
Morpheus AI platform

The Cybersecurity Triage Reasoning Graph.

D3’s domain-specific reasoning architecture for SOC investigation. Built into Morpheus AI, consistent across every customer tenant. Bounded reasoning inside deterministic governance, the agentic architecture that makes autonomous SOC outcomes accountable under SEC, NYDFS, NIS2, DORA, and the EU AI Act.

Up to 95% of alerts triaged at L2+ depth in under 2 minutes

24 months of graph development by 60 SOC specialists

800+ self-healing integrations as the reasoning tool surface

99% alert reduction reported by customers

The architecture

What the Reasoning Graph is, and what it isn’t.

A pre-built reasoning architecture, not a prompt template or a fine-tuned chat model. The Reasoning Graph encodes how a senior SOC analyst reasons about an alert, captured once, applied consistently across every Morpheus customer.

What it is

A domain reasoning architecture for SOC investigation, built into Morpheus AI.

The Reasoning Graph encodes how a senior SOC analyst reasons about an alert, captured once and applied consistently across every Morpheus customer. D3 spent 24 months building it, with 60 SOC specialists, against real customer alert workloads.

The graph is what lets Morpheus triage up to 95% of alerts at L2+ depth in under 2 minutes, correlating signals across tools, validating IOCs, and reconstructing attack timelines before an analyst opens the case.

It integrates with a frontier LLM as the language interface and with Morpheus’s 800+ self-healing integrations as the tool surface. The frontier LLM handles language. The graph handles SOC.

What the graph encodes
Entities: What to extract from the alert payload
Evidence: What to gather from which integrated tool
Signals: What to correlate across the response set
Conclusions: Which verdicts are supportable by the evidence
Actions: What’s appropriate at which command-risk tier

What it isn’t

Most “AI SOC” tools are actually one of these. None of them is a reasoning graph.

Not a system prompt
Not a fine-tune
Not a chain-of-thought template
Not RAG over docs
Not an agent mesh

The defensible asset

The graph is the moat. The LLM is interchangeable.

Translation: When a faster, cheaper, or more capable frontier model lands, D3 swaps it underneath without changing the graph, the audit trail, or your playbooks. Customers see better reasoning. The architecture above the LLM does not change. Your investment in D3 doesn’t depend on one AI vendor’s roadmap.

The pipeline

How the graph reasons about an alert.

Five stages, one unified audit trail, roughly ninety seconds end to end on a typical alert.

01 Ingest: Alert lands from any connected source
02 Parse: Extract entities, relationships, context
03 Enrich: Query 800+ integrated tools in parallel
04 Correlate: Validate IOCs · rebuild attack timeline
05 Recommend: Verdict + next action + command-risk tier

An alert lands in Morpheus from any connected source. The Reasoning Graph parses it semantically, extracts entities (users, hosts, hashes, domains, processes, sessions), then enriches each entity by querying every integrated tool with relevant context.

EDR for endpoint posture. Identity provider for session history. Email gateway for related messages. Cloud control plane for resource state. Threat intelligence for IOC reputation.

The graph correlates signals across tools, validates IOCs against authoritative sources, and reconstructs the attack timeline. It assigns a verdict, drafts a recommended action with a command-risk tier, and writes every reasoning step to one unified audit trail.

Where the playbook author pre-scripted the path, Morpheus follows the deterministic branch. Where the alert presents novel evidence the playbook could not anticipate, an Agentic Task node runs bounded reasoning inside the same audit trail.

Case file · Link analysis Output of one APD investigation
Link-analysis graph showing the reasoning output of a single Morpheus investigation. Nodes represent entities (HR Report phishing email, HR_Report.rar archive, HR_Report.xlsm Excel file, EXCEL.EXE process PID 9484, cmd.exe process PID 11780, tmp.vbs script, http callout to 20.56.84.2017, IP 20.86.84.207, d3commander.msi installer, commander.exe payload). Edges represent reasoning relationships discovered by the graph: attached-to, extracted, opened, launched, created, contacted, resolved-to, downloaded, installed.
The graph’s output isn’t a chat transcript; it’s a structured case file with entities, relationships, and confidence-weighted verdicts.

The governance layer

Bounded reasoning inside deterministic governance.

The graph reasons. The deterministic playbook engine governs. Roughly 70 to 80 percent of every Morpheus run is deterministic.

Free-running agents are easy to build and impossible to certify. They wander, retry, escalate cost, and produce reasoning paths nobody can audit. Morpheus refuses that pattern.

The Reasoning Graph operates inside a deterministic playbook engine that enforces four explicit bounds on every AI reasoning step. When an alert needs reasoning that the playbook author could not pre-script, an Agentic Task node runs the AI inside a defined envelope, and the deterministic playbook resumes control either way.

Typical run · execution split
70-80%: Deterministic playbook execution
20-30%: Bounded AI reasoning steps

Iteration bound

The reasoning loop has a hard cap on how many times it can run before producing an output or handing control back to the deterministic playbook. No infinite chains. No silent retries.

Cost bound

Token spend per reasoning step is capped at the platform level. The bound is enforced before the LLM call, not reconciled afterward, so a runaway loop can’t escalate compute consumption without the deterministic engine knowing.

Tool-scope bound

Each Agentic Task can call only the integrations the playbook author granted it. The AI cannot reach for tools outside its envelope, and every tool call writes to the audit trail with parameters and response.

Approval-gate bound

State-changing actions above a configured command-risk tier pause for analyst approval. The graph can propose isolating a host, disabling an account, or revoking a session, but the deterministic engine holds the action until a human signs off.
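
The four bounds above can be read as checks that run before each proposed step is executed. The sketch below is an added illustration, not D3 or Morpheus code: the class names, field names, tool names, and sample proposals are all hypothetical, and a fixed list of proposals stands in for the model's output.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Envelope:               # hypothetical names, not Morpheus configuration keys
    max_iterations: int       # iteration bound
    step_token_cap: int       # cost bound, per reasoning step
    allowed_tools: frozenset  # tool-scope bound
    max_auto_tier: int        # approval gate: tiers above this wait for an analyst

@dataclass
class AgenticTask:
    env: Envelope
    tools: dict
    audit: list = field(default_factory=list)

    def _handback(self, reason, **detail):
        # Every exit path returns control to the caller and is recorded.
        self.audit.append({"event": "handback", "reason": reason, **detail})
        return reason

    def run(self, proposals, approved=()):
        """proposals: (tool, params, est_tokens, risk_tier) tuples standing in for model output."""
        for i, (tool, params, est_tokens, tier) in enumerate(proposals):
            if i >= self.env.max_iterations:
                return self._handback("iteration_bound")
            if est_tokens > self.env.step_token_cap:   # refused before any spend
                return self._handback("cost_bound", tool=tool)
            if tool not in self.env.allowed_tools:
                return self._handback("tool_scope_bound", tool=tool)
            if tier > self.env.max_auto_tier and tool not in approved:
                return self._handback("approval_gate", tool=tool, params=params)
            response = self.tools[tool](**params)
            self.audit.append({"event": "tool_call", "tool": tool,
                               "params": params, "response": response})
        return self._handback("completed")

# Constructed sample tools and proposals (no real integrations are called).
TOOLS = {
    "edr_posture": lambda host: {"host": host, "isolated": False},
    "idp_sessions": lambda user: {"user": user, "sessions": 2},
    "isolate_host": lambda host: {"host": host, "isolated": True},
}
ENV = Envelope(max_iterations=4, step_token_cap=2000,
               allowed_tools=frozenset(TOOLS), max_auto_tier=1)
PROPOSALS = [
    ("edr_posture", {"host": "ws-042"}, 800, 0),
    ("idp_sessions", {"user": "j.doe"}, 900, 0),
    ("isolate_host", {"host": "ws-042"}, 500, 3),   # state-changing, high tier
]

def demo(approved=()):
    task = AgenticTask(ENV, TOOLS)
    return task.run(PROPOSALS, approved), task.audit
```

With no approvals, `demo()` stops at the host-isolation proposal and records the pending action in the audit list; passing `approved=("isolate_host",)` lets the same run complete.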

Working memory

The per-client context knowledge graph.

A tenant-isolated working memory that grows with every investigation. Solves cold start. Stays in your environment.

The Reasoning Graph ships pre-trained. The per-client context knowledge graph fills in as your Morpheus instance runs. Every entity it touches, every relationship it observes, every verdict an analyst confirms or overrides becomes a node and an edge in your tenant’s persistent working memory.

The platform on day 90 knows things the platform on day 1 did not. It learns the parts of your environment that no generic model can have seen: your VIP user list, your normal-looking authentication paths from your remote contractors, the false positives your previous SIEM kept generating, the legitimate operational scripts that ten other vendors keep flagging as malware.

The context graph lives inside your tenant. It is not pooled into a central model, not used to train anyone else’s reasoning, and not shared across customers. You can reset it. On contract termination, it is exportable.

The combination of a pre-trained reasoning graph and a tenant-owned context graph is what lets Morpheus be competent on day one and grow from there, without becoming a privacy or data-sovereignty problem.

Tenant isolation
[Diagram: the Cybersecurity Triage Reasoning Graph (pre-trained, shared baseline) sits above three separate tenant context graphs. Tenant A, Tenant B, and Tenant C each hold their own context graph (VIPs, normal paths), visible to that customer’s analysts only. Never pooled, never cross-trained.]
Pre-trained baseline, tenant-isolated learning. Day one competence and day 90 fit, without the privacy trade-off.

Versus the alternative

Reasoning Graph vs LLM wrapper.

Why a purpose-built reasoning graph is architecturally different from an LLM with a SOC system prompt, across six properties that matter to procurement.

Morpheus Reasoning Graph vs. generic LLM-wrapper AI SOC, architectural property comparison

| Architectural property | Morpheus Reasoning Graph | Generic LLM-wrapper AI SOC |
| --- | --- | --- |
| Domain reasoning structure | Pre-built graph encoding entity types, evidence relationships, validation rules | System prompt plus retrieval, no formal reasoning structure |
| Training provenance | 24 months · 60 SOC specialists · real customer alert workloads | Foundation model training data plus optional fine-tune on public alert corpora |
| Audit trail granularity | Every reasoning step, tool call, and verdict captured in one unified incident trail | Chat transcript of LLM input and output · no formal evidentiary structure |
| LLM swappability | Yes. Graph and context layer above the LLM, the model is interchangeable | Tightly coupled to the foundation model · swap means rebuild |
| Tenant data isolation | Per-client context graph in customer tenant · not pooled · not used for cross-customer training | Varies. Many platforms pool reasoning traces for model improvement |
| Compliance footprint | One unified audit trail per incident · structurally mappable to NIS2 Article 20, DORA Article 17, EU AI Act Article 14 | Audit story built in spreadsheets after the fact · oversight obligations require bolt-on governance tooling |

What is an Autonomous SOC Platform?

A research-backed definition of the autonomous SOC category, why SOAR hit its ceiling, what an autonomous SOC platform actually does that L1 triage bots and XDR can’t, and how the Cybersecurity Triage Reasoning Graph fits into the architectural picture.

Deployment

Across the four autonomy levels.

The same Reasoning Graph runs at every level. What changes is how much of its output your analysts approve before it acts.

LEVEL 01

Deterministic

No AI in the response chain. The graph still triages and investigates; deterministic playbooks handle the actions.

Right for the most heavily regulated SOCs that want Morpheus without AI in execution.
LEVEL 02

AI-Assisted

The graph investigates every alert before the analyst opens it. The analyst approves every state-changing action.

Right for SOCs new to AI-led response and for regulated environments.
LEVEL 03

AI-Led

The graph drafts playbooks at runtime. The analyst reviews and approves before they run. High-severity actions still require explicit sign-off.

Right for mature SOCs ready to scale L3 judgment across more alert categories.
LEVEL 04

Autonomous

End-to-end execution gated by command-risk tier policy plus confidence scores.

Right for SOCs concentrating human judgment at L3, MSSPs, and 24/7 coverage without night-shift headcount.

You do not have to pick once. Start in Level 2 on low-risk alert categories. Graduate to Level 3. Move specific workflows to Level 4. The Reasoning Graph and the audit trail are identical at every level.


Common questions

Provenance, swappability, isolation, audit trail.

Six questions the SOC architect, the CISO, and the procurement team ask before they sign.

See the Reasoning Graph run on your stack.

Bring your last week of alerts. We’ll show you how Morpheus would have triaged them, what it would have recommended, and what the unified audit trail would look like.
