[{"content":" Built by an MSP, for MSPs # Hal was created by Bitstream, a managed service provider that has been in the trenches since 2003. Eight employees, roughly 100 clients, about 3,500 users, about 3,500 endpoints.\nWe couldn\u0026rsquo;t afford a SOC. Native alerts were siloed across a dozen admin portals. Existing SIEM products were either too expensive or had no AI. So we built the tool we needed.\nWe built the four-tier detection pipeline to give our eight-person team the coverage of a 24/7 SOC. Then we realized every MSP our size has the same problem.\nWhy We Built This # MSPs are drowning in admin portals. M365, Google Workspace, Entra ID, RMM, documentation platforms, network gear — each one has its own alerting, its own console, its own blind spots.\nA suspicious sign-in in Entra ID doesn\u0026rsquo;t know about the forwarding rule in Exchange. A brute force attempt on a server doesn\u0026rsquo;t connect to the phishing alert in Google Workspace. The data exists, but nobody is correlating it.\nHal connects it all. One AI analyst that reads every log source, every five minutes, and tells you what actually matters.\nPhilosophy # Code must be beautiful, elegant, simple, and correct. We don\u0026rsquo;t ship shortcuts. Deterministic logic over fuzzy heuristics. If a problem has a structured solution, we use it. Open detection rules, not a black box. You can read every Sigma rule we run. Guaranteed read-only. We stake our reputation on it. MSPs only. We focus where we\u0026rsquo;re the obvious choice. ","externalUrl":null,"permalink":"/about/","section":"About","summary":"Built by an MSP, for MSPs # Hal was created by Bitstream, a managed service provider that has been in the trenches since 2003. Eight employees, roughly 100 clients, about 3,500 users, about 3,500 endpoints.","title":"About","type":"about"},{"content":"","externalUrl":null,"permalink":"/blog/","section":"Blog","summary":"","title":"Blog","type":"blog"},{"content":" Request a Demo # We\u0026rsquo;ll reach out within one business day to schedule a live demo with your own data.\nNo chatbot, no AI on this page. Simple form, human follow-up.\nFor immediate inquiries: support@runhal.com\n","externalUrl":null,"permalink":"/contact/","section":"Contact","summary":"Request a Demo # We\u0026rsquo;ll reach out within one business day to schedule a live demo with your own data.\nNo chatbot, no AI on this page. Simple form, human follow-up.","title":"Contact","type":"contact"},{"content":" Four-Tier Detection Pipeline # Every event flows through four layers — each one cheaper and more targeted than the next.\nTier 1: Noise Suppression — Static rules filter ~70% of known-safe events before anything else runs. Password changes, routine admin operations, service heartbeats. Zero cost, zero latency.\nTier 2: Pattern Detection — 574 open-source SigmaHQ community rules match known attack signatures. Brute force, credential stuffing, privilege escalation, suspicious mailbox rules. Deterministic, auditable, updated weekly from the public SigmaHQ repository. Zero AI cost.\nTier 3: AI Triage — A fast AI model reads the remaining events every five minutes. It evaluates each event summary in context: is this routine, or does it warrant investigation? Routine events are logged and dismissed. Suspicious events are escalated.\nTier 4: AI Investigation — A powerful AI model takes over. It autonomously searches logs, correlates across sources, checks device inventory, looks up documentation, verifies network IPs — and produces a detailed, client-ready report with severity rating and recommended actions.\nMulti-Source Coverage # Hal ingests and correlates across every major MSP log source:\nMicrosoft 365 — Exchange, SharePoint, OneDrive, Teams, Azure AD audit logs Google Workspace — Reports API audit logs and Alert Center security alerts Microsoft Entra ID — Sign-in logs, risk detections, directory audits via Graph API Windows Servers — Event logs via Sidecar/Winlogbeat (no kernel agent) Network Devices — FreeBSD router syslog over encrypted VPN tunnels Meraki WAN IP Correlation — Automatic tagging of corporate WAN IPs in investigations Cross-source correlation is where Hal excels. A suspicious sign-in leads to a device check in your RMM, a forwarding rule in M365, and a KB article in your documentation platform — all in one investigation.