We triage what other platforms can't
Other AI SOC platforms have coverage ceilings. They rely on pre-defined logic and follow fixed triage questions.
Radiant uses a structured 5-step investigation process designed to handle any alert, from the common to the complex.
Triage any alert with Radiant’s 5-Step Methodology
The triage process: What we do
Radiant follows the same investigative flow a human analyst would: understand → enrich → plan → execute → conclude.
Classification
AI interprets the characteristics of a raw alert to determine its threat type and whether it has encountered this kind of alert before. This determines whether an existing plan will be re-used or a new one generated from scratch in step 3.
Enrich
AI automatically pulls in context from across your environment: threat intelligence, identity data, asset information, and more, so your team has everything they need to make a decision without manually stitching data together.
Plan
AI plans the structured set of steps that determines exactly how the alert will be investigated. Plans are built dynamically based on: Radiant’s expert knowledge, your unique environment, and context memory.
Execute
AI runs automatically to answer each investigative question, pulling information from your connected security tools, SIEMs, and external data sources without any manual effort from your analysts.
Conclude
AI provides a transparent verdict by weighing malicious indicators against benign ones. Once analysts review and validate the reasoning of escalated alerts, they can group related alerts into a case, where they can view the full threat picture and take action from a single place.
The output for analysts: What you see
See how we deliver the details that matter the most once triage is completed.
Recommended Malicious
Active phishing site impersonating customer portal
Classification
Site Impersonation
A suspicious domain impersonating Blast Labs' customer portal was identified and confirmed active. It is presenting a near-identical replica of the legitimate login page and posing a credible phishing risk to both employees and customers.
Planning and Execution
AI triage findings
Is the flagged domain still live and serving content?
The site is confirmed live, rendering a full replica of Blast Labs' customer login page.
Does the phishing site closely resemble the legitimate Blast Labs portal?
Logo, color scheme, and login form are near-identical to portal.blastlabs.com.
Was the domain recently registered with signs of malicious intent?
The domain was registered 6 days ago with privacy protection enabled — consistent with phishing infrastructure.
Is the hosting IP linked to any known phishing campaigns?
IP is tied to other phishing campaigns targeting SaaS companies in the past 60 days.
Enrichment
Involved artifacts
Response
Take action
Submit domain takedown request
ZeroFox
Block domain
Palo Alto Networks
Notify customer success and employees
Recommended Malicious
Disguised update file triggered ransomware on corporate endpoint
Classification
Ransomware Disguised as Update
Employee executed a file disguised as a routine software update on their corporate endpoint — triggering a ransomware deployment that attempted to encrypt local and network-accessible files within seconds.
Planning and Execution
AI triage findings
Did the process spawn any child processes or attempt lateral movement?
Update.exe spawned svchost.exe and began enumerating network shares within seconds of execution.
Is the contacted domain associated with any known malicious activity?
The domain is flagged as an active ransomware command-and-control server with recent malicious activity.
Has this user executed similar suspicious files recently?
No prior suspicious executions found — this is the user's first encounter with this file.
Enrichment
Involved artifacts
Response
Take action
Submit domain takedown request
ZeroFox
Block domain
Palo Alto Networks
Notify customer success and employees
Recommended Malicious
Sensitive file download detected from Salesforce
Classification
High-priority insider data exfiltration
A departing employee downloaded a sensitive sales leads file from Salesforce without authorization and immediately uploaded it to a personal Gmail account.
Planning and Execution
AI triage findings
Does this user have the permissions to access sensitive CRM sales data?
The user holds no IAM roles or entitlements authorizing access to sensitive Salesforce sales records.
Was the downloaded file transferred to any external destination?
A follow-on DLP alert confirmed the file was uploaded to Gmail shortly after the Salesforce download.
Is the user currently flagged as offboarding or a departure risk?
The user is actively marked as departing the organization in Workday, placing this event in a high-risk insider threat context.
