// INTEGRATIONS

Every tool your team uses.
Governed from day one.

ARX connectors are not API wrappers. Each one is a governance-aware integration that classifies operations by risk level, enforces per-agent permission scope, and captures structured compliance metadata from every call. Your agents use the tools they already call — with full governance wrapped around every action.

Every call intercepted before execution · Risk-classified by operation type · Full compliance metadata captured

Not a wrapper.
A governance layer.

Intercepts before execution

Every API call your agent makes passes through the ARX policy engine before it reaches the external system. Not logged after the fact — evaluated before it runs.

Risk-classified by operation

ARX knows that CrowdStrike contain_host is a higher-risk operation than get_detections. That classification is built into each connector. The policy engine uses it to decide what to permit, escalate, or block — automatically.

Compliance metadata captured

Every connector call writes structured metadata to the audit trail — system, operation, data type, risk score, human approval if required, result. This is what makes the Compliance Package Generator work.

Ten connectors. Your core security stack.

Full governance layer. Available day one.

EDR / XDR
CrowdStrike Falcon
Detection retrieval, host containment, incident management, threat intelligence, and IOC submission. contain_host classified as high-risk — requires human approval by default.
INCLUDES HIGH-RISK OPERATIONS

SIEM / LOG MANAGEMENT
Splunk
SPL search execution, notable event retrieval, alert management, and Enterprise Security integration. Query scope enforced per agent to prevent cross-tenant data access.
READ-OPTIMIZED

SIEM / SOAR
Palo Alto Cortex XSIAM
Alert ingestion, incident management, automated playbook triggering, and XSOAR workflow integration. Playbook execution classified as high-risk.
INCLUDES HIGH-RISK OPERATIONS

CLOUD SECURITY / CNAPP
Wiz
Cloud vulnerability queries, misconfiguration retrieval, asset inventory, risk score access, and issue management. Primarily read operations with full compliance metadata.
READ-OPTIMIZED

ITSM
ServiceNow
Incident creation, update, and closure. Change request management. CMDB queries. Incident closure classified as medium-risk — escalation available.
MEDIUM-RISK OPERATIONS

IDENTITY / PAM
Okta
User session queries, MFA status checks, group membership retrieval, and application access management. Session revocation classified as high-risk.
INCLUDES HIGH-RISK OPERATIONS

SIEM
Microsoft Sentinel
Incident retrieval and management, KQL query execution, analytics rule access, and threat intelligence integration. Full Microsoft security perimeter compatibility.
READ-OPTIMIZED

ITSM / PROJECT
Jira
Issue creation, update, status transition, and comment management. Security ticket lifecycle governance. Transitions enforced by policy rule per project key.
MEDIUM-RISK OPERATIONS

COMMUNICATIONS / HITL
Slack
Human approval routing, alert notifications, and incident channel management. Slack is the primary human-in-the-loop channel for ARX approval gates. Inbound approval decisions fed back into agent execution.
HITL CHANNEL

INCIDENT MANAGEMENT
PagerDuty
Alert triggering, incident escalation, on-call routing, and service status queries. Alert triggering classified as medium-risk with configurable escalation threshold.
MEDIUM-RISK OPERATIONS

100+ tools supported.
More added every sprint.

The following tools are supported via the ARX connector framework. Governance features (policy enforcement, audit trail, human approval gates) apply to all integrations. Tier 1 connectors include full security-domain risk classification. All others use the standard governance layer.

EDR / XDR
CrowdStrike Falcon, Microsoft Defender, SentinelOne, Carbon Black, Palo Alto XSIAM, Cybereason, Trellix, CrowdStrike CSPM, CrowdStrike Identity

SIEM / LOG MANAGEMENT
Splunk, Splunk SOAR, Microsoft Sentinel, Google Chronicle, Elastic Security, IBM QRadar, Cortex XSOAR, Datadog Security, Sumo Logic, Exabeam, LogScale, Securonix, Swimlane

CLOUD SECURITY (CNAPP / CSPM)
Wiz, Prisma Cloud, AWS Security Hub, AWS GuardDuty, AWS WAF, GCP Security Command Center, Lacework, Orca Security, Microsoft Defender for Cloud, Azure Sentinel SOAR

IDENTITY / PAM / ACCESS
Okta, Microsoft Entra ID, CyberArk, BeyondTrust, SailPoint, Duo Security, JumpCloud, OneLogin, Ping Identity, Microsoft Intune, Jamf, Varonis, BigID

APPSEC / VULNERABILITY MANAGEMENT
Checkmarx, Snyk, Tenable, Qualys, Rapid7, SonarQube, Veracode, Semgrep, GitHub Security, GitLab Security, Aqua Security, Trivy, Falco, Wazuh

NETWORK / EMAIL SECURITY
Proofpoint, Mimecast, Abnormal Security, Fortinet, Zscaler, Cloudflare, Netskope, Cisco Umbrella, Cisco Secure Endpoint, Claroty, Nozomi, Snort, Tanium

THREAT INTELLIGENCE
VirusTotal, Recorded Future, Mandiant, Shodan, GreyNoise, MISP, ThreatConnect, Hunter.io, Censys

ITSM / SOAR / COMMUNICATIONS
ServiceNow, Jira, Slack, Microsoft Teams, PagerDuty, Opsgenie, Twilio, Freshservice, Linear

GRC / COMPLIANCE
Drata, Vanta, Secureframe, OneTrust, KnowBe4, Atlassian Guard

SECRETS / VAULTS
HashiCorp Vault, 1Password, Bitwarden, AWS Secrets Manager, Azure Key Vault, Akeyless, Doppler, Infisical

Any tool via MCP.
Still governed.

ARX accepts agents that connect via the Model Context Protocol (MCP) — the emerging industry standard for agent-to-tool connectivity supported by Anthropic, OpenAI, Google, and Microsoft. Any MCP-connected agent gets the full ARX governance layer: policy enforcement, audit logging, and human approval gates.

TIER 1 NATIVE CONNECTORS

Security-domain risk classification built in. Know that contain_host is higher risk than get_detections. Full compliance metadata capture. Per-agent scope binding. Auto-generated compliance documentation.

MCP GATEWAY

Universal governance for any MCP-compatible tool. Policy enforcement, audit logging, and human approval gates applied to every call. Standard risk classification. The long tail of tools — governed.

Not all actions are equal.
ARX knows the difference.

LOW RISK — PERMIT AND LOG

Read operations. Data queries. Status checks. Alert retrieval. These are logged to the audit trail and permitted automatically. No human intervention required. Examples: Splunk search execution, Wiz vulnerability query, Jira issue retrieval.

MEDIUM RISK — CONFIGURABLE ESCALATION

Write operations and status changes. Ticket creation, incident updates, alert triggering. Configurable per agent — permit automatically or route to Slack for human review depending on your policy rules. Examples: ServiceNow incident creation, PagerDuty alert trigger, Jira status transition.

HIGH RISK — HUMAN APPROVAL REQUIRED BY DEFAULT

Operational actions with immediate real-world consequences. These pause agent execution and route to a human approver via Slack before any action is taken. Examples: CrowdStrike host containment, Okta session revocation, Splunk SOAR playbook execution.
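
A minimal sketch of the pre-execution gate these three tiers describe, added here as an illustration and not ARX's code or API. The Gate and Agent classes, the risk table and the create_incident name are assumptions, as is the choice to treat unclassified operations as high risk; the audit record carries a subset of the metadata fields listed earlier.

```python
from dataclasses import dataclass, field

# Constructed risk table. Only contain_host and get_detections are operation
# names from the page; create_incident is a hypothetical name.
RISK = {
    ("crowdstrike", "get_detections"): "low",
    ("crowdstrike", "contain_host"): "high",
    ("servicenow", "create_incident"): "medium",
}

@dataclass
class Agent:
    name: str
    scope: set                        # (system, operation) pairs the agent may call
    auto_permit_medium: bool = False  # per-agent policy for the medium tier

@dataclass
class Gate:
    audit: list = field(default_factory=list)

    def call(self, agent, system, operation, execute, approver=None):
        """Decide before execute() runs; return (decision, result)."""
        key = (system, operation)
        # Assumption: an unclassified operation fails closed into the high tier.
        risk = RISK.get(key, "high")
        approved = None
        if key not in agent.scope:
            decision = "block"        # outside this agent's permission scope
        elif risk == "low" or (risk == "medium" and agent.auto_permit_medium):
            decision = "permit"
        else:
            # Execution pauses here until a human answers; no answer means no.
            approved = bool(approver and approver(agent.name, system, operation))
            decision = "permit" if approved else "block"
        # The audit record is written before the external call is made.
        record = {"agent": agent.name, "system": system, "operation": operation,
                  "risk": risk, "human_approval": approved,
                  "decision": decision, "result": None}
        self.audit.append(record)
        if decision == "permit":
            record["result"] = execute()
        return decision, record["result"]
```

The `execute` callable stands in for the real connector call, and `approver` for the human approval channel; a blocked call never invokes `execute`.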

Ready to govern your agents?

Schedule 30 minutes with the founder.
mershard@arxsec.io · 945-372-8711