Documentation

Product documentation, workflow guidance, and operator reference.

One place for daily security operations

Use ClearSOC to monitor posture, review AI-assisted mitigation decisions, investigate entities in context, and manage the controls that shape response behavior.

Built for operators and reviewers

This guide is written for security operators, analysts, admins, and read-only reviewers who need a clear, reliable way to use the product day to day.

Start with workflow, then page details

Read the platform workflow first, then use the page-specific sections to understand when to use each surface and what action belongs there.

What ClearSOC helps you do

ClearSOC brings together monitoring, analysis, review, investigation, reporting, and governance in one workspace. It is designed to help teams move from signal to decision without switching constantly between disconnected tools or views.

In practice, most users will use ClearSOC to answer four questions:

  • What is happening now? Use the Dashboard and Analysis views to understand posture and traffic patterns.
  • What needs attention? Use AI Decisions to review the current queue of blocked, watchlisted, and analyst-touched entities.
  • Should we act? Use Investigation Workspace to validate evidence before changing enforcement.
  • How should the platform behave? Use the Admin control plane to manage settings, prompts, notifications, roles, and guardrails.

ClearSOC is best used as an operational workspace, not just a reporting surface. Reports support handoff and review, but the main workflow lives in the interactive pages.

How to orient yourself in the product

Most users begin with the Dashboard, then move into Analysis, AI Decisions, or Investigation Workspace depending on what they find.

  1. Sign in and open the left navigation to see the main product areas.
  2. Start on Dashboard to understand the current operating state and what changed most recently.
  3. Open Analysis when you need to explore traffic behavior in more detail.
  4. Open AI Decisions when you need to review the current mitigation queue.
  5. Open Investigation Workspace before making a higher-impact decision, especially for ASN or TLS actions.
  6. Use Reports for summaries, historical review, and shift handoff.
  7. Use Admin only when you need to change controls, policies, prompts, or user access.

Admin

Can manage settings, users, notifications, and audit views.

Analyst

Can review activity, investigate entities, and work within the operational workflow, with fewer configuration permissions.

Read-only

Can review the workspace and understand current posture without making changes.

The operator journey

ClearSOC is easiest to understand as a repeatable workflow.

1. Monitor

Start with the Dashboard to understand current posture, recent changes, and whether conditions are stable, elevated, or urgent.

2. Analyze

Use Analysis to inspect patterns by time range, hostname, and supporting telemetry when the top-level view is not enough.

3. Review Decisions

Use AI Decisions to see what the system is currently blocking, watching, or flagging for review.

4. Investigate

Open Investigation Workspace to validate an entity in context before changing enforcement.

5. Act

Apply a decision when appropriate. Actions are intentionally simple so the operator intent stays clear.

6. Report And Govern

Use Reports, Notifications, and Admin surfaces to support handoff, routing, policy control, and safe operation over time.

  • block: Use when the entity should be actively denied.
  • keep_in_watchlist: Use when the entity is suspicious and should remain under review.
  • remove_from_watchlist: Use when the entity no longer needs active review.

Operator caution: IP actions are usually more straightforward. ASN and TLS actions can have wider impact and should be reviewed more carefully.

Use the Dashboard to understand current posture

Best used for: quick situation awareness, prioritization, and deciding where to go next.

The Dashboard is the main command view. It brings together overall posture, recent changes, activity highlights, and shortcuts into the rest of the workspace.

  • Check whether the platform is stable, elevated, or under active pressure.
  • See the most recent changes that may require attention.
  • Use the recommended next action to move into the right workflow quickly.
  • Review summary metrics and visual context before starting deeper analysis.

Use Dashboard to orient yourself. If you already know which entity or pattern you need to inspect, move directly into Analysis or Investigation Workspace.

Use Analysis to explore traffic and supporting context

Best used for: pattern review, telemetry exploration, and deeper validation before acting.

Analysis gives you a wider operational view than the Dashboard. It is meant for understanding traffic behavior, narrowing scope, and identifying what deserves closer review.

  • Filter by time range and hostname to focus the review.
  • Study charts and KPIs without the urgency framing of the Dashboard.
  • Use it to confirm whether a spike, pattern, or concentration is meaningful.

Do not expect: Analysis is not the main action queue. When you are ready to review or change entity decisions, move to AI Decisions or Investigation Workspace.

Use AI Decisions to review the active queue

Best used for: reviewing what the platform has already flagged, blocked, or kept under review.

AI Decisions is the working queue for current entity decisions. It helps you separate what needs immediate attention from what simply needs careful review.

  • Filter by entity, type, state, severity, confidence, and hostname.
  • Review high-priority items first, then work through review-heavy entities.
  • See whether the workspace is in a mode that allows analyst overrides.
  • Open an entity in Investigation Workspace before making a higher-impact change.

Treat AI Decisions as the review queue, not the full evidence record. Investigation Workspace is where you validate context before acting.

Use Investigation Workspace before changing enforcement

Best used for: entity-level review, evidence validation, and careful decision-making.

Investigation Workspace is where you verify the recommendation on a specific IP, ASN, or TLS fingerprint. It brings together supporting evidence, relationships, and recent context in one place.