Enrichment
Involved artifacts
Response
Take action
Suspend Amelia Green’s account
Google IAM
Revoke active sessions and auth tokens
Google IAM
Notify stakeholders to recover lost data
Recommended Malicious
Suspicious VPN login bypassed MFA on registered device
Classification
Anomalous VPN Login
Employee's account was accessed from an unfamiliar location behind a consumer VPN — MFA challenges failed three times, and no ZTNA client was found on their registered device.
Planning and Execution
AI triage findings
Is the login IP associated with a VPN or anonymizing service?
The IP resolves to an ExpressVPN exit node in Iceland — absent from this user's entire login history.
Did the user successfully complete MFA during this login?
MFA failed three times — session access was granted via a legacy authentication fallback policy.
Is a VPN client installed on the user's registered endpoint?
No VPN client is installed on the registered device — confirming the VPN traffic originated elsewhere.
Enrichment
Involved artifacts
Response
Take action
Suspend user account
Microsoft Entra ID
Terminate active sessions
Microsoft Entra ID
Force MFA re-enrollment
Microsoft Entra ID
Recommended Malicious
Persistent web attack bypassed WAF and reached application
Classification
External SQL injection
An external attacker cycled through evasion techniques across dozens of blocked attempts until a modified SQL injection payload slipped past WAF rules and hit Blast Labs' application layer.
Planning and Execution
AI triage findings
Analyze requests from this IP in the last 30 days.
47 requests were sent and blocked over 11 minutes before the 48th attempt evaded detection.
Is this IP associated with known malicious or anonymizing infrastructure?
The IP is a confirmed Tor exit node with a history of automated web application attacks.
Did the successful request cause anomalous behavior in the application or database?
The request returned an HTTP 500 error, indicating the payload reached and interacted with the backend.
Enrichment
Involved artifacts
Response
Take action
Block attacker IP
Imperva Cloud WAF
Escalate to incident response
PagerDuty
Patch bypassed WAF rule
Imperva Cloud WAF
Recommended Malicious
Persistent web attack bypassed WAF and reached application
Classification
Low-Fidelity Outbound Alert
A corporate device triggered a network alert for unusual outbound traffic patterns — flagged by firewall rules as potentially suspicious but lacking clear indicators of malicious intent.
Planning and Execution
AI triage findings
Is the destination IP or domain associated with any known threats?
Domain resolves to a verified Google infrastructure endpoint with no threat associations.
Has this device shown any signs of compromise or suspicious process activity?
No malicious processes, file executions, or behavioral anomalies detected on the device.
Has this device communicated with this destination before?
The device has made repeated connections to this domain over the past 90 days — consistent with normal usage.
Enrichment
Involved artifacts
Response
Take action
Close alert as benign
Palo Alto Networks
Tune low-fidelity rule
Palo Alto Networks
Recommended Malicious
Authorized engineer scan flagged as OT reconnaissance activity
Classification
Potential reconnaissance
A scheduled OT diagnostic scan triggered a Dragos reconnaissance alert — Radiant confirmed the activity was authorized, change-ticket approved, and identical in pattern to scans run by the same engineer the month prior.
Planning and Execution
AI triage findings
Has this user performed identical OT scanning activity before?
Matching scan patterns from the same user and device were recorded during last month's maintenance window.
Is the tool used for scanning recognized and approved by the security team?
Nmap 7.94 is on the approved diagnostic tooling list and carries a valid code signature.
Has this device communicated with this destination before?
The device has made repeated connections to this domain over the past 90 days — consistent with normal usage.
Enrichment
Involved artifacts
Response
Take action
Close alert as benign
Dragos
Log authorized scan activity
ServiceNow
Tune OT reconnaissance detection rule
Dragos
Recommended Malicious
Compromised API credentials exploited misconfigured S3 bucket
Classification
Compromised API Credentials
A production service account's API credentials were used from a Tor exit node to enumerate and access S3 buckets — actions outside the account's normal behavior, due to a misconfigured public-read access policy that was never remediated.
Planning and Execution
AI triage findings
Are the API actions consistent with this service account's normal behavior?
This account has never previously performed bucket enumeration or cross-resource object reads.
Is the accessed S3 bucket misconfigured or overly permissive?
The bucket had a public-read ACL applied — granting access far beyond the service account's intended scope.
