惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
T
Threatpost
Latest news
Latest news
N
News | PayPal Newsroom
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Help Net Security
Help Net Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
AI
AI
Simon Willison's Weblog
Simon Willison's Weblog
TaoSecurity Blog
TaoSecurity Blog
The Last Watchdog
The Last Watchdog
L
LINUX DO - 热门话题
Google DeepMind News
Google DeepMind News
T
Threat Research - Cisco Blogs
O
OpenAI News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
The Exploit Database - CXSecurity.com
NISL@THU
NISL@THU
Application and Cybersecurity Blog
Application and Cybersecurity Blog
S
Securelist
小众软件
小众软件
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Martin Fowler
Martin Fowler
S
SegmentFault 最新的问题
Cisco Talos Blog
Cisco Talos Blog
云风的 BLOG
云风的 BLOG
AWS News Blog
AWS News Blog
GbyAI
GbyAI
N
News and Events Feed by Topic
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
美团技术团队
Engineering at Meta
Engineering at Meta
A
About on SuperTechFans
博客园 - 三生石上(FineUI控件)
S
Schneier on Security
博客园 - 聂微东
V2EX - 技术
V2EX - 技术
T
Troy Hunt's Blog
SecWiki News
SecWiki News
S
Secure Thoughts
B
Blog RSS Feed
Hugging Face - Blog
Hugging Face - Blog
WordPress大学
WordPress大学
腾讯CDC
H
Heimdal Security Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Apple Machine Learning Research
Apple Machine Learning Research
月光博客
月光博客
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed

Intezer

The other half of the AI SOC: Intezer, now inside your AI workspace How attackers are gaining access to LLM inference A Gartner take on the MDR market in 2026 OrBit (Re)turns: Tracking an open-source Linux rootkit across four years of forks and deployments Generalist AI for your SOC: When and where to use it AI SOC Live at Nasdaq: Real conversation about modern security operations AI SOC: When to buy and when to DIY AI SOC for teams outgrowing MDR Intezer’s 2025 momentum reflects rapid adoption of AI SOC in global enterprise Alert fatigue is costing you: Why your SOC misses 1% of real threats How AI brings the OSCAR methodology to life in the SOC The 7 CISO requirements for AI SOC in 2026 Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs Intezer named a top-tier Solutions Partner in the Microsoft AI Cloud partner program Comprehensive Google SecOps migration checklist for CISOs and SOC leaders Top 15 AI SOC Tools for 2026: SOC Automation Compared
Building effective AI for the SOC: How Intezer Forensic AI SOC follows Anthropic’s best practices
Zev Schonberg · 2026-01-15 · via Intezer

One of the most influential publications on real-world AI system design is Anthropic’s guide, Building Effective Agents. Its core message is simple:
Effective AI requires structure first, adaptability second.

Anthropic emphasizes that AI agents work best when:

  1. A deterministic workflow does all the structured work up front
  2. The agent only activates when uncertainty remains
  3. The agent begins with full context, not an empty slate
  4. Tool usage is controlled and evidence-driven
  5. Human-in-the-loop remains central for oversight and trust

These principles ensure accuracy, avoid hallucinations and keep investigations reproducible, all critical requirements for cybersecurity.

Intezer Forensic AI SOC is built on exactly this philosophy. Our platform uses a dual-mode design with Intezer AI Workflow and AI Agent, completely aligning with Anthropic’s best practices to deliver fast, scalable and highly accurate investigations across a broad range of alerts, all while keeping analysts in the loop.

Here is how Intezer implements Anthropic’s best practices for agents.

Structured first: Intezer AI Workflow handles the majority of alerts

Anthropic advises that AI systems should begin with deterministic workflows instead of free-form reasoning. In cybersecurity, this is essential for accuracy, auditability, trust and scalability (when handling huge volumes of alerts).

Intezer’s AI Workflow mode is a structured triage process designed by security experts and executed with strict consistency. It applies AI only at key decision points, not as the driver of the entire investigation.

