Watchtower platform documentation
Log in at getwatchtower.io/login. Navigate to the Tools tab and connect your first security tool. Switch to Live mode using the toggle in the top bar. Alerts from your connected tools will begin appearing within 60 seconds.
The dashboard has 7 tabs: Overview (SOC health summary), Alerts (AI-triaged alert feed), Coverage (estate visibility), Vulns (vulnerability intelligence), Intel (threat intel), Incidents (correlated cases), and Tools (integrations). A sidebar with icon shortcuts is on the left.
Go to the Tools tab, click the tool you want to connect, enter credentials, click "Test Connection", then "Save". Supported tools: CrowdStrike, Defender, SentinelOne, Carbon Black, Splunk, Sentinel, QRadar, Elastic, Darktrace, Taegis XDR, Tenable, Nessus, Qualys, Wiz, Zscaler, Okta, Proofpoint, Mimecast.
Every alert is automatically triaged with a verdict (True Positive, False Positive, or Suspicious), a confidence score, an evidence chain, and recommended actions. In Live mode, expanding an alert triggers on-demand AI triage using your configured Anthropic key.
Three automation levels: Recommend Only (AI advises, humans act), Auto + Notify (AI acts and notifies you), Full Auto (AI acts silently). Available on the Essentials plan and above. All automated actions are fully audited and support one-click revert.
Go to Settings to add your Anthropic API key. The key is encrypted immediately and never shown again. For MSSPs, each client tenant can have its own key configured via Admin to ensure complete data isolation.
Visible to Enterprise/MSSP users. Shows all client tenants in one view with posture, alert counts, and revenue. Use the tenant switcher in the top bar to drill into any client context.
Contact support at support@getwatchtower.io. Community plan: community support. Essentials/Professional/Enterprise: direct email support with 24h SLA.