Close the loop.
Case management, a live war room, an evidence vault with chain-of-custody, playbooks, and an AI runbook generator — the analyst's home for working and closing incidents.
What Elm does.
Case management
Track every incident from first alert to closure with a structured case record — timeline, assignees, severity, and outcome all in one place.
War room (live collaboration)
Give the whole response team a shared real-time workspace — notes, tasks, and status updates without switching to a chat tool mid-incident.
Evidence vault with SHA-256 chain-of-custody
Attach artifacts, screenshots, and logs with cryptographic hashes so your evidence survives legal review and post-incident scrutiny.
Playbooks and runs
Author response playbooks in a visual editor, run them against live cases, and track every step with a full execution log.
AI runbook generator
Describe an incident type and get a draft runbook back in seconds — a starting point tuned to your stack that your team can own and extend.
MITRE coverage and SLA tracking
Map closed cases back to ATT&CK techniques and track mean-time-to-respond against SLA targets so leadership has the numbers they need.
How Elm works
1. Alert becomes a case
Alerts from Sandworm tools or your connected SIEM are promoted to structured cases with a single action. Elm populates the initial context — severity, affected assets, related alerts — so analysts start from a complete picture rather than a blank record.
2. Team convenes in the war room
The war room opens a shared workspace for the case: real-time notes, assigned tasks, and a live timeline. Every participant sees the same state, eliminating the parallel-Slack-thread problem that slows coordinated response.
3. Playbook runs the response steps
Elm triggers the relevant playbook — containment actions, stakeholder notifications, evidence collection — and executes steps automatically where automation is configured, queuing manual steps for the assigned analyst.
4. Case closes with a signed record
At closure, Elm produces a case record with a full timeline, all attached evidence with their SHA-256 hashes, the outcome classification, and the ATT&CK technique mapping — ready for an auditor, a post-incident review, or a legal hold.
Built for teams that work incidents, not just track them.
IR teams managing incidents end-to-end
One place to open, work, escalate, contain, and close — from the first triage action to the final post-incident report.
Automating the repetitive response steps
Wire playbooks to triggers and let Elm handle containment and notification steps your team runs the same way every time.
Leaders tracking SLA and ATT&CK coverage
Get MTTD, MTTR, and technique coverage in a dashboard instead of a spreadsheet built the night before a board meeting.
Regulated environments that require evidence integrity
Chain-of-custody hashing on every evidence artifact means you can hand an investigator or auditor a case record that accounts for every file, screenshot, and log from the moment it was attached.
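The mechanism the page describes for evidence integrity is simple enough to show end to end: hash each artifact with SHA-256 at the moment it is attached, record the hash in a case ledger, and re-hash later to check that what an auditor is handed is what the analyst attached. The following is an added illustration, not Elm's code; the `CaseLedger` class, the `GENESIS` sentinel and the sample artifacts are constructed for the example. It goes one step beyond the page's description by chaining each ledger entry to the previous one, so that deleting or reordering entries is detectable as well as editing a single hash.

```python
"""Illustrative SHA-256 chain-of-custody ledger for case evidence.

Added example, not the product's code. It models the mechanism the page
describes (hash at upload, record in a ledger, verify later) and adds a
hash chain across entries. All names and sample data are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # constructed sentinel used as "previous hash" for the first entry


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the raw artifact bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: dict) -> str:
    """Hash an entry's fields in canonical (key-sorted) JSON so that editing
    any field, including the recorded artifact hash or the analyst name,
    changes the entry's own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class CaseLedger:
    """Append-only record of artifacts attached to one case (hypothetical class)."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def attach(self, artifact_name: str, data: bytes, analyst: str,
               attached_at: Optional[str] = None) -> str:
        """Record an artifact at upload time and return its SHA-256.

        Each entry carries the digest of the previous entry, so the ledger is
        a hash chain: removing or reordering entries breaks verification.
        """
        entry = {
            "case_id": self.case_id,
            "artifact": artifact_name,
            "sha256": sha256_hex(data),
            "attached_by": analyst,
            "attached_at": attached_at or datetime.now(timezone.utc).isoformat(),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry["sha256"]

    def verify_artifact(self, artifact_name: str, data: bytes) -> bool:
        """True if the bytes presented now match the hash recorded at attach time."""
        for entry in self.entries:
            if entry["artifact"] == artifact_name:
                # constant-time comparison of the two hex digests
                return hmac.compare_digest(entry["sha256"], sha256_hex(data))
        return False  # never attached to this case: nothing to vouch for

    def verify_chain(self) -> bool:
        """True if every entry's digest and back-link to its predecessor are intact."""
        expected_prev = GENESIS
        for entry in self.entries:
            if entry["prev_entry_hash"] != expected_prev:
                return False
            if not hmac.compare_digest(entry["entry_hash"], _entry_digest(entry)):
                return False
            expected_prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Constructed walk-through: attach two artifacts, then alter first the
    artifact bytes and then the ledger itself, and see both get caught."""
    ledger = CaseLedger("CASE-0001")  # constructed case id
    auth_log = b"2024-05-01T10:02:11Z sshd[412]: Failed password for root from 10.0.0.7\n"
    screenshot = b"\x89PNG\r\n\x1a\n...constructed placeholder bytes..."
    ledger.attach("auth.log", auth_log, "analyst.a", "2024-05-01T10:05:00+00:00")
    ledger.attach("console.png", screenshot, "analyst.b", "2024-05-01T10:07:30+00:00")

    results = {
        "original_log_ok": ledger.verify_artifact("auth.log", auth_log),
        # one token changed in the "log" presented for review
        "edited_log_ok": ledger.verify_artifact("auth.log", auth_log.replace(b"root", b"r00t")),
        "chain_ok_before": ledger.verify_chain(),
    }
    # someone rewrites who attached the first artifact
    ledger.entries[0]["attached_by"] = "analyst.z"
    results["chain_ok_after_edit"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points worth noting: the digest comparisons use `hmac.compare_digest` rather than `==` so a verifier's timing does not reveal how much of a digest matched, and the ledger hashes its own entries, not just the artifacts, because an evidence record that can be silently edited after the fact is exactly what an auditor will ask about.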
Integrations
- SIEM
- ticketing (Jira / ServiceNow)
- Slack
- Truthsayer
- CloudGuard
- Sandworm SIEM
- Stillsuit
- Sandworm EDR
- Sandworm SASE
- Sandworm BAS
- Sandworm SCA
- Sandworm AI Security
- Sight
Frequently asked questions
- Where does Elm run — does it need its own infrastructure?
Elm runs as a backend service inside your Sandworm tenant, either on Sandworm-managed cloud or on-premises for Sovereign-tier deployments. There is no standalone SOAR appliance to provision. The war room and case workspace are delivered through the Elm desktop application — nothing to host separately.
- How is case evidence protected?
Every artifact attached to a case is hashed with SHA-256 at the moment of upload. The hash is recorded in the case ledger so any tampering is immediately detectable. Case data — notes, artifacts, analyst communications — lives in your tenant schema and is never accessible to other organizations. Storage is encrypted at rest; transit uses TLS.
- Is Elm sold separately or only in a bundle?
Elm is included in the Platform and Sovereign bundles. If you only need case management and SOAR, a standalone à la carte license is available. Visit /pricing for current rates — there is no per-case or per-playbook-run charge.
- What makes Elm different from using Jira or ServiceNow for incidents?
General-purpose ticketing tracks work items. Elm is built around the security incident lifecycle: structured timelines, cryptographic evidence integrity, ATT&CK technique attribution, playbook execution with step-level audit logs, and SLA tracking that maps to MTTD and MTTR — not sprint velocity. Alert context from the other ten Sandworm tools flows into a case automatically rather than being copy-pasted by an analyst.
- What does the AI runbook generator actually produce?
When you describe an incident type, Mendicant (which runs on frontier AI models — the in-house engine is in development) drafts a structured runbook: response steps, decision branches, and escalation criteria tuned to the scenario you described. The output is a draft, not a directive. Your team reviews, adjusts, and owns the runbook before it is ever triggered against a live case.
- What is coming next for Elm?
Active development includes richer automated playbook triggers that respond to real-time alert signals rather than manual activation, bidirectional sync with Jira and ServiceNow for teams that need both systems current, and a case-outcome analytics dashboard that surfaces false-positive rates and analyst workload trends over time. None of these are shipped yet.
Also in Sandworm.
Sandworm SIEM
Security information and event management with real-time correlation.
See Sandworm SIEM →
Automate the boring half of response.
Wire playbooks to your stack and let Elm handle the steps that eat analyst hours without adding value.