Platform · AI Assistant
One assistant across all eight modules. It draws your architecture, proposes your threat model, drafts your risks, assets, plans, and policies, and pauses on an approval card before anything is written. You bring the model. You keep the pen.
On it: one trust boundary, six nodes, four numbered flows.
Why it matters
Security teams spend their weeks extracting artefacts from other teams: an architecture diagram from engineering, the reasoning behind a design decision, a recovery plan from operations, a policy draft that everyone will review and nobody wants to write. Each one is a meeting, a follow-up, and a quarter of waiting. The expertise was never the problem. The friction was.
Alvor's assistant removes the friction without removing the people. Ask engineering for ten minutes, not a diagram: the Design Studio draws the architecture live while they describe it, and the interview behind Write with AI turns their answers into the design explanation. The threat model arrives as a proposal to review, not a workshop to schedule. And across every module, the record you'd otherwise type by hand, the risk, the asset, the plan, the exercise, arrives as a draft waiting for your approval. Stakeholders stop being bottlenecks and start being reviewers.
And the team stays in charge of every decision. The assistant is an alternative interface for the signed-in user, not a new principal: it sees only what you can see, writes only with your approval, and leaves an audit trail for everything it touches. The hours it saves go where they belong, into the judgment calls only your team can make.
Beyond the studios
The assistant works the entire platform, not just the studios. It answers from your data anywhere, and it can raise risks, register assets, draft plans and policies, schedule exercises, and escalate findings. Reads run inline; every write pauses on an approval card with the exact payload.
Every action maps one-to-one to something you could do in the UI, through the same permission-scoped services. If you can't do it, neither can the assistant.
“Raise a risk for the unpatched payments database.”
Approval required
Risk ManagementThe studios
A studio is the assistant docked beside the artefact, building it with you in real time rather than describing it back at you in chat.
Real, editable shapes on the live canvas: zones, nodes, numbered flows, icons, and a legend, in the style of an AWS or Azure reference diagram. Paste a whiteboard photo and a vision model recreates it as shapes you can edit.
It reads the diagram, registers STRIDE elements, proposes threats from your library before inventing new ones, and maps the controls that mitigate them. One approval card per batch; mapped controls become required, threat-driven build controls.
The studio describes what it sees on the diagram, asks a few focused questions at a time, and writes the structured design explanation into the live editor. One click exports the full design document, diagrams, BIA, threat model, and sign-offs, as a PDF.
An interview about your organization, audience, and frameworks, then a draft grounded in the compliance controls you actually run, applied to the editor step by step. You review, save, and publish through the normal approval flow.
The three design-side studios chain into one governed workflow: intake, diagram, explanation, threat model, sign-off. See solution architecture with AI.
The control model
The assistant is the signed-in user, never a new principal. It sees what you see, and permissions are re-checked on every call, so a revocation holds mid-conversation.
Nothing executes until you approve a card showing the exact payload. Typing 'yes' in chat approves nothing; only the button does.
Anthropic, OpenAI, Google, Azure OpenAI, Amazon Bedrock, or any OpenAI-compatible endpoint. Your keys, your data path, your provider's bill.
Every tool call, approval, and rejection lands in the audit log. Admins can switch write actions off, globally or per tool.
Ask across the whole program
The assistant joins records across modules, risk to asset, policy to control, process to vendor, so questions that span your program get answers from your data, not a stitching exercise.
Questions
Yours. Alvor is bring-your-own-model: an admin connects your organization's model provider, whether that is Anthropic, OpenAI, Google, Azure OpenAI, Amazon Bedrock, or any OpenAI-compatible endpoint. Requests go to the provider you configured, and model usage is billed by that provider rather than marked up by us. Vision features, like recreating a pasted diagram, require a vision-capable model.
Get started
Whether you lead security, run IT, manage compliance, or sit in the C-suite - we'll show you your view.