Five capabilities under one Security Control Plane. The lake stays where it lives. The platform reads it, ranks it, and writes it back as dispatches your SOC and your board can act on.
Snowflake, Databricks, ClickHouse, S3, Iceberg, BigQuery. Setu attaches to the warehouse you already use. No ingestion, no parallel data store, no agents on every endpoint.
Humans, machines, AI agents, service principals, and shared accounts resolve into a single graph. Expected Compromise Impact ranks every node so you triage by what would actually hurt.
Bipartite-CC clustering, Jaccard identity, and the cross-tenant TGN forecaster surface coordinated activity that single-event SIEM rules miss. Each campaign is one object, not fifty alerts.
A prompt-injection-scrubbed LLM narrator writes each campaign as a board-ready dispatch. The same artifact serves the SOC analyst at 3am and the audit committee at 9am.
Dispatches is the surface your SOC and your board see. These are the five capabilities that produce it.
The graph layer that powers Dispatches. Humans, machines, AI agents, service principals, all resolved across your data lake.
Setu is the layer that makes Dispatches possible. It reads your existing data lake, resolves humans, machines, AI agents, and service principals into a single graph, and ranks every node by exposure so the campaigns Dispatches surfaces are ordered by what would actually hurt, not by alert volume. Built for an enterprise that already paid for Snowflake or Databricks.
Detection content that ships with the platform, version-controlled and auditable.
Atlas is the detection-content surface. Rules, models, and narrators ship as a versioned canon you can review, audit, and override per tenant. No black-box detections, no "trust the vendor" debt, no surprise prompt changes after a CISO procurement review.
Active campaigns, matches, and intel sources, refreshed continuously.
Beacon is the operational surface. See what is currently lit up, where intel matches against your environment, and which campaigns are actively running. The dashboard your SOC opens at the start of the shift.
Outliers, similarities, and forecasted attack edges before they fire.
Horizon is the predictive surface. Outliers across the identity graph, similarity clusters across tenants, causal edges with confidence intervals, and forecasted edges from the cross-tenant TGN model. The signal CrowdStrike will not see because it sits on endpoints, not on the lake.
The algorithms that turn raw events into a versioned, ranked, narrated operation cluster. Each is a single function ingo/internal/dispatches/with paired tests — auditable end-to-end.
Events become nodes; entities and MITRE techniques become connecting nodes. Connected components reveal coordinated activity that single-alert pipelines miss because no single alert crossed a threshold.
A new cluster is matched against active dispatches by Jaccard overlap on entities and techniques. Same operation, fresher view bumps a version number; a new operation gets its own dispatch.
Personalized PageRank biased by recent events scores per-node activity inside the entity graph. Used to pick the bridge entity each dispatch points its narrative at.
Severity, blast radius, and freshness combine into a single rank. Decay pushes stale dispatches down the feed without auto-closing them — an analyst still gets the option to dismiss.
Cluster events feed a hardened LLM template. A scrubber strips injection patterns from event-derived strings before prompt assembly so a malicious payload can’t hijack the narrative an analyst reads.
Public share links carry an HMAC-signed nonce of the formv1.<id>.<exp>.<rnd>.<sig>with a tenant-scoped signing key. Path-independent: rotating the key invalidates outstanding links instantly.
Multi-tenant SaaS deployment, customer data stays in the customer's own data lake. Samyoga reads via service-principal credentials with least-privilege scopes. India data residency available.
Single-tenant on-prem deployment with embedded Ollama for the LLM narrator. Air-gapped, no outbound calls, audit trails for regulated industries. The same image runs in pharma manufacturing floors and Big-4 advisory engagements.
OCSF 1.0 throughout the schema. Detection content versioned and auditable through Canon. Per-tenant LLM keys when required.
Council is the operator surface. Tenants, roles, rollouts, secrets, and per-tenant configuration in one place. Built for the team that has to defend every config in front of a CISO.
We reply within one business day with two or three time slots.