\nSlack Integration # Slack is the primary interface. No query language, no training required.\nAutomated alerts with severity levels posted to your team channel Plain English conversations — ask Hal about any client, any event Threaded investigations with full context Client notes: persistent facts injected into every analysis Watches: \u0026ldquo;check this user again in 20 minutes\u0026rdquo; Web chat available as a complement for browser-based access Self-Service Portal # A web portal for your team with full operational visibility:\nDashboard — health, costs, pipeline stats, infrastructure status Alerts — expandable security findings with report IDs and severity Usage — per-event AI cost tracking with API call drilldown Reports — PDF downloads for all investigations Log Sources — per-client source status with health badges Health — VM stats, service status, pipeline freshness, API reachability Settings — AI model selection, service management PDF Security Reports # Every investigation can produce a branded PDF report:\nPAdES-B-T digitally signed with RFC 3161 timestamps Cryptographic proof of when the report was generated and that it hasn\u0026rsquo;t been tampered with Client-ready — send directly without editing Verify any report online 365-Day Retention # Every log source, 365 days, fully searchable. Included in the platform fee — no premium tier required.\nSuitable for HIPAA, PCI, and CMMC compliance frameworks that require extended log retention.\nOpen Detection Rules # Tier 2 pattern detection uses SigmaHQ — the open-source, vendor-neutral, community-maintained detection standard. Every rule is publicly auditable. No proprietary black-box detection logic.\nRules update weekly from the public SigmaHQ repository. You can inspect exactly what is being detected and why.\n","externalUrl":null,"permalink":"/features/","section":"Features","summary":"Four-Tier Detection Pipeline # Every event flows through four layers — each one cheaper and more targeted than the next.\nTier 1: Noise Suppression — Static rules filter ~70% of known-safe events before anything else runs.","title":"Features","type":"features"},{"content":"","externalUrl":null,"permalink":"/","section":"Hal — AI Security \u0026 Operations for MSPs","summary":"","title":"Hal — AI Security \u0026 Operations for MSPs","type":"page"},{"content":" Core Log Sources — Included # Every Hal deployment includes ingestion and analysis for these sources:\nMicrosoft 365 # Audit logs from Exchange, SharePoint, OneDrive, Teams, and Azure AD. Detects mailbox rule changes, forwarding rules, file sharing anomalies, admin operations, and OAuth app consents.\nGoogle Workspace # Reports API audit logs plus Alert Center security alerts. Detects suspicious logins, forwarding rules, Drive sharing changes, admin operations, and phishing alerts.\nMicrosoft Entra ID # Sign-in logs, risk detections, and directory audits via Graph API. Detects credential attacks, impossible travel, risky sign-ins, MFA changes, and service principal activity. P1 license required for sign-in logs; P2 for risk detections.\nWindows Servers # Event logs collected via Sidecar and Winlogbeat — no kernel agent. Detects failed logons, privilege escalation, service installation, scheduled task creation, and security log clearing.\nNetwork Devices # FreeBSD router syslog over encrypted Tailscale tunnels — no public ports exposed. Detects firewall blocks, VPN connections, interface changes, and routing anomalies.\nMeraki WAN IP Correlation # Hourly polling of corporate WAN IPs from the Meraki Dashboard API. Hal automatically tags known client IPs in investigations — distinguishing office traffic from external threats.\nPaid Add-On Integrations # NinjaOne RMM # Real-time device intelligence during investigations:\nDevice lookup by hostname, IP, serial number, or username Patch status: pending OS and software updates Software inventory: full list of installed applications Active alerts: disk space, SMART failures, offline devices, AV issues Organization device listing with counts by type When Hal sees a suspicious sign-in, it verifies the device is managed and belongs to the expected client.