Morpheus for Elastic Security: From Attack Discovery to Governed Response
D3 Morpheus, the autonomous SOC platform from D3 Security, completes Elastic Security by carrying Attack Discovery’s findings into governed, cross-stack autonomous response. The reasoning engine and model are included, so you’re not running investigation on a customer-supplied LLM connector you have to fund and maintain.
See Morpheus in Action

Morpheus AI implements the Unified Intelligence Model architecture: one purpose-built cybersecurity LLM performing complete autonomous investigation within a single reasoning context, producing one unified audit trail per incident. Where playbook flexibility is needed, Morpheus’s Agentic Task nodes run bounded agentic reasoning, autonomous reasoning with explicit iteration, cost, tool-scope, and approval-gate limits, inside the parent workflow’s audit trail. This is architecturally distinct from Elastic’s workflow-builder approach, which provides automation primitives without an investigation reasoning layer. For regulated environments under NIS2, DORA, or the EU AI Act, the UIM produces one audit trail per incident, mapping structurally to Article 20 and Article 14 oversight obligations without additional governance tooling.
The pain: Elastic finds the attack. Then what runs the response?
Elastic Security has earned its reputation. The open, scalable data platform and the strong detection engineering are genuinely good, and Attack Discovery does real work surfacing attack chains from your data. The open-source community around it is one of the best in the industry. We respect that, and Morpheus is built to extend it.
Two practical gaps show up when teams try to operationalize Elastic end to end.
Attack Discovery requires a customer-supplied LLM connector. Per Elastic’s documentation, Attack Discovery runs against an LLM you connect, so the model cost sits with the customer. Elastic also allows a self-hosted LLM.1 Either way, you provision, secure, tune, and pay for the inference. The quality and cost of your AI investigation now ride on a model relationship you have to own.
Native Workflows automation is a comparatively recent capability. This is where Morpheus adds breadth: self-healing integrations, four governed autonomy modes, and one unified audit trail per incident. That’s the operational depth it takes to run response across a mixed estate.
Morpheus picks up where Attack Discovery leaves off and runs governed response across your whole stack, model included.
Why isn’t Attack Discovery plus Workflows enough?
For many teams, Attack Discovery finding the chain and Workflows kicking off a basic automation is a real step forward. If your environment is Elastic-centric and your response needs are light, that combination does useful work.
What it leaves open is depth, cost ownership, and governance.
The model is yours to fund.
Attack Discovery’s quality depends on a customer-supplied LLM connector, and the inference cost lands on your bill.1 Morpheus brings its own Cybersecurity Triage Reasoning Graph, purpose-built SOC reasoning developed over 24 months by 60 specialists, so you don’t assemble, fund, or tune a general-purpose model for security investigation.
Cross-stack response, governed.
Morpheus’s Attack Path Discovery (APD) traces an Elastic finding across identity, endpoint, cloud, and email, maps blast radius, aligns to MITRE ATT&CK, and drafts remediation. Then it runs that response at your chosen autonomy level, behind approval gates. Every step is a timestamped, attributed, challengeable tool query, and each incident has one unified audit trail.
Mature integration fabric.
800+ self-healing integrations with an 18-minute drift MTTR against a 4 to 6 week baseline. That’s breadth Morpheus adds on top of native Workflows.
Keep Elastic as your data platform and detection engine.
Keep Attack Discovery for what it surfaces. Add Morpheus as the governed autonomy layer that investigates and responds, with the model included and the audit trail unified.
Morpheus AI Capabilities Elastic Cannot Match
