Security Operations
Security teams use Amodal to triage alerts, hunt threats, investigate incidents, and hand off across shifts. The agent connects to security tools (SIEM, EDR, vulnerability scanners), loads security-specific skills, and reasons about findings with domain expertise.
Alert Triage
User: "Review the last hour of alerts"
Agent activates: Triage skill
→ Dispatches 3 parallel task agents:
1. Query SIEM for alerts in the last hour
2. Check known false positives in KB
3. Pull recent deployment/change context
→ Filters noise: 47 alerts → 3 worth investigating
→ Presents findings with severity cards and timeline
Threat Hunting
User: "Hunt for lateral movement from 10.0.3.42"
Agent activates: Threat Hunt skill
→ Dispatches task agents to query:
- Network flow logs for 10.0.3.42
- Authentication logs for the associated user
- Process execution logs on the host
- DNS query logs for unusual domains
→ Correlates findings across data sources
→ Builds a timeline of suspicious activity
→ Presents scope map showing affected systems
Key Connections
| System | What It Provides |
|---|---|
| Datadog / Splunk | SIEM data, log queries, metric analysis |
| CrowdStrike / SentinelOne | EDR telemetry, process trees, IOCs |
| PagerDuty | Alert management, on-call routing |
| Jira / ServiceNow | Ticket creation, incident tracking |
| Slack | Team communication, status updates |
Relevant Skills
- Triage — scan, prioritize, filter noise
- Deep Dive — exhaustive entity profiling
- Threat Hunt — proactive targeted search
- Incident Response — context gathering, impact assessment
- Shift Handoff — summarize findings for the next shift
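Added example, not Amodal's own code: a small Python routine in the spirit of the Threat Hunt flow above, which merges constructed network flow, authentication and process events around a pivot host into a single timeline and derives the scope of affected systems (the DNS source is left out). The function name `hunt_lateral_movement`, the record field names and all sample records are assumptions.

```python
from datetime import datetime

# Constructed sample events, one list per data source, shaped the way a
# threat-hunt step might receive them after querying a SIEM/EDR (assumed schema).
FLOW_LOGS = [
    {"ts": "2024-05-01T09:00:00", "src": "10.0.3.42", "dst": "10.0.3.50", "dport": 445},
    {"ts": "2024-05-01T09:02:00", "src": "10.0.3.42", "dst": "10.0.3.51", "dport": 3389},
    {"ts": "2024-05-01T09:03:00", "src": "10.0.7.9", "dst": "10.0.3.42", "dport": 443},
]
AUTH_LOGS = [
    {"ts": "2024-05-01T09:00:05", "user": "jdoe", "src": "10.0.3.42", "host": "10.0.3.50", "ok": True},
    {"ts": "2024-05-01T09:02:10", "user": "jdoe", "src": "10.0.3.42", "host": "10.0.3.51", "ok": False},
]
PROCESS_LOGS = [
    {"ts": "2024-05-01T09:00:30", "host": "10.0.3.50", "cmd": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T09:00:40", "host": "10.0.3.60", "cmd": "notepad.exe"},
]


def hunt_lateral_movement(pivot, flows, auths, procs):
    """Correlate three sources around the pivot host (hypothetical helper).

    Returns (timeline, scope): timeline is a time-sorted list of
    (timestamp, source, description) tuples touching the pivot or a host it
    reached; scope is the set of hosts reached by a successful logon from it.
    """
    # Hosts the pivot successfully authenticated to form the scope map.
    scope = {a["host"] for a in auths if a["src"] == pivot and a["ok"]}
    events = []
    for f in flows:
        if pivot in (f["src"], f["dst"]):
            events.append((f["ts"], "flow", f"{f['src']} -> {f['dst']}:{f['dport']}"))
    for a in auths:
        if a["src"] == pivot:
            outcome = "success" if a["ok"] else "failure"
            events.append((a["ts"], "auth", f"{a['user']} {a['src']} -> {a['host']} {outcome}"))
    for p in procs:
        # Process activity matters only on the pivot or on hosts it reached;
        # unrelated hosts (10.0.3.60 here) are dropped as noise.
        if p["host"] == pivot or p["host"] in scope:
            events.append((p["ts"], "process", f"{p['host']}: {p['cmd']}"))
    timeline = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    return timeline, scope


if __name__ == "__main__":
    tl, sc = hunt_lateral_movement("10.0.3.42", FLOW_LOGS, AUTH_LOGS, PROCESS_LOGS)
    print("scope:", sorted(sc))
    for ts, src, desc in tl:
        print(ts, src, desc)
```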