Merlin AI — Frequently Asked Questions
Common questions about Merlin AI from customers, partners, and evaluators.
General
What is Merlin AI?
Merlin AI is the intent-aware AI engine of the Excalibur platform. It analyzes user actions within streamed sessions to detect anomalies in real time through Merlin Detect and enables historical investigation through Merlin Investigate, an agentic conversational interface. For a full overview, see Merlin AI.
How does Merlin differ from traditional threat detection?
Traditional tools rely on signatures, rules, or behavioral baselines. Merlin determines the intent behind each action — it evaluates whether a user's input matches the purpose of the application context. This approach detects novel threats without requiring predefined patterns. See Intent-aware Architecture for a detailed comparison.
Which protocols does Merlin AI support?
Merlin Detect is currently available for Vitro Web sessions. Merlin Investigate supports Web and SSH sessions. RDP support is planned. See the protocol coverage table for current status.
Privacy and Data Handling
Does Merlin AI send data to an external cloud for processing?
No. Merlin AI never sends data to external frontier LLMs or third-party AI services. For on-premise and private cloud deployments, all inference happens locally on your GPU hardware. For SaaS deployments, Merlin runs in the Excalibur-managed cluster — you do not need your own GPU infrastructure.
Does Merlin AI require a frontier LLM like ChatGPT or Claude?
No. Merlin AI uses locally deployed models optimized for security analysis. The models are installed on your infrastructure and do not require internet connectivity for operation.
Where is my data stored?
All data — session recordings, contextual bubbles, metadata, and AI analysis results — remains on your infrastructure. See Data Residency for details.
Deployment and Infrastructure
What hardware do I need to run Merlin AI?
For SaaS deployments, none — Excalibur manages all GPU infrastructure for you. For on-premise and private cloud deployments, Merlin AI requires a GPU with a minimum of 40 GB VRAM. A basic deployment uses an NVIDIA L40S (48 GB), while large-scale deployments benefit from an NVIDIA A100 (80 GB). See Hardware Requirements for full specifications.
Can I deploy Merlin AI on-premise?
Yes. Merlin AI supports SaaS, on-premise, and private cloud deployment. See Deployment Options.
How do I size my infrastructure?
Sizing depends on two factors: the number of concurrent sessions with Merlin Detect and the number of concurrent Merlin Investigate sessions. See Sizing Guidance.
Merlin Detect
What happens when an anomaly is detected?
The system flags the action with a CHALLENGE result. The detection appears in the triage dashboard with a context bubble explaining Merlin's reasoning — including what the user did, what the application expected, and why the action was flagged. See Triage Dashboard.
Can administrators configure automatic responses to detections?
Configurable response policies (e.g., automatically terminating sessions for high-risk detections) are a planned feature. Currently, all detections are surfaced in the triage dashboard for analyst review.
Does Merlin Detect slow down the user's session?
No. Contextual bubble construction and AI evaluation happen in real time without visible delay to the user. Allowed actions pass through transparently.
Does Merlin AI produce false positives?
As with any detection system, false positives can occur. However, the intent-aware approach significantly reduces false positive rates compared to rule-based systems. Each detection includes a context bubble with Merlin's reasoning, allowing analysts to quickly dismiss false positives through the triage dashboard.
Merlin Investigate
What is Merlin Investigate?
Merlin Investigate is the agentic investigation mode that lets security analysts query historical session data using natural language. Instead of manually reviewing recordings and logs, analysts ask questions and Merlin retrieves the relevant contextual information. See Merlin Investigate.
What kind of questions can I ask Merlin Investigate?
You can ask about specific users, sessions, time periods, anomaly patterns, and JIT access compliance. Merlin Investigate supports cross-session analysis — for example, identifying repeated anomalies for a user across multiple sessions. See Example Queries.
Does Merlin Investigate watch full session recordings to answer questions?
No. Merlin Investigate operates on contextual bubbles, metadata, and JIT ticket information from the cold-tier data layer. It retrieves only the data relevant to your query, making investigations faster than full recording review.
Integration
How does Merlin AI integrate with existing session recordings?
Merlin operates on top of the Excalibur platform's existing session recording infrastructure. Session recordings for web, SSH, and RDP sessions are enriched with contextual bubbles generated by Merlin Detect during real-time analysis. These enriched recordings are then available for Merlin Investigate.
Does Merlin AI work with JIT (Just-in-Time) access?
Yes. When a session originates from a JIT access request, the task description from the JIT ticket becomes part of the context that Merlin evaluates. This works across both Merlin capabilities:
- Merlin Detect — uses the JIT task description during real-time evaluation. If a user's actions deviate from the approved scope (for example, performing administrative changes when the ticket specifies a diagnostic task), Merlin flags the action as a scope deviation.
- Merlin Investigate — compares a user's actual session actions against the stated purpose of their JIT access request during historical analysis, identifying cases where actions deviated from the approved scope.
Can I export Merlin AI data to my SIEM?
Anomaly detection events are available as security events that can be streamed to your SIEM. For SIEM configuration, see SIEM Integration.
Business Value
How does Merlin AI reduce investigation time?
Manual investigation requires analysts to watch full session recordings and cross-reference logs — often hours per incident. Merlin Investigate condenses this to minutes by pulling only the relevant contextual data and presenting it through a conversational interface.
What compliance requirements does Merlin AI help address?
Merlin AI supports compliance by providing:
- A complete audit trail of every flagged action and its resolution status
- On-premise data processing with no external data transfers
- Documented analyst review workflows through the triage dashboard
How does this compare to competing PAM AI solutions?
Merlin AI is unique in its intent-aware approach. While other solutions may offer AI-based monitoring, Merlin evaluates the purpose of each action rather than matching patterns or baselines. Combined with fully on-premise deployment, this provides both superior detection accuracy and complete data sovereignty.