Documentation · v1.4

Introduction

Triago is an autonomous SOC analyst. It ingests alerts from your SIEM, EDR, identity, and cloud systems, runs a structured investigation, and either resolves the alert autonomously or escalates with full evidence to a human.

This documentation is written for security engineers and SOC operators. It assumes you know what KQL, EDR, and IOC mean. If you want a narrative tour, start with the product page.

Quickstart

From signup to first investigation in under fifteen minutes:

  1. Sign in at app.triago.com and create a workspace.
  2. Connect at least one SIEM and one identity provider.
  3. Choose a workflow from the catalog (start with phishing triage).
  4. Enable shadow mode — Triago will produce verdicts without acting.
  5. Review verdicts side-by-side with your team for 7 days.
  6. Promote categories to autonomous with a per-action approval policy.

Core concepts

Investigation

A bounded execution of the agent fleet against a single alert, with a budget (time, credits, tool calls), a trace, evidence artifacts, and a verdict.

Workflow

A typed family of investigations — e.g. phishing.user_report — with a defined input schema, eval set, and policy.

Verdict

A structured output: {label, confidence, evidence, actions, abstain}. The verifier signs every verdict.

Policy

YAML-defined rules for approvals, escalation, budgets, and abstention thresholds. Versioned and diffable.

Configuring a workflow

# workflows/phishing-triage.yaml
name: phishing.user_report
mode: autonomous                 # in shadow mode (quickstart step 4) verdicts are produced but no action is taken
budget:                          # per-investigation caps; an investigation that exceeds them is escalated, not acted on
  time_seconds: 60
  credits: 5
abstain_below_confidence: 0.85   # verdicts under this confidence abstain and are routed to escalate_to
actions:                         # the only actions this workflow may take
  - quarantine_mailboxes
  - notify_user
  - require_mfa_step_up
escalate_to: secops-oncall@triago.example

Approval policies

Sensitive actions (host isolation, identity disable, data destruction) are never taken without an explicit approval policy. Policies can require two-person approval, restrict an action to a time-of-day window, and cap the budget an investigation may spend before it is escalated instead.
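The workflow file above says what an investigation is allowed to do and an approval policy says what has to happen before a sensitive action runs. The following is an added example, not Triago's own code: a small policy gate that takes a verdict in the page's {label, confidence, evidence, actions, abstain} shape together with the phishing-triage workflow from above and decides whether the actions execute, wait for a second approver, are denied, or escalate to a human. The policy layout, the second workflow malware.edr_alert, the function name gate and every sample value are assumptions made for illustration.

```python
# Added example (not Triago's own code): a policy gate over a verdict.
# Verdict and workflow fields mirror this page; POLICY, EDR, gate() and the
# sample data are assumptions.
from datetime import datetime, time

# The page's workflows/phishing-triage.yaml as a dict (no YAML parser needed).
PHISHING = {
    "name": "phishing.user_report",
    "mode": "autonomous",
    "budget": {"time_seconds": 60, "credits": 5},
    "abstain_below_confidence": 0.85,
    "actions": ["quarantine_mailboxes", "notify_user", "require_mfa_step_up"],
    "escalate_to": "secops-oncall@triago.example",
}

# Hypothetical second workflow whose allowlist contains a sensitive action,
# so the approval path below has something to exercise.
EDR = dict(PHISHING, name="malware.edr_alert", actions=["isolate_host", "notify_user"])

# Hypothetical approval policy: the page lists two-person rules, time-of-day
# windows and budget caps; these field names are assumed.
POLICY = {
    "sensitive_actions": {"isolate_host", "disable_identity", "delete_data"},
    "two_person_rule": True,
    "window": (time(8, 0), time(18, 0)),   # local time; outside it, deny
}


def gate(verdict, usage, now, approvers, workflow, policy=POLICY):
    """Decide what happens to a verdict. Returns (decision, reason), decision
    being one of shadow, escalate, deny, needs_approval, execute. Cheap,
    restrictive checks run first so an abstaining verdict never reaches the
    approval step."""
    # Shadow mode records verdicts and never acts (quickstart step 4).
    if workflow["mode"] != "autonomous":
        return "shadow", "workflow is not autonomous; verdict recorded only"
    # Budget caps: an investigation that blew its budget is incomplete, so its
    # actions are not trusted; hand the partial evidence to a human instead.
    for key, cap in workflow["budget"].items():
        used = usage.get(key, 0)
        if used > cap:
            return "escalate", f"budget {key}={used} exceeds cap {cap}"
    # Abstention: explicit abstain flag, or confidence under the threshold.
    if verdict["abstain"] or verdict["confidence"] < workflow["abstain_below_confidence"]:
        return "escalate", f"abstain; route to {workflow['escalate_to']}"
    # Every requested action must be on the workflow allowlist. Anything else
    # is a hard deny, not an approval request: the model cannot widen its scope.
    for action in verdict["actions"]:
        if action not in workflow["actions"]:
            return "deny", f"{action} is not allowed by {workflow['name']}"
    # Sensitive actions: time-of-day window first, then two distinct approvers.
    sensitive = [a for a in verdict["actions"] if a in policy["sensitive_actions"]]
    if sensitive:
        start, end = policy["window"]
        if not start <= now.time() <= end:
            return "deny", f"{sensitive} requested outside approval window {start}-{end}"
        if policy["two_person_rule"] and len(set(approvers)) < 2:
            return "needs_approval", f"{sensitive} needs two distinct approvers, have {sorted(set(approvers))}"
    return "execute", "all policy checks passed"


# Constructed sample inputs.
DAYTIME = datetime(2024, 5, 6, 10, 30)
NIGHT = datetime(2024, 5, 6, 23, 15)
PHISH_VERDICT = {"label": "malicious", "confidence": 0.92,
                 "evidence": ["sender domain registered 2 days ago"],
                 "actions": ["quarantine_mailboxes", "notify_user"], "abstain": False}
EDR_VERDICT = dict(PHISH_VERDICT, actions=["isolate_host", "notify_user"])
USAGE_OK = {"time_seconds": 41, "credits": 3}

if __name__ == "__main__":
    print(gate(PHISH_VERDICT, USAGE_OK, DAYTIME, [], PHISHING))                # execute
    print(gate(dict(PHISH_VERDICT, confidence=0.7), USAGE_OK, DAYTIME, [], PHISHING))  # escalate
    print(gate(EDR_VERDICT, USAGE_OK, DAYTIME, ["alice"], EDR))                 # needs_approval
    print(gate(EDR_VERDICT, USAGE_OK, DAYTIME, ["alice", "bob"], EDR))          # execute
    print(gate(EDR_VERDICT, USAGE_OK, NIGHT, ["alice", "bob"], EDR))            # deny
```

Two design points worth keeping when writing a real gate: an action outside the workflow allowlist is denied rather than queued for approval, so a mis-generated action list cannot be waved through by a busy approver; and the two-person rule counts distinct approvers, so one person approving twice does not satisfy it.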

Eval harness

Ship your golden alerts as a versioned dataset. Triago re-runs the fleet on every model promotion and reports regressions before they reach production.
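What a regression report over a golden set has to distinguish is easy to get wrong, so here is an added example, not Triago's eval harness: it compares the promoted model's verdicts and a candidate's verdicts against analyst-confirmed labels and separates regressions that would cause a wrong autonomous action from ones that only escalate more work to humans. The record layout, the function names compare and promotion_allowed, the workflow name identity.impossible_travel and all sample verdicts are constructed for illustration.

```python
# Added example (not Triago's eval harness): a promotion gate over golden alerts.
# Record layout, function names and all data below are assumptions.

# Constructed golden set: alert id, workflow, analyst-confirmed label.
GOLDEN = [
    {"id": "a1", "workflow": "phishing.user_report", "label": "malicious"},
    {"id": "a2", "workflow": "phishing.user_report", "label": "benign"},
    {"id": "a3", "workflow": "phishing.user_report", "label": "malicious"},
    {"id": "a4", "workflow": "identity.impossible_travel", "label": "benign"},
    {"id": "a5", "workflow": "identity.impossible_travel", "label": "malicious"},
]

# Constructed verdicts from the promoted model and the candidate, keyed by
# alert id. abstain=True means the fleet escalated instead of acting.
BASELINE = {
    "a1": {"label": "malicious", "confidence": 0.93, "abstain": False},
    "a2": {"label": "benign", "confidence": 0.90, "abstain": False},
    "a3": {"label": "malicious", "confidence": 0.88, "abstain": False},
    "a4": {"label": "malicious", "confidence": 0.86, "abstain": False},  # baseline false positive
    "a5": {"label": None, "confidence": 0.60, "abstain": True},
}
CANDIDATE = {
    "a1": {"label": "malicious", "confidence": 0.95, "abstain": False},
    "a2": {"label": "malicious", "confidence": 0.87, "abstain": False},  # benign -> malicious: hard regression
    "a3": {"label": None, "confidence": 0.70, "abstain": True},         # correct -> abstain: soft regression
    "a4": {"label": None, "confidence": 0.55, "abstain": True},         # wrong -> abstain: improvement
    "a5": {"label": "benign", "confidence": 0.89, "abstain": False},    # abstain -> wrong: hard regression
}


def outcome(golden_label, verdict):
    """Classify one verdict against its golden label: correct, wrong or abstain."""
    if verdict["abstain"]:
        return "abstain"
    return "correct" if verdict["label"] == golden_label else "wrong"


def compare(golden, baseline, candidate):
    """Return (hard, soft, improved) lists of alert ids.
    hard:     the candidate would act wrongly where the baseline did not
    soft:     the candidate abstains where the baseline was correct
    improved: the baseline was wrong and the candidate is not"""
    hard, soft, improved = [], [], []
    for alert in golden:
        before = outcome(alert["label"], baseline[alert["id"]])
        after = outcome(alert["label"], candidate[alert["id"]])
        if after == "wrong" and before != "wrong":
            hard.append(alert["id"])     # a new autonomous mistake
        elif after == "abstain" and before == "correct":
            soft.append(alert["id"])     # more human work, but no wrong action
        elif after != "wrong" and before == "wrong":
            improved.append(alert["id"])
    return hard, soft, improved


def promotion_allowed(golden, baseline, candidate, max_soft_ratio=0.1):
    """Block promotion on any hard regression; tolerate a bounded amount of
    extra abstention, because abstaining is the safe failure mode."""
    hard, soft, _ = compare(golden, baseline, candidate)
    return not hard and len(soft) <= max_soft_ratio * len(golden)


if __name__ == "__main__":
    hard, soft, improved = compare(GOLDEN, BASELINE, CANDIDATE)
    print("hard regressions:", hard)      # ['a2', 'a5']
    print("soft regressions:", soft)      # ['a3']
    print("improvements:", improved)      # ['a4']
    print("promote:", promotion_allowed(GOLDEN, BASELINE, CANDIDATE))  # False
```

The asymmetry is the point: a5 going from abstain to a confident wrong verdict is the most dangerous change in the set, because in autonomous mode it turns an escalation into an action, while a4 going from wrong to abstain is an improvement even though raw accuracy does not move.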

RBAC & SSO

SAML, OIDC, SCIM. Roles: Owner, Admin, SecOps, Auditor, ReadOnly. Per-action overrides per role.

Audit log

Every agent step, tool call, approval, and verdict is appended to an immutable log. Export to your SIEM via webhook, S3, or syslog.
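The page says the log is immutable and exportable but does not say how immutability is enforced or how a consumer should check an export. The following is an added example, not Triago's export format or code: it assumes a JSON-lines export in which each record carries a sequence number and the SHA-256 of its predecessor (a hash chain), and shows a verifier that catches an edited record, a dropped record, and, given a head hash recorded out of band, a truncated tail. Field names, functions and the sample investigation trail are all assumptions.

```python
# Added example (not Triago's format or code): verifying a hash-chained
# audit export. The chain layout, field names and sample records are assumed.
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the very first record


def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except hash. prev_hash is
    part of the body, so each hash commits to the entire prefix of the log."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append(chain, record):
    """Append a record, linking it to the current head."""
    entry = dict(record, seq=len(chain), prev_hash=chain[-1]["hash"] if chain else GENESIS)
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify(lines, expected_head=None):
    """Walk a JSON-lines export. Returns (ok, seq_of_first_bad_record, reason).
    expected_head is the head hash you recorded out of band (for example from
    the last webhook delivery); without it, a truncated tail is undetectable,
    because a shorter chain is still a valid chain."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if entry.get("seq") != i:
            return False, i, "sequence gap"
        if entry.get("prev_hash") != prev:
            return False, i, "prev_hash does not match previous record"
        if entry_hash(entry) != entry.get("hash"):
            return False, i, "record content does not match its hash"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(lines), "chain head differs from expected head (truncated?)"
    return True, None, "chain intact"


def build_sample():
    """Constructed trail for one investigation: agent step, tool call, approval, verdict."""
    chain = []
    for rec in [
        {"kind": "agent_step", "investigation": "inv-0001", "detail": "parse user report"},
        {"kind": "tool_call", "investigation": "inv-0001", "tool": "siem.search",
         "args": {"q": "sender:evil.example"}},
        {"kind": "approval", "investigation": "inv-0001", "actor": "alice",
         "action": "quarantine_mailboxes"},
        {"kind": "verdict", "investigation": "inv-0001", "label": "malicious", "confidence": 0.92},
    ]:
        append(chain, rec)
    return chain


def export(chain):
    """JSON-lines export, one record per line."""
    return [json.dumps(e, sort_keys=True) for e in chain]


def tampered_export():
    """Same trail, with the approval record edited after the fact."""
    chain = build_sample()
    chain[2]["actor"] = "mallory"   # hash left stale on purpose
    return export(chain)


def dropped_export():
    """Same trail, with the approval record removed."""
    chain = build_sample()
    del chain[2]
    return export(chain)


if __name__ == "__main__":
    chain = build_sample()
    print(verify(export(chain)))                                           # intact
    print(verify(tampered_export()))                                       # fails at seq 2
    print(verify(dropped_export()))                                        # fails at seq 2
    print(verify(export(chain)[:3]))                                       # passes: truncation unseen
    print(verify(export(chain)[:3], expected_head=chain[-1]["hash"]))      # fails at 3
```

The last two lines are the caveat to take away: a chain alone proves nothing about completeness. Whatever receives the export (SIEM, S3 bucket, syslog collector) should keep the latest head hash somewhere the exporter cannot rewrite and compare against it on every verification.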

Observability

OpenTelemetry traces, metrics, and logs. Bring your own Datadog, Honeycomb, Grafana.

SDKs

TypeScript and Python, plus an MCP-compatible tool server. See the API reference.

MCP tools

Register custom tools (SOAR escape hatches, internal APIs) via MCP. Per-tool authz, sandboxed execution.