Streamlining Security Investigations with Agents

Slack's Security Engineering team built an AI agent system to automate and improve security alert investigations at scale.

• •Initial prototype used a single 300-word prompt with an MCP server exposing data sources, but produced inconsistent results
• •Solution replaced the monolithic prompt with a chain of structured model invocations, each with a defined JSON schema output
• •Multi-agent architecture uses three persona types: Director (orchestrates investigation flow), Expert (domain-specific analysts for Access, Cloud, Code, Threat), and Critic (scores finding credibility to reduce hallucinations)
• •A "knowledge pyramid" model strategically assigns low/medium/high-cost LLMs to expert/critic/director roles to manage token costs
• •Investigation proceeds through phases (Discovery, Trace, Conclude) with a Hub-Worker-Dashboard service architecture for real-time observability