Many aspects of what makes an investigation successful are the best parts of human intelligence: judgment, contextual awareness, and strategic thinking. But the overwhelming demands of the current security landscape — with attacker breakout times now under an hour — narrow the window in which those skills can be applied at scale. What if you could encode the instincts of an experienced analyst into every investigation and execute at machine speed?
For too long, security automation has meant rigid workflows and shallow actions. SOAR tools promised relief but often delivered brittle playbooks that broke with nuance or failed to adapt effectively to evolving threats or new data sources. Meanwhile, threat actors have evolved to think faster, act smarter, and scale with AI. Our defenses need to do the same.
At Rapid7, our view of the future of cybersecurity combines deep human expertise with intelligent systems that perceive, reason, and act with autonomy. Today, we’re proud to introduce agentic AI workflows, powered by the Rapid7 AI Engine: a system that brings structured thinking, deep analysis, and scalable decision-making to every investigation within our next-gen SIEM.
Rapid7’s global Security Operations Center (SOC) has always been driven by expert analysts who follow proven, disciplined workflows and playbooks to deliver consistent service to our customers. They work directly out of our next-gen SIEM to bring transparency and streamlined delivery to customers. Every alert is assessed rigorously: oriented, enriched, and investigated before a response is delivered. With agentic AI workflows, we’re now scaling those principles, giving analysts and customers an AI partner capable of performing the same structured investigative process they’ve been conducting, visible in the same platform in seconds.
Introducing agentic AI workflows to the Rapid7 SOC
This is where things get exciting. With agentic AI workflows we’ve reimagined how an alert gets investigated by building an intelligent partner that knows how to think, plan, and act — and surfaces the right insights to human analysts for action.
Let’s walk through how it works, step-by-step:
Getting oriented: The moment an alert page loads, the agent initiates the workflow. It’s not just scanning — it’s perceiving the environment, actively taking in the alert details to build a mental model of what’s going on. Think of it as the digital equivalent of an analyst reading the room.
Calling in the specialists: If the alert contains enough information, the agent taps our deterministic ML models. These are specialist models that can make fast, confident decisions — and if they can disposition the alert, the agent knows to pass it along. It’s teamwork in action.
Digging deeper: If there’s not enough to go on, the agent doesn’t give up. Instead, it kicks off the next phase — seeking out more information, gathering related logs, history, and context. It’s re-orienting, expanding its situational awareness.
Thinking it through: Now the real reasoning begins. The agent evaluates what it knows, considers what’s missing, and forms a plan. It's using our documented playbooks and best practices, combined with the context to figure out what questions to ask and how to find the answers.
Executing the plan: Then comes action. The agent executes its plan autonomously — querying data sources, analyzing results, connecting the dots. And importantly, it documents everything along the way. It’s like having an analyst that never loses focus.
Pulling it all together: Finally, the agent steps back, reviews all the information it’s gathered, and reasons about what it all means. It forms a conclusion, identifies the next steps, and packages that insight for the human analyst to act on. And here’s the key: the human is still in control. The Rapid7 AI Engine doesn't override; it empowers.
Everything evaluated and surfaced is transparent, traceable, and explainable. You can see its entire train of thought directly within our next-gen SIEM — what it did, why it did it, and how it reached its recommendation. The agentic AI workflow assembles evidence, draws conclusions, and delivers it all in a way that sharpens and accelerates human judgment, rather than replacing it.
The OSCAR Framework: A proven methodology for investigations
At the heart of every great investigation is a proven structure. The Rapid7 SOC leverages the OSCAR framework — a repeatable, rigorous approach to alert triage and resolution. It ensures investigations are efficient, consistent, and complete. Here's how it works:
Orient: Analysts begin by reviewing the initial alert signal and its metadata. They determine what’s known, what’s missing, and what context is needed to make sense of the activity.
Strategize: Based on the alert type, potential severity, and initial signal clarity, the analyst forms an approach: Can the issue be resolved with current data, or will it require deeper investigation?
Collect: The analyst begins data gathering. This might include historical context on the user or asset, similar past alerts, endpoint activity logs, authentication records, or threat intel correlations.
Analyze: With data in hand, the analyst interprets findings: looking for behavior patterns, verifying anomaly authenticity, and cross-referencing indicators of compromise or known malicious behaviors.
Report: Once the investigation is complete, the analyst summarizes their findings, outlines recommended actions, and shares outcomes with the response team or customer for final decisions and remediation.
This method isn’t just thorough; it’s teachable, scalable, and well suited to embedding in an intelligent system. With agentic AI, every step of OSCAR can be mirrored, executed autonomously, and presented for human validation, delivering speed without compromising depth.
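To make the structure concrete, here is a small, added illustration of the OSCAR loop described above and of the step-by-step agent walkthrough earlier on this page: each phase records what it did and why in an ordered evidence trail, the Strategize phase decides whether the alert can be closed on current data or needs collection, and the final report is marked for human validation. This is example code written for this page, not Rapid7's implementation. The alert schema, the sample authentication events, the known-benign source list and the failure threshold are all constructed assumptions; the "known-benign list" stands in for the specialist fast path, not for any real model.

```python
"""Toy OSCAR-style triage loop that keeps an evidence trail for every step.

Added example for this page, not Rapid7's code. The alert schema, the sample
events, the allowlist and the thresholds are all constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed telemetry: one routine login from the user's usual country, then a
# burst of failures from a new IP followed by a success, and the same IP probing
# a second account.
EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "jdoe", "src_ip": "198.51.100.3", "country": "US", "event": "auth_success"},
    {"ts": "2024-05-01T09:58:00Z", "user": "jdoe", "src_ip": "203.0.113.7", "country": "BR", "event": "auth_fail"},
    {"ts": "2024-05-01T09:58:05Z", "user": "jdoe", "src_ip": "203.0.113.7", "country": "BR", "event": "auth_fail"},
    {"ts": "2024-05-01T09:58:11Z", "user": "jdoe", "src_ip": "203.0.113.7", "country": "BR", "event": "auth_fail"},
    {"ts": "2024-05-01T09:58:40Z", "user": "jdoe", "src_ip": "203.0.113.7", "country": "BR", "event": "auth_success"},
    {"ts": "2024-05-01T10:00:00Z", "user": "asmith", "src_ip": "203.0.113.7", "country": "BR", "event": "auth_fail"},
]

# Constructed alert: the successful login that followed the failure burst.
ALERT = {"type": "login_after_failures", "user": "jdoe", "src_ip": "203.0.113.7",
         "country": "BR", "ts": "2024-05-01T09:58:40Z"}

# Stand-in for the fast "specialist" path: sources dispositioned benign without
# further collection (assumed internal scanner address, not a real model).
KNOWN_BENIGN_SOURCES = {"192.0.2.10"}
FAIL_THRESHOLD = 3                  # failures from one source that count as a burst
HISTORY_WINDOW = timedelta(hours=24)


@dataclass
class Investigation:
    alert: dict
    trail: list = field(default_factory=list)      # ordered (step, note) pairs
    evidence: list = field(default_factory=list)
    disposition: str = "undetermined"
    next_steps: list = field(default_factory=list)

    def note(self, step, msg):
        self.trail.append((step, msg))


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def orient(inv):
    """Orient: read the signal and record what is known and what is missing."""
    a = inv.alert
    missing = [k for k in ("user", "src_ip", "ts") if not a.get(k)]
    inv.note("Orient", f"{a.get('type')}: user={a.get('user')} src={a.get('src_ip')} "
                       f"missing={missing or 'none'}")


def strategize(inv):
    """Strategize: return True if the alert can be closed on current data alone."""
    if inv.alert["src_ip"] in KNOWN_BENIGN_SOURCES:
        inv.disposition = "benign"
        inv.note("Strategize", "source is on the known-benign list; no collection needed")
        return True
    inv.note("Strategize", "signal alone is inconclusive; collecting user and source history")
    return False


def collect(inv, events):
    """Collect: recent history for the user plus everything from the source IP."""
    t0 = parse_ts(inv.alert["ts"])
    for e in events:
        same_user_recent = (e["user"] == inv.alert["user"]
                            and abs(parse_ts(e["ts"]) - t0) <= HISTORY_WINDOW)
        if same_user_recent or e["src_ip"] == inv.alert["src_ip"]:
            inv.evidence.append(e)
    inv.note("Collect", f"gathered {len(inv.evidence)} related events")


def analyze(inv):
    """Analyze: failure burst followed by success, new country, other accounts probed."""
    user, src = inv.alert["user"], inv.alert["src_ip"]
    from_src = [e for e in inv.evidence if e["user"] == user and e["src_ip"] == src]
    fails = [parse_ts(e["ts"]) for e in from_src if e["event"] == "auth_fail"]
    wins = [parse_ts(e["ts"]) for e in from_src if e["event"] == "auth_success"]
    burst_then_success = len(fails) >= FAIL_THRESHOLD and any(w > max(fails) for w in wins)
    usual = Counter(e["country"] for e in inv.evidence
                    if e["user"] == user and e["event"] == "auth_success" and e["src_ip"] != src)
    new_country = inv.alert["country"] not in usual
    other_targets = sorted({e["user"] for e in inv.evidence if e["src_ip"] == src} - {user})
    inv.note("Analyze", f"{len(fails)} failures then success={burst_then_success}; "
                        f"new country={new_country}; other accounts probed={other_targets}")
    if burst_then_success:
        inv.disposition = "malicious_suspected"
        inv.next_steps = [f"reset credentials and revoke sessions for {user}",
                          f"block {src} at the perimeter",
                          *[f"review account {u}" for u in other_targets]]
    elif len(fails) >= FAIL_THRESHOLD or new_country:
        inv.disposition = "needs_review"
        inv.next_steps = [f"confirm login from {inv.alert['country']} with {user}"]
    else:
        inv.disposition = "benign"


def report(inv):
    """Report: the recommendation plus the full trail; the analyst makes the final call."""
    inv.note("Report", f"disposition={inv.disposition}; {len(inv.next_steps)} recommended actions")
    return {"disposition": inv.disposition, "next_steps": inv.next_steps,
            "evidence": inv.evidence, "trail": inv.trail, "human_validated": False}


def triage(alert, events):
    inv = Investigation(alert)
    orient(inv)
    if not strategize(inv):
        collect(inv, events)
        analyze(inv)
    return report(inv)


if __name__ == "__main__":
    result = triage(ALERT, EVENTS)
    for step, msg in result["trail"]:
        print(f"[{step:10}] {msg}")
    print(result["disposition"], result["next_steps"])
```

The point of the trail is the transparency property the page stresses: every disposition the loop emits can be read back step by step, and `human_validated` stays false until an analyst confirms it. Running the block prints the five-step trail for the constructed alert; an alert from the allowlisted source short-circuits after Strategize and goes straight to Report.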
Engineered for trust, built for scale
At Rapid7, AI isn’t a bolt-on or a black box. It’s a deeply integrated component of our next-gen SIEM, trained on workflows designed by our own SOC experts, and refined through continuous real-world application. Today, we’ve built the Rapid7 AI Engine to inject intelligence directly into the SOC workflow: flagging anomalous behavior, triaging alerts with leading accuracy, working through the investigation lifecycle, and delivering transparent outputs for analysts and customers.
But trust isn’t just about delivering results. It’s about how those results are achieved, and whether customers can understand, verify, and rely on them. That’s why our approach to AI is grounded in our TRiSM framework: Transparency, Risk management, Security, and Model governance.
We’ve aligned our practices with leading standards like the NIST AI Risk Management Framework and the Open Standard for Responsible AI. That means we build AI systems with clear safeguards, evaluate them throughout their lifecycle, and hold ourselves accountable for their behavior. Transparency isn’t an afterthought; it’s built in, with every action logged and explainable inside InsightIDR.
For us, AI isn’t just a feature — it’s a responsibility. And we’re committed to innovating in a way that’s not only intelligent, but also intentional, delivering real results for SOCs around the world:
200+ analyst hours saved per week
Reduced false positives, with 99.93% accuracy on benign dispositions made by AI triage
Zero friction for customers
The future of investigations is here
Agentic AI workflows are now starting to roll out to all MDR customers. Want to learn how Rapid7’s Managed Detection and Response service can help your team scale smarter and respond faster? Reach out to our team to see how agentic AI can elevate your security outcomes from day one.