This article demonstrates how AI agents can scale security operations by automating the triage of unstructured vulnerability reports. It highlights the importance of human-in-the-loop systems and structured data collection in maintaining high response standards during rapid growth.
By Kelly McCracken and Raaghavv Devgon.
In our Engineering Energizers Q&A series, we highlight the engineering minds driving innovation across Salesforce. Today, we spotlight Kelly McCracken, Senior Vice President of Information Security, whose Cyber Security Operations Center team built an AI-driven security system using Agentforce to triage and respond to customer-reported vulnerability findings at scale, successfully managing a 30% increase in report volume year over year without expanding their team.
Explore how Kelly’s team addressed the challenge of ingesting highly unstructured vulnerability reports across diverse formats while correctly identifying the relevant product across a large portfolio, and managing rapidly increasing report volume without expanding the team and meeting strict response time requirements.
The team operates a security model designed to detect and analyze threats across all environments with speed and consistency. To support this mission, the team built a product vulnerability response agent to handle security findings reported by third-party researchers and assessments.
This agent functions as an AI-assisted triage system that analyzes incoming reports to determine if a finding represents a real issue or expected behavior. It then generates recommended responses for security engineers, moving the team away from a fully manual model toward an accelerated workflow.
By embedding this agent into the process, engineers retain final decision-making authority while scaling their ability to respond to increasing report volumes. This approach ensures the team maintains response requirements and addresses customer concerns accurately.
The variability and density of incoming vulnerability reports can pose many challenges. Customers submit findings in multiple formats, such as PDFs, spreadsheets, and security tool outputs. These reports often contain complex diagrams and machine-generated data, which often requires significant time to parse manually.
To address this, the team built a format-agnostic approach that extracts meaningful signals across these different structures. However, the system also needed to identify the correct product within a large portfolio of SaaS and on-premises offerings. Early versions lacked this specific context, which limited the accuracy of their recommendations.
The team solved these issues by using Agentforce to process diverse inputs and by introducing parsing logic. This logic infers product context, allowing the system to align reports with the correct product knowledge and generate accurate triage recommendations.
Workflow of a product vulnerability report being processed by the Product Vulnerability Response Agent.
Salesforce growth led to a direct increase in potential vulnerability report submissions as more customers conducted third-party assessments. This surge created a scaling challenge where the workload grew significantly without a corresponding increase in team size, placing pressure on response times.
The team designed the system to absorb this growth by automating key parts of the triage workflow. This allowed the team to handle a 30% increase in reports over one year without adding headcount while still meeting response commitments.
A critical improvement came from eliminating delays in routing and initial analysis. The system completes routing and initial triage in seconds, allowing analysis to start immediately and reducing end-to-end response times.
Inconsistent and incomplete reports submitted via email created a significant bottleneck for the team. Many submissions lacked reproducible steps or sufficient context, forcing analysts to spend time following up with reporters before triage could begin.
In response, we replaced unstructured emails with a web-based interface and structured reporting workflows. This new form enforces the inclusion of required data fields to ensure every report contains the information needed for immediate analysis.
Standardizing inputs at the point of submission improved data quality and processing efficiency. The system now begins analysis without waiting for additional clarification, which reduces back-and-forth communication and accelerates the triage lifecycle.
The team integrated the system directly into Slack to ensure recommendations and analysis occur within existing workflows. This approach avoids the need for a separate interface and reduces friction for security engineers. By functioning as a collaborative participant, the system improves adoption across the organization.
The architecture emphasizes a human-in-the-loop model where the system generates triage recommendations while security engineers retain final decision authority. This structure accelerates workflows and maintains high standards for accuracy.
This integration also enables continuous learning. Analysts provide feedback directly within the workflow, which allows the system to improve over time based on real usage patterns.
Distinguishing between true vulnerabilities and expected behavior remains a complex challenge for security systems. Many reports describe scenarios that appear to be security issues but actually function as designed. In response, the team built a comprehensive knowledge foundation that goes beyond surface-level analysis.
The system achieved over 90% accuracy in initial triage. It also identifies cases where confidence is low to signal the need for human review. By combining a structured knowledge base with human validation, the team created a system that produces reliable recommendations and maintains trust in security decisions.
The post Scaling Trust: How Salesforce’s Security Team Uses Agentforce to Triage Security Reports at Speed appeared first on Salesforce Engineering Blog.
Continue reading on the original blog to support the author
Read full articleAs AI-generated code accelerates development, traditional manual reviews can't keep up. MuleSoft’s Golden Gate provides a scalable model for automated, AI-powered PR governance that maintains high security and trust without slowing down developer velocity or increasing false positives.
Engineers need ways to bridge the gap between unpredictable LLM reasoning and the deterministic requirements of enterprise systems. Agent Script provides a structured control plane that ensures security and consistency while allowing agents to remain flexible and easy to develop.
Engineers must balance LLM flexibility with enterprise reliability. AgentScript provides a deterministic control plane for AI agents, ensuring security-sensitive workflows like authentication remain predictable while maintaining the reasoning power of modern large language models.
As AI agents move to complex multi-system workflows, siloed security fails. This platform-centric approach ensures consistent identity, data, and API governance, preventing unauthorized access and ensuring auditability across distributed enterprise environments.