The following six capabilities are core to Morpheus’s architecture. Elastic Security is not designed to deliver them.
Beside Any SIEM (No SIEM Lock-In)
Morpheus AI works beside Elastic Security, Splunk, Microsoft Sentinel, QRadar, Chronicle, or any SIEM. The customer’s existing data layer stays in place. Autonomous investigation is added across the stack on one audit trail. Elastic Security is itself the SIEM and compounds value only when more data is committed to the Elasticsearch data lake.
Attack Path Discovery (Across 800+ Tools)
Morpheus maps N-S (external-to-critical) and E-W (lateral) attack paths on every alert in real time, across 800+ integrated tools from any vendor, with MITRE ATT&CK references to adversary tactics and techniques. Elastic’s Attack Discovery correlates inside Elastic-ingested data and stops at the SIEM boundary.
Contextual Playbook Generation (Runtime)
Morpheus generates response playbooks at runtime from live evidence, specific to the attack, the customer’s environment, and available tools. Elastic ships case management and built-in response actions; complex orchestration is analyst-authored or requires third-party SOAR.
Autonomous Investigation (Not Assistive AI on SIEM Data)
Morpheus investigates up to 95% of alerts at L2+ depth in under two minutes, autonomously, before an analyst opens the case. Elastic’s AI Assistant and Attack Discovery accelerate analyst review inside the Elastic console but require the analyst to drive the investigation.
Cybersecurity Triage Reasoning Graph
Morpheus runs on D3’s purpose-built SecOps reasoning system: 24 months and 60 specialists in the build. The graph is the moat; the LLM underneath is interchangeable. Elastic’s AI Assistant routes natural-language queries to a customer-selected general-purpose LLM.
Four Autonomy Tiers (One Engine, One Audit Trail)
Morpheus operates across four tiers on one engine: Tier 1 Deterministic, Tier 2 AI-Assisted, Tier 3 AI-Led, Tier 4 Autonomous. Each tier produces evidence trees, logic chains, and confidence scores on one audit trail. See d3security.com/morpheus/autonomy-modes/.
Feature Comparison: Morpheus vs. Elastic Security
Morpheus AI is an AI SOC Platform for autonomous investigation and accountable response across every tool in the stack. Elastic Security is a SIEM and endpoint detection suite with assistive AI features. The table below shows what each delivers.
| Capability | D3 Morpheus AI | Elastic Security |
|---|---|---|
| Alert Investigation | Up to 95% in <2 min (L2+ quality) | Detection inside Elasticsearch; investigation analyst-driven with AI assist |
| Attack Path Discovery (N-S + E-W) | Every alert | Attack Discovery correlation within Elastic-ingested data only |
| Contextual Playbook Generation | Runtime from live evidence | Case management + built-in response actions; no native playbook generation |
| Orchestration & Remediation Engine | Built-in (800+ tools) | No dedicated SOAR; third-party SOAR or webhook required |
| Triage component | Cybersecurity Triage Reasoning Graph (24 months / 60 specialists) | AI Assistant + Attack Discovery using customer-selected general LLM |
| Autonomous Self-Healing | Verify & retry | Not available |
| Integrated Tool Ecosystem | 800+ self-healing integrations, any vendor | Broad log-source coverage; cross-tool action via webhook or third-party |
| Autonomy Spectrum | Four tiers, one engine, one audit trail | Analyst-driven workflow with AI assistance |
| Governance & Explainability | Evidence trees, logic chains, confidence scores — supports GDPR, EU AI Act, NIS2, SEC, CISA | Elastic audit logging; AI reasoning chain depends on customer-selected LLM |
| MTTR (Mean Time to Remediation) | 80% reduction | Dependent on analyst response and third-party SOAR |
| Single-Vendor Solution | Investigation + Orchestration + Remediation | Detection + analytics; SOAR partner required for response |
| Pricing Model | Platform Subscription + User Licenses | Resource-based cloud or tiered subscription; AI features add usage-based variable cost |
WHY MORPHEUS
Why SOC Teams Choose Morpheus AI

