Features

Everything a tier-1 analyst does.
Done by an agent.

Five specialist agents that collaborate the way a senior SOC team does — with bounded retries, verifier loops, and human-in-the-loop gates on every consequential action.

The agent fleet

A team of five.

Planner

Reads the alert, queries policy, drafts an investigation plan with stop conditions and budget.

Investigator

Pivots through SIEM, EDR, identity, cloud, and threat intel — collecting evidence into a structured case.

Verifier

Independent model that audits the investigator. Abstains when confidence is low. Triggers escalation.

Responder

Executes containment within policy: isolate host, revoke session, disable identity, block hash, file ticket.

Scribe

Writes the incident note: timeline, IOCs, MITRE mapping, evidence, and recommended hardening.

Eval Conductor

Continuously replays golden cases against the live fleet — catches regressions before customers do.

Operations

Control plane for a 24×7 fleet.

Approval policies

Budget caps, two-person rules on disable / contain, escalation paths by severity, hour, and tenant. Versioned, diffable, auditable.

# policy.yaml
on: ransomware_contain
  requires: ["sec_lead", "secops_oncall"]
  budget_minutes: 15
  escalate_if: confidence < 0.85

Observability

Latency, cost, accuracy, override rate, abstention rate — per workflow, per agent, per tenant. OpenTelemetry export to Datadog, Honeycomb, Grafana.

fleet.live
04:17:02PLANalert id=A-9482 → 6 steps · budget=$0.04
04:17:13INVESTok 198.51.100.42 enriched · risk=7.4
04:17:19VERIFYconf=0.91 · pass
04:17:21RESOLVEbenign · notify · step-up MFA

RBAC + SSO/SCIM

SAML, OIDC, Okta, Azure AD, Google. Per-action permissions, per-tenant key.

Slack + Teams + Inbox

Investigations stream to the channel of your choice. Approve from your phone.

Search across history

"Show me every alert tied to 198.51.100.42 in the last 90 days." Done.

AI capabilities

Models, tuned to defense.

Threat-tuned reasoning

Self-hosted models customized with NVIDIA NeMo on a proprietary attack-trace corpus, fine-tuned via continuous DPO and RLHF from analyst overrides. Not a generic API call.

  • NeMo-Tuned Investigator
  • Triago-Verifier v3
  • Llama 4 distillate

Confidence-aware abstention

Triago publishes a confidence score on every verdict and abstains when it would be wrong. You define the threshold per category.

Long-context investigation memory

Episodic memory per host, identity, and tenant. The agent that closed yesterday's case is the same one that opens today's.

Tool-use across 200+ APIs

MCP-compatible tool registry. Per-tool authz. Sandboxed execution. Failure-tolerant retries.

GPU infrastructure

The model fleet Triago runs on.

NVIDIA Morpheus — real-time detection

The front door to every investigation. Morpheus GPU-scores millions of SIEM, EDR, network, and auth events per second before any agent token is spent. CPUs cannot meet SOC-volume latency at this throughput.

Sub-100ms · millions of events/sec

NeMo-customized models

Security reasoning models fine-tuned on the Triago attack-trace corpus. Served via TensorRT and Triton at under 2 seconds p99 across 10,000+ concurrent alerts.

NVFlare federated training

Customers contribute model gradient updates, not raw telemetry. The shared security foundation model improves with every investigation across the whole network.

NIM for VPC and air-gapped deploy

The entire model fleet packages as NVIDIA NIM microservices. FedRAMP, defense, and critical-infrastructure customers run Triago in their own VPC or air-gapped environment without shipping data anywhere.

RAPIDS GPU analytics

TB-scale log and flow ETL via RAPIDS cuDF. Causal graph inference via cuGraph. The same GPU infrastructure powers Huntra's threat-hunting analytics on historical telemetry.

See it on your data.

A pilot takes a week. We promise a verdict accuracy number you'll trust by Friday.

Start free pilot