\nHudu Documentation # Human-written context that logs don\u0026rsquo;t contain:\nCompany contacts: names, titles, phone, email Asset documentation: servers, workstations, network devices, VLANs Knowledge base articles Network information: WAN circuits, Active Directory domains, DNS When Hal investigates an alert, it checks who works at the company, what their network looks like, and whether there\u0026rsquo;s a known change window — context that transforms a raw alert into an informed assessment.\n","externalUrl":null,"permalink":"/integrations/","section":"Integrations","summary":"Core Log Sources — Included # Every Hal deployment includes ingestion and analysis for these sources:\nMicrosoft 365 # Audit logs from Exchange, SharePoint, OneDrive, Teams, and Azure AD. Detects mailbox rule changes, forwarding rules, file sharing anomalies, admin operations, and OAuth app consents.","title":"Integrations","type":"integrations"},{"content":" Platform Fee # Starting at $715/month. Annual commitment.\nIncludes: dedicated server, storage, maintenance, updates, all core log sources, 365-day retention, self-service portal, Slack integration.\nPer-User Pricing # Scales with your client base:\nUsers Per user/month Up to 50 $14 150 $7 500 $4 1,000+ $3 AI Costs — Bring Your Own Key # You create your own AI provider account and provide API keys. AI costs are billed directly to you by the provider — we never mark up AI costs.\nYou control your own budget caps, rate limits, and usage alerts. Full cost visibility in the self-service portal: every triage run, every investigation, every conversation — with per-call breakdown.\nRoutine triage runs automatically on the fastest model. You choose the investigation tier. Change tiers anytime from the portal — immediate effect, no contract change.\nTier Best For Est. Monthly AI Cost Budget Cost-sensitive MSPs, routine monitoring ~$130–540 Standard Most MSPs — client-facing reports ~$400–1,040 Premium High-value clients, active threat environments ~$630–3,300 We recommend Standard for most MSPs. AI cost estimates based on production data (April 2026).\nTotal Cost by MSP Size # What you actually pay — platform + AI combined, compared to alternatives.\nSolution Small MSP Mid MSP Large MSP ~50 users, ~5 clients ~500 users, ~15 clients ~2,000 users, ~50 clients Hal (total) ~$1,750/mo ~$3,700/mo ~$10,000/mo — Platform $1,415 $2,715 $6,715 — AI (BYOK, Premium) ~$330 ~$1,000 ~$3,300 Huntress (EDR + ITDR) $1,000 $8,000 $15,000 Arctic Wolf $3,700 $8,300 $16,700 Junior Analyst $8,300 $8,300 $16,600 24/7 SOC (outsourced) $10,000 $10,000 $30,000 Hal AI costs based on production billing (~$1,200/mo for 35 tenants on Premium tier). Competitor pricing from public list prices and industry estimates (April 2026).\nWhat\u0026rsquo;s included vs. not # Capability Hal Huntress MDR Arctic Wolf Junior Analyst M365 audit logs Yes Add-on (ITDR) Yes If configured Google Workspace Yes No Partial If configured Entra ID sign-in + risk Yes Add-on (ITDR) Yes If configured Router/firewall logs Yes No Partial If configured Windows server logs Yes Via EDR agent Partial If configured Cross-source correlation Automatic (AI) No Limited Manual Searchable retention 365 days 30–90 days 90 days Depends on SIEM Investigation reports Seconds (signed PDF) Incident summary Monthly Manual (30–90 min) 24/7 coverage Yes (automated) Yes (SOC) Yes (SOC) No (business hours) Pricing sources # Huntress: Public list prices — EDR $8.99/endpoint/mo, ITDR $4.80/identity/mo (huntress.com/pricing, April 2026) Arctic Wolf: Public sector list $200/user/year; commercial negotiated estimates $8–18/endpoint/mo (public sector price list, Feb 2025; industry estimates) Junior Analyst: ~$100K/year fully loaded (salary + benefits + tools). 48% report exhaustion, 15–25% annual turnover (ISC2 Cybersecurity Workforce Study, 2024) 24/7 SOC: Outsourced entry-level ~$120K–360K/year; in-house minimum viable (5–6 FTEs) ~$500K–750K/year Hal AI: Bitstream production billing, Anthropic console, Mar–Apr 2026 Add-On Integrations # Integration Description NinjaOne RMM Real-time device lookup, patches, software, alerts Hudu Documentation Company contacts, assets, KB articles, network info Pricing available on request.\nSetup Fee # $2,000–$3,000 one-time — covers provisioning, tenant onboarding, and Slack workspace integration.