Feed Triage Agent

Every entry read. Only the hits alert.

Reads every new feed entry, writes the few worth waking an analyst.

CTP247's triage agent runs on every fresh entry across your feeds. It classifies against your declared tech stack and brand, extracts indicators of compromise, decides whether the entry warrants an alert, and explains why. If it's not a hit for you specifically, it gets dropped — no analyst time burned.

Incoming feed entry · ingest

[cisa_kev]

CVE-2026-04812 — Adobe Acrobat RCE

Exploited CVE

→

LLM decision · agent

Decision

Acrobat in declared tech stack · KEV listed

Output · alert

Alert opened

3 IOCs extracted · linked

Inputs

Raw feed entries (CISA KEV, abuse.ch, dshield, MISP, OTX, urlhaus, ransomware leaks)
Your declared tech stack (vendors, products, versions)
Brand keywords and primary domains
Past triage feedback (analyst thumbs)

Outputs

Alerts with severity, category, reasoning, recommended action
IOCs extracted from each hit, linked to the alert
Run record with cost, model, duration, FP rate trend
Audit trail per LLM call (input payload, structured result, model, cost)

Runtime

Windowrolling 24h
Cadenceevery new entry
Iterationssingle-pass
Cost gateper-org budget
Plan-then-actn/a (read-only)

Feeds triaged out of the box

100%

Decisions recorded with reasoning and cost

Manual classification rules to maintain

All agents Get a demo Investigation