Features

Eight systems, in order.

Aorka isn't one thing. It's a handful of pieces that hand work off to each other — the agent goes on the machine, the knowledge base remembers what it found, the model proposes a script, an evaluator scores it, you approve, the engine sequences the phases. Here is each piece, in the order it fires on a typical request.

01
Chat

Plain English in, plain English out.

Aorka starts in the chat window. You describe a problem in the words a tech would use to describe it — not a cmdlet, not a ticket template, not a structured query. The model reads what you said, pulls the relevant facts out of the knowledge base for the endpoint or unit in question, drafts a script when one is needed, and waits for you to say go.

Conversations are scoped to a unit by default, so the context the model gets is the context for the place you're working — not an opaque corpus and not the entire fleet.

  • Conversational, with full environment context. The model can see facts, understandings, procedures, and recent script history for the endpoints in scope.
  • Microsoft 365 integration. Query mailboxes, licenses, Entra users, and group memberships from the same chat window.
  • Conversation history is preserved per-unit, so the next tech to pick up the ticket starts where the last one left off.
  • Free-form target resolution. Say "the print server at Lakewood" and Aorka finds it; you don't pick an endpoint from a dropdown.

You: A bunch of users at Greenfield are reporting Outlook hangs today. What's going on?
Aorka: 11 of 14 chat tickets in the last four hours mention Outlook. All eleven are on Windows 11 23H2 with yesterday's cumulative update (KB5037771); the three users without symptoms are still on 23H1. Microsoft published an advisory yesterday about a Defender / Outlook interaction in that build. Want me to roll back the update on one machine to confirm before we decide on the rest?
You: Yes, start with GD-WS-12.
Aorka: Rolling back KB5037771 on GD-WS-12. I'll verify Outlook launches cleanly and report back before touching the other ten.

See it move

Real chat, replayed end to end.

Plan cards, risk scores, the approval the operator clicked, the script behind it. Pick a session from the gallery and it plays.

02
Knowledge

Documentation that revalidates itself.

The agent on each endpoint collects facts and runs them again on a schedule. The knowledge base is not a wiki — it's a record of what the agent measured, when it measured it, and how confident it is that the measurement is still true. Stale insights decay and surface themselves; the things that matter get revalidated automatically.

Three kinds of insights live in the base: facts for measurable values, understandings for lessons and operational context that wouldn't be obvious from a config, and procedures for known-good recipes. The model retrieves all three when it's working on something for you.

  • Continuous collection from Windows endpoints. Network devices are reached through an SSH gateway on the agent.
  • Salience scores. Insights age out gracefully and are re-checked when they get used. The corpus tells you what's growing cold without being asked.
  • Semantic search via vector embeddings. Find by meaning, not exact wording.
  • Hierarchical unit tree. Organize by client, site, function, or anything else — insights inherit down the tree.

A sample from the knowledge base for LW-DC-01

  • fact: Windows Server 2022 Standard, build 20348. (2h · 0.98)
  • fact: Print Spooler service is running. (4h · 0.95)
  • understanding: The Ricoh MP C3004 driver crashes the spooler intermittently. Same pattern at LW-PRINT01. (6d · 0.71 · decaying)
  • procedure: Recover the spooler: stop service, clear spool\PRINTERS, restart, verify queue. (8d · 0.84)
  • fact: Backup agent: Veeam 12.0.0.1420. (45d · 0.34 · stale)

03
Safety

Three layers between the model and the machine.

Every script the model proposes is read three times before anything touches an endpoint. A regex command filter classifies the operation by what it does. An AI evaluator scores the blast radius. An approval gate routes the script by risk tier — some auto-execute, some need an operator to acknowledge, and some are rejected outright with no override.

Units are read-only by default. A tenant admin unlocks a unit for writes only after the deployment has been verified end to end. New clients onboard locked.

  • Layer 1. A regex command filter classifies every cmdlet. Get-* is read-only. Restart-* writes. Format-Volume is blocked at the parser.
  • Layer 2. An AI evaluator reads the script in context and scores intent, scope, and reversibility from 0 to 100.
  • Layer 3. The approval gate routes by score — 0–30 read-only auto-runs, writes require browser approval, 51 and above is rejected.
  • Unit lock. New units start read-only. The tenant admin unlocks writes deliberately, once.

The shape of the pipeline is sketched on the home page. The diagram is the same thing in fewer words.
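The routing described in the three layers and the unit lock can be sketched as follows. This is an added example, not Aorka's code: the evaluator score is taken as an input, the read-only verbs beyond Get-* are assumptions, and so are the handling of read-only scripts scored 31 to 50 and the rejection of writes on a locked unit.

```python
import re

# Layer 1 rules. Get-*, Restart-* and Format-Volume are the page's examples;
# the other read-only verbs are assumptions added for this sketch.
BLOCKED = re.compile(r"\bFormat-Volume\b", re.IGNORECASE)
READ_VERBS = {"get", "test", "select", "where", "sort", "measure", "format"}
CMDLET = re.compile(r"\b([A-Za-z]+)-([A-Za-z]\w*)")

def classify(script: str) -> str:
    """Return 'blocked', 'write' or 'read' for a PowerShell script."""
    # Block list first: Format-Table is harmless, Format-Volume is not,
    # so the verb allow-list alone cannot be trusted with 'Format'.
    if BLOCKED.search(script):
        return "blocked"
    verbs = [m.group(1).lower() for m in CMDLET.finditer(script)]
    # Fail closed: no recognisable cmdlet (native exe, alias) or any verb
    # outside the allow-list means the script is treated as a write.
    if not verbs or any(v not in READ_VERBS for v in verbs):
        return "write"
    return "read"

def route(script: str, score: int, unit_unlocked: bool) -> tuple[str, str]:
    """Layer 3: combine the filter result, the evaluator score and the unit lock."""
    op = classify(script)
    if op == "blocked":
        return ("reject", "blocked-command")
    if score >= 51:
        return ("reject", "score")
    if op == "write" and not unit_unlocked:
        return ("reject", "unit-locked")   # assumption: locked units refuse writes
    if op == "read" and score <= 30:
        return ("auto-run", "read-only")
    return ("browser-approval", op)        # writes, and reads scored 31-50 (assumed)

# Constructed sample requests: (script, evaluator score, unit unlocked?)
SAMPLES = [
    ("Get-Service -Name Spooler | Select-Object Status", 8, False),
    ("Restart-Service -Name Spooler", 22, False),
    ("Restart-Service -Name Spooler", 22, True),
    ("Get-Disk | Format-Volume -FileSystem NTFS", 5, True),
    ("net stop spooler", 18, True),
]

if __name__ == "__main__":
    for script, score, unlocked in SAMPLES:
        print(route(script, score, unlocked), "<-", script)
```

The reason string returned with each decision is what an audit log would record alongside the script.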

04
Library

A library that's been used.

The first time the model writes a script to solve a particular kind of problem, it goes through the safety pipeline like any other script. When it works, it gets kept. When it gets reused, its success ratio gets tracked. Over time the library becomes a record of what actually works on real fleets — not a list of suggestions from a manual.

Search is semantic. Describe the problem in plain English and the library returns scripts whose past descriptions match the meaning of what you said. The success ratio is shown alongside the result so you know what you're picking up.

  • Thousands of scripts, scored by real execution history across real infrastructure.
  • Parameterized for general use. Hostnames, paths, and thresholds are injected at run time.
  • Network effect across tenants. A script that proved itself on one fleet is available to all.
  • Author lock on new scripts. The script's author gets an exclusive iteration window before others can overwrite it.

| Script | Success | Runs | Purpose |
|---|---|---|---|
| Restart-PrintSpooler | 94% | 847 | Clears stuck queue, restarts service, verifies recovery. |
| Get-DiskSpaceReport | 99% | 2,341 | All volumes, free percentage, largest files, week-over-week trend. |
| Repair-ADReplication | 87% | 412 | Force sync, check status across DCs, report replication lag. |
| Clear-TeamsCache | 72% | 1,156 | Stop Teams, purge cache directories, restart, verify sign-in. |

05
Vault

Secrets that never leave the vault.

Domain admin passwords, firewall logins, SQL sa — the credentials your techs need to do their work, kept out of shared spreadsheets and shoulder-surfed sticky notes. The vault encrypts each credential with its own key, requires a second factor to view, and injects secrets into agent sessions at run time so they never touch the endpoint's disk.

Every read is logged. Webhook alerts fire when a high-trust credential is accessed outside its expected pattern.

  • AES-256-GCM at rest, with per-credential keys.
  • MFA required to view or use a secret. Per-session, not per-day.
  • Run-time injection into agent sessions. Secrets are streamed to memory and never written to disk on the endpoint.
  • Break-glass access with full audit logging. Webhook alerts on credential access.

06
Deploy

Deploy through whatever you already use.

The agent ships as a signed MSI. Push it through GPO, Intune, NinjaRMM, JumpCloud, or anything else that can push an MSI. The agent talks outbound only — no inbound firewall rules, no VPN, nothing for the security team to argue about.

Once the agent is on a machine, it shows up in the console within a minute. You can also push from the console directly — no RDP, no manual steps, no watching a progress bar.

  • Signed MSI. Deploys through any tool that pushes MSIs.
  • Active Directory and Entra ID sync. Auto-discover machines that don't have the agent yet.
  • Remote push from the console. Useful for one-off endpoints or repairing a stuck install.
  • Outbound-only. The agent initiates the connection; the server never reaches into the customer network.

07
Orchestrate

Runbooks that actually run.

Multi-phase work — patch rollouts, migrations, onboarding sequences — runs as a directed graph of phases and steps. The engine handles sequencing, fan-out across endpoints, and failure propagation. Between phases, the model reads the results and decides whether it's sensible to keep going.

A runbook fails like a runbook should: when one machine in a fan-out fails, downstream phases that depend on it stop; independent work keeps moving. There's a real audit trail.

  • DAG-based execution. Phases, steps, dependencies. Not a YAML script-runner pretending to be a workflow engine.
  • AI gates between phases. An evaluator reads the output of the prior phase and decides whether to proceed.
  • Fan-out across endpoints in parallel, with bounded concurrency.
  • Automatic failure propagation. One failure halts only the work that depends on it.
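
The failure behaviour described above, as an added sketch that is not Aorka's engine: phases run in dependency order with a bounded fan-out, a phase fails if any endpoint fails, dependents of a failed or skipped phase are skipped, and independent phases still run. Phase names, endpoint names and the `step` callback are hypothetical, and the AI gate between phases is left out.

```python
from concurrent.futures import ThreadPoolExecutor
from graphlib import TopologicalSorter

def run_runbook(phases, endpoints, step, max_workers=4):
    """Run phases in dependency order.

    phases: {phase: set of prerequisite phases}; step(phase, endpoint) -> bool.
    Returns (status per phase, audit trail as a list of tuples).
    """
    status, audit = {}, []

    def attempt(phase, endpoint):
        try:
            return bool(step(phase, endpoint))
        except Exception:
            return False  # an exception on one endpoint is a failure, not a crash

    with ThreadPoolExecutor(max_workers=max_workers) as pool:  # bounded fan-out
        for phase in TopologicalSorter(phases).static_order():
            unmet = sorted(p for p in phases.get(phase, ()) if status[p] != "ok")
            if unmet:
                # A prerequisite failed or was itself skipped: do not run.
                status[phase] = "skipped"
                audit.append((phase, "skipped", unmet))
                continue
            results = list(pool.map(lambda ep: attempt(phase, ep), endpoints))
            failed = [ep for ep, ok in zip(endpoints, results) if not ok]
            status[phase] = "failed" if failed else "ok"
            audit.append((phase, status[phase], failed))
    return status, audit

# Constructed runbook and fleet (hypothetical names).
PHASES = {
    "inventory": set(),
    "patch": {"inventory"},
    "reboot": {"patch"},
    "verify": {"reboot"},
    "disk-report": {"inventory"},  # independent of the patch chain
}
ENDPOINTS = ["WS-01", "WS-02", "WS-03"]

def demo():
    # Constructed failure: patching fails on one machine only.
    return run_runbook(PHASES, ENDPOINTS,
                       lambda ph, ep: (ph, ep) != ("patch", "WS-02"))

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```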

08
MCP

If you already have an AI tool, point it here.

Aorka exposes its tools over the Model Context Protocol. Connect Claude Code, Codex CLI, Gemini CLI, or anything else that speaks MCP. The same safety pipeline runs. The same approval gates fire. The tools you already prefer get infrastructure awareness for free.

Write scripts coming in through MCP require browser approval before they execute, regardless of who's on the other end. The pipeline doesn't care if the request came from a human in the console or a CLI in a terminal.

  • Full toolset: search facts, run scripts, save understandings, list endpoints.
  • Browser-approval gates for any script that writes, regardless of source.
  • Per-user authentication and unit scoping — the AI tool sees what the user sees, no more.

.claude.json

{
  "mcpServers": {
    "aorka": {
      "url": "https://aorka.com/api/mcp",
      "headers": {
        "Authorization": "Bearer …"
      }
    }
  }
}

That's the whole thing.

Eight pieces, in the order they fire. If this is the shape of the tool you've been wanting, the home page has the demo signup.
