First Conversation

After logging in, start with the same workflow shown on the AttackTrace homepage: connect evidence, ask with natural language, review the attack path, and preserve the result.

Step 1: Start from a security signal

Use an alert, IOC, account, host, cloud event, or hypothesis. You do not need to write a special command.

Good first prompts:

    We received a SIEM alert involving IP 185.220.101.1.
    Check available threat intelligence, explain the evidence, and list the next pivots.

    Investigate whether this domain looks related to phishing infrastructure: example-login-security.com.
    Show the evidence, confidence, and recommended follow-up checks.

    Review this CloudTrail event summary and tell me what attack path I should investigate next:
    <paste event summary>

Step 2: Review evidence and pivots

AttackTrace may use built-in threat intelligence and any customer-configured tools available to your workspace. Tool results appear as expandable cards so you can verify:

  • Which source was queried.
  • What parameters were used.
  • What evidence was returned.
  • Whether the conclusion is supported by the source context.
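The last bullet is the one most worth automating. As an added example (not AttackTrace code), here is a small Python check of the kind an analyst could run over the exported contents of those cards: it extracts the IP and domain indicators mentioned in a conclusion and flags any that never appear in the queried parameters or the returned evidence. The `ToolCard` layout, the field names and all sample values are constructed for this illustration.

```python
"""Grounding check for AI-assisted investigation output.

Added example, not part of AttackTrace. Given a conclusion and the
tool-result cards it was built from, report which indicators in the
conclusion are backed by source context and which are not.
"""
import re
from dataclasses import dataclass, field

# Indicator patterns: IPv4 addresses and DNS names (last label alphabetic,
# so dotted IPs are never mistaken for domains).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class ToolCard:
    """Constructed stand-in for an expandable tool-result card."""
    source: str          # which source was queried
    parameters: dict     # what parameters were used
    evidence: str        # what evidence was returned


@dataclass
class GroundingResult:
    supported: set = field(default_factory=set)
    unsupported: set = field(default_factory=set)

    @property
    def is_grounded(self) -> bool:
        """True when every indicator in the conclusion appears in source context."""
        return not self.unsupported


def extract_indicators(text: str) -> set:
    """Return the set of IPv4 addresses and domains mentioned in text."""
    ips = set(IPV4_RE.findall(text))
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    return ips | domains


def check_grounding(conclusion: str, cards: list) -> GroundingResult:
    """Split the conclusion's indicators into supported and unsupported.

    Source context is the union of each card's query parameters (the analyst
    supplied those) and the evidence the source actually returned.
    """
    claimed = extract_indicators(conclusion)
    observed = set()
    for card in cards:
        observed |= extract_indicators(card.evidence)
        observed |= extract_indicators(" ".join(str(v) for v in card.parameters.values()))
    result = GroundingResult()
    for indicator in claimed:
        bucket = result.supported if indicator in observed else result.unsupported
        bucket.add(indicator)
    return result


# Constructed sample cards; the intel and host names are not real observations.
SAMPLE_CARDS = [
    ToolCard(
        source="threat-intel-lookup",
        parameters={"ip": "185.220.101.1"},
        evidence="185.220.101.1 is listed as a Tor exit node (constructed sample).",
    ),
    ToolCard(
        source="siem-search",
        parameters={"query": "dst_ip=185.220.101.1", "window": "24h"},
        evidence="3 outbound connections from host WS-042 to 185.220.101.1 over TCP/443 (constructed sample).",
    ),
]

# A conclusion that only states what the cards show.
GROUNDED_CONCLUSION = (
    "Host WS-042 made outbound connections to 185.220.101.1, a known Tor exit node. "
    "Next pivot: review process creation on WS-042 around the connection times."
)

# A conclusion that introduces a domain no card ever returned.
UNGROUNDED_CONCLUSION = (
    "Host WS-042 contacted 185.220.101.1 and also resolved example-login-security.com, "
    "indicating phishing infrastructure."
)

if __name__ == "__main__":
    for label, text in (("grounded", GROUNDED_CONCLUSION), ("ungrounded", UNGROUNDED_CONCLUSION)):
        r = check_grounding(text, SAMPLE_CARDS)
        print(f"{label}: supported={sorted(r.supported)} unsupported={sorted(r.unsupported)}")
```

An indicator landing in `unsupported` does not mean the conclusion is wrong, only that the cards shown do not back it; that is exactly the point at which to expand the card, re-run the query, or ask the assistant where the claim came from.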

Step 3: Connect more evidence when needed

If the initial answer needs environment-specific evidence, connect the relevant data source:

  • SIEM or log platform for event search.
  • Cloud logs and services for identity, network, and resource context.
  • Ticketing or knowledge-base systems for handoff.
  • Private APIs or MCP servers for internal tools.

Step 4: Preserve the result

When the investigation is useful, turn it into reusable context:

  • Keep the reasoning trail and evidence in the conversation.
  • Save useful environment knowledge to memory where appropriate.
  • Generate a structured report for handoff.
  • Reuse the case context in future investigations.

!!! warning "Analyst review required"
    AttackTrace produces AI-assisted investigation output. Review the evidence, confidence, and source context before taking action.

Model selection

Hosted AttackTrace workspaces may provide ready-to-use model options. Enterprise and private deployments can use customer-selected model providers or private models where configured.

Choose a stronger model for complex attack-path reconstruction and a faster model for routine alert triage.

Next steps