Operations at conversational speed. Onboard sources, forge rules, replay history one config file at a time.
Caver Intelligence is a chat-style admin orchestrator built into the Caver platform. Type a natural-language command and the planner decomposes it into tool calls against the live stack: search, write configs, author CAVERN rules, backtest against 90 days of history, generate compliance artifacts. Every step is audited as an OCSF 6003 event. Ask a question and the assistant answers with a real, bounded query it ran against your lake, scoped to your own permissions.
13 operator primitives
11 operator · 2 foundationEach primitive is a discrete, audited tool call. The planner chains them to complete multi-step operator requests. All calls require explicit approval before dispatch.
onboard_sample operator Walk through adding a new log source end-to-end: collector config, OCSF mapping, index setup, smoke-test search.
nl_to_config operator Convert a natural-language description of a desired behavior into a caver.toml or collector pipeline stanza.
forge_rule operator Author a new CAVERN detection rule from a threat description, CVE, or ATT&CK technique. Commits to the rules store.
replay_against_history operator Backtest a proposed rule or SPL query against up to 90 days of stored events. Returns match count and sample hits.
lint_config operator Validate a caver.toml, collector pipeline YAML, or CAVERN rule file against the current schema before deployment.
enrich_text operator Resolve IOCs, CVEs, vendor names, and ATT&CK identifiers inline. Returns structured enrichment data from the TI feeds.
explain_rule_silence operator Diagnose why a CAVERN rule has not fired in a given window. Checks index presence, field mapping, threshold config, and schedule.
tune_threshold operator Analyze a rule's recent fire rate and false-positive ratio, then propose and apply a new threshold or risk-score adjustment.
start_canary operator Deploy a rule or config change to a designated canary search peer before rolling it to the full fleet.
pipeline_diff operator Compare two caver-collector pipeline configs (e.g., staging vs production) and surface semantic differences.
compliance_report operator Generate a point-in-time compliance artifact: enabled rules, covered ATT&CK techniques, coverage gaps, and data-retention status.
search foundation Run an SPL, SQL, KQL, ES|QL, or LSQL query against the OCSF Parquet lake, the same engine behind Sigma content and the grounded AI assistant. Used internally by most operator primitives.
write_config foundation Atomically write or update a config file in the live Caver config store. Requires MANAGE_INTEL capability. Always audited.
Operator session screencast coming soon. Watch a new operator go from “I'm adding Zscaler proxy logs” to a deployed source config, a custom CAVERN rule, a backtest against 30 days of history, and a canary rollout in under 10 minutes. Sign up for evaluation access and we'll send the recording when it ships.
Grounded answers, open protocol
Two design decisions keep Intelligence honest: the assistant is grounded in real query execution, and every capability is exposed over an open protocol instead of a private API.
Every answer is a real query you can keep.
The assistant does not paraphrase documentation, it runs real queries. Ask a question and it first discovers which indexes are accessible under the caller's own permissions, generates and validates SPL, then runs a live bounded preview against the lake before it answers. The answer arrives with the query that produced it: keep it, re-run it, schedule it, or hand it to forge_rule. Discovery, validation, and execution all run RBAC-scoped, so the assistant can never exceed the caller.
The same 13 primitives over MCP.
The Caver MCP server wraps the 13 operator primitives as tools and exposes them over the Model Context Protocol, so Caver Intelligence works from any MCP-compatible client (Claude.ai desktop, Cursor, VS Code Continue) or from your own agents. Orchestrator and MCP server share one capability model: a tool visible in Intelligence is visible over MCP and vice versa, with the same plan approval gates and the same OCSF 6003 audit trail.
Frequently asked questions
Caver Intelligence ships as part of the main Caver commercial license. LLM inference costs are operator-supplied via your own API key. Contact matt@redeyesecurity.com to start an evaluation.