Announcing LimaCharlie Case Management: Built for agentic security workflows

Security operators often struggle with the escalating friction that naturally occurs in their detection and response (D&R) workflow. Detections fire in one tool. Investigations happen in another. Case tracking lives in a third. For MSSPs managing dozens of client environments, fragmentation compounds quickly. Analyst time bleeds into context-switching. SLAs are hard to track. When something goes wrong, reconstructing what happened across multiple platforms is painful.

LimaCharlie’s Case Management eliminates operational friction by removing fragmentation. It provides a single interface covering detection through resolution, and it’s available now.

One platform from detection to resolution

LimaCharlie Case Management can be operated manually, or for those who prefer automation it can convert detections into trackable cases automatically. The moment a D&R rule fires, a case opens. Severity is assigned based on detection priority. SLA timers start. There is no manual handoff or copy-paste between tools. 

Analysts work the case queue inside the same platform where detections are generated and telemetry lives. They can attach IOCs, link detections, raw telemetry events, add forensic artifacts, and document findings. Analysts can add case notes in Markdown, categorized by type: analysis, remediation, escalation, handoff, and stakeholder communication.

When a case closes, the complete timeline is preserved. Every status change, assignment, note, and classification is captured in an immutable audit trail. Nothing is lost.

For MSSPs and SOC analysts, this means less time managing tools and more time working cases.

A state machine for AI incident response

AI SOC automation works best when it has structure to operate within. Freeform workflows break down at scale. LimaCharlie Case Management provides the scaffolding that makes agentic security reliable.

Cases follow a defined lifecycle: new, in progress, resolved, closed. Each transition is intentional. Each state records key timestamps, including time to acknowledge and time to resolve. That structure is not just useful for human analysts. It gives AI agents a clear operational surface.

The LimaCharlie case lifecycle

An agent can check case status, determine whether SLA thresholds have been met, add investigation notes, and update severity. Because every action is logged and every state transition is traceable, AI for incident response on LimaCharlie is inspectable by design. You can see what the agent did, when it did it, and why.

This is what agentic AI security looks like in practice: not a black box making decisions, but a system operating within a defined, governable, and auditable structure.

Rounding out the platform

LimaCharlie Case Management brings many aspects of SIEM functionality to our platform. We natively host detection, investigation, and case tracking without the cost and complexity of competing solutions.

A dedicated multi-tenant API lets MSSP teams query the full case queue across all client environments. Auto-grouping reduces alert fatigue by clustering related detections into a single case. Teams can set SLA targets for each severity level, ensuring accountability to response commitments. SOC managers get mean time to acknowledge (MTTA) and mean time to resolve (MTTR) data at a glance through the summary reporting view.

For teams building on LimaCharlie, a single, coherent workflow replaces a process that previously required multiple tools.

Built for agentic security MSSP workflows

LimaCharlie’s architecture is built to reflect how modern security teams actually work. Cases can be created automatically from any detection, or manually for ad-hoc investigations. D&R rules can trigger case creation directly. Bulk updates let analysts close false positives at volume. Webhook notifications and a WebSocket API support real-time integrations with downstream tools.

Configuration is per-tenant. Severity thresholds, SLA targets, auto-grouping behavior, and retention periods are all adjustable. This flexibility is crucial for MSSPs managing environments with different risk profiles.

LimaCharlie Case Management is available now.

If you are not yet on the platform, start at LimaCharlie.io.

Documentation on LimaCharlie Cases.

Browse our lc-ai Github repo.