ThreatBook Flocks

What is ThreatBook Flocks?

ThreatBook Flocks is a free, open-source, locally-deployed Agentic SecOps platform — a multi-agent system that runs SOC work autonomously. Where most "AI security" products are co-pilots that suggest next steps, Flocks is the analyst itself: it monitors alerts, queries devices, correlates findings across legacy and modern tools, files tickets, and closes the loop — without waiting to be prompted.

The pitch in the vendor's own words: "Your SOC needs a digital workforce, not another AI assistant."

The problem it tackles

Every SOC team in the world has the same four-headed problem:

• Alert overload — 80% of analyst time goes to triage, device queries, and chasing context
• Capability gaps — workflow orchestration needs senior expertise that doesn't scale
• Fragmented stacks — legacy and modern tools don't talk; investigations stay manual
• Knowledge loss — institutional know-how walks out the door with every role change

Flocks is built to absorb all four — by being the agent layer that operates across whatever stack you already own.

Architecture: 7 specialist agents

There's a Main Agent named Rex who plans and dispatches. Six specialist agents handle the actual work:

Plus 150+ integrated cybersecurity and coding tools baked in. When an API doesn't exist for a device, Rex can simulate a human logging into the web portal to retrieve the data.

How an alert flows through Flocks

The datasheet describes the autonomy mode in concrete terms: "Doesn't wait for prompts. Continuously monitors alerts, tasks, and progress, correlating events across time zones and accumulating institutional knowledge. Fully autonomous closed loop from data ingestion and triage to investigation and response."

In other words: alert in → verdict + remediation + ticket → closed. No analyst hand-holding required.

Six worked scenarios from the datasheet

1. Closed-Loop Alert Response. Triage decisions sit unactioned across scattered tools. Flocks chains platforms together to execute response and ticket routing — every alert reaches a verified outcome, not just a verdict.

2. Cross-Device Correlated Investigation. Stop logging into five tools to answer one question. Flocks pulls and correlates data from legacy and modern devices in one pass — "cutting investigation time from minutes to seconds."

3. Security Device Health Checks. Manual inspection leaves failures undetected for days. Flocks polls device status on a schedule, summarises findings, fully automates routine device ops.

4. Host Compromise Forensics. Emergency triage, compromise analysis, and forensic collection in one workflow — reconstructing the full attack chain "at machine speed before lateral movement spreads."

5. Intelligent Device Integration. Use natural language to integrate mainstream security devices via API — "cutting integration cost dramatically" compared to traditional onboarding.

6. Build Your Own Agents. Modular composition + low-code customisation + self-learning — build proprietary agents tailored to your enterprise's workflow without rewriting your stack.

"Investigates and responds autonomously. Orchestrates workflows intelligently. Operates devices like a human. Self-evolves over time."

Self-evolving capability accumulation

The "self-evolving" angle isn't marketing fluff — it's a specific architectural choice. Agents, skills, workflows, and tools can be generated in natural language and refined over time:

• Distils lessons from real-world operations (every closed incident updates the institutional model)
• Self-corrects on observed failures
• Builds SecOps capability tailored to YOUR enterprise — not a generic "AI SOC analyst" baseline

The lowered barrier-to-entry is the whole point: a junior analyst can teach Flocks a new playbook by describing it in English. No DSL, no YAML schema, no SOAR sales call.

Three ways to deploy

The unrestricted local-deploy + open-source codebase + API is the headline differentiator vs proprietary AI SOC products (SentinelOne Purple AI, Microsoft Security Copilot, CrowdStrike Charlotte AI) — Flocks runs on your hardware, you read the code, and you customise the agents.

Why APAC SOCs should care

ThreatBook's offices in Singapore, Hong Kong, China, and the UAE matter for regulated APAC enterprises in financial services, government, healthcare, and critical infrastructure. Same-region intelligence feeds + same-region engineering support + locally-deployed code = a vendor due-diligence story that maps cleanly onto MAS TRM (Singapore), HKMA cyber resilience (Hong Kong), RBI cybersecurity framework (India for ThreatBook's outreach), and PDPA frameworks across ASEAN.

The autonomy story also reads particularly well in the APAC labour market context: enterprise SOC teams in Singapore, Tokyo, Seoul, Sydney are perpetually short on senior analysts. Flocks is positioned as the work-multiplier rather than a hire-replacement, but the practical effect is the same — a small team can cover what would have needed a 24/7 staffed SOC of double the headcount.

Pricing

• Free + open source — GitHub clone, self-host on Windows/Mac/Ubuntu, full code control
• 10M free tokens/day for the first 30 days after onboarding the managed tier
• Enterprise — pricing on request via the ThreatBook Flocks product page

How it compares

Verdict

If you (a) run a SOC, (b) are tired of co-pilots that suggest things rather than do them, and (c) want code-control over the agents touching your security stack, Flocks is one of the only platforms in 2026 that ticks all three. The open-source / self-host posture is unique among the AI-SOC category — every competing product is closed-source SaaS. For APAC enterprises specifically, having the vendor in the same time zone with same-jurisdiction support is the closer.

Visit the ThreatBook Flocks product page or read the official datasheet for the demo + token-trial signup.