This article demonstrates how AI agents can scale security operations by automating the triage of unstructured vulnerability reports. It highlights the importance of human-in-the-loop systems and structured data collection in maintaining high response standards during rapid growth.
By Kelly McCracken and Raaghavv Devgon.
In our Engineering Energizers Q&A series, we highlight the engineering minds driving innovation across Salesforce. Today, we spotlight Kelly McCracken, Senior Vice President of Information Security, whose Cyber Security Operations Center team built an AI-driven security system using Agentforce to triage and respond to customer-reported vulnerability findings at scale, successfully managing a 30% increase in report volume year over year without expanding their team.
Explore how Kelly’s team addressed the challenge of ingesting highly unstructured vulnerability reports across diverse formats while correctly identifying the relevant product across a large portfolio, and how it managed rapidly increasing report volume without expanding the team while still meeting strict response time requirements.
The team operates a security model designed to detect and analyze threats across all environments with speed and consistency. To support this mission, the team built a product vulnerability response agent to handle security findings reported by third-party researchers and assessments.
This agent functions as an AI-assisted triage system that analyzes incoming reports to determine if a finding represents a real issue or expected behavior. It then generates recommended responses for security engineers, moving the team away from a fully manual model toward an accelerated workflow.
By embedding this agent into the process, engineers retain final decision-making authority while scaling their ability to respond to increasing report volumes. This approach ensures the team maintains response requirements and addresses customer concerns accurately.
The variability and density of incoming vulnerability reports pose many challenges. Customers submit findings in multiple formats, such as PDFs, spreadsheets, and security tool outputs. These reports frequently contain complex diagrams and machine-generated data, which often require significant time to parse manually.
To address this, the team built a format-agnostic approach that extracts meaningful signals across these different structures. However, the system also needed to identify the correct product within a large portfolio of SaaS and on-premises offerings. Early versions lacked this specific context, which limited the accuracy of their recommendations.
The team solved these issues by using Agentforce to process diverse inputs and by introducing parsing logic. This logic infers product context, allowing the system to align reports with the correct product knowledge and generate accurate triage recommendations.

Workflow of a product vulnerability report being processed by the Product Vulnerability Response Agent.
Salesforce growth led to a direct increase in potential vulnerability report submissions as more customers conducted third-party assessments. This surge created a scaling challenge where the workload grew significantly without a corresponding increase in team size, placing pressure on response times.
The team designed the system to absorb this growth by automating key parts of the triage workflow. This allowed the team to handle a 30% increase in reports over one year without adding headcount while still meeting response commitments.
A critical improvement came from eliminating delays in routing and initial analysis. The system completes routing and initial triage in seconds, allowing analysis to start immediately and reducing end-to-end response times.
Inconsistent and incomplete reports submitted via email created a significant bottleneck for the team. Many submissions lacked reproducible steps or sufficient context, forcing analysts to spend time following up with reporters before triage could begin.
In response, we replaced unstructured emails with a web-based interface and structured reporting workflows. This new form enforces the inclusion of required data fields to ensure every report contains the information needed for immediate analysis.
Standardizing inputs at the point of submission improved data quality and processing efficiency. The system now begins analysis without waiting for additional clarification, which reduces back-and-forth communication and accelerates the triage lifecycle.
The team integrated the system directly into Slack to ensure recommendations and analysis occur within existing workflows. This approach avoids the need for a separate interface and reduces friction for security engineers. By functioning as a collaborative participant, the system improves adoption across the organization.
The architecture emphasizes a human-in-the-loop model where the system generates triage recommendations while security engineers retain final decision authority. This structure accelerates workflows and maintains high standards for accuracy.
This integration also enables continuous learning. Analysts provide feedback directly within the workflow, which allows the system to improve over time based on real usage patterns.
Distinguishing between true vulnerabilities and expected behavior remains a complex challenge for security systems. Many reports describe scenarios that appear to be security issues but actually function as designed. In response, the team built a comprehensive knowledge foundation that goes beyond surface-level analysis.
The system achieved over 90% accuracy in initial triage. It also identifies cases where confidence is low to signal the need for human review. By combining a structured knowledge base with human validation, the team created a system that produces reliable recommendations and maintains trust in security decisions.
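The intake check and human-in-the-loop gate described above, sketched as an added example (not Salesforce's code). The field names, the 0.80 threshold, and all function names are assumptions; the article does not state them.

```python
from dataclasses import dataclass

# Hypothetical required intake fields; the article does not list the real ones.
REQUIRED_FIELDS = ("product", "summary", "steps_to_reproduce", "reporter_contact")
# Hypothetical cut-off below which a recommendation is flagged for closer review.
LOW_CONFIDENCE = 0.80

@dataclass
class Recommendation:
    verdict: str       # "vulnerability" or "expected_behavior"
    confidence: float  # 0.0 to 1.0, as reported by the triage agent

def missing_fields(report: dict) -> list:
    """Return the required fields that are absent, None, or blank."""
    return [f for f in REQUIRED_FIELDS if not str(report.get(f) or "").strip()]

def route(report: dict, rec: Recommendation) -> dict:
    """Pick the next workflow state. The agent only suggests; it never closes."""
    missing = missing_fields(report)
    if missing:
        # Structured intake: incomplete reports never reach triage.
        return {"state": "rejected_at_intake", "missing": missing}
    # Out-of-range or NaN confidence fails the comparison and is flagged too.
    flagged = not (LOW_CONFIDENCE <= rec.confidence <= 1.0)
    return {"state": "awaiting_engineer_decision", "suggested": rec.verdict,
            "needs_close_review": flagged, "final": None}

def finalize(ticket: dict, engineer: str, decision: str) -> dict:
    """Only an engineer sets the final verdict; overrides are kept as feedback."""
    if ticket.get("state") != "awaiting_engineer_decision":
        raise ValueError("ticket is not ready for a decision")
    return {**ticket, "state": "closed", "final": decision,
            "decided_by": engineer,
            "overrode_agent": decision != ticket["suggested"]}

# Constructed sample report, for illustration only.
SAMPLE = {"product": "example-product", "summary": "Session cookie lacks flag",
          "steps_to_reproduce": "1. Log in 2. Inspect cookies",
          "reporter_contact": "researcher@example.com"}

if __name__ == "__main__":
    t = route(SAMPLE, Recommendation("expected_behavior", 0.55))
    print(t)
    print(finalize(t, "analyst1", "vulnerability"))
```
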
The post Scaling Trust: How Salesforce’s Security Team Uses Agentforce to Triage Security Reports at Speed appeared first on Salesforce Engineering Blog.