April 27th, 2026

Agentic SecOps: Build a security AI agent that automatically investigates detections

Daniel Ballmer

Sr. Technical Content Strategist


A credential access event fired. An AI agent investigated it, correlated it against running processes, assessed the risk, and closed the ticket. No analyst touched it. The entire loop ran in minutes.

This is what security operations look like when AI can actually operate in the environment rather than advise from outside it.

Why earlier automation couldn't do this

Security operations have always required a special kind of person. Someone who can:

  • Hold a mental model of an entire environment

  • Chase a suspicious process across a dozen endpoints without losing the thread

  • Produce findings that anyone can act on

For decades, that cognitive load was borne entirely by human analysts.

AI agents can now share that burden in a way that earlier automation never could. Scripted playbooks follow a fixed path and break as soon as a situation departs from the script. An AI agent reasons through situations, adapts to what it encounters, and produces outputs that others can act on.

This capability can be demonstrated right now. Watch an agent autonomously investigate a credential access event, correlate it against running processes, assess the risk, and write a structured ticket in case management.

This demo shows LimaCharlie co-founder Christopher Luft building the workflow in under five minutes.

Building the agent

LimaCharlie's AI terminal provides a purpose-built wrapper over Claude Code, pre-loaded with skills and knowledge covering the entire platform. This includes LimaCharlie's telemetry schema, sensor structure, and D&R rule syntax. When AI is grounded in your security environment, agents need far less prompting to act effectively. 

From the Automation section of a LimaCharlie tenant, navigate to AI Agents and select "Create with AI." This loads the terminal and surfaces links to LimaCharlie’s open-source agent examples. 

From there, simply write a plain-language prompt describing what the agent should do. In this case, the agent is designed to analyze processes, users, hosts, and related telemetry for signs of credential exfiltration, persistence, or lateral movement. It then produces a structured case ticket with a risk assessment. 

Deployment

With the investigation agent built, a second prompt in a fresh AI terminal handles the deployment side: write a detection and response rule that fires whenever a user accesses the SSH folder or touches a file inside it, and launch the investigation agent when the rule fires.

LimaCharlie generates the detection and response (D&R) rule, which can be reviewed before going live. The whole setup, agent creation plus detection rule creation, takes about three minutes of actual work.

Because both the agent and the rule are saved as code, they can be run on a schedule, triggered continuously in the background, or invoked in response to specific detections across infrastructure. 

As a final step, the new D&R rule is deployed to endpoints for testing to confirm it works as intended: if anything is touched in a folder containing SSH keys, an alert should fire.
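For readers who want to see what the rule under review looks like on the page, here is an added example of a LimaCharlie D&R rule written by hand for this post; it is not the rule the AI terminal generated in the demo. It reports file creation, modification and deletion inside a `.ssh` directory on POSIX and Windows paths and tags the sensor so the activity is easy to find. It assumes file telemetry is enabled for the directory on the endpoint, and the `ssh-folder-access` detection name and `ssh-investigate` tag are placeholders. The response action that hands the detection to the investigation agent is whatever the AI terminal produced and is deliberately not reproduced here.

```yaml
# Added example D&R rule (not the demo's generated rule).
# Assumes file telemetry is enabled for the watched directory.
detect:
  events:
    - FILE_CREATE
    - FILE_MODIFIED
    - FILE_DELETE
  op: or
  rules:
    # POSIX home directories (macOS, Linux): /Users/alice/.ssh/id_ed25519
    - op: contains
      path: event/FILE_PATH
      value: /.ssh/
    # Windows profiles: C:\Users\alice\.ssh\id_ed25519
    - op: contains
      path: event/FILE_PATH
      value: '\.ssh\'
      case sensitive: false
respond:
  # Emit a detection; the name is a placeholder chosen for this example.
  - action: report
    name: ssh-folder-access
  # Tag the sensor for an hour so the activity is easy to pivot on during
  # the investigation; tag name is a placeholder.
  - action: add tag
    tag: ssh-investigate
    ttl: 3600
```

The `or` block is what lets one rule cover both path conventions; reviewing a generated rule for exactly this kind of gap (a Mac-only path when Windows hosts are also enrolled) is a good use of the "review before going live" step the post describes. Expect some noise from legitimate SSH clients updating `known_hosts`, which is precisely the kind of context the investigation agent is meant to sort out.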

Testing and results

Accessing the SSH folder on a Mac endpoint triggers the detection as expected. The investigation agent runs automatically, queries the relevant telemetry, assesses the activity, and creates a ticket in LimaCharlie's case management system.

The ticket includes structured notes on what was found, what was checked, and a risk verdict (benign, in this case). Closing the case is a single click.

The entire loop, from detection to closed case, completed in minutes.

Try it yourself

LimaCharlie offers a fully featured free tier with no credit card required. AI costs run against your existing subscription. You can get started at https://app.limacharlie.io/signup.

To demo these capabilities in your environment, schedule a call with our solution engineers.

All supporting code lives in our lc-ai GitHub repo.
