SIRT Triage Agent Workshop
~10 min

Explore the reference demo

Walk through the finished analyst console demo to understand each screen you will build.

  1. Open the reference demo at /demo

    Navigate to /demo on this workshop site. You should see the SIRT Analyst Console with 4 incidents in the queue.

  2. Click an incident and watch the triage flow

    Click 'Malware + C2 callback', then click 'Investigate'. Watch 4 sub-agents stream analysis in parallel.

  3. Review the synthesized triage card

    After triage completes, you should see a triage card with severity, confidence, indicators, and a summary.

  4. Review the action plan and HITL controls

    Continue to the action plan. Each action shows risk level, reversibility, and approve/reject/escalate controls.

Before you start building, take 10 minutes to walk through the finished product. The reference demo at /demo shows exactly what your analyst console will look like by the end of the workshop.

Open the demo

Navigate to /demo on this workshop site. This is a self-contained simulation — it uses canned data, not live AI calls — so it always works and loads instantly.

You will see the SIRT Analyst Console with four incidents in the queue:

#  Incident                     Severity  Source
1  Malware + C2 callback        P1        EDR
2  Phishing credential harvest  P1        SIEM
3  Anomalous authentication     P2        SIEM
4  Data exfiltration suspected  P0        DLP

Walk through the triage flow

Click the Malware + C2 callback incident. Then click Investigate.

Watch four sub-agents stream their analysis in parallel:

  • Command-Line Analyzer — decodes the obfuscated PowerShell command, identifies LOLBin abuse (Living Off The Land Binaries), extracts IOCs
  • Identity Analyzer — assesses whether the user account is likely compromised based on access patterns and risk factors
  • Network Analyzer — evaluates the destination IP/domain reputation, ASN, hosting infrastructure
  • Activity Analyzer — surfaces baseline deviations, lead-up activity, and cross-incident correlations

This parallel dispatch pattern is what you will build in lesson 11 using the Agents SDK.

Review the triage card

After all four sub-agents complete, the Triage Synthesizer combines their findings into a single structured triage card showing:

  • Severity (P0-P3) with confidence level
  • Incident type (malware, phishing, unauthorized access, data exfiltration)
  • Key indicators (IPs, domains, users, hostnames)
  • Sub-agent agreement (unanimous, majority, split)
  • Recommended next step (engage response agent, escalate to L2, etc.)
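The parallel dispatch and synthesis steps above can be exercised without any UI. The following is an added example, not the workshop's own code and not the Agents SDK: it fans out to four simulated sub-agents with Promise.all (mimicking the demo's staggered timers), then the synthesizer derives severity, confidence, agreement and next step from their findings. The findings, the host/user names and the 198.51.100.23 address are constructed sample data; the rule that a split verdict always escalates to L2 is an assumption made for the example.

```javascript
// Added example (not the workshop's code): fan-out to four simulated
// sub-agents with Promise.all, then synthesize one triage card.
// Every analyzer returns constructed findings; the workshop replaces
// these with real Workers AI inference in later lessons.

const SEVERITY_RANK = { P3: 0, P2: 1, P1: 2, P0: 3 };

// Constructed findings for the "Malware + C2 callback" scenario.
// 198.51.100.0/24 is a documentation range, not a real threat address.
const SAMPLE_FINDINGS = [
  { agent: "Command-Line Analyzer", delayMs: 300, verdict: "malicious", severity: "P1",
    confidence: 90, type: "malware", indicators: ["WKSTN-JDOE-PC", "198.51.100.23"] },
  { agent: "Identity Analyzer", delayMs: 500, verdict: "suspicious", severity: "P2",
    confidence: 60, type: "malware", indicators: ["jdoe"] },
  { agent: "Network Analyzer", delayMs: 400, verdict: "malicious", severity: "P1",
    confidence: 85, type: "malware", indicators: ["198.51.100.23", "c2.example.net"] },
  { agent: "Activity Analyzer", delayMs: 700, verdict: "malicious", severity: "P1",
    confidence: 80, type: "malware", indicators: ["WKSTN-JDOE-PC"] },
];

// A simulated sub-agent: resolves after a staggered delay, like the demo's timers.
function simulatedAnalyzer(finding) {
  return async (incident) => {
    await new Promise((resolve) => setTimeout(resolve, finding.delayMs));
    return { incidentId: incident.id, ...finding };
  };
}

const ANALYZERS = SAMPLE_FINDINGS.map(simulatedAnalyzer);

// Parallel dispatch: all sub-agents start at once; wall time is the slowest one.
async function triageIncident(incident, analyzers = ANALYZERS) {
  const findings = await Promise.all(analyzers.map((run) => run(incident)));
  return synthesize(findings);
}

// Count how many analyzers share each verdict and classify the agreement.
function agreementOf(findings) {
  const counts = new Map();
  for (const f of findings) counts.set(f.verdict, (counts.get(f.verdict) ?? 0) + 1);
  const top = Math.max(...counts.values());
  if (top === findings.length) return "unanimous";
  if (top * 2 > findings.length) return "majority";
  return "split";
}

// Triage Synthesizer: one structured card from N findings.
function synthesize(findings) {
  if (findings.length === 0) throw new Error("no findings to synthesize");
  // Highest severity wins; confidence is the integer mean in percent.
  const severity = findings
    .map((f) => f.severity)
    .reduce((a, b) => (SEVERITY_RANK[b] > SEVERITY_RANK[a] ? b : a));
  const confidence = Math.round(
    findings.reduce((sum, f) => sum + f.confidence, 0) / findings.length);
  // Most common incident type across sub-agents.
  const typeCounts = new Map();
  for (const f of findings) typeCounts.set(f.type, (typeCounts.get(f.type) ?? 0) + 1);
  const incidentType = [...typeCounts.entries()].sort((a, b) => b[1] - a[1])[0][0];
  // Merge and de-duplicate indicators, preserving first-seen order.
  const indicators = [...new Set(findings.flatMap((f) => f.indicators))];
  const agreement = agreementOf(findings);
  // Assumed policy: split verdicts never go straight to automated response.
  const nextStep =
    agreement !== "split" && SEVERITY_RANK[severity] >= SEVERITY_RANK.P1
      ? "engage response agent"
      : "escalate to L2";
  return { severity, confidence, incidentType, indicators, agreement, nextStep };
}

if (typeof require !== "undefined" && require.main === module) {
  triageIncident({ id: 1, title: "Malware + C2 callback" }).then((card) =>
    console.log(JSON.stringify(card, null, 2)));
}
```

Run it with node and the card for the sample scenario prints after roughly 700 ms (the slowest simulated analyzer), not the 1.9 s a sequential loop would take. The synthesizer is a pure function of the findings, which keeps it testable independently of how the sub-agents are dispatched.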

Review the action plan

Continue to the action plan screen. The Response Agent reads relevant playbooks and produces structured action recommendations. Each action includes:

  • Action type and target (e.g. “Isolate endpoint WKSTN-JDOE-PC”)
  • Risk level (low, medium, high) and reversibility (can it be undone?)
  • Prerequisites (what must happen first)
  • Rationale (why the agent recommends this)
  • Per-action controls: approve, reject, or escalate
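The per-action controls are the human-in-the-loop gate: nothing in the plan should run until an analyst has approved it, and an action whose prerequisites are still pending should not be approvable at all. The following is an added example, not the workshop's or the Response Agent's code, of that gate in plain JavaScript. The action plan is constructed sample data, and the rule that high-risk or irreversible actions need an L2 reviewer is an assumption made for the example, not a policy the workshop states.

```javascript
// Added example (not the workshop's code): approval gate for Response
// Agent actions. Records approve/reject/escalate per action, enforces
// prerequisite ordering, and releases only approved actions for execution.

// Constructed sample plan; the shape mirrors the fields shown on the action plan screen.
const SAMPLE_PLAN = [
  { id: "a1", action: "Isolate endpoint", target: "WKSTN-JDOE-PC", risk: "medium",
    reversible: true, prerequisites: [],
    rationale: "Cut the C2 channel while preserving the host for forensics" },
  { id: "a2", action: "Block destination", target: "198.51.100.23", risk: "low",
    reversible: true, prerequisites: [],
    rationale: "Stop callbacks from any other host on the network" },
  { id: "a3", action: "Disable user account", target: "jdoe", risk: "high",
    reversible: true, prerequisites: ["a1"],
    rationale: "Identity Analyzer rated the account as likely compromised" },
  { id: "a4", action: "Reimage endpoint", target: "WKSTN-JDOE-PC", risk: "high",
    reversible: false, prerequisites: ["a1", "a3"],
    rationale: "Remove persistence after evidence has been collected" },
];

const DECISIONS = new Set(["approve", "reject", "escalate"]);

function createReviewState(plan) {
  return { plan, decisions: new Map(), log: [] };
}

// Assumed policy for this example: irreversible or high-risk actions need an L2 reviewer.
function requiredRole(action) {
  return !action.reversible || action.risk === "high" ? "L2" : "L1";
}

// Record one analyst decision. Returns { ok: false, reason } instead of
// recording when an approval would violate ordering or role policy.
function decide(state, actionId, decision, reviewer) {
  const action = state.plan.find((a) => a.id === actionId);
  if (!action) throw new Error(`unknown action ${actionId}`);
  if (state.decisions.has(actionId)) throw new Error(`${actionId} already decided`);
  if (!DECISIONS.has(decision)) throw new Error(`bad decision ${decision}`);
  if (decision === "approve") {
    const pending = action.prerequisites.filter((p) => state.decisions.get(p) !== "approve");
    if (pending.length > 0) {
      return { ok: false, reason: `prerequisites not approved: ${pending.join(", ")}` };
    }
    if (requiredRole(action) === "L2" && reviewer.role !== "L2") {
      return { ok: false, reason: `${actionId} requires L2 approval` };
    }
  }
  state.decisions.set(actionId, decision);
  // Audit trail: who decided what, and when.
  state.log.push({ actionId, decision, reviewer: reviewer.name, at: new Date().toISOString() });
  return { ok: true };
}

// Actions cleared for execution, in plan order. Because approve() already
// required prerequisites to be approved, this list is safe to run top to bottom.
function releasable(state) {
  return state.plan.filter((a) => state.decisions.get(a.id) === "approve");
}

if (typeof require !== "undefined" && require.main === module) {
  const state = createReviewState(SAMPLE_PLAN);
  const l1 = { name: "analyst-1", role: "L1" };
  console.log(decide(state, "a3", "approve", l1)); // refused: a1 not yet approved
  console.log(decide(state, "a1", "approve", l1)); // ok
  console.log(releasable(state).map((a) => `${a.action} ${a.target}`));
}
```

A refused approval leaves no decision recorded, so the analyst can approve the prerequisite and retry; a second decision on an already-decided action is a programming error and throws rather than silently overwriting the audit log.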

What is simulated vs. what you will build live

Demo element        In the demo                           What you build
Sub-agent analysis  Canned text revealed with setTimeout  Real Workers AI inference per sub-agent
Parallel dispatch   4 timers with staggered durations     Agents SDK with real parallel execution
Action plan         Pre-written per scenario              Response Agent reading playbook files via Workers AI
CLI enrichment      Not shown                             Real dig/whois commands via Sandbox SDK
Dynamic Workers     Not shown                             Agent-generated code executed at runtime

You are ready to build

Now that you have seen the finished product, you will progressively build each capability across the remaining lessons. The next step is to deploy an empty version of this console to your own Cloudflare account.
