A 10-minute tour

The dashboard at a glance

You walk in and the CP shows you the state of the fleet. Federated CPs at the top (this one aggregates 2/2 children), counts of daimons heartbeating, finding queues stratified by severity, and chart strips for events / severity / automation runs over the last 24 hours.

Okesu Control Plane dashboard — federated daimon counts, finding charts, automation runs by status.

The dashboard at a glance — federated, refreshes every 15 seconds.

A finding lands

Your sre-health daimons across the fleet detect a connection-failed pattern hitting your public health endpoints. They emit one finding each. The Findings page bundles them by severity and clusters by IOC; you see 761 CRITICAL open across 9,381 total. The first row is what fired most recently.

Findings page — severity-stratified counts, per-category and per-agent breakdowns, paginated finding list.

Findings emitted by daimons across the fleet.

Reach for a playbook

You don't triage by hand. The Orchestrations library is the catalog of playbooks already authored on this CP — drift remediation, login-noise dedup, fleet IOC hunts, cert rotations, the EDR critical-response we walked through on the recipes page. Each one has its trigger filter visible at the top; many fire automatically when a matching finding lands.

Orchestrations library — list of authored playbooks with auto-trigger filters and Run buttons.

The playbook library — auto-trigger filters at the top, manual Run buttons on the right.

The spec, visualised

Click into edr-critical-response and the editor renders the YAML spec as a directed graph. Agents on the left palette; the DAG in the middle. Notice the third step has a brand-purple border and reads FAN-OUT · 3 HOSTS — that's the engine telling you it'll dispatch on three hosts in parallel. The fourth step reads GATED in amber — the run will pause there until you approve it.

Orchestration editor — agent palette on the left, DAG in the middle including a fan-out step and an approval-gated step.

The spec, made visible. Drag to add agents; the YAML and the canvas stay in lockstep.

Watch it run

Click Run. The CP dispatches step 1 immediately and the run-detail page lights up. The blue pulsing ring on triage is the platform's signal that this step is happening right now; the others sit pending. As each step settles you see the stripe color shift — slate (pending) to blue (running) to green (done) or red (failed). When a fan-out step kicks off, its card grows a per-host dot strip that fills in left-to-right as each host returns.

Run detail — a four-step orchestration DAG mid-execution. The first step pulses blue (running); the others wait pending.

A run in progress. Triage running, the rest queued. Refreshes every 2.5 seconds.

The case file

When a finding gets serious enough — operator-confirmed, escalation-tagged, or matched by a cross-CP IOC supervisor — the platform creates an investigation. It's the case file that links the finding, the runs that worked it, the IOCs that match, the daimons reporting in, and your notes. One closed loop. Every action taken on the case lands on the Audit tab so the response is replayable.

Investigation detail — header with status, six tabs (Overview, Findings, Runs, IOCs, Daimons, Orchestrations, Notes, Audit), summary, and identity panel.

The case file shape: tabs across the top, identity + linked entities on the right.

That was the loop.

Daimon emits a finding. CP routes it. Orchestration triages it. Investigation files it. Daimons keep ticking; the same loop runs the next time something interesting happens.

What you saw is what ships. There's nothing demo-only above — the daimons, the orchestrations, the investigation page are all in the platform's defaults; the screenshots came from a CP started fifteen minutes before this page was written.

Install Okesu → Browse the recipes The daimon deep dive

From a finding to a closed investigation, in seven screens.