Intakes reported phish, analyses the artifact, and decides whether to contain, dismiss, or escalate.
Activation complexity
High
Time to activate
14-21 days
Volume share
25-35% of role volume
Impact range
Under 15 minutes
Inherited pricing
€3.00 – €12.00 per review or incident handled
This capability inherits the Security Operations Analyst's pricing model. The role's launch fee + monthly retainer + role-level usage cover every capability under the role. Adding this capability to an active deployment does not change the price.
What this capability handles
Phishing Triage closes the gap between a reported phish and a decision on it. Reported messages pile up in the reporting channel, real threats sit next to false alarms, and without fast triage a live campaign can spread before anyone acts. This capability triages every reported item quickly and decides whether to contain, dismiss, or escalate, so genuine threats are contained early and noise is cleared without tying up the analyst. It is for security operations teams that ask staff to report suspicious email and need consistent, fast follow-through.

The workflow runs in a fixed order. First it intakes the reported phish from the reporting channel. Then it analyses the artifact, examining headers, URLs, and payloads against your threat intelligence, prior triage, and containment playbook. Next it decides the action: contain, dismiss, or escalate. For items it contains, it orchestrates the containment actions, and it logs every step. Per report it produces a decision with the signals behind it and, where warranted, the containment actions it executed.

The decision logic is rule-based: it applies artifact-analysis rules and threat-intel signals to decide contain, dismiss, or escalate, so each report is judged on evidence rather than guesswork. The logic is conservative on anything that looks serious. Confirmed incidents, targeted-campaign patterns, and executive-target phish route to the analyst for immediate ownership rather than being handled automatically. Clear-cut dismissals and routine containments are actioned and logged; anything that signals a real or coordinated threat is escalated to a person fast. Every action is logged and reviewable, so the team has a complete record of what was reported, what was decided, and what was contained.

It fits teams with the EDR feed connected, the email gateway integrated, and the containment playbook approved. Where those are in place, reported phish gets a fast, consistent verdict.
Phishing Triage carries 25-35% of the role's volume and drives 25-35% of its impact, measured as phishing-triage lead time with containment discipline. The target is lead time under 15 minutes, so a reported phish moves from inbox to decision in minutes rather than hours, and a spreading campaign is caught while it still matters. Because every report runs through the same analysis and the serious cases always reach a human quickly, the team triages at speed without losing the judgment that real incidents demand.
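The decision logic above is easier to reason about when you can see one concrete rule order. The block below is an added example written for this page, not the product's own implementation: a small rule-based triage engine that parses a reported message, pulls signals from headers, body URLs and attachment hashes, checks them against threat intelligence and prior triage, and returns a contain, dismiss, or escalate verdict with the signals behind it, logging every step. Everything it checks against is constructed and labelled as such: the TI domain and hash sets, the executive list, the set of Message-IDs the EDR feed has flagged as executed, the campaign threshold, and the sample messages themselves (built inline with the standard library's `email` package). Names such as `triage`, `collect_signals`, `build_sample` and the signal strings are this example's own, not an interface the page describes.

```python
"""Rule-based phishing triage: one contain / dismiss / escalate verdict per reported message,
with the signals behind it and every containment step logged. Example code with constructed
threat intel, EDR hits and sample messages; not the product's own implementation."""
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

# Constructed context (assumptions standing in for the TI feed, EDR feed and directory).
TI_BAD_DOMAINS = {"login-microsoft365-verify.com"}
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed-dropper-bytes"       # constructed, not a real binary
TI_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
EXECUTIVES = {"ceo@example.com", "cfo@example.com"}
EDR_CONFIRMED = {"<exec-77@login-microsoft365-verify.com>"}   # Message-IDs whose payload EDR saw run
CAMPAIGN_THRESHOLD = 3   # one lure reported by this many recipients counts as a coordinated campaign
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
AUDIT_LOG = []           # every verdict and containment step, reviewable after the fact


@dataclass
class Verdict:
    action: str                                    # "contain" | "dismiss" | "escalate"
    signals: list = field(default_factory=list)    # evidence the rules acted on
    containment: list = field(default_factory=list)


def lure_fingerprint(msg):
    """Groups reports of the same lure: normalised subject plus sender domain."""
    subject = re.sub(r"\W+", " ", str(msg["Subject"] or "").lower()).strip()
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    return hashlib.sha256(f"{subject}|{sender}".encode()).hexdigest()


def collect_signals(msg):
    """Artifact analysis: headers, body URLs and attachment hashes against the constructed TI."""
    signals = []
    auth = str(msg["Authentication-Results"] or "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        signals.append("auth:dmarc_or_spf_fail")
    reply_to, sender = msg["Reply-To"], msg["From"]
    if (reply_to and reply_to.addresses and sender
            and reply_to.addresses[0].domain.lower() != sender.addresses[0].domain.lower()):
        signals.append("header:reply_to_domain_mismatch")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for domain in sorted({d.lower() for d in URL_RE.findall(text)}):
        if domain in TI_BAD_DOMAINS:
            signals.append(f"ti:url_domain:{domain}")
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        if digest in TI_BAD_SHA256:
            signals.append(f"ti:attachment_sha256:{digest[:12]}")
    return signals


def triage(raw_message, prior_triage):
    """prior_triage maps lure fingerprint -> recipients already reported; this report is added."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    msgid = str(msg["Message-ID"] or "").strip()
    recipients = {a.addr_spec.lower() for a in (msg["To"].addresses if msg["To"] else ())}
    signals = collect_signals(msg)
    seen = prior_triage.setdefault(lure_fingerprint(msg), set())
    seen |= recipients
    # Conservative order: anything that looks serious reaches a person before automation acts.
    if msgid in EDR_CONFIRMED:
        verdict = Verdict("escalate", signals + ["edr:confirmed_execution"])
    elif signals and recipients & EXECUTIVES:
        verdict = Verdict("escalate", signals + ["target:executive"])
    elif signals and len(seen) >= CAMPAIGN_THRESHOLD:
        verdict = Verdict("escalate", signals + [f"campaign:{len(seen)}_recipients"])
    elif any(s.startswith("ti:") for s in signals):    # IOC hit: routine containment, fully logged
        bad_domains = [s.split(":", 2)[2] for s in signals if s.startswith("ti:url_domain:")]
        verdict = Verdict("contain", signals, [f"gateway:purge:{msgid}"]
                          + [f"gateway:block_domain:{d}" for d in bad_domains] + ["ticket:open"])
    elif signals:    # suspicious but no IOC match: not clear-cut, so a person decides
        verdict = Verdict("escalate", signals)
    else:
        verdict = Verdict("dismiss", ["no_signals"])
    AUDIT_LOG.append({"message_id": msgid, "recipients": sorted(recipients), **vars(verdict)})
    return verdict


def build_sample(to, subject, body, sender, msgid, auth="spf=pass; dkim=pass; dmarc=pass",
                 attachment=None):
    """Constructs a raw RFC 5322 message as the reporting channel would hand it over."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = sender, to, subject, msgid
    m["Authentication-Results"] = f"mx.example.com; {auth}"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream",
                         filename="invoice.exe")
    return m.as_string()


# Constructed credential-phish lure reused across several recipients below.
PHISH = dict(subject="Action required: your password expires today",
             sender="it-support@login-microsoft365-verify.com",
             body="Reset now: http://login-microsoft365-verify.com/reset", auth="spf=pass; dmarc=fail")

if __name__ == "__main__":
    history = {}
    for to, msgid in [("alice@example.com", "<p1@mailer.example>"), ("ceo@example.com", "<p2@mailer.example>"),
                      ("bob@example.com", "<p3@mailer.example>")]:
        v = triage(build_sample(to=to, msgid=msgid, **PHISH), history)
        print(to, v.action, v.signals, v.containment)
```

Run as-is, the same lure is reported three times: the first report is contained (purge plus domain block plus ticket), the second escalates because the recipient is on the executive list, and the third escalates because three distinct recipients now share one lure fingerprint, which is the campaign pattern. The ordering of the branches is the design choice that matters: EDR-confirmed execution, executive targets and campaign patterns are tested before any automatic containment, and a message with suspicious signals but no IOC match escalates rather than being dismissed, which is how the conservative stance in the text is expressed in code.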
Workflow summary
Intakes report, analyses artifact, decides action, orchestrates containment.
Stages
Decision logic
Uses artifact-analysis rules and threat-intel signals to decide contain, dismiss, or escalate.
Systems and data
Systems · EDR, email gateway, messaging, ticket system
Data · reported phish, threat intelligence, prior triage, containment playbook
Exceptions & human handoff
Confirmed incidents, targeted-campaign patterns, or executive-target phish route to the analyst for immediate ownership.
Handoff trigger · Confirmed incident, targeted campaign, or executive-target flag.
Readiness
EDR feed connected, email gateway integrated, containment playbook approved.
Owner on client side · CISO
Impact contribution
25-35% of role impact is phishing-triage lead time with containment discipline.
Primary KPI · Phishing-triage lead time · Under 15 minutes
When this capability shows up
Patterns where phishing triage is part of the launch set, with volume and pricing anchored to each company profile.
Mid-market SaaS with SOC 2 posture and heavy vendor footprint
SaaS · 300-800
300 / mo
A 500-person B2B SaaS company runs 300 reviews or incidents a month. Quarterly access reviews overrun by weeks. Reported phish waits hours in the queue.
Security Operations Analyst activates access review and phishing triage. Reviews ship on cadence with stale-access removal; phish is triaged in minutes; the analyst shifts to real risk calls.
Expected outcomes at this volume: access-review completion above 95%, phishing-triage lead time under 15 minutes, analyst hours reclaimed weekly.
Monthly cost
€900–€3.6k
vs human anchor
€3.5k–€12k
Savings
0–3%
Enterprise services firm with ISO 27001 and vendor questionnaires
Services · 800-2000
700 / mo
A 1500-person services firm runs 700 reviews or incidents a month. Vendor questionnaires backlog for weeks. Audit evidence is a scramble every cycle.
Security Operations Analyst activates all four capabilities. Access reviews ship on cadence; vendor questionnaires turn around in days; phish gets triaged in minutes; compliance evidence stays audit-ready.
Expected outcomes: cycle-time reduction 50-70% on coordination surface, vendor-review turnaround 60-80% faster, compliance evidence audit-ready at any moment.
Monthly cost
€2.1k–€8.4k
vs human anchor
€8.2k–€28k
Savings
0–3%
Marketplace with heavy third-party integrations and phishing pressure
Marketplaces · 300-800
500 / mo
A 500-person marketplace runs 500 security reviews and incidents a month. Vendor questionnaires queue up for two weeks. Reported phish attempts sit in the queue half a day. Audit evidence is stitched together the week before each review.
Security Operations Analyst activates vendor-security review, phishing triage and compliance monitoring. Questionnaires turn around in days; phish triages in minutes; compliance evidence holds audit-ready.
Expected outcomes: vendor-review turnaround 60-80% faster, phishing-triage lead time under 15 minutes, compliance evidence continuously ready.
Monthly cost
€1.5k–€6.0k
vs human anchor
€5.8k–€20k
Savings
0–3%
All scenarios and cost ranges come from the Security Operations Analyst role page.
Capability-specific integrations
Beyond the Security Operations Analyst's base stack, this capability plugs into:
More Security Operations Analyst capabilities
Last reviewed
Your free Agent Opportunity Audit opens with Security Operations Analyst and Phishing Triage pre-selected. We map the fit and the cost against the equivalent hire, with no obligation.