Everything buyers, analysts, and security leaders ask about D3 Morpheus — from platform fundamentals to SOAR migration, pricing, integrations, and compliance.
Platform & Product
What is D3 Morpheus?
D3 Morpheus is an autonomous AI SOC platform that investigates and responds to security alerts without human intervention. It ingests alerts from your entire security stack, performs full L2-depth Attack Path Discovery on every alert, generates a bespoke response playbook at runtime, and delivers a structured case file ready for analyst review — all in under two minutes. It includes a built-in SOAR engine, integrated case management, and self-healing integrations across 800+ tools, in a single platform with flat-rate pricing.
What is an AI SOC platform?
An AI SOC platform uses artificial intelligence to autonomously investigate, triage, and respond to security alerts across an organisation’s entire tool stack. Unlike legacy SOAR platforms that depend on static playbooks, AI SOC platforms apply specialised LLMs to analyse alerts in context, correlate signals across tools and time, and deliver complete investigation findings with minimal human intervention. D3 Morpheus delivers L2+ investigation depth on every alert using Attack Path Discovery and a purpose-built cybersecurity triage LLM.
What is the difference between SOAR and an AI SOC?
SOAR platforms are workflow engines — they execute predefined playbooks that must be manually built, tested, and maintained. When integrations break or threats evolve, the playbooks fail. An AI SOC platform like D3 Morpheus eliminates the playbook dependency. Morpheus generates contextual playbooks at runtime, adapts to new threat patterns without human scripting, and uses self-healing integrations to maintain connectivity automatically.
What is Attack Path Discovery?
Attack Path Discovery is an AI-driven investigation methodology developed by D3 Security that traces the full sequence of an attack across an organisation’s environment. Rather than examining each alert in isolation, it follows threats horizontally across tools (lateral movement) and vertically through time (privilege escalation, persistence), reconstructing the complete attack path from initial access through objective completion. Morpheus performs Attack Path Discovery on every alert in under two minutes.
How does Morpheus differ from L1 AI triage bots?
L1 AI triage bots classify alerts and hand the investigation back to your analysts. Morpheus investigates — tracing the full attack path, mapping lateral movement and blast radius, generating a runtime response playbook, and delivering a closed case. L1 bots stop at the alert. Morpheus closes the case. The difference is not incremental — it is a fundamentally different operating model.
What does "L1 and L2 happen at machine speed, L3 stays human" mean?
Morpheus autonomously handles L1 (alert triage and classification) and L2 (full attack path investigation, blast radius assessment, playbook generation) without analyst intervention. Your team picks up at L3 — reviewing validated incidents, approving response actions, and closing cases with a complete evidence chain already assembled. Human judgment is applied where it actually matters, not on every alert in a queue.
Is Morpheus a replacement for my SIEM, EDR, or other security tools?
No. Morpheus does not replace your existing detection tools. It sits on top of your stack — ingesting alerts from your SIEM, EDR, IAM, cloud, email, NDR, and DLP tools, then investigating and responding across all of them. No rip-and-replace. Your existing investments are preserved; Morpheus connects them, investigates across them, and drives response through them.
Does Morpheus work with my existing security stack?
Yes. Morpheus integrates with over 800 security tools across SIEM, EDR, IAM, cloud, email, NDR, and DLP — including Microsoft Sentinel and Defender, Splunk, CrowdStrike, SentinelOne, Palo Alto, Okta, Fortinet, Elastic, and more. Self-healing integrations monitor every connection continuously and repair API drift autonomously, so your pipeline never goes dark.
AI Investigation & Autonomous Triage
Does Morpheus investigate every alert, or just a sample?
Every alert. Morpheus performs full L2-depth Attack Path Discovery on 100% of alert volume with no sampling, no prioritisation queues, and no gaps. 95% of alerts are triaged in under two minutes.
What does a Morpheus investigation actually produce?
Each investigation produces a structured case file containing: attack narrative, complete attack path (horizontal and vertical), risk score, blast radius assessment, MITRE ATT&CK mapping, entity relationship map, full-stack timeline, IR recommendations, and a runtime-generated response playbook — all ready for analyst review and approval.
