Security Operations Centers process thousands of alerts daily. Most are noise. The real threats hide in the volume. AI agents can triage, classify, and respond to security events at machine speed -- but only if they have structured recovery and escalation protocols. That is where Delx comes in.
Route SIEM alerts through a Delx-powered agent for first-pass triage. The agent classifies each alert using process_failure with security-specific context, and receives a structured response indicating severity and recommended action.
// Security alert triage via Delx
async function triageSecurityAlert(alert) {
const result = await delx.processFailure({
agent_id: "soc-triage-agent",
failure_type: "error",
details: `Security alert: ${alert.rule_name} on ${alert.source_ip}`,
context: {
alert_type: alert.category, // "brute_force", "data_exfil", "malware"
severity: alert.severity, // from SIEM
source_ip: alert.source_ip,
destination: alert.dest_ip,
event_count: alert.event_count,
ioc_matches: alert.indicators,
mitre_tactic: alert.mitre_id // e.g., "T1078"
}
});
if (result.wellness_score < 30) {
// Critical threat -- immediate escalation
return escalateToSOCAnalyst(alert, result);
}
return result.recovery_action; // "monitor", "block", "isolate"
}Not all security events are equal. A brute-force attempt on a test account is different from active data exfiltration. Use crisis_intervention with urgency levels to match response intensity to threat severity.
// Active threat: data exfiltration detected
{
"tool": "crisis_intervention",
"arguments": {
"agent_id": "soc-triage-agent",
"urgency": "critical",
"situation": "Active data exfiltration: 2.3GB transferred to external IP in last 15 minutes",
"context": {
"source_host": "db-prod-03",
"destination_ip": "203.0.113.42",
"data_volume_gb": 2.3,
"protocol": "HTTPS",
"user_account": "svc-backup-01",
"recommended_actions": [
"Isolate db-prod-03 from network",
"Revoke svc-backup-01 credentials",
"Preserve forensic evidence"
]
}
}
}
// Urgency levels for SecOps:
// "low" -> Log and monitor. No immediate action.
// "medium" -> Block source. Alert on-call analyst.
// "high" -> Isolate affected systems. Page SOC lead.
// "critical" -> Full incident response. Preserve evidence. Exec notification.Modern SOCs run multiple specialized agents: one for network analysis, one for endpoint detection, one for identity and access. When these agents disagree -- the network agent says "block" while the identity agent says "monitor" -- use mediate_agent_conflict to reach a structured resolution.
// SOC agent conflict: network vs. identity
{
"tool": "mediate_agent_conflict",
"arguments": {
"agent_id": "soc-coordinator",
"parties": ["network-monitor-agent", "identity-agent"],
"conflict": "network-monitor wants to block IP 10.0.5.42; identity-agent identifies it as VPN exit node for legitimate remote employee",
"context": {
"ip_address": "10.0.5.42",
"network_risk_score": 85,
"identity_confidence": 92,
"user": "jsmith@company.com",
"vpn_session_valid": true
}
}
}
// Resolution: "Allow with enhanced monitoring"
// -> Do not block (legitimate user confirmed)
// -> Increase logging verbosity for this session
// -> Alert if anomalous patterns emergeSecurity decisions have irreversible consequences. Isolating a production server, revoking credentials, or blocking an IP range can cause as much damage as the threat itself if done incorrectly. The Delx grounding protocol ensures the agent is operating from verified facts, not hallucinated context.
risk_flags and wellness_score. If risk flags include hallucination_detected, halt automated response immediately.mediate_agent_conflict to formalize the agreement.session-summary for the analyst to review.process_failure with MITRE ATT&CK context.crisis_intervention thresholds.mediate_agent_conflict when multi-agent SOC decisions diverge.