Cybersecurity Operations

Business Problem

Cybersecurity teams need workflows that connect assets, detections, incidents, evidence, remediation, third-party risk, and governance reporting. The work is fast-moving and evidence-heavy, making structure critical.

Four-Step Application

This scenario works best as a four-step, human-in-the-loop application. The required object model already gives this scenario a strong delivery backbone for a four-step operating experience.

  • Mission metric focus: lower time-to-resolution, higher retention, and better support productivity.
  • Human + AI pattern: Each step combines structured workflow data with chat assistance, background generation, document understanding, and accessible interaction patterns when they improve the experience.

Step 1. Capture demand and context

  • Goal: Make it easy for the user to start the Cybersecurity Operations journey with complete, trusted context.
  • Required data: ClientTenant (secured tenant), Asset (protected asset), Identity (identity record), Vulnerability (vulnerability), and ThreatIndicator (threat indicator).
  • AI support: Use chat to guide intake, generate clearer prompts, create accessible summaries, and assist with voice or vision-led capture when a form alone is not the best experience. EAI can support structured intake, chat workflows, and document-centred capture today; richer native multimodal capture may still need workflow extensions or connected services.
  • Business impact: Improve completion rate, reduce first-touch effort, and raise customer or staff confidence in the UX from the very first interaction.
  • EAI delivery: Model the intake as tenant-isolated object types and resources, then use actions, chat workflows, and document indexing or classification to keep the initial record complete and usable.

Step 2. Prepare the decision

  • Goal: Turn the captured context into the next best action for Cybersecurity Operations without forcing the human reviewer to assemble the case manually.
  • Required data: DetectionRule (detection rule), Alert (security alert), Incident (security incident), InvestigationCase (investigation case), and EvidenceArtifact (forensic artefact).
  • AI support: Run background summarisation, extraction, classification, recommendation drafting, and answer generation so a reviewer sees a prepared case instead of raw fragments. EAI delivers the structured records and AI workflow hooks for this today; specialised scoring engines, external rules, or advanced reasoning controls may still need integration work.
  • Business impact: Reduce cycle time, improve quality and consistency, and protect the mission-critical metric before the case moves into execution.
  • EAI delivery: Link records across the scenario, persist decision state as resources, and use workflow actions plus chat assistance to keep humans in control while AI prepares the work.

Step 3. Execute and collaborate

  • Goal: Coordinate the actual work, handoffs, approvals, and user updates needed to deliver the service or outcome.
  • Required data: Playbook (response playbook), ContainmentAction (containment action), RecoveryTask (recovery task), ThirdPartyRisk (third-party risk record), and AwarenessTraining (training activity).
  • AI support: Draft replies, produce work packets, monitor exceptions in the background, and surface the next action for each operator. EAI can orchestrate tenant-isolated records, actions, chats, and document workflows today; deeper system-to-system automation may require additional connectors or workflow capability.
  • Business impact: Increase operator productivity, reduce rework across handoffs, and improve service consistency across the application journey.
  • EAI delivery: Use linked object types, actions, resource updates, and workflow-triggered AI assistance so the team can execute in one model instead of splitting work across disconnected tools.

Step 4. Resolve, explain, and improve

  • Goal: Close the loop with a clear outcome, an understandable explanation, and feedback that improves the next case.
  • Required data: ControlAssessment (control assessment), AuditFinding (audit finding), ExposureReport (exposure report), SLAClock (response timer), and PostIncidentReview (post-incident review).
  • AI support: Generate outcome summaries, customer-friendly answers, compliance-ready notes, management insights, and accessible follow-up content. EAI can store outcome records and support answer generation today, while richer proactive agents, advanced analytics, or channel-specific accessibility features may need additional product capability.
  • Business impact: Increase trust, quality, and measurable business value through lower time-to-resolution, higher retention, and better support productivity.
  • EAI delivery: Keep the full audit trail in structured resources, use AI workflows to explain outcomes, and feed the resulting signals into future product, service, and operational improvement work.

EAI Platform Support By Step

EAI provides the safe service boundary for Cybersecurity Operations through Object Types, tenant-scoped resources, document processing, chat workflows, and CLI verification. For this scenario, the main records are ClientTenant, Asset, Identity, Vulnerability, ThreatIndicator, and 17 more Object Types.

For each process step, what EAI provides and the calling pattern to use:

Step 1. Capture demand and context
  • What EAI provides: Tenant-scoped intake resources for ClientTenant (secured tenant), Asset (protected asset), Identity (identity record), Vulnerability (vulnerability), and ThreatIndicator (threat indicator). Object Type validation, starter forms, optional document intake, and chat-guided capture keep the first record complete.
  • Calling pattern: Define fields in src/eai.config/object-types.ts, run eai types validate and eai types seed, create initial ClientTenant records with useResources('ClientTenant') or eai resources create ClientTenant, and keep browser calls behind /api/eai/....

