Five specialist agents that collaborate the way a senior SOC team does — with bounded retries, verifier loops, and human-in-the-loop gates on every consequential action.
Reads the alert, queries policy, drafts an investigation plan with stop conditions and budget.
Pivots through SIEM, EDR, identity, cloud, and threat intel — collecting evidence into a structured case.
Independent model that audits the investigator. Abstains when confidence is low. Triggers escalation.
Executes containment within policy: isolate host, revoke session, disable identity, block hash, file ticket.
Writes the incident note: timeline, IOCs, MITRE mapping, evidence, and recommended hardening.
Continuously replays golden cases against the live fleet — catches regressions before customers do.
Budget caps, two-person rules on disable / contain, escalation paths by severity, hour, and tenant. Versioned, diffable, auditable.
Latency, cost, accuracy, override rate, abstention rate — per workflow, per agent, per tenant. OpenTelemetry export to Datadog, Honeycomb, Grafana.
SAML, OIDC, Okta, Azure AD, Google. Per-action permissions, per-tenant key.
Investigations stream to the channel of your choice. Approve from your phone.
"Show me every alert tied to 198.51.100.42 in the last 90 days." Done.
Foundation models fine-tuned on a proprietary attack-trace dataset and on your own production verdicts (opt-in, federated).
Triago publishes a confidence score on every verdict and abstains rather than guessing when that score falls below the threshold you set. You define the threshold per category.
Episodic memory per host, identity, and tenant. The agent that closed yesterday's case is the same one that opens today's.
MCP-compatible tool registry. Per-tool authz. Sandboxed execution. Failure-tolerant retries.
A pilot takes a week. We promise a verdict accuracy number you'll trust by Friday.