Use Cases
Automated Slack Triage
Automatically triages security alerts in Slack threads by investigating the detection, querying relevant logs, updating ticket status, and posting a structured summary with recommendations. This agent ensures every alert gets timely, consistent, and thorough review — reducing MTTR and analyst workload.
Alert & Incident Triage
Tools
Linear | Slack | IP Lookup | Scanner
Trigger
Slack
Agent Flow
When @mentioned in a Slack thread, the agent acknowledges with a :brain: emoji, replies that it is investigating, and kicks off triage. If the thread references a Linear ticket, the agent updates the ticket's status to Acknowledged.
Using the detection ID, the agent:
- Retrieves the alert from Scanner
- Correlates related log data (3h before, 5–10m after the detection)
- Converts all timestamps from UTC to local time
- Enriches findings using IP lookup
It then posts a summary in Slack and updates the Linear ticket, covering:
- Who did what, when, and where
- Recommendations: close, escalate, tune detection, or request follow-up
- Suggested detection rule updates if closing as a false positive