How does Morpheus’s cybersecurity LLM differ from a general-purpose AI?
D3’s cybersecurity triage LLM was developed over 24 months by 60 specialists — red teamers, data scientists, SOC analysts, and AI engineers. It was trained specifically on cybersecurity data: MITRE ATT&CK techniques, incident response patterns, threat intelligence, and real-world attack telemetry. It understands how attacks propagate — from phishing payload to credential theft to lateral movement — at a foundational level. General-purpose LLMs understand language. D3’s LLM understands how attacks unfold across your environment.
Can Morpheus investigate alert types it has never seen before?
Yes. Because Morpheus’s investigation capability is embedded in the LLM — not encoded in static playbooks — it can reason about novel attack patterns it was never explicitly programmed to handle. The LLM understands attacker intent and technique at a foundational level, not just pattern matching against known signatures.
What does "horizontal and vertical" investigation mean?
Horizontal investigation (East-West) traces lateral movement — following an attacker’s path from one compromised asset to the next across your tools, identity systems, cloud, and network. Vertical investigation (North-South) traces activity within a single system — following privilege escalation, persistence mechanisms, and credential harvesting from initial access to objective completion. Morpheus performs both simultaneously on every alert.
Do my analysts stay in control when Morpheus runs autonomously?
Yes. Every investigation produces a structured report your team can review, override, or refine. Approval gates, audit trails, and human-in-the-loop controls are built in at every stage. High-impact response actions require analyst approval. AI speed without sacrificing human accountability.
Can Morpheus’s AI reasoning be reviewed and audited?
Yes. Every step of Morpheus’s investigation — the evidence gathered, the reasoning applied, the conclusions reached — is fully visible, editable, and auditable. The platform is not a black box. Analysts can inspect, override, and refine every AI decision. Full audit trails are maintained for compliance, governance, and post-incident review.
SOAR Migration
Can D3 Morpheus replace our SOAR?
Yes. Morpheus includes built-in orchestration, case management, playbook generation, and response execution in a single platform. Organisations migrating from Cortex XSOAR, Splunk SOAR, Tines, or Torq can deploy Morpheus on top of their existing detection stack with 800+ out-of-the-box integrations. Most teams find they no longer need their legacy SOAR within weeks of deployment — but the pace is yours to set.
Is Morpheus just an AI SOAR, or something fundamentally different?
Fundamentally different. Legacy SOAR executes pre-built workflows. Morpheus investigates the alert — tracing the full attack path and generating a runtime playbook per incident. It is not an upgrade to SOAR. It is a different operating model. That said, Morpheus also includes a full SOAR engine for organisations that need deterministic playbooks for compliance-mandated workflows — so both models run simultaneously.
How long does SOAR migration take?
D3’s proven SOAR migration program re-platforms your playbooks, converts Python scripts into native Morpheus commands, rebuilds integrations as self-healing connectors, and validates ingestion — in approximately one week, using D3’s team resources, not yours.
Do I need to replace my current stack to migrate away from SOAR?
No. Morpheus sits on top of your existing SIEM, EDR, IAM, and cloud tools — zero rip-and-replace. Your stack stays. Morpheus connects it, investigates across it, and drives response through it. Your existing tools are preserved; SOAR is what gets replaced.
How does Morpheus handle false positives better than SOAR?
SOAR routes alerts based on rules. Morpheus investigates them — correlating the alert vertically into the source tool and horizontally across your full stack before reaching a conclusion. The result is L2-depth triage on every alert, cutting noise by up to 99%. Those are customer numbers, verified in production deployments.
Can I migrate from SOAR to Morpheus for free?
D3 offers a legacy SOAR migration programme for organisations at renewal. Contact D3 to discuss eligibility. The migration uses D3’s team resources, not yours — so your analysts continue working during the transition.
Self-Healing Integrations
What are self-healing integrations?
Self-healing integrations continuously monitor every connection between Morpheus and your security tools. When a vendor pushes an API update, changes a schema, or rotates credentials, self-healing integrations detect the drift and generate corrective code without human intervention — eliminating the integration maintenance burden that makes traditional SOAR so expensive to operate.
