The reasoning engine inside WedgeX.
Investigates every alert end to end, cites the evidence the verdict relied on, and proposes containment for a human to approve. Built on a layered architecture that keeps the reasoning observable from start to finish.
Deterministic where it must be. Reasoned where it should be.
The brain follows one rule: a model is only used where reasoning is required, never where facts are gathered. Every layer is observable from the audit log.
Tools and data
Connectors to your SIEMs, EDRs and threat intel. Deterministic enrichment. No model runs below this line, so facts come in as facts.
Reasoning
Hypothesis formation, tool selection and evidence weighing. This is where the agent thinks, and where every step is written to the trace as it happens.
Recommendation
Risk, confidence and a recommended action. Always presented for a human to review before anything changes your environment.
The audit log wraps everything. No matter which layer is doing the work, the step is written down as it happens.
Two sides to what the agent knows.
The reasoning is fed by two distinct sources. One is baked in from day one. One grows with your environment.
Encoded methodology.
The agent reasons from the same methodology the SOC and DFIR teams at Australia's leading cyber firm use every day. Patterns from years of real investigations are encoded into its reference knowledge: what to check, what to discount, what to escalate.
- Triage patterns drawn from real cases
- Severity and confidence calibration from real outcomes
- Specific check sequences for common attack patterns
Learning cycle.
Every verdict your team confirms or overturns is fed back into the agent's view of your environment. The methodology that ships on day one stays the same. What grows is the agent's picture of your context: what matters, what is routine, what counts as a true positive in your world. Verdicts get sharper week by week.
- Learns what your team treats as true vs false positive
- Builds a picture of your environment's normal: assets, accounts, after-hours patterns
- Re-tunes verdict thresholds as context evolves
Both feed every investigation. One sets the baseline, the other tunes to you.
Three phases. One product. Every step on the record.
WedgeX runs the same three-phase investigation on every alert it touches. Each phase produces evidence you can read, in the order it was gathered.
Enrichment
Strictly deterministic
The agent pulls events from your connected SIEM, EDR and other sources, aggregates related activity, surfaces related alerts in recent history, and checks observed indicators against your threat intel.
- No model in this phase, so nothing can be made up
- Builds the evidence the agent will reason on
- Runs in seconds before investigation begins
Investigation
Reasons, pivots, confirms
The agent works the alert the way a senior analyst would. It forms hypotheses from the enriched evidence, picks the tools that will confirm or rule each one out, pivots across your stack, and writes every step to the trace as it happens.
- Hypothesis-driven, not playbook-driven
- Tool selection adapts to what each step reveals
- Iterates until each hypothesis is confirmed or ruled out
Recommendation
Risk, confidence, action
The agent produces a risk level, a confidence level and a recommended action: escalate, close, verification required, or monitor. It cites the specific evidence and lists what a human still needs to check.
- Every claim points to the evidence behind it
- Always presented for a human to review
- Never closes or contains on its own
How the agent actually reasons.
Most of the value lives in the middle phase. The agent runs the same loop on every alert: form a hypothesis, find the evidence, update the picture, repeat until the picture is clear.
- SIEM queries (Splunk, Sentinel, QRadar)
- EDR queries (CrowdStrike, SentinelOne, Defender)
- Threat intel lookups (OTX, MISP, AbuseIPDB, your feeds)
- Identity provider queries (Azure AD, Okta)
- Asset and baseline lookups
- Custom tools and MCP servers
Selection is judgement. Execution is deterministic. Both end up on the trace.
Form a hypothesis
From the enriched evidence, the agent works out what might be happening. Credential stuffing, a benign service account login from a new region, lateral movement, a misconfigured backup running off-hours.
Pick a tool that would prove it
The agent selects the next tool call from a fixed catalogue: query a SIEM for a specific entity, check the EDR for that host, look the indicator up in your threat intel. Selection is judgement, execution is deterministic.
Read the result
Tool results come back as structured data. The agent reads them, weighs them against the hypothesis, and writes the next line of the trace.
Pivot or confirm
If the hypothesis fits, the agent moves on. If it does not, a new one is formed and the loop runs again. The agent stops when every hypothesis has an answer.
The loop runs until every open hypothesis is answered. Then the agent makes its recommendation.
Every tool call. Every result. In order.
The agent writes the trace as it works. Each step is a tool call, a result the tool returned, or a reasoning note. The verdict at the end points back to the lines that produced it.
Nothing is summarised away. If a verdict looks wrong, the analyst reads the same evidence the agent did, in the order the agent saw it.
- 09:14:02 splunk.query user=alice, last_24h
- 09:14:02 result 14 events, 08:30 → 09:14
- 09:14:03 hypothesis unusual sign-in location?
- 09:14:05 baseline.lookup user=alice, src_ip pattern
- 09:14:05 result src_ip 10.0.0.5 not seen in last 30 days
- 09:14:08 crowdstrike.device src_ip 10.0.0.5
- 09:14:08 result device unknown, registered today
- 09:14:10 azure_ad.signin user=alice, mfa_state, token_age
- 09:14:10 result token age 2m, MFA accepted on unknown device
- 09:14:11 recommendation ESCALATE · risk HIGH · confidence HIGH
Every action, spelled out.
When the verdict calls for action, the agent proposes a specific response. The target is named. The evidence is cited. The justification is on the page. An analyst approves or rejects, and both decisions are written to the audit log.
Available actions follow what your connected platforms can do, and extend naturally with your own connectors, custom tools and MCP servers. The set of things the agent can propose grows with your environment.
Unauthorised privilege escalation followed by lateral movement to two adjacent hosts. Containment limits blast radius while investigation continues.
- → splunk-55320 · investigation trace
- → crowdstrike-12044 · device telemetry
- → 3 threat-intel matches
See the agent on a real alert.
Thirty minutes with our team. We run a real alert from start to finish, walk you through the investigation trace and the proposed response, and answer any question along the way. No slide deck.