Step 2. Prepare the decision
  • What EAI provides: Linked resource queries over DetectionRule (detection rule), Alert (security alert), Incident (security incident), InvestigationCase (investigation case), and EvidenceArtifact (forensic artefact). Search, schema checks, document classification or RAG indexing, and chat summaries turn raw context into a prepared decision.
  • Calling pattern: Use useResources('ClientTenant') list/query/search patterns, verify shape with eai resources schema, use useDocuments().upload/classify/ragIndex, eai docs upload, eai docs classify, and eai docs index where supporting material exists, and send decision-support prompts through useChat(workflowId, 'chat') or eai chat send.

Step 3. Execute and collaborate
  • What EAI provides: Resource updates and actions for Playbook (response playbook), ContainmentAction (containment action), RecoveryTask (recovery task), ThirdPartyRisk (third-party risk record), and AwarenessTraining (training activity). Status changes, assignments, notes, generated work packets, and chat support keep humans in control during execution.
  • Calling pattern: Model actions in the Object Type code, call client.resources.executeAction(type, id, action) or the app hook equivalent, update records through the app service layer, and verify with eai resources get/list/query.

Step 4. Resolve, explain, and improve
  • What EAI provides: Outcome resources for ControlAssessment (control assessment), AuditFinding (audit finding), ExposureReport (exposure report), SLAClock (response timer), and PostIncidentReview (post-incident review). Audit-friendly links, indexed final documents, reporting snapshots, and answer generation make the result explainable and reusable.
  • Calling pattern: Persist outcomes as resources, index final material with eai docs index or useDocuments().ragIndex, send explanation prompts with useChat or eai chat stream, and use eai resources aggregate/search for reporting checks.

Prompt, Code, And Service Pattern Mapping

When this scenario is turned into code, eai-gofer should generate Object Type definitions and app calls from the process model instead of inventing direct backend calls.

Use this prompt shape when asking eai-gofer or another coding agent to implement the scenario:

Use the EAI App Template. Model Cybersecurity Operations with Object Types for ClientTenant, Asset, Identity, Vulnerability, ThreatIndicator. Use useResources for records and actions, useDocuments for uploads/classification/RAG where documents appear, useChat for workflow assistance, and verify with eai types/resources/docs/chat commands. Use eai publicapi only when no named command covers the required platform call.

How each scenario artifact maps to EAI service calls:

  • Four-step process: Step 1 becomes resource creation, Step 2 becomes resource query/search plus optional document or chat preparation, Step 3 becomes resource update/action calls, and Step 4 becomes outcome persistence plus explanation/reporting calls.
  • Object Type definitions: eai types validate, eai types seed, and eai resources schema make the model available and checkable before UI work starts.
  • Properties and indexes: Fields become useResources payloads, filters, list views, and eai resources create/list/query/search checks. Indexed fields should support lookup and triage, not duplicate canonical records.
  • Links between Object Types: Relationships become linked-resource UI, timeline context, and audit trails that app code loads through resource queries rather than separate bespoke stores.
  • Actions and status fields: Workflow buttons and operator transitions call resource action/update helpers, then verify state with eai resources get/list/query.
  • Document and chat prompts: Prompts should call the platform documents and chat patterns: useDocuments().upload/classify/ragIndex, eai docs upload, eai docs classify, and eai docs index for documents, and useChat, eai chat send, or eai chat stream for conversational assistance.

Required Object Model (22 object types)

This scenario needs more than 20 object types because it spans intake, delivery, exceptions, governance, and reporting.

Security Context

  • ClientTenant — secured tenant
  • Asset — protected asset
  • Identity — identity record
  • Vulnerability — vulnerability
  • ThreatIndicator — threat indicator
  • DetectionRule — detection rule
  • Alert — security alert
  • Incident — security incident

Response Workflow

  • InvestigationCase — investigation case
  • EvidenceArtifact — forensic artefact
  • Playbook — response playbook
  • ContainmentAction — containment action
  • RecoveryTask — recovery task
  • ThirdPartyRisk — third-party risk record
  • AwarenessTraining — training activity
  • ExceptionApproval — risk exception approval

Assurance and Reporting

  • ControlAssessment — control assessment
  • AuditFinding — audit finding
  • ExposureReport — exposure report
  • SLAClock — response timer
  • PostIncidentReview — post-incident review
  • ExecutiveBrief — executive brief

Delivery Workflow

  1. Authenticate and choose the tenant you want to work in.

    eai login
    eai tenant select
  2. Pull environment values, validate the type definitions, and seed the model.

    eai env pull --include-secrets
    eai types validate
    eai types seed
  3. Verify that the full model is available for the active tenant before building UI and workflows.

    eai resources schema --format json
    eai verify calls --format json
  4. Load pilot data and exercise the operational workflows for the scenario.

AI and Document Opportunities

  • Classify alerts and evidence into investigation cases and recommended playbooks.
  • Summarise active incidents and unresolved exposure for leadership briefings.
  • Generate remediation worklists from vulnerabilities, findings, and exception approvals.

Why This Scenario Is High-Value

Security programs become manageable when detections, incidents, and governance are linked. This scenario helps teams move from alert noise to structured operational control.