# Solutions

# We triage what other platforms can't

Other AI SOC platforms have coverage ceilings. They rely on pre-defined logic and follow fixed triage questions.
Radiant uses a structured 5-step investigation process designed to handle any alert, from the common to the complex.

[Book a Demo](https://radiantsecurity.ai/book-a-demo/)


# Triage any alert with Radiant’s 5-Step Methodology

# The triage process: What we do

Radiant follows the same investigative flow a human analyst would: understand → enrich → plan → execute → conclude.

### Classification

AI interprets the characteristics of a raw alert to determine its threat type and whether it has encountered that type before. This determines whether a plan is re-used or generated from scratch in step 3.

### Enrich

AI automatically pulls in context from across your environment: threat intelligence, identity data, asset information, and more, so your team has everything it needs to make a decision without manually stitching data together.

### Plan

AI plans the structured set of steps that determines exactly how the alert will be investigated. Plans are built dynamically from Radiant’s expert knowledge, your unique environment, and context memory.

### Execute

AI runs automatically to answer each investigative question, pulling information from your connected security tools, SIEMs, and external data sources without any manual effort from your analysts.

### Conclude

AI provides a transparent verdict by weighing malicious indicators against benign ones. Once analysts review and validate the reasoning of escalated alerts, they can group related alerts into a case, where they can view the full threat picture and take action from a single place.


# The output for analysts: What you see

See how we deliver the details that matter the most once triage is completed.

Click through to see examples of each alert type.

Alert types: Dark Web, Endpoint, DLP, Identity, WAF, Network, OT/IoT, Cloud, Insider Threat, SIEM, Supply Chain, Email.

### Dark Web

##### Recommended Malicious

#### Active phishing site impersonating customer portal

Escalate to Case

##### Classification

#### Site Impersonation

A suspicious domain impersonating Blast Labs' customer portal was identified and confirmed active. It is presenting a near-identical replica of the legitimate login page and posing a credible phishing risk to both employees and customers.

##### Planning and Execution

#### AI triage findings

**Is the flagged domain still live and serving content?**

The site is confirmed live, rendering a full replica of the Blast Labs customer login page.

**Does the phishing site closely resemble the legitimate Blast Labs portal?**

Logo, color scheme, and login form are near-identical to portal.blastlabs.com.

**Was the domain recently registered with signs of malicious intent?**

The domain was registered 6 days ago with privacy protection enabled — consistent with phishing infrastructure.

**Is the hosting IP linked to any known phishing campaigns?**

The IP is tied to other phishing campaigns targeting SaaS companies in the past 60 days.

##### Enrichment

#### Involved artifacts

- blastlabs-secure-login.com, resolving to attacker-controlled infrastructure
- 91.238.181.44 (Sofia, Bulgaria), serving a convincing replica of
- https://blastlabs-login.com/login, visually mimicking legitimate protected asset
- https://portal.blastlabs.com/login, presenting an untrusted TLS certificate
- blastlabs-secure-login.com

##### Response

#### Take action

- Submit domain takedown request (ZeroFox)
- Block domain (Palo Alto Networks)
- Notify customer success and employees (Email)

### Endpoint

##### Recommended Malicious

#### Disguised update file triggered ransomware on corporate endpoint

Escalate to Case

##### Classification

#### Ransomware Disguised as Update

An employee executed a file disguised as a routine software update on their corporate endpoint — triggering a ransomware deployment that attempted to encrypt local and network-accessible files within seconds.

##### Planning and Execution

#### AI triage findings

**Did the process spawn any child processes or attempt lateral movement?**

Update.exe spawned svchost.exe and began enumerating network shares within seconds of execution.

**Is the contacted domain associated with any known malicious activity?**

The domain is flagged as an active ransomware command-and-control server with recent malicious activity.

**Has this user executed similar suspicious files recently?**

No prior suspicious executions found — this is the user's first encounter with this file.

##### Enrichment

#### Involved artifacts

- blastlabs-secure-login.com, resolving to attacker-controlled infrastructure
- 91.238.181.44 (Sofia, Bulgaria), serving a convincing replica of
- https://blastlabs-login.com/login, visually mimicking legitimate protected asset
- https://portal.blastlabs.com/login, presenting an untrusted TLS certificate
- blastlabs-secure-login.com

##### Response

#### Take action

- Submit domain takedown request (ZeroFox)
- Block domain (Palo Alto Networks)
- Notify customer success and employees (Email)

### DLP

##### Recommended Malicious

#### Sensitive file download detected from Salesforce

Escalate to Case

##### Classification

#### High-priority insider data exfiltration

A departing employee downloaded a sensitive sales leads file from Salesforce without authorization and immediately uploaded it to a personal Gmail account.

##### Planning and Execution

#### AI triage findings

**Does this user have the permissions to access sensitive CRM sales data?**

The user holds no IAM roles or entitlements authorizing access to sensitive Salesforce sales records.

**Was the downloaded file transferred to any external destination?**

A follow-on DLP alert confirmed the file was uploaded to Gmail shortly after the Salesforce download.

**Is the user currently flagged as offboarding or as a departure risk?**

The user is actively marked as departing the organization in Workday, placing this event in a high-risk insider threat context.

##### Enrichment

#### Involved artifacts

- amelia@blastsecurity.com, using managed device
- agreen-MacBook Air, from Columbus, Ohio
- 3.146.43.227, logged into SaaS app
- Salesforce, and downloaded file
- 026 enterprise salesleads.xlsx

##### Response

#### Take action

- Suspend Amelia Green’s account (Google IAM)
- Revoke active sessions and auth tokens (Google IAM)
- Notify stakeholders to recover lost data (Email)

### Identity

##### Recommended Malicious

#### Suspicious VPN login bypassed MFA on registered device

Escalate to Case

##### Classification

#### Anomalous VPN Login

Employee's account was accessed from an unfamiliar location behind a consumer VPN — MFA challenges failed three times, and no ZTNA client was found on their registered device.

##### Planning and Execution

#### AI triage findings

**Is the login IP associated with a VPN or anonymizing service?**

The IP resolves to an ExpressVPN exit node in Iceland — absent from this user's entire login history.

**Did the user successfully complete MFA during this login?**

MFA failed three times — session access was granted via a legacy authentication fallback policy.

**Is a VPN client installed on the user's registered endpoint?**

No VPN client is installed on the registered device — confirming the VPN traffic originated elsewhere.

##### Enrichment

#### Involved artifacts

- blastlabs-secure-login.com, authenticated via desktop browser
- Remote Azure AD — MFA: Failed, originating from commercial VPN exit node
- 104.223.87.34 (Reykjavik, Iceland), flagged against registered device baseline
- srodriguez-DELL-WIN11, with prior clean login pattern from expected location
- 76.102.44.19 (Austin, Texas)

##### Response

#### Take action

- Suspend user account (Microsoft Entra ID)
- Terminate active sessions (Microsoft Entra ID)
- Force MFA re-enrollment (Microsoft Entra ID)

### WAF

##### Recommended Malicious

#### Persistent web attack bypassed WAF and reached application

Escalate to Case

##### Classification

#### External SQL injection

An external attacker cycled through evasion techniques across dozens of blocked attempts until a modified SQL injection payload slipped past WAF rules and hit Blast Labs' application layer.

##### Planning and Execution

#### AI triage findings

**Analyze requests from this IP in the last 30 days.**

47 requests were sent and blocked over 11 minutes before the 48th attempt evaded detection.

**Is this IP associated with known malicious or anonymizing infrastructure?**

The IP is a confirmed Tor exit node with a history of automated web application attacks.

**Did the successful request cause anomalous behavior in the application or database?**

The request returned an HTTP 500 error, indicating the payload reached and interacted with the backend.

##### Enrichment

#### Involved artifacts

- 185.220.101.34, repeatedly targeted
- https://portal...com/api/v2/auth, with escalating attack technique
- SQL Injection—WAF Evasion Variant, blocked across 47 attempts by
- SQLi-Detection-Rule-09, until modified payload triggered response
- write → failure (HTTP 500), exposing backend
- portal.blastlabs.com

##### Response

#### Take action

- Block attacker IP (Imperva Cloud WAF)
- Escalate to incident response (PagerDuty)
- Patch bypassed WAF rule (Imperva Cloud WAF)

### Network

##### Recommended Malicious

#### Persistent web attack bypassed WAF and reached application

Mark Benign

##### Classification

#### Low-Fidelity Outbound Alert

A corporate device triggered a network alert for unusual outbound traffic patterns — flagged by firewall rules as potentially suspicious but lacking clear indicators of malicious intent.

##### Planning and Execution

#### AI triage findings

**Is the destination IP or domain associated with any known threats?**

The domain resolves to a verified Google infrastructure endpoint with no threat associations.

**Has this device shown any signs of compromise or suspicious process activity?**

No malicious processes, file executions, or behavioral anomalies were detected on the device.

**Has this device communicated with this destination before?**

The device has made repeated connections to this domain over the past 90 days — consistent with normal usage.

##### Enrichment

#### Involved artifacts

- srodriguez@blastlabs.com, generated outbound traffic to
- 142.250.80.46 — Google LLC, US, associated with external domain
- clients6.google.com, triggered firewall policy
- Outbound-Anomaly-Low-Confidence-Rule-447

##### Response

#### Take action

- Close alert as benign (Palo Alto Networks)
- Tune low-fidelity rule (Palo Alto Networks)

### OT/IoT

##### Recommended Malicious

#### Authorized engineer scan flagged as OT reconnaissance activity

Mark Benign

##### Classification

#### Potential reconnaissance

A scheduled OT diagnostic scan triggered a Dragos reconnaissance alert — Radiant confirmed the activity was authorized, change-ticket approved, and identical in pattern to scans run by the same engineer the month prior.

##### Planning and Execution

#### AI triage findings

**Has this user performed identical OT scanning activity before?**

Matching scan patterns from the same user and device were recorded during last month's maintenance window.

**Is the tool used for scanning recognized and approved by the security team?**

Nmap 7.94 is on the approved diagnostic tooling list and carries a valid code signature.

**Has this device communicated with this destination before?**

The device has made repeated connections to this domain over the past 90 days — consistent with normal usage.

##### Enrichment

#### Involved artifacts

- rpalmer@blastlabs.com, logged into corporate engineering workstation
- rpalmer-DELL-WIN11, ran authorized network diagnostic tool
- Nmap 7.94 — code-signed, approved scanning OT network segment from
- 10.0.12.45 - internal, corporate LAN sweeping known OT asset range
- 10.0.12.45:49152, reaching industrial control assets
- PLC-HVAC-CTRL-07

##### Response

#### Take action

- Close alert as benign (Dragos)
- Log authorized scan activity (ServiceNow)
- Tune OT reconnaissance detection rule (Dragos)

### Cloud

##### Recommended Malicious

#### Compromised API credentials exploited misconfigured S3 bucket

Escalate to Case

##### Classification

#### Compromised API Credentials

A production service account's API credentials were used from a Tor exit node to enumerate and access S3 buckets — actions outside the account's normal behavior, due to a misconfigured public-read access policy that was never remediated.

##### Planning and Execution

#### AI triage findings

**Are the API actions consistent with this service account's normal behavior?**

This account has never previously performed bucket enumeration or cross-resource object reads.

**Is the accessed S3 bucket misconfigured or overly permissive?**

The bucket had a public-read ACL applied — granting access far beyond the service account's intended scope.

**Was any data successfully read from the exposed bucket?**

2,418 API read calls completed successfully across multiple file types before the session was flagged.

##### Enrichment

#### Involved artifacts

- blastlabs-prod-svc-dataops, API credentials used anomalously from external IP
- 197.231.221.211, authenticating to AWS production environment
- BlastLabs-Prod-us-east1, accessing sensitive production storage
- s3://blastlabs-prod-customer-data, exposed due to misconfigured access policy
- s3:GetObject — Scope: public-read (misconfigured ACL)

##### Response

#### Take action

- Rotate API credentials (AWS IAM)
- Restrict bucket ACL (AWS S3)
- Block IP (AWS WAF)

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/insider-icon.svg)

##### ![](https://radiantsecurity.ai/wp-content/uploads/2026/03/malicious-Stroke.svg) Recommended Malicious

#### High-risk user accessing sensitive resources before likely departure

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon-source.svg) Escalate to Case

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon987.svg)

##### Classification

#### Pre-Departure Data Gathering

An employee was observed accessing authorized but infrequently used sensitive resources over a 30-day period — a pattern consistent with pre-departure data gathering, corroborated by repeated job site visits and personal Gmail upload activity.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon987.svg)

##### Classification

#### Pre-Departure Data Gathering

An employee was observed accessing authorized but infrequently used sensitive resources over a 30-day period — a pattern consistent with pre-departure data gathering, corroborated by repeated job site visits and personal Gmail upload activity.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon765.svg)

##### Planning and Execution

#### AI triage findings

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/7868767logo-source.svg) ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/jkllogo-source.svg) ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/ljlogo-source.svg)

**Has this user's Exabeam risk score changed significantly in the past 30 days?**

Risk score escalated from 21 to 94 over 30 days — driven by access anomalies and behavioral drift.

**Which resources did the user access that were authorized but outside their normal patterns?**

User accessed internal pricing models and contract templates not touched in the prior 12 months.

**Has the user shown any signs of data staging or unusual file activity recently?**

Large volumes of internal documents were opened and copied to a local folder in the past two weeks.

**Has the user uploaded or transferred any files to external services recently?**

Several file transfers to personal Gmail were detected via browser upload in the past 10 days.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon54654.svg)

##### Enrichment

#### Involved artifacts

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector-Stroke.svg) Marcus Wilson — Sr Solutions Engineer

Authenticating as

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector-Stroke.svg) mwilson@blastlabs.com

accessed sensitive internal files

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/87879icon.svg) 2024-Enterprise-Pricing-Model.xlsx

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/87879icon.svg) Master-Services-Agreement.docx

from managed corporate device

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector876Stroke.svg) mwilson-DELL-WIN11

with browser activity across job search platforms

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector45Stroke.svg) linkedin.com/jobs

alongside repeated file transfers to personal email

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/7786jhkjhicon.svg) Gmail — mail.google.com

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon65765.svg)

##### Response

#### Take action

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/kejh338icon.svg)

##### Suspend user account

#### Okta

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/jkicon.svg)

##### Revoke active sessions

#### Okta

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/bell-icon.svg)

##### Notify HR and legal team

#### ServiceNow
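The four findings above are a correlation across identity risk scores, file telemetry, web proxy logs and browser upload events over a 30-day window. As an added example (not Radiant's code), the Python below runs that correlation over a constructed event stream for a hypothetical user; the thresholds (a 40-point score jump, two staging events in 14 days), the site lists, the baseline and the file names are assumptions, and the verdict rule deliberately treats job-site browsing and the score jump as corroboration only.

```python
"""Correlate insider-risk signals into a pre-departure data gathering verdict.

Added example, not Radiant's code. Scores, events, file names, site lists
and thresholds below are constructed for illustration.
"""
from datetime import date, timedelta

AS_OF = date(2026, 3, 31)

# Constructed UEBA risk-score history for one user (date -> score).
RISK_SCORES = {date(2026, 2, 1): 18, date(2026, 3, 1): 21,
               date(2026, 3, 15): 58, date(2026, 3, 31): 94}

# Constructed event stream: (day, event_type, detail).
EVENTS = [
    (date(2026, 3, 20), "file_access", "2024-Enterprise-Pricing-Model.xlsx"),
    (date(2026, 3, 21), "file_access", "Master-Services-Agreement.docx"),
    (date(2026, 3, 21), "file_access", "Demo-Environment-Setup.md"),
    (date(2026, 3, 22), "file_copy", "C:/Users/mwilson/Desktop/export/"),
    (date(2026, 3, 23), "file_copy", "C:/Users/mwilson/Desktop/export/"),
    (date(2026, 3, 24), "web", "linkedin.com/jobs"),
    (date(2026, 3, 25), "web", "indeed.com"),
    (date(2026, 3, 26), "upload", "mail.google.com"),
    (date(2026, 3, 28), "upload", "mail.google.com"),
]

# Files the user touched in the prior 12 months (constructed baseline).
BASELINE_FILES = {"Q1-Pipeline-Review.pptx", "Demo-Environment-Setup.md"}
JOB_SITES = {"linkedin.com/jobs", "indeed.com", "glassdoor.com"}
PERSONAL_WEBMAIL = {"mail.google.com", "outlook.live.com"}


def recent(events, days, kind, asof=AS_OF):
    """Events of one type dated within the last `days` days before `asof`."""
    cutoff = asof - timedelta(days=days)
    return [e for e in events if e[1] == kind and cutoff <= e[0] <= asof]


def risk_score_change(scores, days=30, asof=AS_OF):
    """(first, last) score inside the window; (0, 0) if there is none."""
    cutoff = asof - timedelta(days=days)
    window = sorted((d, s) for d, s in scores.items() if cutoff <= d <= asof)
    return (window[0][1], window[-1][1]) if window else (0, 0)


def unusual_sensitive_access(events, baseline):
    """Files accessed in the last 30 days that never appear in the baseline."""
    return sorted({e[2] for e in recent(events, 30, "file_access") if e[2] not in baseline})


def triage(events=EVENTS, scores=RISK_SCORES, baseline=BASELINE_FILES):
    """Answer the four triage questions; return (verdict, list of signals).

    Thresholds are assumptions. Job-site browsing and a score jump alone are
    only corroboration: the verdict requires evidence of staging or exfil.
    """
    signals = []
    first, last = risk_score_change(scores)
    if last - first >= 40:
        signals.append(f"risk score {first}->{last} in 30 days")
    unusual = unusual_sensitive_access(events, baseline)
    if unusual:
        signals.append("outside-pattern access: " + ", ".join(unusual))
    if len(recent(events, 14, "file_copy")) >= 2:
        signals.append("local staging in last 14 days")
    uploads = [e for e in recent(events, 10, "upload") if e[2] in PERSONAL_WEBMAIL]
    if uploads:
        signals.append(f"{len(uploads)} uploads to personal webmail in last 10 days")
    if any(e[2] in JOB_SITES for e in recent(events, 30, "web")):
        signals.append("job-site browsing")
    exfil = any("staging" in s or "uploads" in s for s in signals)
    if exfil and len(signals) >= 3:
        return "malicious", signals
    return ("suspicious" if signals else "benign"), signals


if __name__ == "__main__":
    print(triage())
```

The rarely-touched-but-authorized access is what makes this hard for a static rule: every file open here is permitted, so the signal only exists relative to the user's own 12-month baseline, which is why the example keeps that baseline as an explicit input rather than a hard-coded list of "sensitive" paths.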

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/siem-icon.svg)

##### ![](https://radiantsecurity.ai/wp-content/uploads/2026/03/malicious-Stroke.svg) Recommended Malicious

#### Splunk detected quarterly report executed outside authorized reporting window

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon-source.svg) Escalate to Case

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon987.svg)

##### Classification

#### Stale Permission Abuse

A former FP&A analyst ran a restricted quarterly earnings report in the ERP system outside its authorized window — using elevated permissions that were never revoked after they changed roles.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon765.svg)

##### Planning and Execution

#### AI triage findings

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/2kjhlogo-source.svg) ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/uyulogo-source.svg)

**Does this user still hold a role requiring access to this report?**

The user left the FP&A team four months ago and no longer holds a financial reporting role.

**Has this user run this report before?**

The report was run twice before — both times within authorized Q3 and Q4 reporting windows.

**Was the timing of this execution consistent with the user's normal behavior?**

Execution occurred at 11:47 PM — outside business hours and inconsistent with all prior activity.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon54654.svg)

##### Enrichment

#### Involved artifacts

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector-Stroke.svg) lfortier@blastlabs.com

executed sensitive financial report

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/7786jhkjhicon.svg) SAP ERP

running restricted report at anomalous time

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector45Stroke.svg) QTR-EARNINGS-CONSOLIDATED

using permissions that should have been revoked

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector-Stroke.svg) SAP Role — Status: Active (stale)

from corporate device during off-hours

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector876Stroke.svg) lfortier-LENOVO-WIN11

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon65765.svg)

##### Response

#### Take action

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/kejh338icon.svg)

##### Suspend user account

#### Okta

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/eicon.svg)

##### Notify finance team

#### ServiceNow

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/lkj-icon.svg)

##### Preserve audit logs

#### Splunk
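The three findings above reduce to a joiner-mover-leaver check: does the user's current HR team still justify the SAP role behind the report, were the earlier runs inside an authorized window, and was this run at a normal hour. As an added example (not Radiant's code), the Python below answers those questions for one execution against constructed HR, SAP authorization, reporting-window and audit-log records; the role names, windows and business-hours bounds are assumptions, and the user and report names follow the card.

```python
"""Stale-permission abuse: was an executed report still authorised for the user?

Added example, not Radiant's code. The HR record, SAP role data, reporting
windows and audit log are constructed; user and report names follow the card.
"""
from datetime import date, datetime, time

# Constructed HR record: current team, and when the user left each former team.
HR = {"lfortier@blastlabs.com": {"team": "Sales Operations",
                                  "left": {"FP&A": date(2025, 12, 1)}}}

# Constructed SAP authorisation data.
SAP_ROLES = {"Z_FIN_QTR_EARNINGS": {"approved_teams": {"FP&A", "Controllership"}}}
USER_ROLES = {"lfortier@blastlabs.com": {"Z_FIN_QTR_EARNINGS", "Z_SALES_VIEW"}}
REPORT_ROLE = {"QTR-EARNINGS-CONSOLIDATED": "Z_FIN_QTR_EARNINGS"}

# Constructed authorised windows: the report may only run during quarter close.
WINDOWS = {"QTR-EARNINGS-CONSOLIDATED": [
    (date(2025, 7, 1), date(2025, 7, 15)),
    (date(2025, 10, 1), date(2025, 10, 15)),
    (date(2026, 1, 5), date(2026, 1, 20)),
]}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed SAP audit log: (user, report, timestamp).
AUDIT = [
    ("lfortier@blastlabs.com", "QTR-EARNINGS-CONSOLIDATED", datetime(2025, 7, 8, 10, 12)),
    ("lfortier@blastlabs.com", "QTR-EARNINGS-CONSOLIDATED", datetime(2025, 10, 9, 14, 3)),
    ("lfortier@blastlabs.com", "QTR-EARNINGS-CONSOLIDATED", datetime(2026, 4, 2, 23, 47)),
]


def stale_roles(user):
    """Roles the user still holds whose approved teams no longer include theirs."""
    team = HR[user]["team"]
    return sorted(r for r in USER_ROLES.get(user, ())
                  if r in SAP_ROLES and team not in SAP_ROLES[r]["approved_teams"])


def days_since_entitled(user, role, asof):
    """Days since the user left the last team that entitled them to `role`."""
    left = [d for t, d in HR[user]["left"].items()
            if t in SAP_ROLES[role]["approved_teams"]]
    return (asof.date() - max(left)).days if left else None


def in_authorised_window(report, ts):
    return any(start <= ts.date() <= end for start, end in WINDOWS.get(report, []))


def off_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1])


def triage(user, report, ts, audit=AUDIT):
    """Answer the three triage questions for one execution and return findings."""
    role = REPORT_ROLE[report]
    prior = [t for u, r, t in audit if u == user and r == report and t < ts]
    f = {
        "still_entitled": role not in stale_roles(user),
        "days_since_entitled": days_since_entitled(user, role, ts),
        "prior_runs": len(prior),
        "prior_runs_in_window": all(in_authorised_window(report, t) for t in prior),
        "this_run_in_window": in_authorised_window(report, ts),
        "off_hours": off_hours(ts),
    }
    if not f["still_entitled"] and (not f["this_run_in_window"] or f["off_hours"]):
        f["verdict"] = "malicious"
    elif not f["still_entitled"] or not f["this_run_in_window"]:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "benign"
    return f


if __name__ == "__main__":
    user, report, ts = AUDIT[-1]
    print(triage(user, report, ts))
```

One caveat the example makes visible: `stale_roles` compares against the HR record as it is now, so replaying an old execution through it would also flag the runs that were legitimate at the time. A production check should either snapshot HR state per event or, as here, only be applied to the execution under investigation.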

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/supply-icon.svg)

##### ![](https://radiantsecurity.ai/wp-content/uploads/2026/03/malicious-Stroke.svg) Recommended Malicious

#### Vulnerable library executed and communicating with C2 server

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon-source.svg) Escalate to Case

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon987.svg)

##### Classification

#### Vulnerable Library Executed

A known-vulnerable third-party library was committed to the production codebase and subsequently executed on a developer endpoint, establishing an outbound connection to a confirmed malicious command-and-control server.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon765.svg)

##### Planning and Execution

#### AI triage findings

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/87uhjlogo-source.svg) ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/7868767logo-source.svg) ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/data-lkjsources.svg)

**Is the flagged library version associated with any known vulnerabilities?**

lodash 4.17.15 is confirmed vulnerable to CVE-2021-23337, a high-severity command injection flaw in the template function fixed in 4.17.21.

**Was the vulnerable library executed on a developer endpoint after commit?**

The library executed via a Node.js process on dchen's corporate MacBook within 4 hours of commit.

**Did the executing process make any outbound network connections?**

The process established an outbound HTTPS connection to cdn-pkg-delivery[.]io, a confirmed C2 domain.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon54654.svg)

##### Enrichment

#### Involved artifacts

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector-Stroke.svg) dchen@blastlabs.com

committed third-party library to production repo

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/87879icon.svg) lodash-4.17.15.min.js-SHA256:a1...

containing known command injection vulnerability

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/kjhhjicon.svg) CVE-2021-23337 — Command Inject...

library executed on developer workstation

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector876Stroke.svg) chen-MacBook-Pro-M2

spawning suspicious outbound process

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/87687vjhvjvicon.svg) node.js → lodash-4.17.15.min.js

establishing connection to malicious external server

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector45Stroke.svg) 10.0.4.31:52847→91.212.166.21:443

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon65765.svg)

##### Response

#### Take action

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/3werfgblocks.svg)

##### Isolate developer endpoint

#### CrowdStrike Falcon

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/stop-icon-source.svg)

##### Block malicious domain

#### Palo Alto Networks

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/rew-icon.svg)

##### Open ticket: rotate keys and revert code changes

#### Jira
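The three findings above chain three separate data sources: the dependency manifest against an advisory feed, EDR process telemetry against the commit, and network telemetry against threat intelligence, keyed on the same host and process. As an added example (not Radiant's code), the Python below runs that chain. The advisory range is the real lodash one (CVE-2021-23337, command injection via `template()`, fixed in 4.17.21); the package-lock contents, commit, process and connection records are constructed, and the C2 domain is the one named on the card rather than a real indicator feed.

```python
"""Supply-chain triage: vulnerable dependency committed, executed, then beaconing.

Added example, not Radiant's code. Advisory range is the real lodash one
(CVE-2021-23337, fixed in 4.17.21); lockfile, commit, EDR process and
connection records are constructed, and the C2 list is from the card.
"""
import json
from datetime import datetime, timedelta

# Advisory data: package -> [(cve, fixed_in)]; versions below fixed_in are affected.
ADVISORIES = {"lodash": [("CVE-2021-23337", "4.17.21")]}
C2_DOMAINS = {"cdn-pkg-delivery.io"}  # constructed threat-intel list

# Constructed package-lock.json in the lockfileVersion 2/3 layout.
LOCKFILE = json.dumps({
    "name": "blast-portal", "lockfileVersion": 3,
    "packages": {"": {"name": "blast-portal"},
                 "node_modules/lodash": {"version": "4.17.15"},
                 "node_modules/express": {"version": "4.19.2"}},
})

# Constructed commit metadata and EDR telemetry.
COMMIT = {"author": "dchen@blastlabs.com", "ts": datetime(2026, 4, 1, 9, 2),
          "added": ["package-lock.json", "vendor/lodash-4.17.15.min.js"]}
PROCESSES = [{"host": "chen-MacBook-Pro-M2", "pid": 4411, "image": "node",
              "ts": datetime(2026, 4, 1, 12, 30),
              "loaded": ["vendor/lodash-4.17.15.min.js"]}]
CONNECTIONS = [{"host": "chen-MacBook-Pro-M2", "pid": 4411, "sni": "cdn-pkg-delivery.io",
                "dst": "91.212.166.21", "dport": 443,
                "ts": datetime(2026, 4, 1, 12, 31)}]


def parse_version(v):
    """'4.17.15' -> (4, 17, 15); plain numeric versions only."""
    return tuple(int(x) for x in v.split("."))


def vulnerable_packages(lockfile_json, advisories=ADVISORIES):
    """Map each locked package to the CVEs whose fixed version it predates."""
    lock = json.loads(lockfile_json)
    hits = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in advisories:
            continue
        cves = [cve for cve, fixed in advisories[name]
                if parse_version(meta["version"]) < parse_version(fixed)]
        if cves:
            hits[f"{name}@{meta['version']}"] = cves
    return hits


def executed_after_commit(commit, processes, within=timedelta(hours=24)):
    """Processes that loaded a file from the commit inside the time window."""
    added = set(commit["added"])
    return [p for p in processes
            if commit["ts"] <= p["ts"] <= commit["ts"] + within
            and added & set(p["loaded"])]


def c2_connections(processes, connections, c2=C2_DOMAINS):
    """Connections from those exact processes (host + pid) to a known C2 domain."""
    keys = {(p["host"], p["pid"]) for p in processes}
    return [c for c in connections if (c["host"], c["pid"]) in keys and c["sni"] in c2]


def triage():
    vuln = vulnerable_packages(LOCKFILE)
    execs = executed_after_commit(COMMIT, PROCESSES)
    beacons = c2_connections(execs, CONNECTIONS)
    if vuln and execs and beacons:
        verdict = "malicious"
    elif vuln and execs:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"vulnerable": vuln, "executed_on": sorted({p["host"] for p in execs}),
            "c2": sorted({c["sni"] for c in beacons}), "verdict": verdict}


if __name__ == "__main__":
    print(triage())
```

Joining on host and pid, not just host, is the point of the last step: a developer workstation makes plenty of outbound HTTPS connections, and only the ones from the Node process that loaded the committed file tie the beacon back to the library.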

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/rewert-icon.svg)

##### ![](https://radiantsecurity.ai/wp-content/uploads/2026/03/malicious-Stroke.svg) Recommended Malicious

#### Executive impersonation attempt targeting finance team

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon-source.svg) Escalate to Case

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon987.svg)

##### Classification

#### Executive Impersonation Attempt

An employee-reported email was confirmed as a targeted business email compromise (BEC) attempt, originating from a spoofed executive domain registered three days prior and deliberately composed in Spanish to evade English-language detection controls.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon765.svg)

##### Planning and Execution

#### AI triage findings

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/wlogo-source.svg) ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/jklbhlogo-source.svg) ![](https://radiantsecurity.ai/wp-content/uploads/2026/04/78yujlogo-source.svg)

**Is the sender domain a lookalike impersonating Blast Labs?**

blastlabs-finance.com was registered 3 days ago with no affiliation to any legitimate Blast Labs domain.

**Has the targeted employee received prior emails from this domain?**

Two emails from the same domain reached tnavarro's inbox in the past 5 days — both unopened.

**Does the email contain indicators of wire fraud intent?**

The email demands an urgent $84,000 wire transfer to an overseas account, written entirely in Spanish.

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon54654.svg)

##### Enrichment

#### Involved artifacts

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/mail-icon.svg) dchen@blastlabs.com

and sent from spoofed address

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector45Stroke.svg) cfo-office@blastlabs-finance.com

impersonating legitimate executive

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector-Stroke.svg) Diego Santiago — CFO, Blast Labs

targeting finance team employee

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector-Stroke.svg) tnavarro@blastlabs.com

delivered through external mail infrastructure

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector45Stroke.svg) 185.234.219.44 (Bucharest, Romania)

routed via lookalike domain registered 3 days ago

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/Vector45Stroke.svg) blastlabs-finance.com

![](https://radiantsecurity.ai/wp-content/uploads/2026/03/icon65765.svg)

##### Response

#### Take action

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/wicon.svg)

##### Block sender domain

#### Microsoft Defender for Office 365

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/3werfgblocks.svg)

##### Quarantine all emails

#### Microsoft Defender for Office 365

![](https://radiantsecurity.ai/wp-content/uploads/2026/04/qicon.svg)

##### Submit domain for takedown

#### ZeroFox
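The three findings above are a lookalike-domain check (brand label embedded in, or within a couple of edits of, the registered domain, plus registration age), a mailbox-history lookup, and a content check for wire-fraud intent. The card's point about the Spanish-language body is that an English-only keyword control misses it, so any content check has to carry a multilingual lexicon. As an added example (not Radiant's code), the Python below performs all three checks on a constructed message; the WHOIS dates, mailbox history, message text, lexicon, edit-distance threshold and verdict rule are all assumptions.

```python
"""BEC triage: lookalike sender domain, prior contact and wire-fraud language.

Added example, not Radiant's code. WHOIS ages, mailbox history and the
message are constructed; the lexicon, edit-distance threshold and scoring
are assumptions. The body is Spanish on purpose: an English-only keyword
list would score it clean.
"""
import re
from datetime import date

AS_OF = date(2026, 4, 10)
LEGIT_DOMAINS = {"blastlabs.com"}
# Constructed WHOIS creation dates.
REGISTERED = {"blastlabs-finance.com": date(2026, 4, 7), "blastlabs.com": date(2014, 5, 2)}
# Constructed mailbox history: (recipient, sender domain, opened).
HISTORY = [("tnavarro@blastlabs.com", "blastlabs-finance.com", False),
           ("tnavarro@blastlabs.com", "blastlabs-finance.com", False),
           ("tnavarro@blastlabs.com", "blastlabs.com", True)]

MESSAGE = {  # constructed
    "from": "Diego Santiago <cfo-office@blastlabs-finance.com>",
    "to": "tnavarro@blastlabs.com",
    "subject": "Urgente - transferencia",
    "body": ("Teresa, necesito que realices hoy mismo una transferencia urgente de "
             "$84,000 a la cuenta de nuestro proveedor en el extranjero. Estoy en "
             "reuniones y no puedo atender llamadas. Mantén esto confidencial."),
}

# Multilingual fraud lexicon (assumption): each entry is one indicator family.
LEXICON = {
    "urgency": ("urgent", "immediately", "today", "urgente", "hoy mismo", "inmediatamente"),
    "payment": ("wire", "transfer", "payment", "transferencia", "giro", "pago"),
    "secrecy": ("confidential", "do not discuss", "confidencial", "no comentes"),
    "unreachable": ("in a meeting", "can't talk", "no puedo atender", "en reuniones"),
}
AMOUNT = re.compile(r"(?:\$|USD|EUR|€)\s?\d{1,3}(?:[.,]\d{3})*(?:[.,]\d{2})?")


def levenshtein(a, b):
    """Plain edit distance, enough for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header):
    m = re.search(r"@([\w.-]+)>?\s*$", header)
    return m.group(1).lower() if m else ""


def is_lookalike(domain, legit=LEGIT_DOMAINS):
    """Brand label embedded in the domain label, or within two edits of it."""
    if domain in legit:
        return False
    label = domain.split(".")[0]
    for real in legit:
        brand = real.split(".")[0]
        if brand in label or levenshtein(brand, label) <= 2:
            return True
    return False


def domain_age_days(domain, asof=AS_OF):
    return (asof - REGISTERED[domain]).days if domain in REGISTERED else None


def prior_contact(recipient, domain, history=HISTORY):
    hits = [opened for r, d, opened in history if r == recipient and d == domain]
    return {"messages": len(hits), "opened": sum(hits)}


def fraud_indicators(text):
    low = text.lower()
    found = [fam for fam, words in LEXICON.items() if any(w in low for w in words)]
    return found, AMOUNT.findall(text)


def triage(msg=MESSAGE):
    dom = sender_domain(msg["from"])
    fams, amounts = fraud_indicators(msg["subject"] + " " + msg["body"])
    age = domain_age_days(dom)
    f = {"sender_domain": dom, "lookalike": is_lookalike(dom), "domain_age_days": age,
         "prior": prior_contact(msg["to"], dom), "indicators": fams, "amounts": amounts}
    if f["lookalike"] and (age is None or age < 30) and "payment" in fams:
        f["verdict"] = "malicious"
    elif f["lookalike"] or fams:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "benign"
    return f


if __name__ == "__main__":
    print(triage())
```

Note that the "two earlier emails, both unopened" finding is not evidence of benign contact: it is the attacker warming up the sender reputation and checking deliverability, which is why the example reports open counts separately instead of treating any prior message as an established relationship.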

## What security leaders say

From the first day of the POC, Radiant was catching things our MSSP was missing. Their platform is the most accurate agentic SOC we’ve seen, with investigations going significantly deeper than anything else we looked at.

Brian Rowe

Vice President Information Technology

![](https://radiantsecurity.ai/wp-content/uploads/2026/02/Brian-Rowe.webp)

Most organizations can bring their SOC in-house today thanks to AI SOC. Validating alerts is simpler than it used to be, and pulling log data into a single view means you're not searching through multiple systems.

Rodney Stewart

Infrastructure Engineering and Security Manager

![](https://radiantsecurity.ai/wp-content/uploads/2026/02/Video-Container-2.webp)

“Radiant Security consistently goes above and beyond to adapt to our specific security needs, their leadership team is closely involved, and every custom request is taken seriously and delivered in a short time.”

Josh Lanners

Director, IT Ops and Security

![](https://radiantsecurity.ai/wp-content/uploads/2026/01/Video-Container.webp)

“Radiant cuts through the ambiguity of traditional managed security. It provides the deep context and speed we need, often alerting us to threats well before a manned SOC. Getting detailed, correlated information in a sensible manner, and getting it quickly, makes my job a lot easier.”

Rob Boyd

Manager of information security

![](https://radiantsecurity.ai/wp-content/uploads/2026/02/Group1707480925.webp)

“Thanks to Radiant, we can now focus on our customer's real threats instead of drowning in alert noise.”

Gregory Morawietz

Owner

"Our mean time to detect is 10X better than the industry average, and our mean time to respond is 2X better. We're saving between 200-300 hours a month."

![Michael_Butler](https://radiantsecurity.ai/wp-content/uploads/2023/08/Michael_Butler-150x150.jpg)

Michael Butler

Director of Information Security Operations

“As much as I would like to keep Radiant a secret for my own competitive advantage, I would definitely recommend it to any MSSP who is serious about their cybersecurity.”

Grigoriy Milis

CIO

## Additional resources

[![Radiant’s yellow mascot and a security analyst sit within a pink circular feedback loop icon, representing how analyst input trains and refines AI-SOC detections over time.](https://radiantsecurity.ai/wp-content/uploads/2025/11/Blog-_-Feedback-Loops-Image-Only-1.png)

AI

### Continuous feedback loops: Why training your AI-SOC doesn’t stop at deployment

A pre-trained AI-SOC can perform on day one and fail by day ninety. Static models can’t keep up with changing behavior or new threats. A continuously learning AI-SOC can. This article shows how feedback loops turn AI into a true member of the team.

![](https://radiantsecurity.ai/wp-content/uploads/2023/03/avatar_user_4_1680018553.png)

Shahar Ben-Hador

Nov 10, 2025 | 15 min read](https://radiantsecurity.ai/blog/continuous-feedback-loops/)

[![](https://radiantsecurity.ai/wp-content/uploads/2025/11/Blog-Cover-What-happens-to-MSSPs-and-MDRs.png)

AI

### What happens to MSSPs and MDRs in the age of the AI-SOC?

MSSPs and MDRs filled a gap, but AI-SOC platforms now let security teams bring more capability in-house. This article explores how AI-driven triage and correlation change cost, visibility, and response for organizations reconsidering managed security.

![](https://radiantsecurity.ai/wp-content/uploads/2023/03/avatar_user_4_1680018553.png)

Shahar Ben-Hador

Nov 3, 2025 | 9 min read](https://radiantsecurity.ai/blog/mssps-and-mdrs-al-soc/)

[![](https://radiantsecurity.ai/wp-content/uploads/2025/12/Can-your-SOC-save-you-Blog.png)

Expert Content

### When your $2M security detection fails: Can your SOC save you?

When your $2M in detection tools inevitably fail, your SOC is the only thing standing between a missed alert and a catastrophic breach. Without a strong last line of defense, you're leaving the door wide open to threats that detection was never actually built to catch.

![](https://radiantsecurity.ai/wp-content/uploads/2023/03/avatar_user_4_1680018553.png)

Shahar Ben-Hador

Dec 2, 2025 | 6 min read](https://radiantsecurity.ai/blog/can-soc-save-you/)
