ekkOS Recall.
Memory For SOCs That Refuse To Forget.
Your senior analyst just quit. Your L1s don't know the forty tribal rules she used to apply to every alert. You'll discover which ones mattered when the next breach happens. Recall makes sure that never happens again.
Research note: Memory is not a wiki. It is structured experience with provenance, outcomes, and the judgment of the people who built it.
Why This Exists
The SOC Math Problem
Enterprise SOCs process 2,992 alerts per day. Forty-six percent are false positives. Sixty-three percent go unaddressed. Analysts spend the first ten minutes of every investigation rediscovering what their team already knows.
The institutional knowledge that would make every one of those investigations faster lives in Slack threads, Confluence pages, and the heads of senior analysts who leave every two years.
Recall captures it. Structures it. Makes it retrievable at the moment of decision — and learns from every closed ticket whether the retrieval was right.
Position in the stack
Underneath your SIEM. Alongside your SOAR. Complementary to agentic triage tools. Recall is the memory your existing stack is missing.
Five Moves That Turn Tickets Into Institutional Memory
Recall is built on the ekkOS substrate: forge, retrieve, outcome, directive, conflict. Five primitives that map directly onto how high-functioning SOCs actually think.
Primitive // Forge
Every Investigation Becomes Durable Memory
When an analyst closes a ticket, ekkOS Recall captures the reasoning, the evidence, and the outcome — automatically. No wiki edits. No Confluence rot.
Primitive // Retrieve
Have We Seen This Before?
New alert fires. In under a second, Recall surfaces the five most similar past cases with their outcomes, confidence scores, and the analyst decisions that closed them.
Primitive // Outcome
Patterns That Learn From Being Wrong
True positive or false positive — every ticket closure feeds back into the retrieval scoring. Patterns that mislead get demoted. Patterns that predict correctly compound.
Primitive // Directive
Operational Rules That Travel
MUST, NEVER, PREFER, AVOID — captured as first-class directives. When the senior analyst retires, their judgment doesn't leave with them.
Primitive // Conflict
Guardrails Against Repeat Mistakes
Before an analyst isolates a host or waives a detection, Recall surfaces prior cases where that same decision caused an outage, a missed threat, or a compliance finding.
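To make the five primitives concrete, here is a small runnable model of the loop they describe: a closed ticket is forged into an attributed record, a new alert retrieves the most similar past cases with a confidence score and their provenance, the eventual closure feeds back into that score, directives travel with matching alerts, and a conflict check surfaces prior bad outcomes before a risky action. This is an added illustration, not ekkOS code: the class and method names, the Jaccard similarity over feature tags, the smoothed hit-rate weighting, and every ticket, host, rule and analyst in the sample data are assumptions constructed for the demo.

```python
# Toy model of forge / retrieve / outcome / directive / conflict.
# Illustrative only; names, scoring and sample data are assumptions, not ekkOS internals.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BAD_OUTCOMES = {"outage", "missed_threat", "compliance_finding"}  # assumed outcome taxonomy


@dataclass
class Case:
    """One closed ticket, kept with its provenance (source ticket and analyst)."""
    ticket_id: str
    analyst: str
    features: Set[str]   # normalized alert attributes, e.g. "rule:psexec_lateral"
    decision: str        # what the analyst did, e.g. "isolate_host"
    outcome: str         # "true_positive", "false_positive", "outage", ...
    reasoning: str
    retrievals: int = 0  # how often this case was surfaced at triage
    helpful: int = 0     # how often its outcome matched the eventual closure


@dataclass
class Directive:
    """Operational rule with MUST/NEVER/PREFER/AVOID modality and its origin."""
    modality: str
    trigger: str         # feature tag that activates the rule
    text: str
    source_ticket: str
    analyst: str


class MemoryStore:
    def __init__(self) -> None:
        self.cases: Dict[str, Case] = {}
        self.directives: List[Directive] = []

    # 1. forge: a closed ticket becomes a durable, attributed record
    def forge(self, case: Case) -> None:
        self.cases[case.ticket_id] = case

    def add_directive(self, d: Directive) -> None:
        self.directives.append(d)

    @staticmethod
    def _similarity(a: Set[str], b: Set[str]) -> float:
        """Jaccard overlap of feature tags (stand-in for a real similarity model)."""
        return len(a & b) / len(a | b) if a and b else 0.0

    @staticmethod
    def _weight(case: Case) -> float:
        """Laplace-smoothed hit rate: starts at 0.5 and moves with every closure."""
        return (case.helpful + 1) / (case.retrievals + 2)

    # 2. retrieve: top-k similar past cases as (ticket, confidence, outcome, analyst)
    def retrieve(self, features: Set[str], k: int = 5) -> List[Tuple[str, float, str, str]]:
        scored = []
        for c in self.cases.values():
            sim = self._similarity(features, c.features)
            if sim > 0:
                scored.append((c.ticket_id, round(sim * self._weight(c), 3), c.outcome, c.analyst))
        scored.sort(key=lambda t: (-t[1], t[0]))
        return scored[:k]

    # 3. outcome: the closure of the new ticket grades every case that was surfaced
    def outcome(self, retrieved_ids: List[str], closed_outcome: str) -> None:
        for tid in retrieved_ids:
            c = self.cases[tid]
            c.retrievals += 1
            if c.outcome == closed_outcome:
                c.helpful += 1

    # 4. directive: rules whose trigger matches the alert travel with it
    def directives_for(self, features: Set[str]) -> List[Directive]:
        return [d for d in self.directives if d.trigger in features]

    # 5. conflict: prior cases where this decision on a similar alert went badly
    def conflict(self, features: Set[str], decision: str) -> List[Case]:
        hits = [c for c in self.cases.values()
                if c.decision == decision and c.outcome in BAD_OUTCOMES
                and self._similarity(features, c.features) > 0]
        hits.sort(key=lambda c: -self._similarity(features, c.features))
        return hits


def build_demo_store() -> MemoryStore:
    """Constructed sample tickets; hosts, rules, users and analysts are made up."""
    store = MemoryStore()
    store.forge(Case("T-100", "senior", {"rule:psexec_lateral", "host:prod-db-01", "user:svc_backup"},
                     "closed_benign", "false_positive", "svc_backup runs PsExec nightly from backup-01"))
    store.forge(Case("T-101", "senior", {"rule:psexec_lateral", "host:prod-web-03", "user:jsmith"},
                     "isolate_host", "true_positive", "interactive user, no change ticket"))
    store.forge(Case("T-102", "l1", {"rule:psexec_lateral", "host:prod-db-01", "user:dba_admin"},
                     "isolate_host", "outage", "isolating prod-db-01 took down billing"))
    store.forge(Case("T-103", "l1", {"rule:bruteforce_ssh", "host:bastion-01"},
                     "closed_benign", "false_positive", "scanner noise"))
    store.add_directive(Directive("NEVER", "host:prod-db-01",
                                  "Never isolate prod-db-01 without DBA on-call sign-off", "T-102", "senior"))
    return store


def triage_demo() -> dict:
    """Walk one new alert through retrieve -> conflict -> directive -> outcome."""
    store = build_demo_store()
    alert = {"rule:psexec_lateral", "host:prod-db-01", "user:svc_backup"}
    first = store.retrieve(alert)                            # before any feedback
    guardrails = [c.ticket_id for c in store.conflict(alert, "isolate_host")]
    rules = [f"{d.modality}: {d.text} (from {d.source_ticket})" for d in store.directives_for(alert)]
    store.outcome([t[0] for t in first], "false_positive")  # analyst closes the new ticket as FP
    second = store.retrieve(alert)                           # same alert, scores have moved
    return {"first": first, "second": second, "guardrails": guardrails, "rules": rules}


if __name__ == "__main__":
    for key, value in triage_demo().items():
        print(key, value)
```

Running `triage_demo()` shows the feedback loop in miniature: the exact-match case T-100 leads the first retrieval at 0.5 confidence; after the new ticket closes as a false positive its score rises to 0.667 while the unhelpful T-102 drops from 0.25 to 0.167. The conflict check flags T-102 (an isolation of prod-db-01 that caused an outage) before anyone isolates the host again, and the NEVER directive that was captured from that incident travels with the alert, attributed to its source ticket and analyst.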
Works With Your Existing Stack
Recall is not a rip-and-replace. It sits alongside your SIEM and SOAR, enriching alerts at triage time and capturing reasoning at ticket close. Connectors ship for the tools your team already uses.
Splunk
Design partner: Bidirectional connector. Ingests closed notable events and enriches open ones through the Splunk SOAR workflow.
Microsoft Sentinel
Design partner: Native Logic Apps action plus incident overlay. Analysts see Recall context in the Sentinel incident pane.
Elastic Security
Roadmap: Kibana overlay plus detection rule enrichment. Scheduled after the first Splunk and Sentinel design partners land.
Not Another AI SOC Tool
The AI-for-SOC market is crowded with agentic investigators. Recall is a different architectural layer — the memory underneath every agent your team already trusts.
What Recall Is Not
Not an AI SOC analyst
Dropzone, Prophet, and Intezer investigate alerts. Recall captures what their investigations teach you, so every future investigation — human or agent — gets faster.
Memory-first, not agent-first
Your SOAR does automation. Your SIEM does detection. Your agents do triage. None of them remember what your team already knows. Recall is the layer underneath.
Provenance you can audit
Every retrieved pattern carries its source ticket, outcome history, and analyst attribution. Built for regulators who ask how you made the decision, not just what the decision was.
We're Selecting Five Design Partners.
Recall is in early access. We are looking for five SOC teams willing to shape the product in exchange for hands-on access, preferential pricing, and direct founder collaboration.
Ideal fit: mid-market SOC (10–50 analysts), running Splunk or Microsoft Sentinel, with an operational pain around knowledge transfer or analyst onboarding.
Commitment: ~2 hours per week of feedback for 90 days. No license fee during the pilot.
01. Free 6-month pilot
No license fee during the design-partner phase. Give feedback; get the product built around your workflow.
02. Direct founder access
Weekly sync with the founding team. Ship requests become product decisions in days, not quarters.
03. Co-designed schema
Your SOC's incident taxonomy, severity model, and retention rules are preserved, not flattened into ours.
04. Lifetime design-partner pricing
Early collaborators lock in a preferential rate when the commercial tier opens.
Research That Earns Its Product.
Recall is the first applied output of ekkOS Labs. The memory substrate was built in production against a real workload before it was ever pointed at security. The research comes with receipts.