Product · Agent

The reasoning engine inside WedgeX.

Investigates every alert end to end, cites the evidence the verdict relied on, and proposes containment for a human to approve. Built on a layered architecture that keeps the reasoning observable from start to finish.

AUDIT LOG · EVERY ACTION RECORDEDWedgeXAGENTSIEMEDRThreat IntelCustom tools & MCPNotificationsTicketing
Architecture

Deterministic where it must be. Reasoned where it should be.

The brain follows one rule: a model is only used where reasoning is required, never where facts are gathered. Every layer is observable from the audit log.

Bottom

Tools and data

Connectors to your SIEMs, EDRs and threat intel. Deterministic enrichment. No model runs below this line, so facts come in as facts.

Middle

Reasoning

Hypothesis formation, tool selection and evidence weighing. This is where the agent thinks, and where every step is written to the trace as it happens.

Top

Recommendation

Risk, confidence and a recommended action. Always presented for a human to review before anything changes your environment.

The audit log wraps everything. No matter which layer is doing the work, the step is written down as it happens.

What it draws on

Two sides to what the agent knows.

The reasoning is fed by two distinct sources. One is baked in from day one. One grows with your environment.

Day one

Encoded methodology.

The agent reasons from the same methodology the SOC and DFIR teams at Australia's leading cyber firm use every day. Patterns from years of real investigations are encoded into its reference knowledge: what to check, what to discount, what to escalate.

  • Triage patterns drawn from real cases
  • Severity and confidence calibration from real outcomes
  • Specific check sequences for common attack patterns
Over time

Learning cycle.

Every verdict your team confirms or overturns is fed back into the agent's view of your environment. The methodology that ships on day one stays the same. What grows is the agent's picture of your context: what matters, what is routine, what counts as a true positive in your world. Verdicts get sharper week by week.

  • Learns what your team treats as true vs false positive
  • Builds a picture of your environment's normal: assets, accounts, after-hours patterns
  • Re-tunes verdict thresholds as context evolves

Both feed every investigation. One sets the baseline, the other tunes to you.

How a triage runs

Three phases. One product. Every step on the record.

WedgeX runs the same three-phase investigation on every alert it touches. Each phase produces evidence you can read, in the order it was gathered.

01

Enrichment

Strictly deterministic

The agent pulls events from your connected SIEM, EDR and other sources, aggregates related activity, surfaces related alerts in recent history, and checks observed indicators against your threat intel.

  • No model in this phase, so nothing can be made up
  • Builds the evidence the agent will reason on
  • Runs in seconds before investigation begins
02

Investigation

Reasons, pivots, confirms

The agent works the alert the way a senior analyst would. It forms hypotheses from the enriched evidence, picks the tools that will confirm or rule each one out, pivots across your stack, and writes every step to the trace as it happens.

  • Hypothesis-driven, not playbook-driven
  • Tool selection adapts to what each step reveals
  • Iterates until each hypothesis is confirmed or ruled out
03

Recommendation

Risk, confidence, action

The agent produces a risk level, a confidence level and a recommended action: escalate, close, verification required, or monitor. It cites the specific evidence and lists what a human still needs to check.

  • Every claim points to the evidence behind it
  • Always presented for a human to review
  • Never closes or contains on its own
The investigation loop

How the agent actually reasons.

Most of the value lives in the middle phase. The agent runs the same loop on every alert: form a hypothesis, find the evidence, update the picture, repeat until the picture is clear.

Tools the agent can reach for
  • SIEM queries (Splunk, Sentinel, QRadar)
  • EDR queries (CrowdStrike, SentinelOne, Defender)
  • Threat intel lookups (OTX, MISP, AbuseIPDB, your feeds)
  • Identity provider queries (Azure AD, Okta)
  • Asset and baseline lookups
  • Custom tools and MCP servers

Selection is judgement. Execution is deterministic. Both end up on the trace.

01

Form a hypothesis

From the enriched evidence, the agent works out what might be happening. Credential stuffing, a benign service account login from a new region, lateral movement, a misconfigured backup running off-hours.

02

Pick a tool that would prove it

The agent selects the next tool call from a fixed catalogue: query a SIEM for a specific entity, check the EDR for that host, look the indicator up in your threat intel. Selection is judgement, execution is deterministic.

03

Read the result

Tool results come back as structured data. The agent reads them, weighs them against the hypothesis, and writes the next line of the trace.

04

Pivot or confirm

If the hypothesis fits, the agent moves on. If it does not, a new one is formed and the loop runs again. The agent stops when every hypothesis has an answer.

The loop runs until every open hypothesis is answered. Then the agent makes its recommendation.

Inside an investigation

Every tool call. Every result. In order.

The agent writes the trace as it works. Each step is a tool call, a result the tool returned, or a reasoning note. The verdict at the end points back to the lines that produced it.

Nothing is summarised away. If a verdict looks wrong, the analyst reads the same evidence the agent did, in the order the agent saw it.

Investigation trace Complete · 9s
  • 09:14:02 splunk.query user=alice, last_24h
  • 09:14:02 result 14 events, 08:30 → 09:14
  • 09:14:03 hypothesis unusual sign-in location?
  • 09:14:05 baseline.lookup user=alice, src_ip pattern
  • 09:14:05 result src_ip 10.0.0.5 not seen in last 30 days
  • 09:14:08 crowdstrike.device src_ip 10.0.0.5
  • 09:14:08 result device unknown, registered today
  • 09:14:10 azure_ad.signin user=alice, mfa_state, token_age
  • 09:14:10 result token age 2m, MFA accepted on unknown device
  • 09:14:11 recommendation ESCALATE · risk HIGH · confidence HIGH
Response proposal

Every action, spelled out.

When the verdict calls for action, the agent proposes a specific response. The target is named. The evidence is cited. The justification is on the page. An analyst approves or rejects, and both decisions are written to the audit log.

Available actions follow what your connected platforms can do, and extend naturally with your own connectors, custom tools and MCP servers. The set of things the agent can propose grows with your environment.

Proposed action Pending approval
Action Contain host Target SRV-APP-05 · 10.0.0.5
Justification

Unauthorised privilege escalation followed by lateral movement to two adjacent hosts. Containment limits blast radius while investigation continues.

Cited evidence
  • → splunk-55320 · investigation trace
  • → crowdstrike-12044 · device telemetry
  • → 3 threat-intel matches
Reject Approve action

See the agent on a real alert.

Thirty minutes with our team. We run a real alert from start to finish, walk you through the investigation trace and the proposed response, and answer any question along the way. No slide deck.