Was any data successfully read from the exposed bucket?
2,418 API read calls completed successfully across multiple file types before the session was flagged.
Enrichment
Involved artifacts
Response
Take action
Rotate API credentials
AWS IAM
Restrict bucket ACL
AWS S3
Block IP
AWS WAF
Recommended Malicious
High-risk user accessing sensitive resources before likely departure
Classification
Pre-Departure Data Gathering
An employee was observed accessing authorized but infrequently used sensitive resources over a 30-day period — a pattern consistent with pre-departure data gathering, corroborated by repeated job site visits and personal Gmail upload activity.
Planning and Execution
AI triage findings
Has this user's Exabeam risk score changed significantly in the past 30 days?
Risk score escalated from 21 to 94 over 30 days — driven by access anomalies and behavioral drift.
Which resources did the user access that were authorized but outside their normal patterns?
User accessed internal pricing models and contract templates not touched in the prior 12 months.
Has the user shown any signs of data staging or unusual file activity recently?
Large volumes of internal documents were opened and copied to a local folder in the past two weeks.
Has the user uploaded or transferred any files to external services recently?
Several file transfers to personal Gmail were detected via browser upload in the past 10 days.
Enrichment
Involved artifacts
Response
Take action
Suspend user account
Okta
Revoke active sessions
Okta
Notify HR and legal team
ServiceNow
Recommended Malicious
Splunk detected quarterly report executed outside authorized reporting window
Classification
Stale Permission Abuse
A former FP&A analyst ran a restricted quarterly earnings report in the ERP system outside its authorized window — using elevated permissions that were never revoked after they changed roles.
Planning and Execution
AI triage findings
Does this user still hold a role requiring access to this report?
The user left the FP&A team four months ago and no longer holds a financial reporting role.
Has this user run this report before?
The report was run twice before — both times within authorized Q3 and Q4 reporting windows.
Was the timing of this execution consistent with the user's normal behavior?
Execution occurred at 11:47 PM — outside business hours and inconsistent with all prior activity.
Enrichment
Involved artifacts
Response
Take action
Suspend user account
Okta
Notify finance team
ServiceNow
Preserve audit logs
Splunk
Recommended Malicious
Vulnerable library executed and communicating with C2 server
Classification
Vulnerable Library Executed
A known-vulnerable third-party library was committed to the production codebase and subsequently executed on a developer endpoint, establishing an outbound connection to a confirmed malicious command-and-control server.
Planning and Execution
AI triage findings
Is the flagged library version associated with any known vulnerabilities?
lodash 4.17.15 is confirmed vulnerable to CVE-2026-23337, a critical command injection flaw.
Was the vulnerable library executed on a developer endpoint after commit?
The library executed via a Node.js process on dchen's corporate MacBook within 4 hours of commit.
Did the executing process make any outbound network connections?
The process established an outbound HTTPS connection to cdn-pkg-delivery[.]io, a confirmed C2 domain.
Enrichment
Involved artifacts
Response
Take action
Isolate developer endpoint
CrowdStrike Falcon
Block malicious domain
Palo Alto Networks
Open ticket - rotate keys and undo code changes
Jira
Recommended Malicious
Executive impersonation attempt targeting finance team
Classification
Executive Impersonation Attempt
An employee-reported email was confirmed as a targeted business email compromise (BEC) attempt — originating from a spoofed executive domain registered three days prior and deliberately composed in Spanish to evade English-language detection controls.
Planning and Execution
AI triage findings
Is the sender domain a lookalike impersonating Blast Labs?
Blastlabs-finance.com was registered 3 days ago with no affiliation to any legitimate Blast Labs domain.
Has the targeted employee received prior emails from this domain?
Two emails from the same domain reached tnavarro's inbox in the past 5 days — both unopened.
Does the email contain indicators of wire fraud intent?
The email demands an urgent $84,000 wire transfer to an overseas account, written entirely in Spanish.
Enrichment
Involved artifacts
Response
Take action
Block sender domain
Microsoft Defender for Office 365
Quarantine all emails
Microsoft Defender for Office 365
Submit domain for takedown
ZeroFox