Bolt for your role
Bolt for the SOC — the SuperAgent that triages at the speed of paste
Triage at the speed of paste.
The crux
An alert fires. You paste the indicator. Bolt already knows what it is — hash, CVE, IP, JWT — defangs it, decodes it, identifies it on-device, and the background watches you set up are already running. One keystroke instead of six tabs.
Defang a URL or IP before it leaves your hands
Drop a live malicious URL or IP and Bolt hands you the defanged form — no auto-clicking, no accidental detonation — ready to paste into the incident ticket or the email to the team. Need it back? =refang reverses it.
Recognize a hash the moment you paste it
A bare hex blob in a log line is named on sight — Bolt recognizes it as MD5, SHA-1, SHA-256 or SHA-512 by length, no sigil needed — and the “Read as” switcher lets you flip a 32-hex value between MD5 and a compact UUID when you’re not sure which it is. Need it explicit? =hashid spells out the candidate types.
Decode a JWT locally — never paste it on a site
Paste a JSON Web Token from a captured request — no sigil, Bolt recognizes the shape — and it decodes the header and claims right in front of you, so you can read the alg and subject without pasting a credential into jwt.io or any other site.
base64 / hex decode an obfuscated payload
A base64 or hex blob from a phishing lure or a script is recognized on sight — no sigil — and decodes in place, revealing the URL or command hiding inside. Chain it: decode, then =defang the result before it goes in the ticket. No CyberChef round-trip.
Spot a CVE on sight — Tab to the advisory
A CVE id in an alert or a vendor email is recognized instantly as a vulnerability reference — typed bare, no sigil — and Tab opens the advisory page, so you stop copying it into a search bar just to find out what it is.
IPv4, IPv6, CIDR, ASN, MAC — named the instant you paste
Every network shape that lands in your queue — an IPv4 or IPv6, a CIDR range, an ASN, a MAC address — is recognized and classified on sight, typed bare with no sigil. Private vs public, how many hosts a block covers, whose AS it is. The cheat sheet you used to keep is built in.
Spot — and redact — a leaked secret in seconds
Run =secret over a blob from a leaked config or a pastebin and Bolt names the secret it contains — Stripe key, AWS key, token — and flags it sensitive so you can hand off a masked, shareable version instead of the live credential. =pem inspects a leaked certificate or key the same way.
Set a watch once — it runs in the background
Set a watch once with the `:` sigil and a native checker runs it in the background — TLS cert expiry (:cert), CISA KEV additions (:kev), new certificates in the transparency log (:crt), breach exposure (:hibp), domain expiry (:domain), file changes (:file). They surface in Bolt when something moves, so the slow-burn signals stop slipping through.
Ask a security question — get a cited answer
When you do need to reach out, =ask runs a real web search and gives you a short answer with numbered [1][2] citations you can open — so you can sanity-check a claim or get context on a fresh threat without leaving Bolt, and without taking the answer on faith.
You handle the most sensitive IOCs. It stays on-device.
Defang, decode, hash-ID and secret detection run locally, with zero network and zero tokens — the indicator you’re triaging never leaves your machine just to be understood. The watches (:cert :kev :crt :hibp) query their sources on your behalf, from your machine, never through Sparcle.
Recognition, decoding and defanging are pure local logic — no egress, no model, no waiting . The fastest answer is the one that never left the box.
If you escalate an IOC to AI, sensitive values are tokenized before the model sees them and restored in the answer — automatically, every time.
Every AI action is masked on-device before any model — so the analyst’s speed never becomes the security team’s exposure.
Detected sensitive values are tokenized before the prompt leaves your boundary
Use AI on real work without leaking the identifiers in it. Emails, card and account numbers, SSNs, phone numbers and keys are masked before anything reaches the model and restored in the reply — and when you point it at your own LLM, the rest stays inside your boundary too.
Put it on every SOC desk. Triage gets faster today.
Bolt is free to roll out across the team — defang, decode, hash-ID, CVE recognition and the native watches all work on day one. Every IOC you escalate to AI is masked before it ever reaches a model.
See it on your own data
Bolt runs inside your perimeter, on the LLM you choose.