How much engineering time do self-healing integrations save?
SOC engineering teams typically spend 20–40% of their capacity on integration maintenance — detecting breaks, debugging vendor changes, and rebuilding connectors. Self-healing integrations reduce this to near zero. Your engineers focus on security, not plumbing.
What happens when a vendor like CrowdStrike or Splunk updates their API?
Morpheus detects the API drift within minutes, diagnoses the schema change, and generates corrective integration code autonomously. Connectivity is restored before investigations are affected. Your alert pipeline never goes dark — regardless of how frequently vendors update their products.
How many integrations does Morpheus support?
Morpheus integrates with over 800 security tools across SIEM, EDR, IAM, cloud, email, NDR, and DLP. All integrations are maintained by D3’s technical team and covered by the self-healing capability. There are no integration maintenance costs passed to customers.
Microsoft & Azure
Is Morpheus an AI SOC for Azure and Microsoft Sentinel environments?
Yes. Morpheus ingests alerts from Azure Sentinel, performs autonomous L2 attack path investigation across your Defender, Entra ID, Exchange Online, and Intune telemetry, and responds across your full Azure and on-premise stack. Morpheus is available on the Azure Marketplace and purchasable with existing Azure credits. D3 Security is a Microsoft Intelligent Security Association (MISA) member.
What are the best Microsoft Security Copilot alternatives for autonomous investigation?
For SOC teams that need full attack path investigation — not alert summarisation — Morpheus is the leading alternative. In a controlled head-to-head benchmark across three MITRE ATT&CK scenarios, Morpheus identified root cause in all three. Microsoft Security Copilot identified root cause in none. Morpheus also investigates across non-Microsoft tools, has no entity volume limitations, and does not charge per Security Compute Unit.
Can Morpheus be purchased with Azure Marketplace credits or MACC commitment?
Morpheus is available on the Azure Marketplace. Organisations with existing Azure Marketplace credits can apply them to a Morpheus deployment. For customers with a Microsoft Azure Consumption Commitment (MACC), contact D3 to confirm eligibility.
Does Morpheus work in hybrid Microsoft environments — cloud and on-premise?
Yes. Morpheus integrates with Sentinel and the full Azure stack alongside on-premise tools, creating a single autonomous SOC interface. It investigates alerts wherever they originate, correlates across the cloud and on-premise boundary, and responds across both environments from one platform.
Pricing
How much does D3 Morpheus cost?
Morpheus pricing is a platform subscription plus user licenses — that is the complete cost structure. There are no AI fees, no per-alert charges, no token meters, no per-investigation limits, and no overage charges. D3 absorbs all LLM token and compute costs internally. We don’t publish a price list because we value 1:1 engagement with SOC leaders and CISOs. Reach out and you’ll know your exact annual cost.
Are there any per-alert or per-investigation fees?
No. Morpheus investigates every alert with no cap, no per-alert charge, and no AI tier that limits coverage. Your bill is the same whether Morpheus handles 1,000 alerts a month or 1,000,000.
Does Morpheus charge AI token fees or LLM compute costs?
No. D3 absorbs all token and compute costs internally. Morpheus’s architecture is designed to minimise token consumption, and D3 does not pass any of those costs to customers. What you pay is your platform subscription and user licenses — nothing else.
What happens to my Morpheus bill during a major incident or breach attempt?
Nothing. A breach attempt that generates 10x your normal alert volume costs the same as a quiet week. Morpheus is designed for peak load — that is precisely when you need maximum AI coverage, and it is not the moment your bill should spike.
How does Morpheus pricing work for MSSPs?
Morpheus MSSP pricing is based on the platform and user licenses — not per client, not per alert volume, not per tenant. MSSPs that deploy Morpheus report achieving gross margins of 70–85% at scale, because human investigation costs stay flat as client volume grows. Contact D3 for MSSP-specific pricing.
Is the cybersecurity LLM included, or do I need to bring my own?
D3’s purpose-built cybersecurity triage LLM is included in the platform subscription. No API keys, no model costs, no configuration required. Morpheus also supports customer-preferred LLMs for organisations that require it — without changing the pricing structure.
