Terraform SOC Investigator
An autonomous security-operations agent that runs on a cycle: pull SIEM alerts, correlate them into cases, triage, investigate, enrich indicators, and accumulate knowledge. It is built to show one boundary - deterministic work lives in scripts the agent runs, judgment lives in SKILL.md playbooks the agent reads and follows.
This example models the agentic half of an open-source SOC platform: an analyst agent that runs on a schedule to pull SIEM alerts, correlate them into cases, triage, investigate the ones that matter, enrich indicators, and capture what it learns. It frees human analysts from alert fatigue so they spend their time on real threats and on the decisions that need a human.
The example exists to make one boundary concrete - what should be deterministic code and what should be agent judgment. Pulling alerts, normalizing them, correlating them into cases, and looking up threat intel are high-volume and must be reliable, so they are stdlib Python scripts the agent runs with the shell tools, with no model in the loop. Which cases deserve attention, what actually happened, whether it is a real threat, and what to recommend are judgment, so they are SKILL.md playbooks the agent reads and follows. Skills are the unit of work either way: some wrap a deterministic script, some are reasoning playbooks.
A real SOC ingests a stream of alerts; here that becomes a scheduled pull on a cycle, which fits triggers cleanly. A correlation UID plus a time bucket makes the pull idempotent, so re-polling the same window never duplicates a case or an alert. Cases and accumulated knowledge live as files in a workspace, so the example runs with no external dependencies, and the production seams - a real SIEM, a SIRP case database, a dataset-backed knowledge base - are marked in the code.
One invariant is enforced rather than requested: the analyst investigates and recommends, but it never closes a case or executes remediation. Investigated cases are left pending human review. That approval gate is the deterministic guarantee around the agent's autonomy, and a SOC is exactly where it earns its keep.
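The idempotent pull and the approval gate described above, worked through in stdlib Python as an added example (not the project's own code). Assumed for illustration: the alert field names, a one-hour correlation bucket, the case status names, and a one-JSON-file-per-case workspace layout. The sample alerts are constructed, not real SIEM output.

```python
"""Idempotent correlate-and-ingest plus an enforced human-approval gate.

Added example, not the project's own code. Assumptions: alert field names,
BUCKET_SECONDS, the status names, and the one-file-per-case workspace.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime

BUCKET_SECONDS = 3600  # assumption: one correlation window per hour

# Constructed sample alerts. a-1 and a-2 share a correlation UID inside the
# 10:00 bucket; a-3 has the same UID but lands in the 11:00 bucket, so it
# must open a second case rather than join the first.
SAMPLE_ALERTS = [
    {"id": "a-1", "correlation_uid": "host42-ssh", "ts": "2024-05-01T10:05:00Z",
     "rule": "ssh_bruteforce", "src": "203.0.113.7"},
    {"id": "a-2", "correlation_uid": "host42-ssh", "ts": "2024-05-01T10:40:00Z",
     "rule": "ssh_bruteforce", "src": "203.0.113.7"},
    {"id": "a-3", "correlation_uid": "host42-ssh", "ts": "2024-05-01T11:10:00Z",
     "rule": "ssh_success_after_failures", "src": "203.0.113.7"},
]

# The agent may only walk a case forward to pending_review. There is no
# agent-reachable transition to "closed"; that absence is the gate.
AGENT_TRANSITIONS = {"new": "triaged", "triaged": "investigated",
                     "investigated": "pending_review"}


class HumanApprovalRequired(PermissionError):
    """Raised when the agent attempts an action reserved for a human."""


def time_bucket(ts: str) -> int:
    """Floor an ISO-8601 UTC timestamp to the start of its bucket (epoch secs)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % BUCKET_SECONDS


def case_id(correlation_uid: str, bucket: int) -> str:
    """Deterministic case id: the same UID in the same bucket is one case."""
    digest = hashlib.sha256(f"{correlation_uid}:{bucket}".encode()).hexdigest()
    return "case-" + digest[:12]


def new_workspace() -> str:
    """Scratch directory standing in for the workspace (production seam)."""
    return tempfile.mkdtemp(prefix="soc-ws-")


class CaseStore:
    """One JSON file per case under the workspace directory."""

    def __init__(self, workspace: str):
        self.workspace = workspace
        os.makedirs(workspace, exist_ok=True)

    def _path(self, cid: str) -> str:
        return os.path.join(self.workspace, cid + ".json")

    def load(self, cid: str) -> dict:
        with open(self._path(cid)) as fh:
            return json.load(fh)

    def save(self, case: dict) -> None:
        with open(self._path(case["id"]), "w") as fh:
            json.dump(case, fh, indent=1)

    def list_cases(self) -> list:
        return sorted(f[:-5] for f in os.listdir(self.workspace) if f.endswith(".json"))

    def ingest(self, alerts: list) -> tuple:
        """Deterministic correlate step; returns (cases_created, alerts_added).
        Re-polling the same window is a no-op: the case id comes from
        UID + bucket, and alerts are deduplicated by id inside the case."""
        created = added = 0
        for alert in alerts:
            cid = case_id(alert["correlation_uid"], time_bucket(alert["ts"]))
            if os.path.exists(self._path(cid)):
                case = self.load(cid)
            else:
                case = {"id": cid, "status": "new", "alert_ids": [],
                        "alerts": [], "notes": [], "recommendations": []}
                created += 1
            if alert["id"] not in case["alert_ids"]:
                case["alert_ids"].append(alert["id"])
                case["alerts"].append(alert)
                added += 1
            self.save(case)
        return created, added

    def advance(self, cid: str, note: str) -> str:
        """Agent-side transition; the walk ends at pending_review."""
        case = self.load(cid)
        nxt = AGENT_TRANSITIONS.get(case["status"])
        if nxt is None:
            raise HumanApprovalRequired(
                f"{cid} is {case['status']}: only a human reviewer may move it further")
        case["status"] = nxt
        case["notes"].append(note)
        self.save(case)
        return nxt

    def recommend(self, cid: str, action: str) -> None:
        """Record a recommended action; nothing here executes it."""
        case = self.load(cid)
        case["recommendations"].append(action)
        self.save(case)

    def close(self, cid: str, actor: str) -> str:
        """Closing is checked here, not merely requested of the agent."""
        if actor != "human":
            raise HumanApprovalRequired("closing a case requires human approval")
        case = self.load(cid)
        case["status"] = "closed"
        self.save(case)
        return case["status"]
```

Ingesting SAMPLE_ALERTS twice yields two cases and three alerts the first time and nothing the second, which is the idempotence the correlation UID plus time bucket buys. The gate is structural: AGENT_TRANSITIONS has no edge out of pending_review, and close() checks the actor, so an agent that follows a playbook badly still cannot close a case or run remediation.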
This is the pattern for any cyclic ingest, triage, investigate, and learn pipeline where the high-volume mechanics must be deterministic and reliable while the judgment stays agentic. It upgrades to the orchestrator-worker pattern for investigating many cases in parallel.