SOCVault — AI Security Assistant (Claude-Powered)

Conversations

Today

Why is my health score 68?

07:14 · 3 actions-8 credits

Fix my DMARC configuration

06:50 · 2 actions-5 credits

Show my AWS S3 exposure

05:30 · 1 action-3 credits

Yesterday

GDPR compliance gaps for audit

14:22 · 4 actions-12 credits

Explain SQL injection finding

11:08 · 1 action-3 credits

Run L2 scan on api.acmecorp.com

09:15 · 2 actions-7 credits

This Week

Approve malware quarantine #INC-0421

Mon · 1 action-2 credits

How to fix Nuclei CVE-2024-1234?

Mon · 0 actions-1 credit

US-121US-122US-123US-124US-125US-126US-127US-128US-129

🤖

SOCVault AI Assistant

claude-sonnet-4-6 · Aware of your assets, findings, and scan history · Context: acmecorp.com

acmecorp.com 8 credits used this session

🔒 This session is private to your tenant · Context loaded: 12 open findings, 8 agents, 4 domains

Why is my security health score 68? What are the biggest issues dragging it down?

-1 credit07:02 · Jane Doe

✦

SOCVault AI claude-sonnet-4-6

🧠 Reasoning — Analysing scan data for acmecorp.com 1.2s ▼

Let me look at what's pulling the score down. The tenant has 12 open findings across L1–L6. The scoring algorithm weights Critical findings at -8 pts each, High at -3 pts, Medium at -1 pt. Starting from 100: 3 Criticals = -24, 4 Highs = -12, 5 Mediums = -5, bonus for active SOC/SIEM = +8, bonus for 8 layers active = +5. That gives roughly 100 - 24 - 12 - 5 + 8 + 5 = 72... rounding to 68 when FIM and compliance gaps are factored in. Let me surface the exact top contributors clearly.

Your score of 68/100 (Grade C+) is being dragged down by 3 critical vulnerabilities that together account for approximately -22 points. Here's what's hitting you hardest:

1. SQL Injection on /api/search (L2) — worst offender
This is the single biggest score penalty. Any unauthenticated attacker can extract your entire database using a tool like sqlmap in under 5 minutes. This alone costs you 8 score points and puts £18,000 of liability on your exposure total.

2. BOLA vulnerability on /orders/{id} (L4)
Any logged-in customer can view any other customer's orders by changing the ID. Classic broken access control — costs you another 8 points.

3. Subdomain takeover on staging.acmecorp.com (L1)
A dangling CNAME pointing to an unclaimed Heroku endpoint. Attackers could host phishing content on your subdomain. -6 points.

The good news: your SOC is excellent — 12/12 agents active, SOAR working (+8 pts). Fix the three criticals and you'd jump to approximately 90/100.

🔍 Run fresh L2 Web AppSec scan to confirm SQL injection 3 credits

Triggers a targeted Nuclei + OWASP ZAP scan on /api/search and related endpoints. Results shown here when complete (~20 min).

📋 Show me all 12 open findings ranked by impact 1 credit

Pulls your current open findings from all layers, ranked by financial exposure.

🔧 Generate fix scripts for all 3 criticals 2 credits

Claude will generate copy-paste remediation scripts for SQLi, BOLA, and subdomain takeover.

07:02 · 1,842 tokens · cached: 1,104 · cost: 0.8 credits

Show me all 12 open findings ranked by impact

-1 credit07:04 · Jane Doe

✦

SOCVault AI claude-sonnet-4-6

🧠 Reasoning — Querying findings API, sorting by financial exposure 0.4s ▼

Here are all 12 open findings across your estate, ranked by financial risk. The top 3 alone account for £37,200 — over 78% of your total exposure:

📊 Open Findings — acmecorp.com · All Layers · Ranked by Exposure LIVE DATA

#	Finding	Layer	Severity	Exposure	Fix Time
1	SQL Injection — /api/search	L2	CRITICAL	£18,000	30 min
2	Subdomain takeover — staging.acmecorp.com	L1	CRITICAL	£10,000	5 min
3	BOLA — /orders/{id} access control	L4	CRITICAL	£9,200	2 hrs
4	DMARC policy set to 'none'	L1	HIGH	£9,500	5 min
5	IAM privilege escalation — dev-ci-role	L6	HIGH	£6,800	1 hr
6	3 S3 buckets with public access	L6	HIGH	£5,400	5 min
7	No rate limiting on /auth/login	L4	HIGH	£3,800	1 hr
8	Reflected XSS — /search?q=	L2	HIGH	£2,900	30 min
9	WordPress 6.3.1 outdated (3 CVEs)	L1	MEDIUM	£2,100	5 min
10	EBS volumes unencrypted (3)	L6	MEDIUM	£1,800	30 min
11	5 email addresses in data breach	L1	MEDIUM	£1,200	1 day
12	Directory listing on /uploads/	L2	MEDIUM	£800	5 min

