

Day 1 to peak accuracy

The Per-Tenant Self-Learning Pipeline.

Morpheus arrives pre-trained, then self-learns from your team’s best practices, threat and vulnerability reports, and SOPs — reaching peak accuracy in your environment within weeks, not months.

The single most common procurement-stage objection to AI SOC platforms is the deployment-timeline question: how long before this is actually accurate in our environment? Morpheus’s answer is structural — the Per-Tenant Self-Learning Pipeline tunes the Reasoning Graph against your specific environment using three input streams that already exist in your SOC.

Day 1 deployment: Morpheus arrives pre-trained on cybersecurity-native reasoning. Investigation and triage produce L2-depth output on every alert from the first ingress, against your connected stack. The Reasoning Graph runs identically to the production deployments in other tenants.

Week 1–2 orientation: The pipeline ingests your existing SOPs and incident response runbooks. Adaptive Tasking interactions with your analysts begin generating tenant-specific signal. Investigations start reflecting your team’s prioritization patterns — which alert categories matter, which IOCs your team has already disposition-categorized, which playbooks your team prefers.

Week 3–4 tuning: Analyst-confirmed outcomes from the first two weeks feed back into the per-tenant reasoning surface. Morpheus’s recommendations align increasingly with your team’s judgment calls. This is the point where Level 3 and Level 4 candidates become production-ready on your highest-volume alert categories.

Week 6+ peak accuracy: Continuous improvement against your specific threat landscape, your specific stack, your specific SOPs. New analysts joining your team benefit from accumulated tenant context immediately. The accuracy curve doesn’t plateau — it keeps tuning as your environment evolves.

INPUT 01

Adaptive Tasking interactions

Every analyst exchange with the AI copilot — questions, redirections, approvals, rejections — becomes training signal. Your team coaches Morpheus in natural language, not via tuning parameters. The platform records what your team trusts and what your team challenges.

INPUT 02

Ingested SOPs & runbooks

Your existing playbook documentation, incident response procedures, and threat-specific runbooks feed the per-tenant context layer. Morpheus learns your organization’s documented practice before it ever needs to be corrected on it.

INPUT 03

Analyst-confirmed outcomes

The disposition every analyst applies to every incident — true positive, false positive, escalation, closed — feeds the tenant-specific accuracy model. The Reasoning Graph tunes to your team’s ground truth, not a vendor’s idea of it.

The decision

Choosing your mode.

Three questions a SOC director should answer before deciding the mode for a given workflow.

Question 01

What’s the cost of a wrong autonomous action on this alert class?

M1 Catastrophic — production outage, regulatory event, evidence destruction
M2 High — major user impact or executive escalation
M3 Moderate — recoverable in minutes by the analyst
M4 Low — bounded by command-risk-tier gates regardless
Question 02

How frequent are alerts in this class, and how repetitive is the response?

M1 Rare and unique — every instance demands fresh judgment
M2 Moderate volume — variations within a recognizable pattern
M3 High volume — recognizable patterns with edge cases
M4 Very high volume — same response pattern, repeatedly
Question 03

What does your regulator, contract, or board demand?

M1 No AI in the chain — NERC CIP, legally privileged workflows
M2 Human approval on every action — most enterprise defaults
M3 Human oversight at tier boundaries — EU AI Act Article 14 compliant
M4 Configurable gates only — board has signed off on autonomous handling

The path forward

Migrating between modes.

Migration is a configuration change, not a re-platforming. Every mode boundary is independently reversible, per queue, per tenant, or per workflow.

Most SOCs begin at Level 1 or Level 2 — the deterministic baseline or the AI-assisted posture — and advance through the modes as operational confidence and tenant-specific tuning accumulate. The typical six-month advancement pattern is: deploy at Level 2 across most queues, advance phishing and DLP queues to Level 3 in week 4–6, advance the highest-volume L1 categories to Level 4 by month 3, hold mature workflows at Level 3 indefinitely.

Reversibility is the property regulated SOCs care about most. Every mode boundary is a documented reversibility line. If Level 4 surfaces an unexpected analyst-friction pattern on a specific queue, that queue drops back to Level 3 without rebuilding anything — and the same audit trail format keeps recording.

