Syanpse

Synapse | SOAR

Synapse is the incident response, case-management, and orchestration core of the ecosystem. It converts high-confidence detections from Amygdala XDR® and Locus NDR into structured, collaborative cases: reconstructing the incident timeline, tracking indicators, assets, and evidence, and coordinating responders,while driving orchestrated and automated response through its API and integration modules. Every action is captured in an auditable case record, so investigation, containment, and reporting all happen in one governed workspace rather than across scattered notes and consoles.Where a detection tool tells an analyst that something happened, Synapse organises the entire response around it. Cases can be opened automatically from a detection, enriched on ingest, worked collaboratively by a team, and closed with an audit-ready report, all while playbooks and connected tools carry out approved response actions.

From Detection to Governed Response

A detection from Amygdala XDR® or Locus NDR can open a case automatically, carrying its evidence, ATT&CK context, and indicators with it. Enrichment modules run on ingest to add threat-intelligence and reputation context. Responders then work the case collaboratively, building the timeline and assessing scope, while the orchestration layer invokes response actions through connected systems, such as isolating an endpoint via Amygdala XDR® active response or blocking an address at the firewall. High-impact steps pause for human approval, so speed never comes at the cost of control.

Key Features

IOC and asset management

Indicators of compromise and affected assets are catalogued, linked to cases, nd correlated across incidents to reveal repeat infrastructure and campaigns.

Collaborative case management

Responders create, triage, investigate, and resolve incidents together in a shared workspace, with task assignment and role-based ownership so nothing falls through the cracks.

Modular enrichment pipelines

Pluggable modules enrich cases and process uploaded evidence, for example threat-intelligence lookups and file or URL detonation, extending the platform without changing the core.

API-driven automation and orchestration

A full-coverage API lets playbooks and connected tools drive investigations programmatically, orchestrating response across firewalls, EDR, identity providers, and ticketing systems.

Evidence tracking and preservation

System images, network captures, and logs are collected, preserved, and analysed under a defensible chain of custody.

Incident timeline reconstruction

Events are added manually or via API to build a precise, sharable timeline that reconstructs exactly what happened and when.

Confidence-scored, human-governed response

High-confidence containment executes automatically, while approval gates and role-based authorisation keep ambiguous or high-impact actions under analyst oversight. ​

Response analytics and reporting

Events are added manually or via API to build a precise, sharable timeline that reconstructs exactly what happened and when.

Benefits

Faster time-to-contain.

For threat classes such as ransomware detonation or confirmed credential abuse, containment triggers within seconds.

Faster time-to-understand.

The full case (timeline, indicators, and evidence) assembles itself in parallel with containment, reducing blast radius and recovery cost

Governed automation.

Confidence thresholds and approval gates preserve human oversight for lowconfidence or high-impact events.

Audit-ready by default.

Every action is captured in a defensible case record for leadership, auditors, and regulators.

One governed workspace

Investigation, containment, and reporting happen together, replacing scattered notes and consoles.

Use Cases

Coordinated incident response

Run a full investigation, from first detection to closure, in one shared, auditable workspace.

Automated containment with oversight

Contain clear-cut threats instantly while routing ambiguous cases to an analyst for approval.

Campaign and repeat infrastructure analysis

Correlate indicators across cases to expose adversaries that return under new guises.

Audit-ready reporting

Produce defensible incident records and metrics for leadership, auditors, and regulators.

Ready to take your business to new heights?

Get in touch, and let’s make it happen.

FAQs

1. What does Synapse do?

It is the incident response and case-management hub, turning detections into structured, collaborative
cases and orchestrating response across connected tools.

Automatically from a high-confidence Amygdala XDR® or Locus NDR detection, or manually by an analyst.
Enrichment runs on ingest.

Yes, through its API and playbooks. High-confidence containment runs automatically; high-impact actions
pause for human approval.

Firewalls, EDR, identity providers, and ticketing systems, plus Amygdala XDR® active response and Locus
NDR blocking

Yes. System images, network captures, and logs are collected and preserved under a defensible chain of
custody.

Yes. Responders triage, investigate, and resolve incidents together with task assignment and role-based
ownership.

Yes. Audit-ready reports and response metrics are generated directly from the case record.

Create your account