Triage: the opening read
Ingests the raw alert, normalizes it, returns a structured verdict: true positive, false positive, or escalate — with severity and reasoning. Structured JSON via tool-use, so every downstream agent consumes a clean contract, not free text.
Hunt: corroborate and contradict
Pivots across available log sources for evidence on both sides. Hunt is not trying to confirm Triage — it’s gathering everything relevant, including the facts that argue against the initial call.
Challenge: the adversary
The architectural commitment. Challenge takes the Triage verdict and attempts to dismantle it: what would have to be true for this to be a false positive? What benign explanation fits the same evidence? A verdict that survives Challenge is one you can act on. A verdict that doesn’t gets flagged, not buried.
Evidence: the case file
Separates the known from the assumed from the missing. This is what makes the output auditable: an analyst can see not just the conclusion but the gaps in it.
EDR Manager: host-level ground truth
Reaches into endpoint telemetry to confirm or deny what the logs suggest. Process lineage, parent-child relationships, signing status.
Email Guardian: the delivery vector
For anything email-borne: resolves sender reputation, payload, and the full delivery path. Closes the “how did this get in” question.
Briefer: the human handoff
Writes the narrative a human actually reads. Not a field dump — a decision, the reasoning behind it, and what to do next.
Auditor: the final check
Validates the entire chain before it surfaces. Catches internal contradictions, broken reasoning, incomplete evidence. The last gate.
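The two load-bearing ideas above are the structured Triage contract (a schema-constrained tool call instead of free text) and the Auditor's consistency pass over the whole chain. The following is an added illustration, not the product's own code: the tool schema, field names (`verdict`, `severity`, `reasoning`, `evidence_ids`), the case-file layout (`known` / `assumed` / `missing`) and the audit rules are all assumptions chosen to show how a consumer can enforce the contract and how an auditor can catch a verdict that leans on an assumption or ignores an unrebutted benign explanation.

```python
"""Added example: a structured Triage verdict contract plus an
Auditor-style consistency check. Illustrative only; the schema, the
case-file layout and the audit rules are assumptions, not the product's."""
import json
from typing import Any

VERDICTS = {"true_positive", "false_positive", "escalate"}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}

# Tool definition the Triage agent is asked to call. Because the model must
# fill this schema, downstream agents receive typed JSON, never prose.
# (Assumed shape; a generic JSON-schema style tool definition.)
TRIAGE_VERDICT_TOOL = {
    "name": "record_verdict",
    "description": "Record the triage verdict for one alert.",
    "input_schema": {
        "type": "object",
        "properties": {
            "verdict": {"type": "string", "enum": sorted(VERDICTS)},
            "severity": {"type": "string", "enum": sorted(SEVERITIES)},
            "reasoning": {"type": "string"},
            "evidence_ids": {"type": "array", "items": {"type": "string"}},
        },
        "required": ["verdict", "severity", "reasoning", "evidence_ids"],
        "additionalProperties": False,
    },
}


def validate_verdict(payload: str) -> dict[str, Any]:
    """Enforce the contract on the consuming side: reject anything that is
    not a well-formed verdict before any other agent acts on it."""
    data = json.loads(payload)
    schema = TRIAGE_VERDICT_TOOL["input_schema"]
    missing = [k for k in schema["required"] if k not in data]
    if missing:
        raise ValueError(f"verdict missing fields: {missing}")
    extra = set(data) - set(schema["properties"])
    if extra:
        raise ValueError(f"verdict has unexpected fields: {sorted(extra)}")
    if data["verdict"] not in VERDICTS:
        raise ValueError(f"unknown verdict {data['verdict']!r}")
    if data["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {data['severity']!r}")
    ids = data["evidence_ids"]
    if not isinstance(ids, list) or not all(isinstance(e, str) for e in ids):
        raise ValueError("evidence_ids must be a list of strings")
    if not isinstance(data["reasoning"], str) or not data["reasoning"].strip():
        raise ValueError("reasoning must be a non-empty string")
    return data


def audit_chain(verdict: dict[str, Any], case_file: dict[str, list[str]],
                challenge: dict[str, Any]) -> list[str]:
    """Auditor-style checks over verdict, case file and Challenge output.
    Returns a list of findings; an empty list means the chain may surface."""
    findings: list[str] = []
    known = set(case_file.get("known", []))
    assumed = set(case_file.get("assumed", []))
    # Evidence the verdict leans on must be a known fact, not an assumption
    # (and certainly not something the Evidence agent never recorded).
    for eid in verdict["evidence_ids"]:
        if eid in known:
            continue
        if eid in assumed:
            findings.append(f"verdict cites {eid!r}, which is only an assumption")
        else:
            findings.append(f"verdict cites {eid!r}, which is not in the case file")
    if not verdict["evidence_ids"]:
        findings.append("verdict cites no evidence at all")
    # A false positive carrying an actionable severity is an internal contradiction.
    if verdict["verdict"] == "false_positive" and verdict["severity"] in {"high", "critical"}:
        findings.append("false_positive verdict carries high/critical severity")
    # A benign explanation from Challenge that nobody rebutted cannot coexist
    # with a plain true-positive call; it should have been flagged.
    if (challenge.get("benign_explanation") and not challenge.get("rebutted", False)
            and verdict["verdict"] == "true_positive"):
        findings.append("unrebutted benign explanation contradicts true_positive verdict")
    return findings


# Constructed sample chain (not real telemetry): Triage called it a true
# positive on two evidence ids, but one of them is only assumed and
# Challenge's benign reading was never rebutted.
SAMPLE_VERDICT_JSON = json.dumps({
    "verdict": "true_positive",
    "severity": "high",
    "reasoning": "Office process spawned a scripting host with an encoded command line.",
    "evidence_ids": ["ev-1", "ev-2"],
})
SAMPLE_CASE_FILE = {"known": ["ev-1"], "assumed": ["ev-2"], "missing": ["ev-3"]}
SAMPLE_CHALLENGE = {"benign_explanation": "signed admin script run by helpdesk", "rebutted": False}


def run_demo() -> list[str]:
    """Validate the sample verdict, then audit it; returns the findings."""
    verdict = validate_verdict(SAMPLE_VERDICT_JSON)
    return audit_chain(verdict, SAMPLE_CASE_FILE, SAMPLE_CHALLENGE)


if __name__ == "__main__":
    for finding in run_demo():
        print("AUDIT:", finding)
```

Running it prints two audit findings: the verdict rests on an assumed fact, and an unrebutted benign explanation contradicts the true-positive call. Both are the kind of gap the page says the Auditor exists to catch before a verdict reaches an analyst; the point of the validator is that the contract is enforced by the consumer, not trusted on the producer's word.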