What Triage Actually Looks Like in a Self-Evolving System

Let’s break down the key functions your Triage Mesh handles - not in marketing terms, but in system operations:

1. Deduplicator Agent

Clusters semantically identical alerts - even if fields differ slightly.

• Compares source, timestamps, asset fingerprints, and behavioral indicators.
• Leverages similarity search across alert embeddings (via Qdrant or equivalent).
• Uses temporal clustering to collapse alert storms into singular events.

Example: 300 failed login attempts from different IPs collapse into a single correlated brute force incident.

2. NoiseFilter Agent

Suppresses low-confidence, routine, or previously-ignored alert patterns.

• Trained using historical analyst suppressions and feedback loops.
• Can integrate RAG to ask: “Have we seen this before? Did we care?”
• Uses learned suppression thresholds dynamically - different for each environment.
  

3. S3 Agent (Signal Scoring System)

Scores alerts based on multi-dimensional context: severity, asset criticality, threat actor presence, historical patterns.

• Combines raw alert metadata with organizational context via RAG.
• Uses the OmniSec LLM to interpret loosely-structured fields like attack narratives, toolmarks, or vendor notes.
• Final score drives auto-prioritization and determines auto-escalation eligibility.

Why not static scoring rules? Because a “medium” severity alert on a crown-jewel server at 2am is not medium.

4. Alert Classifier Agent

Categorizes alerts into standardized types (e.g., phishing, malware, insider threat) and assigns severity + priority.

• LLM-powered classification with post-hoc explainability.
• Combines MITRE mapping, payload pattern matching, and behavioral tags.
• Context-aware: “Malware on a jump server” ≠ “Malware on a test VM.”
  

5. Context Link Agent

Pulls in surrounding telemetry to add color before enrichment.

• Integrates with identity platforms (AAD, Okta), EDR, network logs, and previous incident trails.
• Applies RAG to stitch together relevant past alerts/incidents tied to the same user, device, or tactic.
• Builds a contextual envelope around the alert.

6. Alert Summarizer Agent

Converts machine output into analyst- and exec-ready narrative.

• OmniSec LLM generates multiple layers of output: technical (for the SOC), narrative (for execs), and action summary (for SOAR).
• Includes “reason for score”, “why it matters”, and “what’s next” sections.

Why use a security LLM? Because summarizing a phishing header or obfuscated JS file requires domain knowledge - not just NLP.

Why This Architecture Works (When SOAR Doesn’t)

This isn’t just automation - it’s intelligence by design. Each agent is:

• Stateless and modular - You can run them in parallel, on demand, or as fallbacks.
• LLM-native - All critical reasoning is done through OmniSec, a security-tuned model.
• RAG-augmented - Instead of static memory, each agent taps into a vector database populated with:
  
  • Past incidents and resolutions
  • Known threat actor profiles
  • Environment-specific baselines (users, assets, behaviors)

This means the system learns from your SOC - not just the internet.

How RAG Powers Contextual Reasoning in Triage

Let’s say an alert arrives from CrowdStrike about ps1 execution on a sensitive host. The triage process looks like this:

1. Deduplicator Agent checks if this matches other active alerts - embedding similarity search reveals a matching alert 6 mins ago from the same subnet.
2. ContextLink Agent uses RAG to retrieve:
   
   • Login history for the user
   • Recent password resets
   • Known adversary tradecraft matching PowerShell abuse
     
3. S3 Agent scores it:
   
   • High asset sensitivity
   • Off-hours access
     Known bad behavior tree
     → Final score: 92 (Critical)
     
4. AlertSummarizer Agent produces:
   
   • “PowerShell execution on crown-jewel server after hours by finance user. Matches recent Redline activity. Analyst review required.”

This is triage - not playbooks. And it adapts every time your environment changes.

Why This Isn’t Just LLM Hype

Anyone can throw a GPT wrapper on alert data. What makes this work:

• Tightly scoped agents. Each does one thing. Well.
• Trained security LLM (OmniSec) - understands MITRE, CVEs, headers, sandbox trees, and SOPs.
• Live, private context through RAG - your agent reasons with your environment, not a generic training corpus.
• Self-reinforcement through OmniFlex - every analyst action is a learning opportunity.
  

TL;DR: What You Get with SIRP’s Triage Mesh

• No more alert queues
• No more 500-low-severity-phishing duplicates
• Real prioritization based on real risk
• A team of AI agents that learn how your SOC works - and triage faster than any human could