
Security incident triage

You’ll build an agent that triages incoming security alerts, classifies severity, and proposes containment steps — but requires human approval before taking any action.

The plan

  1. Start from an Agent Hub template
  2. Define triage and severity rules
  3. Require approval for actions
  4. Trigger on new alerts

Step 1 — Start from a template

Open the Agent Hub and install a security or triage template as a starting point, then refine its system instructions. (Or build fresh in Agents.)

Step 2 — Define triage rules

In the system instructions, encode your severity scale and classification logic, including which evidence moves an alert up or down a level, so each alert gets a consistent assessment and a recommended next step.

Step 3 — Require approval

Turn on Require Approval in the Capabilities tab so the agent proposes containment but a human approves before any tool runs. Containment actions such as isolating a host or disabling an account are disruptive and hard to reverse, and a misclassified alert must not be able to trigger them on its own, so this gate is essential for security workflows.

Step 4 — Trigger on alerts

Add a trigger so triage starts the moment an alert arrives. Test from the builder preview with representative sample alerts, including low-severity noise and at least one case that should propose containment, before connecting it to live alerts.
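The severity rules from Step 2 and the approval gate from Step 3, written out as an added Python example that is not part of this guide or of the product. The agent's system instructions are natural language, so this models the same logic as plain code you can run against sample alerts: a category sets a base severity, asset tier, detector confidence and lateral-movement evidence adjust it, containment is proposed only at HIGH and above, and nothing executes unless a human approval names the same alert and exactly the proposed actions. The alert fields, category names, tier labels, thresholds and action names are assumptions, and the sample alerts are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Alert:
    id: str
    category: str          # assumed detector category, e.g. "malware"
    asset_tier: str        # assumed inventory tag: "crown_jewel", "prod" or "dev"
    confidence: float      # detector confidence, 0.0 to 1.0
    indicators: dict = field(default_factory=dict)


@dataclass
class Triage:
    alert_id: str
    severity: Severity
    rationale: list[str]
    next_step: str
    proposed_actions: list[str]


# Severity rules of the kind the guide says to encode in the system instructions.
# The values and action names are assumptions for this example.
CATEGORY_BASE = {"malware": Severity.HIGH, "credential": Severity.HIGH,
                 "exfil": Severity.CRITICAL, "scan": Severity.LOW, "policy": Severity.LOW}
TIER_ADJUST = {"crown_jewel": 1, "prod": 0, "dev": -1}
CONTAINMENT = {"malware": ["isolate_host"],
               "credential": ["disable_account", "revoke_sessions"],
               "exfil": ["isolate_host", "block_destination"]}
NEXT_STEP = {Severity.LOW: "close or add to monitoring",
             Severity.MEDIUM: "analyst review within the shift",
             Severity.HIGH: "analyst review now; containment proposed",
             Severity.CRITICAL: "page on-call; containment proposed"}


def classify(alert: Alert) -> Triage:
    """Apply the severity rules and record why each adjustment was made."""
    base = CATEGORY_BASE.get(alert.category, Severity.MEDIUM)
    score = int(base)
    why = [f"category {alert.category!r}: base {base.name}"]
    tier = TIER_ADJUST.get(alert.asset_tier, 0)
    if tier:
        score += tier
        why.append(f"asset tier {alert.asset_tier!r}: {tier:+d}")
    if alert.confidence < 0.5:
        score -= 1
        why.append(f"detector confidence {alert.confidence:.2f} below 0.50: -1")
    if alert.indicators.get("lateral_movement"):
        score += 1
        why.append("lateral movement observed: +1")
    sev = Severity(max(Severity.LOW, min(Severity.CRITICAL, score)))
    # Containment is proposed only at HIGH and above; lower severities are review-only.
    actions = list(CONTAINMENT.get(alert.category, [])) if sev >= Severity.HIGH else []
    return Triage(alert.id, sev, why, NEXT_STEP[sev], actions)


class ApprovalRequired(Exception):
    """Raised when containment is attempted without a matching human approval."""


@dataclass(frozen=True)
class Approval:
    alert_id: str
    actions: tuple[str, ...]   # exactly the actions the approver saw
    approver: str


def approval_problem(triage: Triage, approval: Approval | None) -> str | None:
    """Return why the approval does not cover this triage, or None if it does."""
    if approval is None:
        return "no approval recorded"
    if approval.alert_id != triage.alert_id:
        return "approval is for a different alert"
    if tuple(triage.proposed_actions) != approval.actions:
        return "approved actions differ from the proposed actions"
    return None


def execute_containment(triage: Triage, approval: Approval | None = None) -> list[tuple[str, str, str]]:
    """Run the proposed actions only under a matching approval.

    Returns (alert_id, action, approver) records instead of calling real tools."""
    if not triage.proposed_actions:
        return []
    problem = approval_problem(triage, approval)
    if problem:
        raise ApprovalRequired(f"{triage.alert_id}: {problem}")
    return [(triage.alert_id, a, approval.approver) for a in triage.proposed_actions]


SAMPLE_ALERTS = [  # constructed sample data, not real alerts
    Alert("A-1", "malware", "prod", 0.92),
    Alert("A-2", "credential", "crown_jewel", 0.80, {"lateral_movement": True}),
    Alert("A-3", "scan", "dev", 0.95),
    Alert("A-4", "malware", "dev", 0.30),
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        t = classify(alert)
        print(f"{t.alert_id} {t.severity.name:8} -> {t.next_step}; proposed {t.proposed_actions}")
        for line in t.rationale:
            print("   ", line)
    t2 = classify(SAMPLE_ALERTS[1])
    try:
        execute_containment(t2)          # no approval: blocked
    except ApprovalRequired as e:
        print("blocked:", e)
    ok = Approval("A-2", tuple(t2.proposed_actions), "analyst@example")
    print("executed:", execute_containment(t2, ok))
```

Two design points worth carrying into the real agent: every adjustment is written into the rationale so the approver sees why the alert landed where it did, and the approval binds to the exact action list, so an approval granted for one proposal cannot be reused if the agent later proposes something broader for the same alert.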

Where to go next