Multi-Agent Security Operations Triage
Incoming incident reports get classified, enriched with context, prioritised and drafted into structured reports by cooperating agents, with a human approving every consequential step. Not an autonomous toy: an agent system built the way you would have to build it for a real operations team.
Why this project
Incident triage is work I know from the inside. In my security and compliance roles I have written and processed the exact kind of unstructured incident reports this system handles, and I know where the time goes: classification, looking up related history, deciding severity, and writing it all up consistently. It is a genuinely good fit for agents, and a genuinely bad fit for full autonomy, which is why human-in-the-loop approval is a core design constraint rather than an afterthought.
What it does
- Orchestrates a LangGraph workflow: a classifier agent, an enrichment agent that pulls related incidents and location history from PostgreSQL, a prioritisation agent, and a report-drafting agent
- Forces every agent output through Pydantic structured-output schemas, so downstream steps never parse free text
- Pauses at human-in-the-loop checkpoints before anything is filed or escalated
- Tracks cost per run and enforces guardrails on tool use and output content
- Traces every agent step in Langfuse, and evaluates full agent trajectories against a golden test set, not just final answers
Architecture
Skills demonstrated
- Agent orchestration with LangGraph: state machines, tool calling, checkpointing
- Structured outputs and schema-driven agent design with Pydantic
- Production agent concerns: guardrails, cost tracking, observability, HITL
- Agent evaluation beyond vibes: golden-set trajectory testing in CI
- Domain knowledge from working real incident and compliance workflows