This approach provides:

  • Deterministic, reproducible results
  • High speed due to streamlined, parallelizable steps
  • Lower costs because heavy reasoning is used sparingly
  • No drift or unexpected branching
  • Clear human oversight points

Most alerts, especially well-defined ones, are fully resolved at this stage, giving SOCs broad alert coverage at low cost.

Adaptive only when needed: Intezer AI Agent extends the investigation

Anthropic states that agents should activate only when the structured workflow reaches uncertainty, and only after they inherit the full context. Intezer follows this exactly.

AI Agent mode activates only when the Workflow cannot reach a high-confidence verdict.

At that point, the agent:

  • Starts with all evidence collected so far
  • Avoids premature assumptions
  • Uses tools deliberately and contextually
  • Expands the investigation where human analysts would
  • Surfaces deeper behavioral patterns or cross-asset correlations

This ensures the agent is guided, not free-floating, and its decisions remain grounded in evidence, not guesswork.

Tools the AI Agent can leverage once activated

  • Dynamic SIEM queries
  • EDR/XDR telemetry lookups
  • Identity provider (IDP) investigation
  • Behavioral analysis of processes and command lines
  • User activity mapping
  • Process ancestry and parent-child correlation
  • Intezer’s historical alert database
  • Code DNA similarity and malware lineage tracking
  • Additional host, memory, or file-based forensics

The result is deeper investigation where it matters, without unnecessary cost.

Human-in-the-loop by design

Intezer keeps human analysts at the center so they can review and override conclusions, and trace every decision made by Intezer. Of course, all evidence and reasoning is grounded in forensic data and is fully transparent and explainable for beginners and advanced analysts alike.

This aligns with Anthropic’s principle that humans remain final decision-makers, especially in high-stakes domains like cybersecurity.

How this architecture improves SOC performance

Intezer’s adherence to Anthropic’s best practices produces measurable outcomes across the three most important SOC metrics: accuracy, coverage, and speed, while also reducing cost.

Accuracy

Intezer’s approach of combining deterministic forensics + adaptive AI = best-in-class verdict quality.

  • The structured workflow prevents hallucinations
  • The AI Agent only activates with strong guardrails
  • Context inheritance ensures consistent reasoning
  • Analysts always have visibility and control

This hybrid approach dramatically reduces false positives and prevents premature conclusions.

Triage of all alerts, including low-severity (where threats often hide)

Because AI Workflows handle the bulk of alerts inexpensively and AI Agents only run when needed, heavy and expensive reasoning calls are minimized

This frees SOCs from cherry-picking which alerts to ingest allowing them to triage and investigate them all.

This is crucial for:

  • High-volume enterprise environments
  • MSSPs with strict SLAs
  • Cloud-scale detection pipelines
  • 24/7 monitoring teams

You get broad alert coverage without inflating compute costs.

Speed: Structured steps + adaptive depth

  • Workflow mode resolves most alerts within seconds
  • Agents accelerate investigations that normally take analysts hours
  • No bottlenecks, no backlog, no manual evidence gathering

The result is a SOC where every alert is investigated quickly, consistently, and with forensic depth.

Table of how Intezer’s design reflects Anthropic’s guidance

Anthropic best practiceHow Intezer implements it
Start with deterministic workflowsAI Workflow handles structured triage with predefined expert steps
Activate agents only when neededAI Agent triggers only when confidence is insufficient
Give agents full contextAgent inherits the entire Workflow evidence set
Control tool usageAgent selects tools based on evidence, not speculation
Maintain human-in-the-loopAnalysts can verify, guide, and override conclusions
Prioritize safety and reproducibilityEvery action is logged, justified, and traceable

Conclusion: Anthropic’s Agent principles in a real SOC

Anthropic’s framework for building effective agents is now influencing industries far beyond general AI research. Intezer Forensic AI SOC might be one of the strongest real-world implementations of these practices in cybersecurity.

By combining:

  • Deterministic workflows for reliable baseline investigations
  • Adaptive agents for deeper reasoning when needed
  • Human oversight for trust and accountability
  • Cost efficiency enabling full-pipeline alert coverage

Intezer is able to deliver fast, accurate, and scalable triage that transforms SOC operations.

Learn more about how you can transform your SOC today.