AIDR Platform v4: What's New Under the Hood
A Year of Shipping
The AIDR platform has seen over 30 major feature releases in recent months, culminating in v4.0. Here are the highlights that matter most for our customers — and the nerds who want to know what powers their security monitoring.
Multi-Provider AI Architecture
The biggest change in the platform is the shift to provider-agnostic AI. Organizations can now choose between Google Gemini for cloud-based analysis or Ollama for fully local, air-gapped AI processing. Switching between providers takes one click in the admin UI. Every AI action — from alert analysis to rule generation — is fully audit-logged for compliance and traceability.
Visual Playbook Builder
The SOAR component now includes a drag-and-drop workflow editor. Security playbooks can be built visually with action steps, conditional branches, and approval gates. An IntelliSense-style autocomplete suggests available variables from alert fields and previous step results, making playbook creation accessible even without scripting knowledge. Playbooks can be imported, exported, and backed up with full sync semantics.
Inline MITRE ATT&CK Mapping
Detection rules can now be mapped to MITRE ATT&CK techniques directly from the rule editor. AI assists with technique suggestions based on the rule logic. A full coverage navigator shows which techniques are covered and where gaps remain — down to the sub-technique level across all 609 items. Rules can be created directly from identified gaps with one click.
VirusTotal and MISP Integration
The AI Indicator Analyzer now enriches every IOC with VirusTotal reputation data, including vendor flagging thresholds and well-known IOC filtering to reduce noise. Indicators can be exported via MISP feed format for sharing with external platforms and partner organizations.
Cowrie Honeypot Configuration UI
The integrated SSH honeypot now has a full admin UI for configuration — SSH version presets, credential rules, and container lifecycle controls. No CLI access needed. Session intelligence feeds directly into the SIEM for campaign fingerprinting and attacker profiling.
Proxy Management and ICAP Scanning
The SSL-intercepting web proxy gained a complete admin interface. Domain policy groups manage categories like Social Media, Streaming, and Gambling with 405 preset domains. ICAP scanning now runs ClamAV and TIP hash lookups in parallel with per-stage timing metrics, providing full visibility into download inspection performance.
Auditd Noise Reduction
For Linux environments, expanded default ingestion filters now drop approximately 57% of auditd log volume while preserving all MITRE ATT&CK-relevant detections. This dramatically reduces storage costs and alert noise without sacrificing detection capability — a critical optimization for high-volume deployments.
Onboarding Guides
The admin interface now includes comprehensive onboarding guides covering 12 source types — from email (Gmail, Outlook, Microsoft 365 OAuth) to endpoint agents, DNS monitoring, and network devices. Each guide walks through setup step by step, replacing the old static policy pages.
Under the Hood
Thread safety improvements across the ingestion pipeline include monotonic clock-based batch flushing and shutdown safety nets. Syslog NUL-byte stripping handles malformed input from network devices gracefully. Twenty Python dependency updates address security patches. Database health monitoring now spans four dedicated tabs: overview, storage, optimization, and TIP database views.
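As an added illustration (not AIDR's own code), here is a minimal Python ingestion batcher showing two of the techniques named above: NUL-byte stripping of syslog frames and a monotonic-clock flush deadline, with a flush-on-close safety net. The class and method names, the constructed sample syslog frames and the list-backed sink are assumptions made for this example.

```python
import threading
import time

def sanitize_syslog(raw: bytes) -> str:
    """Strip NUL bytes (some network devices pad or terminate frames with them)
    and the trailing newline, then decode with replacement so one malformed
    frame cannot abort the whole ingestion pipeline."""
    cleaned = raw.replace(b"\x00", b"").rstrip(b"\r\n")
    return cleaned.decode("utf-8", errors="replace")

class SyslogBatcher:
    """Buffer messages and flush on size or on a deadline measured with
    time.monotonic(); a wall-clock (time.time()) deadline could stall or
    fire early when NTP steps the system clock. The clock is injectable
    so the behaviour can be tested deterministically."""
    def __init__(self, flush_interval=2.0, max_batch=100, clock=time.monotonic):
        self.flush_interval = flush_interval
        self.max_batch = max_batch
        self._clock = clock
        self._lock = threading.RLock()   # add/tick/flush may run on different threads
        self._buf = []
        self._deadline = None
        self.flushed = []                # constructed sink: each flushed batch is appended here

    def add(self, raw: bytes) -> bool:
        """Queue one frame; returns True if this frame triggered a size-based flush."""
        msg = sanitize_syslog(raw)
        if not msg:                      # frame was only NULs/whitespace: nothing to ingest
            return False
        with self._lock:
            if not self._buf:            # first message of a batch starts the deadline
                self._deadline = self._clock() + self.flush_interval
            self._buf.append(msg)
            if len(self._buf) >= self.max_batch:
                self.flush()
                return True
            return False

    def tick(self) -> bool:
        """Call periodically from a timer thread; flushes once the deadline passes."""
        with self._lock:
            if self._buf and self._clock() >= self._deadline:
                self.flush()
                return True
            return False

    def flush(self) -> None:
        with self._lock:
            if self._buf:
                self.flushed.append(self._buf)
                self._buf, self._deadline = [], None

    def close(self) -> None:
        """Shutdown safety net: never lose a partially filled batch on exit."""
        self.flush()
```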
What This Means for AIDR Customers
Every AIDR and MAIDR deployment runs on this platform. When we ship a new feature or security patch, it rolls out to all customer appliances automatically as part of our managed update process. You benefit from continuous improvement without lifting a finger.