● security platform · SIEM · EDR · MITRE · MDR

A single cybersecurity hub. No zoo of tools.


Community OSS · Enterprise · Managed SOC 24×7
SOC · MSK · live · containment stage · active
EPS · live: 1.24M (+15%)
Alerts/24h: 2,184 (+18.6%)
Open incidents: 5 · MTTR 18m
Coverage: 84% (+5%)

Why another security platform

A SOC stitched together from 8 products means 8 invoices, 8 data models, 8 different APIs. Outsourced MSSP is a black box. We tried to take the best of both approaches.

alternative A

8 stitched-together products

  • Splunk + CrowdStrike + Palo Alto + Imperva + ...
  • Each one a separate API, dashboard, invoice
  • MITRE coverage tracked by hand in an Excel sheet
  • War-room in Slack without a structured incident timeline
  • Compliance — a separate consultant, billed extra
h3llo · security

Single platform

  • SIEM, EDR, NGFW, IPS, WAF, DLP — one console
  • MITRE ATT&CK coverage derived automatically from the rule feed
  • IRP with ready playbooks and an AI incident commander
  • Compliance dashboard for FZ-152/FSTEC/PCI/ISO
  • 1 data model, 1 invoice, 1 SLA
  • MDR 24×7 optional — our SOC stands watch
alternative B

Outsourced MSSP

  • Someone else's engineers on duty
  • Black box: unclear what they catch and miss
  • Industry MTTR median 1–4 hours
  • No access to raw logs or rule customization
  • Years of vendor lock-in
● platform modules · 15 in one console

SIEM, EDR, NGFW and 12 more — without tab switching

Connected data model: SIEM alert → incident with killchain → playbook → action item → compliance control. Not 8 products with integrations, but one platform with categories.

Operations · live SOC
01

SOC overview

Live event timeline, attack geo-map, KPIs: EPS, alerts/24h, MTTR, risk score. Single pane of glass.

02 · 24/7

MDR · live console

Chat with the on-duty SOC engineer + AI Atlas. Quick-actions: containment, isolation, blocklist push.

03

Incidents

Killchain timeline with MITRE tags at each step. Alert → incident → post-mortem → action item, fully linked.

04

SIEM

1.24M EPS · 90 days hot-storage · ECS format · ad-hoc query language. Saved hunts.

05

MITRE ATT&CK

14 enterprise tactics. Coverage in %, hits over 30 days, hot-techniques. Mapping derived automatically from the rule engine.

06

IRP · Playbooks

Ready playbooks: ransomware, credential stuffing, BEC, supply-chain, web defacement. Launch from an incident in 1 click.

07

Threat Intel

STIX 2.1 feed, MISP-compatible. IOC matching on streams. AI hunter agents: beaconing, DGA, LOLBin.

Defense · perimeter and hosts
01

NGFW

Zone-based, app-id, TLS decrypt optional. Auto rule generation from ML.

02

IPS / IDS

Suricata-style rules + our ML feed. Inline blocking, MITRE-mapped signatures.

03

WAF

OWASP Top 10 coverage, anti-bot, custom rules per site. Geo-blocking.

04

EDR

1,842 endpoints, process-tree analytics, behavior rules, isolation in 1 click.

05

DLP

Content classification (PII, code, secrets), DLP policies on endpoints and in traffic.

Management · risk + compliance
01

Vulnerability Mgmt

Continuous scan, CVE feed, exploit weather. Prioritization by asset criticality + KEV.

02

Assets

Auto-discovery: cloud, on-prem, endpoints. Inventory linked to incidents and compliance controls.

03

Compliance

FZ-152 / FSTEC / PCI DSS / ISO 27001 / GOST. Failed controls show up as incidents, action items auto-generated.

● MITRE ATT&CK · 14 tactics · live

Coverage — not on paper, but in the matrix

Every detection rule is mapped to a technique. Here are 5 of 14 tactics as a preview, numbers are live coverage in %. Hot techniques are highlighted — there's real traffic on those over the last 30 days.

tactic                  technique 1   technique 2   technique 3   technique 4   technique 5   technique 6   technique 7
TA0001 Initial Access   T1190 92%     T1566 96%     T1078 84%     T1133 78%     T1199 42%     T1091 56%     T1200 38%
TA0002 Execution        T1059 90%     T1204 82%     T1569 70%     T1610 64%     T1106 48%     T1129 60%     T1648 40%
TA0006 Cred Access      T1110 94%     T1003 78%     T1555 66%     T1552 72%     T1558 58%     T1187 52%     T1606 44%
TA0008 Lateral          T1021 86%     T1570 76%     T1534 62%     T1210 74%     T1080 46%     T1550 58%     T1563 38%
TA0011 C2               T1071 88%     T1573 82%     T1090 74%     T1568 76%     T1219 70%     T1095 62%     T1572 50%

Legend: coverage ≥ 80% · baseline coverage · hot — real traffic seen. Full 14×6 matrix — in the dashboard →
● use cases

