13 operator primitives · OCSF 6003 audit trail · any LLM provider

Operations at conversational speed.
Onboard sources, forge rules, replay history, one config file at a time.

caver Intelligence is a chat-style admin orchestrator built into the caver platform. Type a natural-language command and the planner decomposes it into tool calls against the live stack: search, write configs, author CAVERN rules, backtest against 90 days of history, generate compliance artifacts. Every step is audited as an OCSF 6003 event.

How it works: operator prompt → planner → tool registry → dispatch → audit

[Diagram: operator intent → Intelligence Planner → live stack change]

Operator intent → live stack change
Add Zscaler proxy source → onboard_sample runs
Forge rule: lateral RMM → forge_rule commits
Why is rule X silent? → explain_rule_silence
Generate SOC-2 report → compliance_report
Diff staging vs prod → pipeline_diff shows
Tune threshold to 3-sigma → tune_threshold applies

Intelligence Planner: plan · approve · dispatch · audit · 13 operator primitives · safety gates · OCSF 6003 audit

primitives: 13 (11 operator + 2 foundation)
plan approval: always (operator confirms before dispatch)
audit: OCSF 6003 (every tool call logged)
LLM: BYO (Anthropic · OpenAI · Ollama)

13 operator primitives

11 operator · 2 foundation

Each primitive is a discrete, audited tool call. The planner chains them to complete multi-step operator requests. All calls require explicit approval before dispatch.

onboard_sample (operator)

Walk through adding a new log source end-to-end: collector config, OCSF mapping, index setup, smoke-test search.

nl_to_config (operator)

Convert a natural-language description of a desired behavior into a caver.toml or collector pipeline stanza.

forge_rule (operator)

Author a new CAVERN detection rule from a threat description, CVE, or ATT&CK technique. Commits to the rules store.

replay_against_history (operator)

Backtest a proposed rule or SPL query against up to 90 days of stored events. Returns match count and sample hits.

lint_config (operator)

Validate a caver.toml, collector pipeline YAML, or CAVERN rule file against the current schema before deployment.

enrich_text (operator)

Resolve IOCs, CVEs, vendor names, and ATT&CK identifiers inline. Returns structured enrichment data from the TI feeds.

explain_rule_silence (operator)

Diagnose why a CAVERN rule has not fired in a given window. Checks index presence, field mapping, threshold config, and schedule.

tune_threshold (operator)

Analyze a rule's recent fire rate and false-positive ratio, then propose and apply a new threshold or risk-score adjustment.

start_canary (operator)

Deploy a rule or config change to a designated canary search peer before rolling it to the full fleet.

pipeline_diff (operator)

Compare two caver-collector pipeline configs (e.g., staging vs production) and surface semantic differences.

compliance_report (operator)

Generate a point-in-time compliance artifact: enabled rules, covered ATT&CK techniques, coverage gaps, and data-retention status.

search (foundation)

Run an SPL, KQL, LogQL, ES|QL, or SQL query against the OCSF Parquet lake. Used internally by most operator primitives.

write_config (foundation)

Atomically write or update a config file in the live caver config store. Requires MANAGE_INTEL capability. Always audited.

Operator session screencast coming soon. Watch a new operator go from “I'm adding Zscaler proxy logs” to a deployed source config, a custom CAVERN rule, a backtest against 30 days of history, and a canary rollout in under 10 minutes. Sign up for evaluation access and we'll send the recording when it ships.

13 operator primitives · 4+ LLM providers · OCSF 6003 audit event class · always plan gate · commercial license

caver Intelligence ships as part of the main caver commercial license. LLM inference costs are operator-supplied via your own API key. Contact [email protected] to start an evaluation.