Human + AI Investigations

Five agents, one complete attack story.

Decanos deploys five specialized AI agents in parallel across endpoint, identity, network, cloud, and threat intel to reconstruct the full attack story across every domain in under 60 seconds.

Five AI agents reconstruct the full attack story across every domain in under 60 seconds.

See It in Action Talk to Sales

Supported by security leaders at 20+ enterprises across Europe and North America

decanos.com/decanos-enterprise-platform/alert-id/agent-activity

LIVE

Malicious Behavior Prevention: Potential Memory Dumping via ddHIGH

Attack Path

Handoff

Agent Analysis

Multi-domain sweep

Human Review

Context surfaced

Action Agent

Response staged

Analysis

Classification

Human Handoff

Severity

Critical

MITRE

T1059 · +4

Correlated

8 alerts

Confidence

92%

Priority

High · 91

Evidence Collected

Endpoint

Memory dump artifact

ws-104

Identity

OAuth token replay

identity-svc-01

Cloud

S3 exfil beacon

prod-s3-02

Investigating...

Investigation domains

endpoint, identity, network, cloud, threat intel

<0s

Full attack timeline

complete kill chain reconstructed

Evidence trail

every finding fully documented and auditable

Parallel agents

simultaneous cross-domain analysis

The Problem

Every tool sees a piece. None see the full picture.

All the signal is there. It's locked across 8 vendor silos that were never built to connect.

EDR / Endpoint

Cloud Security

SIEM / Raw Logs

Vulnerability Management

Threat Intel

Identity / IAM

Email Security

Network / FW

EDR / Endpoint

Cloud Security

SIEM / Raw Logs

Vulnerability Management

Threat Intel

Identity / IAM

Email Security

Network / FW

How It Works

From raw alert to full resolution

Agents Investigate in Parallel

Specialized agents launch simultaneously across EDR, SIEM, cloud, identity, and network the moment an alert arrives.

Autonomous Triage + Handoff

Alerts auto-close or escalate to analysts with full context pre-loaded. 95%+ of noise never reaches a human.

Malicious Behavior Prevention: Potential Memory Dumping via dd

Human HandoffHigh85%76

Autopilot Summary

Coordinated credential dumping on ubuntu-s-2vcpu. Memory extraction via dd, correlated with 9 alerts across identity and endpoint domains.

Evidence

MITRE

Correlated

Actions

Instant ActionsAI Generated

Add Node Tag

Tag device as under investigation

Execute

Isolate Endpoint

Prevent lateral movement

Execute

Unified Investigations, Response, and Escalation

All signals unified in one workspace. 95%+ of alerts auto-close. True positives escalate with AI-staged response actions ready in one click.

Malicious Behavior Prevention Alert: Potential Memory Dumping via dd

Priority Score

Status:Human HandoffSeverity:HighConfidence:85%Priority:High (76)Created:2026-02-17 00:40:10 CST

Alert Details

Alert Graph & Timeline

Users & Assets

Evidence & IOCs

Tactics & Techniques

Correlations

Activity

Actions

This alert is correlated with 9 other alerts.

›

Autopilot Summary

This alert detected a coordinated credential dumping attack on ubuntu-s-2vcpu where the dd command extracted process memory to a file named after MITRE ATT&CK technique T1003.007. The activity was part of a scripted sequence including memory reconnaissance and suspicious echo commands for potential data exfiltration, all within a 2-minute window from a single parent process. No lateral movement has been confirmed yet, but the correlated identity signals suggest privilege escalation may be underway.

View Reasoning

Autopilot Conclusion

This alert represents a coordinated credential dumping attack chain with 9 correlated alerts on ubuntu-s-2vcpu. Human verification required to confirm legitimacy and assess potential credential exposure. Recommend immediate isolation of affected host and rotation of all credentials associated with the impacted user context.

Alert Informationfbe92d5e-11e5-4f02...

Timeline

Created

2026-02-17 00:40

Last Updated

2026-02-17 07:46

Affected Assets

User

No user identified

Device

ubuntu-s-2vcpu

Data Sources (2)

Unified Security Graph

Decanos Endpoint Security

Total Evidence

MITRE Techniques

Correlated Alerts

Available Actions

Activity Hub

Close Alert

StatusHuman Handoff

Assigned To

Activity History

Decanos Admin

Ran 8 Instant Actions

07:46

Misc. Alerts Agent

Assigned User

00:48

Unified Security Graph

Received Alert

00:40

Instant ActionsAI Generated

Unified Security Graph

Add Node Tag

Tag ubuntu device as under investigation due to the coordinated incident.

View details

Execute

CrowdStrike Falcon

Isolate Endpoint

Prevent lateral movement from the affected ubuntu device.

View details

Execute

03Everything Unified?

All signals, EDR, SIEM, identity, cloud, and network, correlated in one workspace. No tool-switching.

05Escalate or Resolve?

95%+ of alerts auto-close. True positives escalate with full context and a recommended disposition already loaded.

04Instant Actions?

AI-staged response actions ready in one click, isolate, tag, revoke, or ticket, across your connected stack.

Core Capabilities

Investigation that never misses a dimension

Parallel Agent Analysis2/5 complete

Endpoint

Complete

Identity

Complete

Network

Analyzing

Cloud

Analyzing

Threat Intel

Analyzing

Multi-Agent Parallel Analysis

Five domains investigated simultaneously, not sequentially.

