Skip to content

Merlin AI

Merlin AI is the preemptive, intent-aware AI engine of the Excalibur platform. It intercepts threats before they reach the target system by analyzing the intent behind every user action in real time. Merlin also enables deep historical investigation across sessions.

Why Merlin AI

Traditional security tools detect threats after they have already executed on the target system. Merlin takes a fundamentally different approach: because Excalibur sits as a streaming proxy between the user and the target, Merlin evaluates every action before it reaches the target system. Threats are intercepted and stopped preemptively — not detected after the damage is done.

For security teams:

  • Stop threats before they reach the target system — not after execution
  • Enforce JIT access scope in real time — Merlin knows what the user is supposed to do and detects deviations
  • Investigate user behavior across sessions with natural language queries through Merlin Investigate
  • Reduce alert fatigue with context-rich explanations instead of raw event data

For CISOs and compliance officers:

  • Enforce Zero Trust at the application layer, not just at the network perimeter
  • Maintain a complete audit trail of every flagged action and its resolution
  • Deploy AI entirely on-premise — your data never leaves your infrastructure

For partners and evaluators:

  • Differentiate from competitors with intent-aware detection that goes beyond pattern matching
  • Offer AI-powered security without requiring customers to share data with third-party cloud services
  • Support multiple protocols: web, SSH, and RDP sessions through a single platform

Key Capabilities

  • Merlin Detect

    Every user action is evaluated against its surrounding context — including the task description from JIT access requests. Merlin Detect flags actions that violate the intent of the application or the approved scope of the session, producing an ALLOW or CHALLENGE result in real time.

    Learn more

  • Intent-aware Architecture

    Merlin analyzes intent from two perspectives: the context of the action (what the application expects) and the content of the action (what the user actually does). This dual-perspective approach catches threats that rule-based systems miss.

    Learn more

  • Merlin Investigate

    An agentic investigation mode that lets security analysts query historical session data using natural language. Merlin Investigate combines intent-aware contextual data with cross-session analysis for rapid threat investigation.

    Learn more

  • Privacy-first Deployment

    No data is sent to external frontier LLMs. Use Excalibur SaaS with Merlin included — no GPU hardware needed — or deploy on-premise or within your own cloud subscription.

    Learn more

Protocol Coverage

The following table shows which protocols Merlin currently supports for real-time detection and historical investigation.

Protocol Merlin Detect Merlin Investigate
Web (Vitro)
SSH
RDP

Supported | Not yet supported

How It Fits Into the Excalibur Platform

Excalibur provides Streamed Access Management (SAM) built on Zero Trust Architecture. The platform isolates access to resources through protocol-agnostic streaming for SSH, RDP, VNC, and web targets.

Merlin AI adds an intelligence layer on top of this foundation. Every streamed session generates contextual data that Merlin analyzes — either in real time through Merlin Detect for immediate threat detection, or historically through Merlin Investigate for post-session investigation.

For details on how Merlin processes this data, see Intent-aware Architecture.

Next Steps