Who this is for

01 / regulated
Regulated markets
Banks, public sector, telecom. Compliance dashboards for FZ-152/FSTEC/PCI/GOST out of the box. Air-gapped install optional.
02 / cloud-native
Cloud-native teams
K8s/serverless workloads, OTel logs, CI/CD incidents. EDR agents for containers and VMs, eBPF telemetry.
03 / mid-soc
Teams without a SOC
No 24×7 staff on duty? The Managed SOC tier: our SOC stands watch, you get ready-to-act incidents in Slack.
04 / hybrid
Hybrid infrastructure
On-prem servers + h3llo cloud + third-party providers. Universal SIEM collector + a single data model.
● 3 tiers

Community · Enterprise · Managed SOC

Community — the full platform up to 100K EPS. Enterprise — no limits and air-gapped. Managed SOC — our SOC is on duty 24×7, MTTD ≤ 5 min.

Community
Self-hosted platform without MDR. Full SIEM/EDR/NGFW/IPS/WAF/DLP, MITRE coverage, IRP. Up to 100,000 EPS.
0 ₽ · up to 100K EPS · up to 200 endpoints
  • SIEM up to 100K EPS
  • EDR up to 200 endpoints
  • NGFW · IPS · WAF · DLP
  • MITRE coverage · baseline playbooks
  • Compliance dashboards
  • Community support (Discord)
popular
Enterprise
Self-hosted without limits. Air-gapped, RBAC/ABAC, SSO, tamper-evident audit log, custom playbook builder, threat intel feeds.
from 240,000 ₽ / mo · 1M EPS · 1,000 endpoints
  • SIEM from 1M EPS · 90 days hot
  • EDR from 1,000 endpoints
  • Air-gapped install
  • RBAC/ABAC · SSO + SCIM
  • Custom playbook builder
  • Premium TI feeds
  • 24×7 product support
Managed SOC
Everything in Enterprise + our SOC on duty 24×7. MTTD ≤ 5 min (median), MTTR ≤ 20 min on typical incidents.
from 480,000 ₽ / mo · 24×7 SOC
  • Everything in Enterprise
  • L1/L2/L3 SOC on duty 24×7
  • Tier-1 response ≤ 60 seconds
  • MTTR ≤ 20 min on typical incidents
  • Threat hunting every week
  • Quarterly risk review
  • Dedicated SOC manager
● materials · free

Guides and case studies on SOC and detection

Real practices from the h3llo SOC team and our Managed customers. No fluff, no marketing.

All materials →
● quickstart

Launch a SOC in a day

Install the platform, connect sources, enable 500+ detectors with MITRE mapping, configure escalation. From zero to a production-grade SOC.

Download Community →
1

Install the collector

helm install h3llo-sec h3llo/security · one command. Supports any input (syslog, OTLP, ECS).
2

Connect sources

Cloud (CloudTrail/Audit), on-prem (Wazuh/agent), network (NetFlow), applications. Auto-discovery covers 80%.
3

Turn on detectors

500+ rules out of the box with MITRE mapping. h3 sec rules enable --all or selectively by tactic.
4

Configure escalation

Slack/Telegram/PagerDuty + war-room runbooks. The AI commander builds the incident timeline on its own.
● faq

What people usually ask

Is this XDR, SIEM, or what exactly?
It's a full-stack security platform: SIEM (1.24M EPS), EDR on hosts, NGFW/IPS/WAF at the perimeter, DLP, vulnerability management, MITRE ATT&CK coverage, IRP with automated playbooks, threat intel, and compliance reports — in a single console with a single data model.
Is there MDR (managed detection & response)?
Yes. On the Managed SOC tier, our SOC is on duty 24×7. MTTD ≤ 5 min (median), MTTR ≤ 20 min on typical incidents. Real engineers in the war-room, not a voice menu.
What MITRE ATT&CK coverage do you ship?
All 14 enterprise tactics. 4–6 techniques per tactic with real telemetry: coverage in %, hits over the last 30 days, hot-techniques highlighted. The full matrix is in the dashboard — the page shows a preview.
Which frameworks can we report against?
Out-of-the-box controls and dashboards: FZ-152 / FSTEC, PCI DSS 4.0, ISO 27001/27017, GOST R 57580, SOC 2, GDPR-ready (for AM/RS regions). Failed controls are tracked like regular incidents.
Can we integrate our own SIEM / EDR / TI feed?
Yes. SIEM — we accept Splunk HEC, ECS, OTLP logs. EDR — we install our own agent, but the alternative integration with CrowdStrike/SentinelOne/Carbon Black works (via connectors). TI — STIX 2.1 feed, MISP-compatible.
Air-gapped / on-prem — is that possible?
It is. The Enterprise tier installs inside your perimeter, with updates delivered via an offline bundle. SOC dashboard, MITRE data, ML models — all local. Typical deployment takes 1 day.
● one hub · one MTTR

A SOC that won't sleep through an attack

SIEM, EDR, NGFW, IPS, WAF, DLP, MITRE, IRP — in one console. Your SOC or ours is on duty. MTTD ≤ 5 min, MTTR ≤ 20 min on typical incidents.

Download Community → · Engage Managed SOC