Total exposure: £71,500 across 12 findings Fixable in <1 hour: £43,500 (61%)

⚡ Fix the top 3 quick wins (DMARC, subdomain, S3) now 4 credits

These 3 fixes take <15 minutes total and eliminate £25,000 of exposure. Claude will generate exact DNS records, CLI commands, and config files.

07:04 · Action executed: GET /api/findings?tenant=T-0A3F · 2,104 tokens · 1 credit used

Generate the fix script for the SQL injection. I want to apply it now.

-2 credits07:08 · Jane Doe

✦

SOCVault AI claude-sonnet-4-6

🧠 Reasoning — Generating context-aware SQLi fix for FastAPI + SQLAlchemy stack 1.8s ▼

Based on your tech stack (FastAPI + SQLAlchemy detected by L2 scan), here's the exact fix for POST /api/search. I've included three layers of defence:

🔧 SQLi Remediation Script — /api/search · FastAPI/SQLAlchemy AI GENERATED

Layer 1 — Parameterised query (eliminates root cause)

# ❌ VULNERABLE — current code in /api/routes/search.py @router.post("/api/search") async def search(q: str = Body(...)): result = await db.execute(f"SELECT * FROM products WHERE name = '{q}'") # ✅ FIXED — parameterised query from sqlalchemy import text @router.post("/api/search") async def search(q: str = Body(..., min_length=1, max_length=200)): # Validate input first if not q.replace(" ", "").isalnum(): raise HTTPException(400, "Invalid search characters") result = await db.execute( text("SELECT * FROM products WHERE name ILIKE :q"), {"q": f"%{q}%"} ) return result.fetchall()

Layer 2 — nginx WAF rule (immediate protection while deploying code fix)

# Add to /etc/nginx/conf.d/waf.conf location /api/search { if ($args ~* "(union|select|insert|drop|delete|update|exec)") { return 403; } proxy_pass http://backend; }

Layer 3 — Test the fix

# Run this to verify fix is in place curl -X POST https://acmecorp.com/api/search -H "Content-Type: application/json" -d '{"q": "test''' OR 1=1--"}' # Expected: 400 Bad Request (not 200 with data)

✅ Verify fix — re-run targeted L2 scan on /api/search only 2 credits

After applying the fix, run this to confirm the SQLi is closed. Scan targets /api/search only — completes in ~3 minutes.

🎫 Create Jira ticket with this fix for your dev team 1 credit

Creates a Jira ticket in project SECURITY with this fix attached, assigned to dev team.

07:08 · Action executed: GET /api/findings/L2-SQLi-001/context · 3,241 tokens · 2 credits used

✦

SOCVault AI claude-sonnet-4-6

Analysing your security context…

Context:

🌐 acmecorp.com

🔍 Last L2 scan

☁️ AWS account

Run L1 recon scan now

Show my GDPR compliance gaps

What does CVE-2024-1234 mean for me?

Approve the pending malware action

Generate my board security report

Check if my SSL cert expires soon

Show SOC alerts from last 24h

Credits

Available Balance

247

credits

49% remaining of 500 bundle · expires 15 Jul 2026

Credit Bundles

$5.00 · $0.10/credit

200

$15.00 · $0.075/credit

Popular

500

$30.00 · $0.06/credit

Best value

2,000

$99.00 · $0.05/credit

What You Can Do

💬Ask any security question1 cr

📊Show findings / reports1 cr

🔧Generate fix script2 cr

🔍Trigger L1 recon scan3 cr

🕸️Trigger L2 VAPT scan5 cr

📋Compliance gap analysis3 cr

☁️Cloud posture check4 cr

✅Approve SOAR action2 cr

📄Board / exec report5 cr

🎫Create Jira ticket1 cr

This Session

Messages3

Actions triggered1

Credits used-8

Tokens (input)7,187

Cache hits82%

Findings addressed12