Every workflow ships with a golden eval set, a published accuracy number, and a configurable approval policy. Run them in shadow mode before you trust them in production.
User-reported phishing · subject "Q4 invoice review" · sender finance@acm3.com
SPF fail · DKIM none · domain registered 6 days ago · 1 URL → typosquat
Sandbox · credential-harvesting page · brand impersonation: Microsoft 365
M365 logs · 3 users opened · 1 clicked · 0 submitted credentials
Verifier model: confidence 0.94 · pass
Quarantine across mailboxes · force MFA on clicker · ticket opened in Jira
End-user-reported and gateway-detected. Auto-quarantine, user notify, identity step-up.
Acc 97.2% · 4s median
Impossible travel, new device, residential proxy, atypical OS — enriched + verdicted.
Acc 96.8% · 11s
CrowdStrike, SentinelOne, Defender. Process tree + RTR pivots + verdict.
Acc 94.5% · 18s
Auth graph + Kerberos + SMB usage. Builds a timeline, scopes blast radius.
Acc 89.4% · 2m
Two-person approval. Isolate host, revoke sessions, rotate creds, snapshot.
Acc 95.1% · 38s
AWS / Azure / GCP. Drift detection + IAM blast radius + remediation PR.
Acc 92.7% · 1m
Weekly digest of privilege drift, stale access, MFA gaps, OAuth grants.
Scheduled
DLP + Git + email egress. Pattern-based, human-confirmed.
Scheduled
New IOC drops → retro-hunt against 90 days of logs.
Scheduled
Per-vendor SaaS account hygiene with auto-revocation paths.
Customizable
Triage outbound data events — attribute, classify, escalate.
Customizable
Define a workflow in plain English. Triago ships a draft + evals within 48h.
Forward-deployed
Shadow mode for 7 days. Real verdicts. Real numbers.