Heterogeneity within a single SOC is supported by default. Different queues can run different modes, against the same regulator, with the same audit trail format. An MSSP running 60 customer tenants can sit at Level 4 on commodity-alert handling for 40 tenants, Level 3 for 15, and Level 2 for 5 — and produce one audit format the GRC team reads identically across all 60.

For the deeper governance framework — including phase-by-phase rollback procedures and per-regulator advancement guidance — see the Hybrid Adoption Model whitepaper below.

Common migration paths
M1 → M2: The legacy SOAR migration path. Most common starting move. Add AI investigation to existing playbooks; analysts approve every action while the team builds confidence.
M2 → M3: The L3-scaling path. After 4–6 weeks of tenant tuning, low-risk steps execute autonomously under the analyst’s signed-off plan. High-risk steps still pause for approval.
M3 → M4: The L1-elimination path. High-volume commodity alert categories — phishing, DLP false positives, malware containment for known patterns — advance to end-to-end autonomous handling.
M4 → M3: The reversibility path. Drop back to Level 3 on any queue at any time. Same engine, same audit format — no rebuilding, no governance reset.

Compliance mapping

Level-by-regulator architectural fit.

Seven jurisdictions, one architecture. The same audit format reads across SEC, NYDFS, HIPAA, NERC CIP, NIS2, DORA, and the EU AI Act.

How each mode maps to the 2026 U.S. and E.U. regulatory environment

EU AI Act Article 14 (High-risk AI systems)
Obligation: Human oversight required; humans must be able to intervene, override, or stop the system.
Level-by-level architectural fit: M1: No AI authority — N/A by construction. M2: Read-only AI; zero authority over destructive action. M3: Explicit approval gates at every command-risk tier. M4: Configurable gates preserve human override at any tier. Compliance is structural across all four, not bolted on.

SEC Item 1.05 (Form 8-K) (Public companies)
Obligation: Material cybersecurity incident disclosure within four business days; defensible evidence chain on materiality determination.
Level-by-level architectural fit: Every mode produces the same unified audit trail per incident. Materiality determination is made by the analyst (or playbook) using AI-generated context — never by the AI alone, regardless of mode. The evidence chain is documented end-to-end at every mode.

NYDFS 23 NYCRR 500 (N.Y. financial institutions)
Obligation: CISO certification of cybersecurity program; incident reporting; documented governance.
Level-by-level architectural fit: The mode model itself is the governance documentation. The CISO certifies which mode operates on which workflow, what guardrails apply, and what the rollback procedure is. Each mode boundary is a documented control.

HIPAA Security Rule (45 CFR 164.312(b))
Obligation: Audit-trail mechanisms that record and examine access to electronic protected health information.
Level-by-level architectural fit: M1 produces the deterministic audit trail. M2–M4 add AI-attributed entries to the same trail, never replacing or modifying baseline entries. Tamper-bounded by design at every mode.

NIS2 Article 21 (E.U. essential & important entities)
Obligation: Appropriate and proportionate technical, operational, and organizational measures.
Level-by-level architectural fit: The mode model is itself proportionate-by-construction: the organization advances to the mode its risk tolerance, technical maturity, and regulatory exposure justify. Article 21 examiners read this as evidence of measured adoption rather than reckless automation.

DORA Article 6 (E.U. financial sector)
Obligation: ICT risk management framework; documented governance for ICT-related dependencies.
Level-by-level architectural fit: The mode boundary is the dependency governance line. M1 has no ICT-AI dependency; M4 has fully documented AI dependencies with named approval gates. Auditors trace the dependency map directly to the mode.

NERC CIP-007 / CIP-008 (Bulk electric system operators)
Obligation: System security audit + cybersecurity incident reporting.
Level-by-level architectural fit: Level 1 is the indefinite home for NERC CIP–scoped workflows. The unified audit trail at every mode produces evidence for CIP-007 audit-log requirements; the per-incident structure maps to CIP-008 incident-reporting structure.

common questions

Autonomy modes, migration, accuracy.