MSSPs
Is D3 Morpheus suitable for MSSPs?
Morpheus is built for MSSP-scale operations with native multi-tenancy, complete data isolation, segregated client views, and client-specific configurations. MSSPs of all sizes — from regional providers to global enterprises — rely on D3. Morpheus processes over 500,000 alerts per day — the equivalent of approximately 6,000 analyst FTEs.
How does Morpheus multi-tenancy work for MSSPs?
Morpheus provides native multi-tenant architecture with complete data isolation between client environments, per-tenant configurations, segregated client views, and aggregated or individual reporting. There is no per-client licensing fee — you pay for the platform and users across your operation, not per tenant.
Can MSSPs scale client capacity without adding analyst headcount?
Yes. Morpheus processes alerts at machine speed, so client capacity scales with compute — not recruiting. MSSPs using Morpheus report transitioning from fully reactive to 70% proactive operations and tripling client capacity without adding headcount.
Can MSSPs white-label or customise Morpheus for each client?
Morpheus supports client-specific configurations, investigation parameters, and reporting formats. Contact D3 to discuss white-label and customisation options available for MSSP deployments.
Security, Compliance & Governance
Does Morpheus maintain audit trails for compliance?
Yes. Every Morpheus investigation produces a complete evidence chain: what triggered it, what data informed the AI’s reasoning, what actions were taken, and who approved them. Full audit trails are maintained for compliance, cyber insurance, regulatory examinations, and post-incident reviews.
Is Morpheus SOC 2 certified?
D3 Security is SOC 2 Type II certified. Morpheus is also a member of the Microsoft Intelligent Security Association (MISA) and is MITRE ATT&CK and MITRE D3FEND aligned.
Does Morpheus support on-premise or air-gapped deployments?
Morpheus supports cloud, on-premise, hybrid, and air-gapped deployments. Organisations in regulated industries — financial services, government, defence, and healthcare — can deploy Morpheus in configurations that meet their data residency and sovereignty requirements. Contact D3 to discuss deployment options for your environment.
How does Morpheus handle data residency requirements?
D3 has multiple deployment regions and supports data residency configurations for customers in jurisdictions with specific requirements (including GDPR, EU data sovereignty, and regional government mandates). Contact D3 to confirm available regions and deployment configurations for your requirements.
Can Morpheus run deterministic playbooks for compliance-mandated workflows?
Yes. Morpheus includes a full built-in SOAR engine alongside its autonomous AI capabilities. Organisations can run static, deterministic playbooks for compliance-mandated processes and autonomous AI investigation side by side — from the same platform. You do not need to choose between AI autonomy and regulatory compliance.
Getting Started
How long does Morpheus deployment take?
Most organisations are running investigations in their environment within days of deployment. The SOAR migration programme — for teams transitioning from legacy SOAR — completes in approximately one week. D3’s Customer Success team supports onboarding from day one.
What does a Morpheus proof of value (POV) look like?
D3 offers a structured Proof of Value engagement that deploys Morpheus against a defined subset of your alert stream, measures triage accuracy, investigation depth, and time-to-resolution against your current platform, and provides a quantified comparison of analyst productivity and investigation quality. Typical POV duration is four weeks.
Can I see Morpheus investigate a real alert before I commit?
Yes. D3 offers live demos using alert types and tool stacks representative of your environment — not canned scenarios. You can bring your own alert types and see exactly what Morpheus does with them. No slides, no scripted walkthrough.
What support does D3 provide after deployment?
Every Morpheus deployment includes a Customer Success Manager as part of the AI SOC Success Program — with regular strategy sessions, power user and team-wide training, integration optimisation, and access to D3’s technical documentation and SOC automation knowledge base. D3 Security provides support across North America, Europe, and the Middle East.
Can Morpheus be adopted gradually, or does it require full deployment upfront?
Morpheus supports a phased adoption model. Organisations can start with traditional SOAR playbooks for familiar alert categories and progressively enable autonomous AI investigation across additional categories as confidence grows. Each step is reversible — if performance in a specific category needs adjustment, the playbook can be reverted to deterministic mode without affecting other categories.
Updated March 2026 · © D3 Security 2026
