SIRT Triage Agent Workshop
~10 min

Recap, before/after, what to extend

Compare your deployed analyst console to the reference demo, review the five agents you didn't build, and learn what to extend after the workshop.

The journey

You started with an empty shell — a queue that said “No incidents yet” — and across 15 lessons, you wired in 7 Cloudflare primitives to build an autonomous security triage system:

Primitive         What it did
Workers           Hosted your analyst console at the edge
D1                Stored and served the incident queue
Durable Objects   Gave each incident its own persistent state
Workers AI        Ran LLM inference for every analysis step
Agents SDK        Orchestrated parallel sub-agents with structured output
Sandbox SDK       Executed real CLI commands (dig, whois) in a secure sandbox
Dynamic Workers   Generated and ran custom code at runtime

Each lesson was one small diff — a binding addition, a code block uncommented, a redeploy. No monoliths. No boilerplate marathons.

Before and after

Before: A human analyst receives an alert, opens 4–6 tools in serial (SIEM, EDR console, identity provider, network logs, threat intel feed, ticketing system), copies indicators between tabs, and writes up findings. Average triage time: ~45 minutes per incident. Context gets lost between tool pivots. Severity is a gut call.

After: The analyst clicks Investigate. Four specialized sub-agents run in parallel — command-line, identity, network, and activity analysis — each returning structured findings. A Synthesizer merges them into a triage card with severity, confidence, and recommended actions. A Response Agent maps the incident to playbooks and produces an action plan with per-action risk and reversibility. Total time: under 60 seconds. The human still approves every action.

What you built

Your deployed app runs a 6-agent harness:

  1. Triage Coordinator — dispatches the incident to sub-agents in parallel
  2. Command-Line Analyzer — examines process execution and command history
  3. Identity Analyzer — evaluates authentication patterns and access anomalies
  4. Network Analyzer — inspects traffic patterns, with sandbox-powered CLI enrichment
  5. Activity Analyzer — reviews timeline and behavioral signals
  6. Synthesizer — merges all findings into one triage card
  7. Response Agent — reads playbooks and generates a structured action plan

Plus the Sandbox SDK integration for live DNS/WHOIS lookups and the Dynamic Workers integration for on-the-fly code execution.

Full system architecture — built vs. unbuilt

flowchart TD
  COORD[Triage Coordinator]
  CMD[Command-Line Analyzer]
  ID[Identity Analyzer]
  NET[Network Analyzer]
  ACT[Activity Analyzer]
  SYN[Synthesizer]
  RESP[Response Agent]

  NOTIF[Notification Agent]:::dash
  DISPATCH[Action Dispatcher]:::dash
  AUDIT[Audit Writer]:::dash
  RESOLVE[Resolution Summarizer]:::dash
  EXTACT[Extended Activity Analyzer]:::dash

  COORD --> CMD
  COORD --> ID
  COORD --> NET
  COORD --> ACT
  CMD --> SYN
  ID --> SYN
  NET --> SYN
  ACT --> SYN
  SYN --> RESP
  RESP --> DISPATCH
  RESP --> NOTIF
  DISPATCH --> AUDIT
  DISPATCH --> RESOLVE
  ACT -.-> EXTACT

  classDef dash stroke-dasharray: 5 5, stroke:#999, color:#999

What the reference demo has that you didn’t build

The reference demo includes 5 additional agents that complete the production loop. These are good candidates for your next build session:

Agent                       Purpose
Notification Agent          Routes alerts to the right channel (Slack, PagerDuty, email) based on severity and on-call schedule
Action Dispatcher           Executes approved actions against real integrations (EDR, identity provider, firewall)
Audit Writer                Records every agent decision and human approval to an immutable audit log
Resolution Summarizer       Generates a post-incident summary after all actions complete
Extended Activity Analyzer  Richer behavioral analysis with historical baseline comparison

Each one follows the same pattern you already know: an Agent subclass, a system prompt, structured output, and a Workers AI call. The architecture scales horizontally — add agents without changing the coordinator.

Extension ideas

Now that you have the primitives, here are paths worth exploring:

  • Cloudflare Access — Gate the analyst console behind SSO with one wrangler.jsonc change. Zero-trust access for your triage tool.
  • Real SIEM integration — Replace the seed incidents in D1 with a webhook receiver that ingests from Splunk, Sentinel, or CrowdStrike.
  • R2 for evidence storage — Store forensic artifacts, sandbox command outputs, and generated Worker code in R2 with lifecycle policies.
  • Observability — Add Workers Traces and Logpush to track agent latency, token usage, and error rates across the triage pipeline.
  • Notification Agent with Email Workers — Build the first unbuilt agent using Cloudflare’s Email Workers to send structured triage summaries to the on-call team.

You deployed a working system. You understand the primitives. Go build the next one.
