The Agentic Bank

SOC Alert Triage Agent

Sentinel: Tier-1 disposition of SIEM alerts at machine speed.
Autonomous Router

Reads every security alert, enriches it with asset, identity and threat-intel context, correlates it with related signals, and disposes benign alerts with a written rationale. Confirmed intrusions escalate to the hunter agent with the timeline already reconstructed and a containment recommendation pre-staged.

Memory

Working: The alert, enrichment pulled, correlated signals, disposition lean.
Episodic: Prior alerts on the same asset/identity and their outcomes.
Semantic: MITRE ATT&CK mappings, asset criticality, known-good baselines.
Procedural: Triage playbooks refined from oversight-agent overrides.
Store: Vector + asset/identity knowledge-graph hybrid

Orchestration

router-fanout · MCP · A2A

Harness · Managed Agents: session event-log per alert; context editing trims stale enrichment output on long correlation chains.

Tools

  • SIEM / SOAR platform (API)
  • Threat-intel feeds (Retrieval)
  • EDR / identity provider (API)
  • Enrichment sandbox (Code exec)
  • Threat-hunter agent (A2A)

Evals & guardrails

  • Guardrail: cannot auto-close alerts on crown-jewel assets; forced escalation to the hunter agent.
  • Daily replay against a labelled true-positive set; a missed intrusion is a Sev-1.
  • Agent-as-judge sampling of closed alerts; precision/recall vs. the gold set.
  • Full OpenTelemetry trace of enrichment retained for forensic audit.

Offline reflection

Nightly consolidation of oversight-agent overrides into sharper triage playbooks. Offline experience replay, not a live process.

Frontier edge

  • Continual learning: eval-gated self-edits (SEAL-style) fold each oversight-agent override into sharper disposition logic without a full retrain.
  • Causal reasoning: reconstructs the attack chain as cause-and-effect (this login enabled that download), not a loose cluster of co-occurring alerts.
  • Confidential compute: enriches identity and PII context inside a TEE so raw employee data never sits in the clear during triage.

A sample run

Trigger: Impossible-travel alert: same identity authenticating from two continents in 20 minutes.
  1. Enrich both logins with device, IP reputation and prior session history.
  2. Correlate with EDR: one device is unmanaged and just downloaded a credential dumper.
  3. Map to ATT&CK (valid accounts → credential access); reconstruct the timeline.
  4. Pre-stage a containment recommendation (disable identity, isolate host).
Output: Escalates to the hunter agent as a likely account takeover with the timeline, ATT&CK mapping and a ready containment action; benign impossible-travel cases auto-close instead.
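The sample run and the crown-jewel guardrail above, written out as a small triage routine. This is an added illustration, not code from the page or from The Agentic Bank: the EDR index, the crown-jewel asset list, the VPN egress baseline, the alert records and the detection label credential_dumper are all constructed sample data, and the ATT&CK technique IDs are the public ones for Valid Accounts (T1078) and OS Credential Dumping (T1003). It shows the three outcomes the card describes: escalation with a reconstructed timeline and pre-staged containment, benign auto-close with a written rationale, and forced escalation when the guardrail fires regardless of how benign the alert looks.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data for illustration only; not from any real SIEM, EDR or asset inventory.
CROWN_JEWELS = {"pay-core-01"}          # assets the guardrail never lets the agent auto-close
KNOWN_VPN_EGRESS = {"203.0.113.10"}     # known-good baseline: corporate VPN egress (TEST-NET address)

# Constructed EDR index keyed by device name: management posture and current detections
EDR: Dict[str, dict] = {
    "lt-alice-01": {"managed": True, "detections": []},
    "unknown-win10": {"managed": False, "detections": ["credential_dumper"]},
    "lt-bob-01": {"managed": True, "detections": []},
    "lt-bob-02": {"managed": True, "detections": []},
    "lt-carol-01": {"managed": True, "detections": []},
}


@dataclass
class Alert:
    alert_id: str
    identity: str
    asset: str
    logins: List[dict]   # each login: ts (minutes since first event), ip, country, device


@dataclass
class Disposition:
    alert_id: str
    action: str                       # "auto_close" or "escalate"
    rationale: str                    # written justification kept for audit
    techniques: List[str] = field(default_factory=list)
    timeline: List[str] = field(default_factory=list)
    containment: List[str] = field(default_factory=list)


def enrich(alert: Alert) -> List[dict]:
    """Join each login with EDR device posture and the known-good VPN baseline, oldest first."""
    enriched = []
    for login in sorted(alert.logins, key=lambda l: l["ts"]):
        dev = EDR.get(login["device"], {"managed": False, "detections": []})  # unknown device = unmanaged
        enriched.append({**login, "managed": dev["managed"],
                         "detections": list(dev["detections"]),
                         "known_vpn": login["ip"] in KNOWN_VPN_EGRESS})
    return enriched


def triage(alert: Alert) -> Disposition:
    enriched = enrich(alert)
    timeline = [f"t+{l['ts']}m {alert.identity} login from {l['country']} ({l['ip']}) on {l['device']}"
                for l in enriched]
    # Guardrail is checked before any reasoning: crown-jewel assets are always escalated.
    if alert.asset in CROWN_JEWELS:
        return Disposition(alert.alert_id, "escalate",
                           f"guardrail: {alert.asset} is a crown-jewel asset; auto-close not permitted",
                           ["T1078"], timeline)
    suspicious = [l for l in enriched if not l["managed"] or l["detections"]]
    if suspicious:
        techniques = ["T1078"]  # Valid Accounts: the identity itself was used, not a software exploit
        if any("credential_dumper" in l["detections"] for l in suspicious):
            techniques.append("T1003")  # OS Credential Dumping observed on the offending host
        containment = [f"disable identity {alert.identity}"] + \
                      [f"isolate host {l['device']}" for l in suspicious]
        names = ", ".join(l["device"] for l in suspicious)
        return Disposition(alert.alert_id, "escalate",
                           f"likely account takeover: login from unmanaged or EDR-flagged device(s) {names}",
                           techniques, timeline, containment)
    # Benign only when every device is managed and clean and the hop is explained by VPN egress.
    if any(l["known_vpn"] for l in enriched):
        vpn_ip = next(l["ip"] for l in enriched if l["known_vpn"])
        return Disposition(alert.alert_id, "auto_close",
                           f"benign: all devices managed with no detections; geographic hop explained "
                           f"by known VPN egress {vpn_ip}", ["T1078"], timeline)
    return Disposition(alert.alert_id, "escalate",
                       "unexplained cross-continent hop from managed devices; no known-good baseline matched",
                       ["T1078"], timeline)


# Constructed alerts mirroring the sample run: one takeover, one VPN false positive, one guardrail hit.
SAMPLE_ALERTS = [
    Alert("A-1", "alice", "lt-alice-01", [
        {"ts": 0, "ip": "198.51.100.7", "country": "DE", "device": "lt-alice-01"},
        {"ts": 20, "ip": "192.0.2.44", "country": "BR", "device": "unknown-win10"}]),
    Alert("A-2", "bob", "lt-bob-01", [
        {"ts": 0, "ip": "203.0.113.10", "country": "US", "device": "lt-bob-01"},
        {"ts": 15, "ip": "198.51.100.200", "country": "JP", "device": "lt-bob-02"}]),
    Alert("A-3", "carol", "pay-core-01", [
        {"ts": 0, "ip": "203.0.113.10", "country": "US", "device": "lt-carol-01"},
        {"ts": 10, "ip": "198.51.100.9", "country": "FR", "device": "lt-carol-01"}]),
]


def run_samples() -> Dict[str, Disposition]:
    return {a.alert_id: triage(a) for a in SAMPLE_ALERTS}


if __name__ == "__main__":
    for d in run_samples().values():
        print(d.alert_id, d.action, "|", d.rationale, "|", d.techniques, "|", d.containment)
```

The guardrail sits at the top of `triage` on purpose: it runs before enrichment can argue the alert down, which is what "forced escalation" means in practice. The rationale string travels with every disposition so the agent-as-judge sampling and the daily replay described under Evals & guardrails have something concrete to grade.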

In numbers

  • 21,000: alerts triaged / day
  • 94%: benign auto-close rate
  • 11s: median triage latency

Handoffs

Across: Operations → enterprise incident-response agents for confirmed breaches
