AI agents
AgentSOC runs your SOC as a pipeline of autonomous agents. Each one owns a stage of the lifecycle—from the moment a raw event arrives to the moment an incident is reported and your detections improve. Several agents reason with large language models (LLMs); others apply deterministic logic. They hand work to each other through a queue, so an event flows from detection all the way to response without an analyst stitching the steps together.
The agents
| Agent | Role | Inputs → Outputs |
|---|---|---|
| Detection (Normalizer) | Standardize raw events from every source into one unified alert schema. | Raw provider events → normalized alerts |
| Enrichment | Add IP geolocation, threat-intel reputation, and asset, identity, and cloud context. LLM-assisted. | Normalized alert → enriched alert with context and reasoning |
| Triage | Assess severity, priority, and confidence to decide what matters. LLM. | Enriched alert → triage verdict (severity, priority, confidence) |
| Response | Decide the action and, with approval, execute an AgentSOAR playbook. LLM. | Triage verdict → executed action, escalation, or close |
| Reporting (Incident Report) | Generate incident and compliance reports as Markdown and PDF. LLM. | Incident → report artifact |
| Learning | Improve detections and reasoning from analyst feedback. | Analyst feedback → tuned detection and triage behavior |
Detection (Normalizer)
The Normalizer is the front door. It takes raw events from each connected source—your SIEM, email logs, syslog, and more—and rewrites them into a single, unified alert schema so every downstream agent works from the same shape.
Enrichment
The Enrichment agent adds the context a raw alert lacks: geolocation for IPs, reputation from threat-intel providers, and asset, identity, and cloud details from your inventory. It uses an LLM to reason over that context and produce recommendations.
Triage
The Triage agent scores each enriched alert, producing a severity, a priority, and a confidence level so the queue surfaces the alerts that matter. It runs on an LLM.
Response
The Response agent reads the triage verdict and decides what to do—execute a playbook, escalate to a human analyst, or close the alert. When it executes, it runs an AgentSOAR action such as Isolate Host, Block IP, or Disable User, gated behind approval where required. It is LLM-driven.
Reporting (Incident Report)
The Reporting agent generates incident and compliance reports, capturing the timeline, linked alerts, response taken, and audit trail. Output is Markdown, exportable to PDF. It runs on an LLM.
Learning
The Learning capability closes the loop: analyst feedback on alerts and decisions is fed back to improve detection accuracy and triage reasoning over time.
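The hand-off described above, as an added Python illustration that is not AgentSOC's own code: plain functions stand in for each agent (the LLM-driven Triage verdict is replaced with a deterministic rule), normalized alerts pass through a simple queue, and the Response stage runs a destructive playbook action only when an explicit approval for that action and target is present. The Alert fields, the two provider formats, the intel table and the approval tuples are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    """Unified alert schema every downstream stage works from (assumed fields)."""
    source: str
    src_ip: str
    user: str
    event: str
    context: dict = field(default_factory=dict)   # filled by Enrichment
    verdict: dict = field(default_factory=dict)   # filled by Triage

def normalize(raw: dict) -> Alert:
    """Detection (Normalizer): map two constructed provider formats onto Alert."""
    if raw["provider"] == "siem":
        return Alert("siem", raw["srcIp"], raw["userName"], raw["ruleName"])
    if raw["provider"] == "syslog":
        # constructed line: "sshd: Failed password for alice from 203.0.113.9"
        w = raw["line"].split()
        return Alert("syslog", w[-1], w[-3], "Failed password")
    raise ValueError(f"unknown provider {raw['provider']!r}")

def enrich(alert: Alert, intel: dict) -> Alert:
    """Enrichment: attach threat-intel reputation (stand-in for geo/asset lookups)."""
    alert.context["reputation"] = intel.get(alert.src_ip, "unknown")
    return alert

def triage(alert: Alert) -> Alert:
    """Triage: deterministic stand-in for the LLM's severity/priority/confidence."""
    bad = alert.context["reputation"] == "malicious"
    alert.verdict = {"severity": "high" if bad else "low",
                     "priority": 1 if bad else 3, "confidence": 0.9 if bad else 0.4}
    return alert

DESTRUCTIVE = {"Isolate Host", "Block IP", "Disable User"}   # approval-gated playbooks

def respond(alert: Alert, approved: frozenset) -> str:
    """Response: close, escalate for approval, or execute a playbook action."""
    if alert.verdict["severity"] != "high":
        return "close"
    action = "Block IP"
    if action in DESTRUCTIVE and (action, alert.src_ip) not in approved:
        return f"escalate: {action} {alert.src_ip} needs approval"
    return f"executed {action} {alert.src_ip}"

def run_pipeline(raw_events, intel, approved=frozenset()):
    """Hand-off queue: each normalized alert flows through every stage in order."""
    queue = [normalize(raw) for raw in raw_events]
    return [respond(triage(enrich(a, intel)), approved) for a in queue]
```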
Incident Correlation
Alongside the lifecycle agents, Incident Correlation groups related alerts into incidents. Instead of leaving you with a flood of individual alerts, it matches alerts that belong to the same activity and rolls them up, so you investigate one incident rather than dozens of fragments.