The Argos Platform: Norbert, Ptolemy and Magnet

Why don’t we use the term SIEM?

This is because our platform is not a SIEM and consists of many parts that are not typically found in a SIEM. We don’t utilize a SIEM system to perform our services. Our platform is broken down into many components that can easily be swapped out as we improve our services. Regardless of whether the feature is off the shelf or custom created, we evaluate every section with every upgrade to provide the best services possible.

The platform is split into 3 distinct categories that represent the overall process:

Argos Platform


The Argos Platform is at the heart of the collection process. Our system collects data in many ways including Syslog, WMI, SMB Share, API connectors, etc. Argos can be quickly enhanced to accommodate almost any need. Data is compressed (up to 96%) and transmitted, securely keeping your data safe while reducing the load placed on your internet connection. Argos aids in the quick and easy collection of data from your satellite offices with low bandwidth connections.

Processing & Enhancement

Data retrieved is processed, categorized, and enhanced using our Pipeline of systems we call the Haystack. Data runs through our ML models, profiling systems, and prepared to be presented with enriched data to our SOC Analysts.  Data remains in a distinct segregated pipelines ensuring your data is never mixed with another customer at processing or at rest.

Presentation & Communication

Our analysts gather automated intel and perform scouts (looking for data and trends that look out of place), and perform Hunts for laser target items. Our SOC Analysts manually review each and every automated alert to eliminate false positives. Based on a Playbook set up around your policies, we evaluate and escalate events directly with you via our Suspicious Activity Alert system integrated with Slack and Microsoft Teams. Additional steps are defined by you.

Ptolemy is our Threat Intelligence Aggregation System. It gathers, organizes and prioritizes threat reports found in both paid and free sources as well as discoveries from our 1MC Labs team.  We analyze IPs, URLs, Application Hashes, Virus & Malware Alerts and Signatures, and much more. This data is then used to encrich the data gathered from our customers.

Norbert provides AI/ML at scale looking for the unknown, odd patterns.  Norbert attempts to expose the “final bucket” that just doesn’t fit your corporate patterns.  Enhanced with the intel cateloged in Ptolemy,  norbert utilizes the latest in AI and ML practices to locate anomolies in real time as well as evaluate past data for newly emerging IoCs.

Like looking for a needle in a haystack, a Magnet can find the small items stuck in the belly of big data.  Magnet strips away the standards, looking for and identifying patterns in data that fit known IoCs.  The alerts are then sent directly to SOC Analysts to evaluate the larger picture and escalate as necessary.  Magnet utilizes intel directly from Ptolemy to ensure its looking for the most up to date IoCs.

Customer Portal

Our customer portal gives you direct access to your service level items such as the Playbook, Suspicious Activity Alerts, Tickets, Analyst Logs, Assets, Reports, and portions of our Ptolemy System.

The Customer Portal allows you to monitor your maturity growth and mold the services our SOC Teams provide you. We are in this together and we work hard to provide the tools to provide the best service possible for you.