CS — 01

Phishing Mailbox Automation

Production
Phishing · SOAR
Problem
Analysts spent the first hour of each shift triaging reported phishing — repetitive, slow, drift-prone.
Approach
AI-assisted classifier, header & URL enrichment, attachment detonation, and a one-click contain action gated by analyst approval.
Outcome
~72% of reports auto-triaged with zero false-positive containment over the eval window.
XSOARVirusTotalSandboxSentinel
CS — 02

AI-Assisted IOC Enrichment

Pilot
Threat Intel · Agent
Problem
IOC enrichment was fragmented across 6 tools, with inconsistent confidence scoring and duplicate noise.
Approach
An agent calls scoped enrichment tools, reconciles results, normalizes confidence, and writes one structured artifact back to the case.
Outcome
Enrichment time down ~80%; consistent, agent-consumable schema across cases.
MCPVirusTotalShodanAbuseIPDB
CS — 03

Guardrailed Agent Tool Execution

Research
Agent Security · MCP
Problem
An internal LLM agent had broad MCP tool access — no scoping, no policy gate, no audit on tool arguments.
Approach
A guardrail proxy in front of MCP servers — per-tool policy, argument validation, redaction, and a tamper-evident audit log per session.
Outcome
Scope violations dropped to zero in red-team eval; every call is now reviewable and replayable.
MCPOPAPythonAudit Store
CS — 04

SOAR Playbook Modernization

Production
SOAR · Engineering
Problem
A SOC had 40+ playbooks across two SOAR platforms with copy-pasted branches and no shared enrichment substrate.
Approach
Refactored playbooks onto a shared enrichment + decision library; introduced versioned blueprints with tested branches for phishing, malware, and EDR isolation.
Outcome
Playbook count down ~35%; mean-time-to-respond down for the top three alert classes.
XSOARTinesQRadarSentinel
CS — 05

Human Approval in High-Risk Response Actions

Production
Workflow · UX
Problem
High-risk actions — host isolation, user disable, mailbox purge — were authorized via Slack with insufficient context.
Approach
A structured approval surface with risk score, blast radius, IOC summary, agent recommendation, and a one-click revoke window.
Outcome
Approval-to-action latency stayed flat while context completeness audits passed at 100%.
TinesSentinelSlackCrowdStrike
Read the engineering

Patterns first, then implementations.

Each case study sits on top of a project and a topic note. Browse the projects for the systems behind these outcomes.