Agents are AI-powered responders that investigate every alert. They receive alerts, pick the right skill to follow, run tools to gather context, and then close the alert, escalate it to an incident, or ask a human for approval to continue.
What an agent is
An agent is a configured responder defined by:
- Monitors: The alert sources it pays attention to.
- Skills: A skill is a reusable playbook that teaches the agent how to perform a specific class of tasks to a known standard, along with the tools available to investigate and remediate security alerts.
- Tools: The actions it can execute, assigned through skills (Slack, DNS, Jira, AWS, and more).
- Notification preferences: How it requests human approval or clarification.
What an agent does
- Triages alerts: Produces a summary, report, recommendations, and risk assessment for every alert that matches its monitors.
- Investigates incidents: Runs deeper analysis when an alert is escalated.
- Executes response: Calls tools to remediate (revoke a token, change a DNS record, post to Slack, file a Jira ticket).
- Asks for approval: Requests human approval before sensitive actions, or clarification when input is needed to proceed.
- Resumes: Suspended or paused investigations resume automatically once a human responds.
Creating agents
Build an agent from a template or from scratch.
Monitors
Configure the alert sources your agents pay attention to.