CTP247 · PRE-LAUNCH

Coming soon.

CTP247 is cyber threat protection that never clocks out — autonomous agents watching your attack surface, brand, and the dark web 24/7. Leave your email and we'll let you know when it's live.

One email at launch. No newsletters, no marketing dripfeed.


Investigation Agent

The agent that asks the questions a junior analyst forgets.

Iterates through actor → asset → IOC → prior cases. Shows its work.

When an alert needs more than a glance, the Investigation agent picks it up. Up to six iterations, each a tool call against your live data — alert lookups, IOC pivots, actor lookups, related-alert search, asset-exposure checks — ending with a final assessment that cites every decision. The dashboard shows the full trace. So can your auditor.

Iteration trace

run · 019d-…-aa28
iter 1 · lookup_alert(alert_id="ALERT-9817")
Read the alert before anything else.
Critical · C2 indicator 185.101.94.215 · source=feodo_tracker
iter 2 · search_iocs(value="185.101.94.215")
How widely is this indicator corroborated?
Seen in 3 feeds · first_seen 22d ago · tags: c2, botnet
iter 3 · lookup_threat_actor(indicator="185.101.94.215")
Does it map to a known actor?
Match: APT28 (Fancy Bear) · GRU Unit 26165 · risk 95
iter 4 · related_alerts(same IOC cluster, 90d)
Has this cluster touched us before?
2 prior alerts · linked case CASE-018 · status=remediated

Final assessment

Critical · conf 91%

APT28-linked C2 indicator corroborated across three feeds. Two prior alerts touch the same IOC cluster and CASE-018 covered the same TTP — recommend reopening it, not duplicating.

  • Re-open CASE-018 (don't duplicate)
  • Block 185.101.94.215 at egress
  • Hunt 10.4.18.99 for T1078 evidence

Inputs

  • A single alert (with linked IOCs and matched entities)
  • Your asset inventory and DNS/log data
  • Org-wide IOC and case history
  • Threat-actor catalogue with TTP coverage

Outputs

  • Final assessment (severity, confidence, attribution)
  • Tool-call trace per iteration (auditable, JSON)
  • Linked findings ready to promote into a case
  • Recommended next steps with citations

Runtime

  • Iterations: ≤ 6 tool calls
  • Tools available: 5 read-only
  • Plan-then-act: optional gate
  • Cost ceiling: per-run cap
  • Trace: every step persisted

6 · Max tool calls before forced finalise
100% · Tool calls logged with thought, args, and result
5 · Read-only tools — the agent can look, never touch