  • Review the recommended action, confidence, and reasons.
  • Inspect related hostnames, paths, ASNs, TLS fingerprints, and linked entities.
  • Use the evidence view to decide whether the recommendation is justified.
  • Apply a manual override when the current mode allows it.

Use extra caution: ASN and TLS actions can affect a broader footprint than an IP action. Validate carefully before blocking.

Use Reports for summaries, review, and handoff

Best used for: daily review, weekly trend checks, monthly summaries, and shift handoff.

Reports provide AI-generated summaries of recent activity. They are useful for understanding what happened over a period, what stood out, and what might require follow-up.

  • Switch between daily, weekly, and monthly summaries.
  • Review key metrics, notable events, and major patterns.
  • Use reports to support communication, trend review, and operational continuity.

Do not expect: Reports are not the right place for real-time triage. Use Dashboard, Analysis, and AI Decisions when you need to respond to current activity.

Use AI Assistant for guided questions and quick synthesis

Best used for: quick questions, summarized findings, and guided investigation support.

The AI Assistant lets you ask ClearSOC questions in plain language. It is useful when you want a faster read on recent activity, entity context, or queue behavior without manually assembling the answer yourself.

  • Ask about suspicious entities, recent attacks, confidence levels, or traffic patterns.
  • Use it to speed up review and summarization.
  • Use the answer as support for investigation, not as the only basis for a high-impact enforcement decision.

AI Assistant is helpful, but it should not be treated as unquestionable truth when the decision has broader operational impact.

Use Admin to manage controls safely

Best used for: configuration, policy control, prompt management, and operational guardrails.

The Admin area controls how ClearSOC behaves. It is where admins manage settings for models, mitigation behavior, reporting, notifications, prompts, and scheduler-related controls.

  • Core Controls: review and manage the main runtime settings.
  • Prompts: adjust the instructions used by assistant, mitigation, and reporting workflows.
  • Advanced: manage lower-frequency settings and secondary controls.

Not every setting takes effect the same way. Some apply immediately, some take effect on the next run, and some require a later service restart or scheduled cycle to become active.

Always check the setting scope before assuming a change is live. Admin is the control plane, so small changes can affect the whole workflow.

Use Notifications to route important events out of the app

Best used for: routing alerts, summaries, and operational signals to team channels.

Notifications lets admins configure outbound delivery to supported collaboration channels. Each destination can have its own filtering and noise-control rules.

  • Define what each destination should receive.
  • Set thresholds and suppression behavior to reduce noise.
  • Send tests and review recent delivery health from the same page.

Use Attack Scenarios to shape monitoring behavior

Best used for: controlling how the platform recognizes meaningful attack conditions and changes operating posture.

Attack Scenarios define the conditions that move the platform from normal monitoring into elevated or attack-focused review. They help determine when activity should be treated as more urgent.

  • Review which scenarios are enabled and which have triggered recently.
  • Create or tune rules to reflect the types of activity your team cares about most.
  • Use this page to reduce blind spots, but also to avoid creating noisy rules that over-escalate routine traffic.

Use AI Operations to review model activity and failures

Best used for: operational oversight of AI usage, request health, and model assignment.

AI Operations gives admins visibility into how AI-powered workflows are behaving. It is primarily a monitoring and audit surface for AI activity inside the platform.

  • Review request volume, usage patterns, and failures.
  • See which models are assigned to which workflows.
  • Use it when troubleshooting AI behavior or confirming that workflows are healthy.

Manage access and review administrative history

Best used for: access control, password hygiene, and reviewing who changed what.

These pages support governance. Admins can manage user access and review recent administrative actions without leaving the product.

  • Users: create accounts, assign roles, activate or deactivate access, and require password resets.
  • Activity: review the administrative history of changes, filtered by user, target, or date.
  • Password: manage credential updates for the active account.

Use exports and raw tables for supporting review

Best used for: external review, validation, and low-level inspection when the main UI is not enough.

Some views support export so teams can move queue results into other review or reporting workflows. ClearSOC also provides raw table views for selected operational data.

  • Use exports when you need to share current queue state outside the app.
  • Use raw tables for troubleshooting, validation, or direct inspection.
  • Prefer the main operational pages first. Raw tables are supporting tools, not the primary workflow.

Recommended workflow and common cautions

A strong ClearSOC workflow is deliberate. The goal is to move quickly without skipping the evidence review that prevents unnecessary enforcement.

Use Dashboard first

Start there when you need a fast understanding of posture, urgency, and what changed recently.

Use Analysis for validation

Move there when a signal needs more context or when you want to understand the wider traffic pattern.

Use AI Decisions as the working queue

Review the current queue there instead of treating the Dashboard or Reports as the place to manage entity actions.

Use Investigation Workspace before higher-impact action

Especially for ASN and TLS decisions, validate carefully before blocking.

Use Reports for handoff, not live triage

Reports are useful for summaries and trend review, but not for deciding what to do right now.

Use Admin carefully

Check whether a setting is immediate or delayed before assuming the platform has changed behavior.

  • Prefer evidence-backed actions over speed when the blast radius is large.
  • Be more cautious with ASN and TLS actions than with IP actions.
  • Use AI Assistant as support, not as a replacement for operator judgment.
  • Review notification routing and AI health after important configuration changes.
  • Keep the workflow simple: monitor, analyze, review, investigate, act, report, then adjust controls if needed.