\nRequirements # Slack workspace — Hal posts all automated alerts and notifications to Slack AI provider API key — you provide your own key for full cost transparency Real-World Example: Same Investigation, Three Tiers # A credential attack against a financial services employee, analyzed at each tier:\nBudget Standard Premium Cost $0.15 $1.11 $1.66 Report length 3 pages 5 pages 4 pages Accuracy Overstated risk Deepest findings Most precise judgment Client-ready No — needs editing Yes Yes Standard delivers client-ready quality at 67% of Premium cost.\nRequest a demo →\n","externalUrl":null,"permalink":"/pricing/","section":"Pricing","summary":"Platform Fee # Starting at $715/month. Annual commitment.\nIncludes: dedicated server, storage, maintenance, updates, all core log sources, 365-day retention, self-service portal, Slack integration.\nPer-User Pricing # Scales with your client base:","title":"Pricing","type":"pricing"},{"content":"","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"We are a security company. Our platform monitors your clients\u0026rsquo; most sensitive data. We take that responsibility seriously.\nGuaranteed Read-Only # Hal never writes to your clients\u0026rsquo; systems. No endpoint agents, no kernel drivers. All API tokens are read-only scoped — you control the permissions and can verify them yourself.\nThe July 2024 incident that crashed 8.5 million machines cannot happen here — there is nothing to push, nothing to break.\nComplete Data Isolation # Every customer gets a dedicated server instance — not a shared multi-tenant cluster. No noisy-neighbor performance impact. No shared database, no cross-customer data access.\nChoose your datacenter region. Your data stays in that region.\nCredentials Never Touch a Public Site # Client credentials (M365 tenant IDs, GWS service account keys) are entered on your dedicated instance, behind authenticated access. They never pass through our marketing site or any shared infrastructure.\nEncryption # In transit. All data encrypted via TLS 1.3. Client log data flows over encrypted VPN tunnels or HTTPS. No log data traverses the public internet unencrypted.\nAt rest. All stored data resides on encrypted NVMe block storage.\nCredentials. API keys and secrets stored in environment files on your dedicated instance, never in shared databases or third-party credential stores.\nOpen Detection Rules # Pattern detection uses SigmaHQ — open-source, community-maintained, auditable. No proprietary black-box detection logic. Every rule update comes from the public SigmaHQ repository.\nDigitally Signed Reports # PDF reports carry PAdES-B-T digital signatures with RFC 3161 timestamps. Cryptographic proof of when the report was generated and that it hasn\u0026rsquo;t been tampered with. Suitable for compliance evidence and legal proceedings.\nVerify a report →\nFull Cost Transparency # Bring your own AI API keys — costs appear on your invoice, not ours. The self-service portal tracks every AI action: start time, end time, API call count, exact cost. No hidden fees, no markup on AI usage.\nNo Vendor Lock-In # Open-source SIEM engine Standard detection rules (Sigma) Your data on your dedicated server Switch AI providers without platform changes Business Continuity # Automated daily backups to geographically separate storage Hourly health checks monitoring ingestion, storage, and platform components Automatic service recovery via container health checks Dynamic lookback in ingestion pipelines recovers missed data after outages Compliance # SOC 2. We are pursuing SOC 2 Type I certification.\nHIPAA. We offer a Business Associate Agreement (BAA) for customers with healthcare clients.\nVendor security questionnaires. We maintain current responses to standard questionnaires. Contact us for a copy.\nThird-Party Dependencies # Provider Purpose Compliance Cloud hosting provider Dedicated server and block storage SOC 2 Type II Cloudflare TLS termination, DDoS protection SOC 2 Type II, ISO 27001 Tailscale Encrypted VPN for log ingestion SOC 2 Type II AI provider (customer BYOK) AI analysis SOC 2 Type II ","externalUrl":null,"permalink":"/trust/","section":"Trust \u0026 Security","summary":"We are a security company. Our platform monitors your clients\u0026rsquo; most sensitive data. We take that responsibility seriously.\nGuaranteed Read-Only # Hal never writes to your clients\u0026rsquo; systems. No endpoint agents, no kernel drivers.","title":"Trust \u0026 Security","type":"trust"}]