
The Problem: We’re All Digital Janitors
Here’s the dirty secret of cybersecurity: most of us spend 80% of our time doing glorified data entry. We’re manually correlating the same five data points over and over again. It’s like hiring a race car driver to parallel park all day.
When a security alert fires, the investigation process looks something like this:
- Check the alert details (5 minutes)
- Look up file hashes in threat databases (5–10 minutes)
- Research suspicious IP addresses (5–10 minutes)
- Investigate running processes on the affected machine (20 minutes)
- Write up findings in a coherent report (30 minutes)
- Realize you missed something and start over (D’ooohh!)
That’s a lot of time spent per alert. And the scary part? Most of this work can be automated to a certain extent.
Building the AI Detective Workflow
Using n8n, I built a workflow that turns alert triage from a lengthy archaeological dig into a five-minute coffee break.
Here’s how it works:
Step 1: The Smart Listener
Instead of alerts disappearing into a ticket queue to die, a webhook catches every endpoint detection in real time. No alerts slip through the cracks because someone was in a meeting.
Step 2: The Parallel Processing Beast
While traditional investigation happens sequentially (check this, then check that), the workflow splits into multiple paths:
- One thread pulls detailed detection data from the EDR
- Another extracts file hashes and queries VirusTotal instantly
- A third grabs suspicious IP addresses for reputation checks
- A fourth runs automated reconnaissance on the affected host
All of this happens simultaneously. What used to take quite a bit of time now takes minutes.
Step 3: The AI SOC Analyst Node
This is where things get interesting. All that collected data gets fed to an LLM node that’s been instructed to think like a security analyst: what to do, how to do it, and what not to do. But here’s the key: it’s not just summarising data or regurgitating generic advice.
The LLM node actually investigates, and it can:
- Execute additional reconnaissance commands on potentially compromised hosts
- Cross-reference IOCs across threat intelligence sources
- Identify patterns humans might miss
- Explain its reasoning
Step 4: The Report That Doesn’t Suck
Instead of scattered notes across multiple tools, the AI generates one comprehensive incident report. It is formatted in clean HTML, includes all relevant technical details and, most importantly, explains what everything means in plain English.
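As an added illustration (not the author's n8n workflow, which is built from n8n nodes rather than Python), here is how the IOC extraction and parallel enrichment of Step 2 can be expressed in code. The alert payload, its field names and the threat-intel tables are constructed stand-ins for the EDR webhook body and the VirusTotal / IP-reputation APIs.

```python
import ipaddress
import json
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed alert payload standing in for the EDR webhook body; field names are hypothetical.
MAL_HASH = "2d47ed933cc60ea6b6ad013f150ed48231c9ddbac377fe03d37213292b06f02e"
SAMPLE_ALERT = {
    "hostname": "WS-0042",
    "process": {"cmdline": "updater.exe -c 146.185.182.65:443", "sha256": MAL_HASH},
    "connections": ["146.185.182.65", "10.0.0.5", "192.0.2.10"],
}
# Constructed stand-ins for the VirusTotal and IP-reputation APIs: IOC -> vendor detection count.
FAKE_HASH_INTEL = {MAL_HASH: 52}
FAKE_IP_INTEL = {"146.185.182.65": 9}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_iocs(alert):
    """Pull SHA-256 hashes and routable IPv4 addresses from anywhere in the alert."""
    blob = json.dumps(alert)
    hashes = {h.lower() for h in SHA256_RE.findall(blob)}
    ips = set()
    for ip in IPV4_RE.findall(blob):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if addr.is_global:  # drop RFC 1918, loopback, link-local and documentation ranges
            ips.add(ip)
    return sorted(hashes), sorted(ips)

def lookup_hash(h):
    return {"ioc": h, "type": "sha256", "detections": FAKE_HASH_INTEL.get(h, 0)}

def lookup_ip(ip):
    return {"ioc": ip, "type": "ipv4", "detections": FAKE_IP_INTEL.get(ip, 0)}

def enrich(alert, threshold=3):
    """Fan every lookup out in parallel (Step 2) and attach a verdict per IOC."""
    hashes, ips = extract_iocs(alert)
    with ThreadPoolExecutor(max_workers=8) as pool:
        futures = [pool.submit(lookup_hash, h) for h in hashes]
        futures += [pool.submit(lookup_ip, ip) for ip in ips]
        results = [f.result() for f in futures]  # collected once all lookups finish
    for r in results:
        r["verdict"] = "malicious" if r["detections"] >= threshold else "clean"
    return results
```

The private and documentation-range addresses are dropped before any lookup, which is the same filtering the report relies on when it marks internal or vendor endpoints as expected.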
Real Talk: What This Actually Changes
I’m not going to blow sunshine and tell you AI solves everything. But here’s what actually improved:
Time savings are real. Average investigation time dropped significantly.
Quality went up, not down. The AI doesn’t get tired, doesn’t skip steps when it’s late, and doesn’t forget to check parent processes. Reports are more thorough than when humans did everything manually.
We catch more bad stuff. When investigation time drops, you can investigate more alerts with the same resources.
The goal isn’t to replace security analysts. It’s to free them from repetitive tasks so they can do actual analysis work.
To put this to the test I injected some known malicious IOCs into the detection details and ran the workflow:
# A known malicious IP
146.185.182.65
# A known malicious hash
2d47ed933cc60ea6b6ad013f150ed48231c9ddbac377fe03d37213292b06f02e
What the Final Report Actually Looks Like
Let me show you what this automation produces. Here’s a real incident report generated completely automatically from an EDR alert:
The report starts with a clear incident summary that immediately tells you what happened. No buried ledes, no technical jargon soup, just the facts presented in a way that makes sense to both technical and non-technical stakeholders.
The threat intelligence section automatically correlates IOCs across multiple sources. In this case, it identified a malicious IP address (146.185.182.65) flagged by multiple security vendors, while also noting that other IP addresses in the investigation were legitimate (like Amazon AWS endpoints).
The system activity analysis section shows what was actually happening on the compromised host. It automatically pulls running processes, listening services, and network connections, then correlates them with known threat patterns, flagging suspicious processes while marking expected system processes as normal.
The network analysis digs into ARP caches, routing tables, and the hosts file to identify any signs of network-level compromise or persistence mechanisms.
The whole report gets automatically delivered via email with a direct link to the original ticket, complete with executive summary and technical details.
A Reality Check: This Isn’t CSI Cyber
Before you get too excited, let me be completely honest about what this automation actually does and doesn’t do.
This investigation approach barely scratches the surface of what a thorough manual investigation would uncover. A skilled analyst spending several hours on the same incident would likely find additional indicators, understand the attack timeline better, and provide more nuanced context about the threat landscape.
What this automation excels at:
- Rapid initial triage and IOC enrichment
- Consistent data collection across all incidents
- Baseline system reconnaissance
- Structured documentation of findings
- Freeing up analyst time for complex investigations
What it definitely cannot do:
- Understand complex attack chains spanning multiple systems
- Provide business context for why certain systems matter more than others
- Make nuanced decisions about false positives
- Adapt to novel attack techniques it hasn’t seen before
- Replace human judgment in containment decisions
Think of this as an investigation starter pack, not a final answer. It’s designed to provide a foundation of facts and correlations in minutes, so you can spend your brain cycles on the interesting investigative work instead of manual data gathering.
The Bottom Line
AI in cybersecurity isn’t about replacing human expertise. It’s about amplifying it. When machines handle the grunt work, humans can focus on creative problem-solving, strategic thinking, and actually preventing breaches.
Alert triage doesn’t have to be a manual slog through browser tabs. Build tools that work for you, not against you.
What repetitive security task is eating up your team’s time? Start there, automate it, and get your time back for the interesting problems.