Complete Platform, No Fragmentation
One vendor, one API, one training program, one audit trail. Investigation feeds into orchestration feeds into accountable response. Morpheus AI sits above Elastic Security and the rest of the security stack, not inside any one SIEM console. No integration glue, no vendor finger-pointing when something breaks.

80% Faster Remediation
Attacks are stopped in minutes, not hours. Playbooks are generated from live evidence and executed through 800+ integrated tools without manual handoffs. East-west lateral movement that an Elasticsearch-bound correlation cannot reach gets traced and contained on the same audit trail.

7,800 Analyst Hours Saved Annually
Per 1,000 alerts, Morpheus eliminates the busywork of triage, playbook authoring, orchestration planning, and post-incident forensics. Analysts focus on strategic threats, not alert fatigue inside the Elastic console.

99% False Positive Elimination
Morpheus’s contextual investigation cuts false positives to roughly 1%. No more investigating non-threats. Analysts work actual attacks and escalate with evidence trees and confidence scores, not hunches drawn from an LLM summary inside one SIEM.
Lower Total Cost of Ownership
Morpheus uses a subscription pricing model. The customer pays a Platform Subscription plus User Licenses that together form the Expected Cost of running an AI SOC. The model is designed to absorb the operational cost of token consumption and AI compute internally rather than passing it through as a usage meter. By contrast, Elastic Security’s ingest- and resource-based cloud pricing scales with data volume, retention, and features, and the AI Assistant and Attack Discovery introduce additional usage-based variable costs through a customer-selected LLM contract. One platform, one budget line. Visit d3security.com/morpheus/pricing/ for details.
Bounded Reasoning, Customer-Extensible
The Cybersecurity Triage Reasoning Graph encodes attack patterns, evidence-tree logic, and confidence scoring as a purpose-built SecOps reasoning system. The graph is the moat; the reasoning model underneath is interchangeable. Customers can extend the graph with their own playbooks, SOPs, and tool stack, without rebuilding the reasoning system or coupling to a single SIEM data layer.
Elastic Security alone vs. Elastic + D3 Morpheus
| Capability | Elastic + D3 Morpheus | Elastic Security alone |
|---|---|---|
| AI investigation model | Purpose-built Cybersecurity Triage Reasoning Graph, included, no BYO model | Attack Discovery needs a customer-supplied LLM connector; model cost on you¹ |
| L2 investigation | Up to 95% of alerts triaged and L2-investigated in under two minutes | Surfaces attack chains; analyst-led from there |
| Investigation scope | Cross-stack: identity, endpoint, cloud, email, any vendor | Strongest on data in Elastic |
| Response automation | Adds breadth: governed response, 800+ self-healing integrations, four autonomy modes, 18-min drift MTTR, one audit trail | Native Workflows, a comparatively recent capability |
| Explainability | Every step a timestamped, attributed, challengeable tool query | Discovery summaries depend on chosen LLM |
| Audit trail | One unified audit trail per incident | Per-product |
| Autonomy control | Four autonomy modes: Deterministic → AI-Assisted → AI-Led → Autonomous, by configuration | Basic workflow triggers |
How they fit together
Elastic ingests and detects, and Attack Discovery surfaces the chain. Morpheus consumes that finding, runs read-only L2 investigation through APD across your whole estate on its own purpose-built reasoning engine, returns an explained verdict with drafted remediation, and executes response at the autonomy level you choose. There’s no customer-supplied model to fund and no per-incident inference bill to manage. Agentic on architecture. Autonomous on outcomes. Accountable on every decision.

See it on your own alerts. A 30-minute walkthrough, live on real alerts, no slides.
Frequently Asked Questions
Do I need a SOAR if I have Elastic Security?
Elastic’s native Workflows automation is a comparatively recent capability. D3 Morpheus adds breadth on top of it: governed, cross-stack autonomous response with 800+ self-healing integrations, four autonomy modes, and one unified audit trail per incident. That is the operational depth needed to run response across a heterogeneous estate.
Isn’t Attack Discovery enough for AI investigation?
Attack Discovery is strong at surfacing attack chains, but it requires a customer-supplied LLM connector, so the model cost and tuning are yours. Morpheus brings a purpose-built Cybersecurity Triage Reasoning Graph, included in the platform, and carries findings into governed, cross-stack response with a full audit trail. Investigation doesn’t stop at discovery.
Does Attack Discovery require me to bring my own LLM?
Yes. Per Elastic’s documentation, Attack Discovery runs against an LLM you connect, so the inference cost is borne by you. With D3 Morpheus the reasoning engine is included and purpose-built for SOC triage, removing the need to provision, secure, tune, and fund a general-purpose model for security investigation.
Does Morpheus replace Elastic Security?
No. Morpheus completes Elastic, it doesn’t replace it. Elastic stays your data platform and detection engine, and Attack Discovery keeps surfacing chains. Morpheus adds the governed autonomy layer that investigates cross-stack and runs response. It’s designed to extend the open Elastic ecosystem.
How does Morpheus compare to native Elastic Workflows?
Workflows is a promising but recent automation feature. Morpheus offers a mature response fabric: 800+ self-healing integrations with an 18-minute drift MTTR against a 4 to 6 week baseline, four governed autonomy modes, and one unified audit trail per incident. It complements Workflows where you need depth, governance, and cross-vendor reach.
Will Morpheus’s autonomy stand up to an audit?
That’s the design goal. Every autonomous action is governed by your chosen autonomy mode and approval gates, every step is a timestamped, attributed, challengeable tool query, and each incident produces one unified audit trail, built to support SEC Item 1.05, NYDFS 23 NYCRR 500, NIS2, DORA, and EU AI Act Article 14.
Can Morpheus investigate across tools outside Elastic?
Yes. Attack Path Discovery takes an Elastic finding and traces it across identity, endpoint, cloud, and email regardless of vendor, maps blast radius, aligns to MITRE ATT&CK, and drafts remediation. Your investigation follows the attacker across the whole estate, including tools outside Elastic.
Sources
Elastic Attack Discovery requires a customer-supplied LLM connector, so model costs are borne by the customer, per Elastic’s published documentation (elastic.co/docs, Attack Discovery). Regulatory frameworks referenced reflect D3 Security’s published compliance positioning as of June 2026.
D3 Security is not affiliated with Elastic. Elastic and Elastic Security are trademarks of their respective owners. This comparison reflects publicly available information and our team’s evaluation as of June 2026.