We triage what other platforms can't
Other AI SOC platforms have coverage ceilings. They rely on pre-defined logic and follow fixed triage questions.
Radiant uses a structured 5-step investigation process designed to handle any alert, from the common to the complex.
Triage any alert with Radiant’s 5-Step Methodology
The triage process: What we do
Radiant follows the same investigative flow a human analyst would: understand → enrich → plan → execute → conclude.
Classification
AI interprets the characteristics of a raw alert to determine its threat type and whether it has encountered that type before. This determines whether a plan will be reused or generated from scratch in step 3.
Enrich
AI automatically pulls in context from across your environment: threat intelligence, identity data, asset information, and more, so your team has everything they need to make a decision without manually stitching data together.
Plan
AI plans the structured set of steps that determines exactly how the alert will be investigated. Plans are built dynamically based on: Radiant’s expert knowledge, your unique environment, and context memory.
Execute
AI runs automatically to answer each investigative question, pulling information from your connected security tools, SIEMs, and external data sources without any manual effort from your analysts.
Conclude
AI provides a transparent verdict by weighing malicious indicators against benign ones. Once analysts review and validate the reasoning of escalated alerts, they can group related alerts into a case, where they can view the full threat picture and take action from a single place.
The output for analysts: What you see
See how we deliver the details that matter most once triage is complete.
Recommended Malicious
Active phishing site impersonating customer portal
Classification
Site Impersonation
A suspicious domain impersonating Blast Labs' customer portal was identified and confirmed active. It is presenting a near-identical replica of the legitimate login page and posing a credible phishing risk to both employees and customers.
Planning and Execution
AI triage findings
Is the flagged domain still live and serving content?
The site is confirmed live, rendering a full replica of Blast Labs customer login page.
Does the phishing site closely resemble the legitimate Blast Labs portal?
Logo, color scheme, and login form are near-identical to portal.blastlabs.com.
Was the domain recently registered with signs of malicious intent?
The domain was registered 6 days ago with privacy protection enabled — consistent with phishing infrastructure.
Is the hosting IP linked to any known phishing campaigns?
IP is tied to other phishing campaigns targeting SaaS companies in the past 60 days.
Enrichment
Involved artifacts
Response
Take action
Submit domain takedown request
ZeroFox
Block domain
Palo Alto Networks
Notify customer success and employees
Recommended Malicious
Disguised update file triggered ransomware on corporate endpoint
Classification
Ransomware Disguised as Update
Employee executed a file disguised as a routine software update on their corporate endpoint — triggering a ransomware deployment that attempted to encrypt local and network-accessible files within seconds.
Planning and Execution
AI triage findings
Did the process spawn any child processes or attempt lateral movement?
Update.exe spawned svchost.exe and began enumerating network shares within seconds of execution.
Is the contacted domain associated with any known malicious activity?
The domain is flagged as an active ransomware command-and-control server with recent malicious activity.
Has this user executed similar suspicious files recently?
No prior suspicious executions found — this is the user's first encounter with this file.
Enrichment
Involved artifacts
Response
Take action
Submit domain takedown request
ZeroFox
Block domain
Palo Alto Networks
Notify customer success and employees
Recommended Malicious
Sensitive file download detected from Salesforce
Classification
High-priority insider data exfiltration
A departing employee downloaded a sensitive sales leads file from Salesforce without authorization and immediately uploaded it to a personal Gmail account.
Planning and Execution
AI triage findings
Does this user have the permissions to access sensitive CRM sales data?
The user holds no IAM roles or entitlements authorizing access to sensitive Salesforce sales records.
Was the downloaded file transferred to any external destination?
A follow-on DLP alert confirmed the file was uploaded to Gmail shortly after the Salesforce download.
Is the user currently flagged as offboarding or as a departure risk?
The user is actively marked as departing the organization in Workday, placing this event in a high-risk insider threat context.
Enrichment
Involved artifacts
Response
Take action
Suspend Amelia Green’s account
Google IAM
Revoke active sessions and auth tokens
Google IAM
Notify stakeholders to recover lost data
Recommended Malicious
Suspicious VPN login bypassed MFA on registered device
Classification
Anomalous VPN Login
Employee's account was accessed from an unfamiliar location behind a consumer VPN — MFA challenges failed three times, and no ZTNA client was found on their registered device.
Planning and Execution
AI triage findings
Is the login IP associated with a VPN or anonymizing service?
The IP resolves to an ExpressVPN exit node in Iceland — absent from this user's entire login history.
Did the user successfully complete MFA during this login?
MFA failed three times — session access was granted via a legacy authentication fallback policy.
Is a VPN client installed on the user's registered endpoint?
No VPN client is installed on the registered device — confirming the VPN traffic originated elsewhere.
Enrichment
Involved artifacts
Response
Take action
Suspend user account
Microsoft Entra ID
Terminate active sessions
Microsoft Entra ID
Force MFA re-enrollment
Microsoft Entra ID
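The three triage questions on this card (anonymizing exit node outside the user's login history, MFA failed three times yet access granted through a legacy fallback, no VPN client on the registered device) can be expressed as detection logic over sign-in records. The block below is an added example written for this page, not Radiant's code: the sign-in record fields, the "modern"/"legacy" method labels, the per-user country baseline, the device inventory and the user names are all constructed assumptions, and the sample data is built inline.

```python
"""Added example (not Radiant's code): flag a sign-in that was granted
through a legacy authentication method right after a run of MFA failures,
then enrich it with two checks from the card: is the country in the
user's baseline, and does the user's registered device carry a VPN client?
All field names, labels and sample data are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    country: str
    mfa_result: str   # "success", "failure", or "not_required" (policy skipped MFA)
    auth_method: str  # constructed labels: "modern" or "legacy"
    granted: bool


# Constructed software labels that count as a VPN/ZTNA client on an endpoint.
VPN_CLIENT_NAMES = {"vpn-client", "ztna-client"}


def find_mfa_fallback_logins(events, baseline_countries, device_inventory, min_failures=3):
    """Walk each user's sign-ins in time order. Count consecutive MFA failures;
    when a sign-in is granted with MFA not required via a legacy method after
    >= min_failures failures, emit a finding enriched with baseline and device data."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        failures = 0
        for ev in evs:
            if ev.mfa_result == "failure":
                failures += 1
            elif ev.mfa_result == "success":
                failures = 0
            else:  # "not_required": the policy let the sign-in through without MFA
                if ev.granted and ev.auth_method == "legacy" and failures >= min_failures:
                    dev = device_inventory.get(user, {})
                    findings.append({
                        "user": user,
                        "ts": ev.ts.isoformat(),
                        "country": ev.country,
                        "mfa_failures_before": failures,
                        "country_in_baseline": ev.country in baseline_countries.get(user, set()),
                        "registered_device": dev.get("device"),
                        "vpn_client_on_registered_device": bool(VPN_CLIENT_NAMES & dev.get("software", set())),
                    })
                failures = 0
    return findings


def constructed_events():
    """Constructed sample: three MFA failures from IS for j.doe, then a granted
    legacy sign-in without MFA; one ordinary sign-in for a.smith."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)  # arbitrary
    evs = [SignIn(t0 + timedelta(minutes=i), "j.doe", "IS", "failure", "modern", False)
           for i in range(3)]
    evs.append(SignIn(t0 + timedelta(minutes=4), "j.doe", "IS", "not_required", "legacy", True))
    evs.append(SignIn(t0 + timedelta(hours=6), "a.smith", "US", "success", "modern", True))
    return evs


# Constructed per-user baselines and registered-device inventory.
BASELINE = {"j.doe": {"US"}, "a.smith": {"US"}}
INVENTORY = {
    "j.doe": {"device": "LAPTOP-JD-01", "software": {"edr-agent", "office-suite"}},
    "a.smith": {"device": "LAPTOP-AS-01", "software": {"edr-agent", "vpn-client"}},
}


def triage():
    return find_mfa_fallback_logins(constructed_events(), BASELINE, INVENTORY)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The finding carries the three answers separately rather than collapsing them into one score, so an analyst reviewing the verdict can see which of the card's questions actually contributed to it.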
Recommended Malicious
Persistent web attack bypassed WAF and reached application
Classification
External SQL injection
An external attacker cycled through evasion techniques across dozens of blocked attempts until a modified SQL injection payload slipped past WAF rules and hit Blast Labs' application layer.
Planning and Execution
AI triage findings
Analyze requests from this IP in the last 30 days.
47 requests were sent and blocked over 11 minutes before the 48th attempt evaded detection.
Is this IP associated with known malicious or anonymizing infrastructure?
The IP is a confirmed Tor exit node with a history of automated web application attacks.
Did the successful request cause anomalous behavior in the application or database?
The request returned an HTTP 500 error, indicating the payload reached and interacted with the backend.
Enrichment
Involved artifacts
Response
Take action
Block attacker IP
Imperva Cloud WAF
Escalate to incident response
PagerDuty
Patch bypassed WAF rule
Imperva Cloud WAF
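The first triage question on this card ("Analyze requests from this IP in the last 30 days") boils down to spotting a run of blocked requests from one source followed by an allowed request that the backend answered with a 5xx. The block below is an added example written for this page, not Radiant's or any WAF vendor's code: the log line format, the TEST-NET addresses, the rule identifiers and the sample traffic are all constructed assumptions, and the detection generalises the card's single case to any source IP and any configurable threshold.

```python
"""Added example (not Radiant's code): detect the WAF-evasion pattern on the
card, a burst of blocked requests from one IP followed by an allowed request
that reached the backend and returned a 5xx. The record format, IP addresses
(RFC 5737 TEST-NET ranges) and rule ids are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WafEvent:
    ts: datetime
    src_ip: str
    action: str  # "BLOCK" or "ALLOW"
    status: int  # HTTP status the client received
    rule: str    # id of the WAF rule that matched, "-" when none did


def parse_line(line: str) -> WafEvent:
    """Parse one record in the constructed format
    '<iso-timestamp> <src_ip> <action> <status> <rule>'."""
    ts, ip, action, status, rule = line.split()
    return WafEvent(datetime.fromisoformat(ts), ip, action, int(status), rule)


def find_evasions(events, min_blocked=10, window=timedelta(minutes=30)):
    """For each source IP, walk its events in time order and report an ALLOWed
    request answered with a 5xx when at least `min_blocked` BLOCKs from the
    same IP fell inside `window` before it."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        recent_blocks = []
        for ev in evs:
            # drop blocks that have aged out of the sliding window
            recent_blocks = [b for b in recent_blocks if ev.ts - b.ts <= window]
            if ev.action == "BLOCK":
                recent_blocks.append(ev)
            elif ev.action == "ALLOW" and 500 <= ev.status < 600 and len(recent_blocks) >= max(min_blocked, 1):
                findings.append({
                    "src_ip": ip,
                    "blocked_before": len(recent_blocks),
                    "span_minutes": (ev.ts - recent_blocks[0].ts).total_seconds() / 60,
                    "evasion_ts": ev.ts.isoformat(),
                    # rules that stopped the earlier attempts: candidates for the
                    # "patch bypassed WAF rule" action on the card
                    "rules_that_blocked": sorted({b.rule for b in recent_blocks}),
                })
                recent_blocks = []
    return findings


def constructed_log():
    """Constructed sample: 47 blocked attempts from one address over 11 minutes,
    then a 48th request that is allowed and returns 500, plus ordinary traffic
    from a second address."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # arbitrary
    lines = []
    for i in range(47):
        rule = "sqli-rule-1" if i % 2 == 0 else "sqli-rule-2"  # constructed ids
        lines.append(f"{(t0 + timedelta(seconds=14 * i)).isoformat()} 203.0.113.10 BLOCK 403 {rule}")
    lines.append(f"{(t0 + timedelta(minutes=11)).isoformat()} 203.0.113.10 ALLOW 500 -")
    for i in range(5):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 198.51.100.5 ALLOW 200 -")
    return lines


def triage():
    return find_evasions(parse_line(line) for line in constructed_log())


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The 5xx condition is what separates "the WAF let a request through" from "the request reached and disturbed the backend", which is the distinction the card's third question draws; a tuned deployment would also consult response size or database error logs, neither of which the constructed records carry.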
Recommended Malicious
Persistent web attack bypassed WAF and reached application
Classification
Low-Fidelity Outbound Alert
A corporate device triggered a network alert for unusual outbound traffic patterns — flagged by firewall rules as potentially suspicious but lacking clear indicators of malicious intent.
Planning and Execution
AI triage findings
Is the destination IP or domain associated with any known threats?
Domain resolves to a verified Google infrastructure endpoint with no threat associations.
Has this device shown any signs of compromise or suspicious process activity?
No malicious processes, file executions, or behavioral anomalies detected on the device.
Has this device communicated with this destination before?
The device has made repeated connections to this domain over the past 90 days — consistent with normal usage.
Enrichment
Involved artifacts
Response
Take action
Close alert as benign
Palo Alto Networks
Tune low-fidelity rule
Palo Alto Networks
What security leaders say