Scaling security operations manually is impossible in complex cloud environments. SATA demonstrates how AI agents can automate high-volume triage with 95% accuracy, allowing engineers to focus on critical threats while maintaining trust through confidence scoring and orchestration.
In our Engineering Energizers Q&A series, we highlight the engineering minds driving innovation across Salesforce. Today, we spotlight Mor Levi, Vice President of Detection, Analysis and Response at Salesforce, who leads the teams responsible for enterprise cyber defense across 80,000 employees and an attack surface spanning infrastructure, platforms, and cloud environments.
Explore how the team enabled autonomous triage across multi-layered security platforms, helping to ensure analyst-grade precision across a distributed data landscape.
Our team protects Salesforce from cybersecurity threats across our employees, infrastructure, and production systems. We detect suspicious activity early to contain threats before they expand.
Our operations evolve to protect an increasingly dynamic environment. We augment traditional controls with AI-driven insights to enable continuous visibility and stay ahead of rapidly shifting threat behaviors.
We focus on accelerating incident response and maintaining operational discipline. This combination of rapid containment and threat prioritization defines our approach to modern cyber defense.
Scale is our primary driver for innovation. While our analysts are world-class, the sheer velocity of cases in an increasingly complex environment requires a level of processing speed that transcends manual effort. This is why we built the SATA Agent. It acts as a force multiplier for our team, serving as the first line of triage.
The environment also gains complexity every day. Constant cloud changes, new acquisitions, and AI tools create additional risk signals for evaluation. Traditional security operations cannot scale fast enough to match this expansion.
These pressures led the team to build SATA Agent. This autonomous system serves as the first line of triage. Instead of routing every alert to an analyst, the agent reviews signals, gathers context, and prioritizes cases that require expert attention.
SATA Agent manages high-volume initial triage and analysis, allowing analysts to focus their energy on high-stakes investigations and the highest-priority threats.

Fragmentation created the first challenge. Critical context lived across case systems, log platforms, and operational tools. While analysts move across these systems manually, an AI agent requires fast access to everything within a single workflow.
The team discovered that case-management data alone may not provide a sufficient level of detail. Accurate triage decisions require querying logs and reviewing operational guidance from multiple sources. Without this broader context, the agent makes weaker decisions than experienced analysts.
Data volume presented the second challenge. Raw logs often grow too large for standard retrieval, causing latency or timeouts. Pulling every data point into memory fails at enterprise scale.
Internal security orchestration and automation capabilities solved these issues by acting as the hands of SATA Agent. The agent identifies the necessary data, and orchestration workflows retrieve targeted information. This architecture returns only the most relevant context for faster triage.
Enterprise environments generate constant noise and false positives. Employees install software and run scripts that often resemble malicious activity. Simultaneously, real unauthorized access attempts produce similar telemetry.
This overlap creates a difficult problem in threat detection. The same signal represents either normal business or a real attack depending entirely on context. Too many false positives bury urgent threats and waste analyst time.
SATA Agent improves detection accuracy by evaluating surrounding context and applying logic modeled after experienced analysts. Multiple agents review the same case from different perspectives to improve decision quality.

Data underscores trust. Before production use, the team tested SATA Agent against historical security cases. Comparing these results with human analyst decisions helped measure agreement and identify gaps.
This process produced a key metric showing roughly 95% agreement with human analysts. We also introduced confidence scoring to assign a certainty level to every decision. Lower-confidence cases stay with humans, while higher-confidence cases move faster.
Governance extends beyond a single metric. Multiple agents review decisions, and spot checks validate automated outcomes. Prioritization logic routes the highest-risk items first. This layered model enables controlled autonomy in production.
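The validation loop described above, as an added illustration rather than Salesforce's own SATA code: backtest agent verdicts against historical analyst verdicts, check that the confidence score is actually informative before using it as a gate, surface the disagreements a plain agreement rate hides, and sample fast-tracked outcomes for spot checks. The case data, the 0.85 threshold and the routing labels are all constructed assumptions.

```python
"""Added illustration: backtest a triage agent against analyst verdicts and gate
autonomy on confidence. Not Salesforce's SATA code; all data is constructed."""
import random

# Constructed history: analyst verdict, agent verdict, agent confidence (invented).
CASES = [
    {"id": "c1", "analyst": "benign", "agent": "benign", "confidence": 0.97},
    {"id": "c2", "analyst": "malicious", "agent": "malicious", "confidence": 0.93},
    {"id": "c3", "analyst": "benign", "agent": "benign", "confidence": 0.91},
    {"id": "c4", "analyst": "benign", "agent": "benign", "confidence": 0.88},
    {"id": "c5", "analyst": "malicious", "agent": "malicious", "confidence": 0.95},
    {"id": "c6", "analyst": "benign", "agent": "benign", "confidence": 0.86},
    {"id": "c7", "analyst": "malicious", "agent": "benign", "confidence": 0.52},
    {"id": "c8", "analyst": "benign", "agent": "benign", "confidence": 0.61},
    {"id": "c9", "analyst": "benign", "agent": "malicious", "confidence": 0.48},
    {"id": "c10", "analyst": "malicious", "agent": "malicious", "confidence": 0.70},
]

def agreement_rate(cases):
    """Fraction of cases where the agent matched the analyst's verdict."""
    if not cases:
        return 0.0
    return sum(c["analyst"] == c["agent"] for c in cases) / len(cases)

def agreement_by_confidence(cases, threshold):
    """Agreement above and below the threshold. The high band must be clearly
    better than the low band before the threshold is trusted to grant autonomy."""
    high = [c for c in cases if c["confidence"] >= threshold]
    low = [c for c in cases if c["confidence"] < threshold]
    return agreement_rate(high), agreement_rate(low)

def missed_threats(cases):
    """Cases the analyst called malicious but the agent called benign: the costly
    error in triage, which an overall agreement rate does not expose."""
    return [c["id"] for c in cases
            if c["analyst"] == "malicious" and c["agent"] == "benign"]

def route(case, threshold):
    """Low-confidence decisions stay with a human; confident ones are fast-tracked."""
    return "fast_track" if case["confidence"] >= threshold else "human_review"

def spot_check_sample(cases, threshold, fraction, seed=0):
    """Deterministic random sample of fast-tracked outcomes for analyst spot checks."""
    auto = [c for c in cases if c["confidence"] >= threshold]
    k = max(1, round(len(auto) * fraction))
    return random.Random(seed).sample(auto, k)
```

On this constructed history the high band agrees 100% and the low band 50%, so the threshold is doing real work, while `missed_threats` still flags the one missed malicious case that sits in the low band and must go to a human.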
Speed is an early and promising result. In initial testing, this agent ecosystem triaged and prioritized hundreds of security cases in a fraction of the time it would take manually. Based on early estimates of analyst effort per alert, this has the potential to redirect significant manual work to higher-value security operations.
Analysts now focus on confirmed threats, root cause analysis, and deeper investigations. This shift moves human judgment to where it matters most.
The next challenge involves deeper autonomous incident response. Future workflows include threat scoping, timeline reconstruction, and selective automation. These actions require strong safeguards to prevent disruption to users or systems.
The current target focuses on reducing incident containment time by 20%. This extends SATA Agent from triage acceleration into autonomous cyber defense.
The post How Salesforce Built an AI Security Agent for Autonomous Threat Triage appeared first on Salesforce Engineering Blog.