← Back to projects Planned · final project of the series

Multi-Agent Security Operations Triage

Incoming incident reports get classified, enriched with context, prioritised and drafted into structured reports by cooperating agents, with a human approving every consequential step. Not an autonomous toy: an agent system built the way you would have to build it for a real operations team.

Why this project

Incident triage is work I know from the inside. In my security and compliance roles I have written and processed the exact kind of unstructured incident reports this system handles, and I know where the time goes: classification, looking up related history, deciding severity, and writing it all up consistently. It is a genuinely good fit for agents, and a genuinely bad fit for full autonomy, which is why human-in-the-loop approval is a core design constraint rather than an afterthought.

What it does

Architecture

IntakeRaw incident report arrives via FastAPI endpoint
ClassifyIncident type and required follow-ups, as structured output
EnrichTool calls into PostgreSQL: related incidents, site history, personnel context
PrioritiseSeverity scoring with explicit reasoning captured in the trace
Draft & approveStructured report drafted; human approves, edits or rejects at a checkpoint
Observe & evaluateLangfuse tracing, cost tracking, golden-set trajectory evaluation in CI

Skills demonstrated