Built by SOC practitioners, for SOC teams.
LockBase Cyber builds production-grade security agents for Microsoft Security Copilot. Our work is grounded in years of cross-vendor SOC operations — running CrowdStrike Falcon as the active EDR, Microsoft Defender as the passive telemetry layer, and Microsoft Threat Intelligence for enrichment — and the daily reality that one console is never enough.
What we stand on.
- [ WHAT WE BELIEVE ] 01 / 03
Most XDR is just dashboard consolidation.
The hard part — treating two vendors' detections as complementary signals on the same incident, surfacing what neither alerted on, and coaching an analyst from question to closed ticket — still requires real engineering. That's the gap we close.
- [ WHO WE SERVE ] 02 / 03
SOC managers, detection engineers, and threat hunters.
We target the practical Falcon-active / Defender-passive deployment that most enterprises actually run, not a vendor-pure ideal. Our agents come out of real triage queues, designed by analysts who needed answers, not more dashboards.
- [ HOW WE SHIP ] 03 / 03
Production-grade, source-labeled, no marketing fluff.
Every agent we publish goes through the same Microsoft Partner Center review as Microsoft's own. Every finding our agents return is labeled with its data source — Falcon, Defender, MDTI — so analysts can trace any claim back to the underlying alert or telemetry.
What we ship today.
- [ AGENTS ] 02
Agents shipped to the LockBase catalog — LOX (cross-EDR investigation) and LEX (exposure intelligence).
- [ HUNTING SKILLS ] 171
Named hunting and enrichment skills across the catalog — one named capability the agent invokes inline, never raw KQL.
- [ INTEGRATIONS ] 09
Distinct security products our agents talk to today — CrowdStrike, the full Microsoft Defender suite, Entra, Intune, MDTI, Sentinel.
Want to talk to a human?
We work directly with security teams to deploy agents, build custom hunting skills, and develop detection engineering for cross-vendor gaps. Email us — we read every message.