Case Copilot Agent

Half the IR pain is 'what's the latest?' — solved.

Watches every linked finding, rewrites the case context as evidence lands.

When alerts escalate into a case, Case Copilot reads everything linked to it — alerts, IOCs, comments, agent verdicts, state transitions — and rewrites the case summary and recommended next steps on demand. The on-call analyst opens the case at 2am, hits refresh, and reads the latest version, not yesterday's stale one.

CASE-019 · OAuth abuse · DC-VPN-099

Timeline

in_progress

09:14alert

Linked: ALERT-9842 — Suspicious OAuth from DC-VPN-099

09:14state

State: open → triaged

09:18ioc

IOC linked: 185.101.94.215 (APT28 C2)

09:21investigation

Investigation agent finished · severity=Critical · conf=0.91

09:24comment

Analyst: 'CASE-018 covered the same TTP, reopen instead of dup.'

09:27state

State: triaged → in_progress

Auto-summary

copilot · v1

OAuth abuse on DC-VPN-099 from a known C2 attributable to APT28. Investigation agent confirmed the link with conf=0.91 across 4 iterations. CASE-018 covered the same TTP last quarter and the analyst flagged this as a re-open candidate, not a duplicate.

re-runs every time evidence changes · idempotent · cancellable

Inputs

Case state and metadata
All linked alerts, findings, comments, transitions
Other agents' outputs (investigation traces, hunt findings)
The analyst's most recent comments — they're authoritative

Outputs

Case summary that mirrors the latest evidence
Suggested next steps with citations
Full run trace — every rewrite auditable
Recommended state transitions when criteria are met

Runtime

Triggerone-click refresh on the case
Idempotentyes — re-runnable anytime
Authorityanalyst comments always win
Output capsummary ≤ 600 chars

Click to fold every linked finding into a fresh summary

Manual 'update the case ticket' tasks for the analyst

100%

Rewrites traced and auditable, run by run

Brand Defender Get a demo Scenarios