Endpoint, Identity, Network, Cloud, and Threat Intel agents run simultaneously, completing investigations in a fraction of the time a human team requires. Each agent is specialized for its domain and queries every relevant data source in parallel.

Five specialized agents investigate endpoint, identity, network, cloud, and threat intel simultaneously.

Cross-Domain Correlation4 matched

Memory Dumping via dd

Status:Human HandoffSeverity:High

Priority:76Created:2026-02-17 00:40:09

Analysis:

Fourth memory dumping instance on ubuntu-s-2vcpu-4gb-syd1-01, temporally aligned with the main alert. Likely part of the same batch credential harvest operation running across multiple processes.

Suspicious Echo Execution

Status:Human HandoffSeverity:High

Priority:73Created:2026-02-17 00:40:10

Analysis:

Echo commands post-dump on ubuntu-s-2vcpu-4gb-syd1-01 suggest base64 exfiltration or C2 persistence. Occurred immediately after all memory dump alerts concluded.

Cross-Domain Correlation

Attack paths that span domains are found automatically.

Connect the dots across endpoint telemetry, identity logs, network flows, and cloud events, surfacing attack paths no single-domain tool can see. The Security Graph links every entity involved in an incident regardless of which data source it came from.

Surfaces attack paths across endpoints, identity, network, and cloud that no single-domain tool can see.

Attack Graph & Timeline4 stages · 2h37m

T+0:14

Initial Access

T+0:47

Cred Dump

T+1:23

Lateral Move

T+2:51

Data Exfil

Automated Attack Timelines

The complete kill chain, reconstructed in seconds.

The full kill chain, reconstructed automatically from initial access to lateral movement to impact, with timestamps and evidence at every step. What takes an analyst hours to build manually is generated in under 60 seconds.

Full kill chain from initial access to impact, with timestamps and evidence, generated in under 60 seconds.

Evidence & IOCs

All Evidence3

Process1

File1

Device1

Network

Device Evidence

suspicious

Hostname:ubuntu-s-2vcpu

IP:127.0.0.1

Status:active

Risk:informational

Analysis:

7 critical alerts in same window: coordinated credential dump operation.

Process Evidence

suspicious

Name:dd

PID:3921

Path:/usr/bin/dd

Parent:dash (3909)

Analysis:

dd dumping /proc/mem → T1003.007. OS Credential Dump via Proc Filesystem.

Evidence Management

Every finding documented, auditable, and transferable.

Complete audit trail for every investigation finding, structured for compliance review, legal requirements, and analyst knowledge transfer. Investigations do not live in analysts' heads. The full case file is preserved, accessible, and reviewable regardless of who originally ran it.

Complete audit trail for every finding, structured for compliance, legal, and knowledge transfer.

Ready to see a live investigation in under 60 seconds?

Most environments are live and running their first investigation within 48 hours.

See a Live Investigation

Why Decanos

The investigation advantage

Decanosautonomous AI

Manual Investigationstatus quo

SOAR Platformplaybook-based

Investigation scope

5 domains in parallel

One domain at a time

Playbook-limited scope

Time to full picture

Under 60 seconds

2-4 hours per incident

Still analyst-dependent

Cross-domain correlation

Automatic via Security Graph

Manual, tool-hopping

Pre-defined integrations

Evidence documentation

Automatic, audit-ready

Manual reconstruction

Partial logging

Analyst expertise required

Analyst reviews AI findings

Senior analyst hours

Playbook author hours

Scales with alert volume

No additional cost per incident

Linear analyst cost

Playbook maintenance burden

Investigation scope

Decanos

5 domains in parallel

Manual Investigation

One domain at a time

SOAR Platform

Playbook-limited scope

Time to full picture

Decanos

Under 60 seconds

Manual Investigation

2-4 hours per incident

SOAR Platform

Still analyst-dependent

Cross-domain correlation

Decanos

Automatic via Security Graph

Manual Investigation

Manual, tool-hopping

SOAR Platform

Pre-defined integrations

Evidence documentation

Decanos

Automatic, audit-ready

Manual Investigation

Manual reconstruction

SOAR Platform

Partial logging

Analyst expertise required

Decanos

Analyst reviews AI findings

Manual Investigation

Senior analyst hours

SOAR Platform

Playbook author hours

Scales with alert volume

Decanos

No additional cost per incident

Manual Investigation

Linear analyst cost

SOAR Platform

Playbook maintenance burden

Investigations

See the complete attack story in under 60 seconds

Five AI agents investigate in parallel across every domain your attacker touched. The complete kill chain, full evidence trail, and response actions, ready before a human analyst opens their first console.

See a Live Investigation Talk to Sales

Advisory

Managed Services

Product

Company

Five agents, one complete attack story.

Every tool sees a piece. None see the full picture.

From raw alert to full resolution

Agents Investigate in Parallel

Autonomous Triage + Handoff

Unified Investigations, Response, and Escalation

Investigation that never misses a dimension

Multi-Agent Parallel Analysis

Cross-Domain Correlation

Automated Attack Timelines

Evidence Management

The investigation advantage

Additional Resources

Decanos Launches Enterprise Platform with Autonomous Security Operations, EDR, and Cloud Security

Decanos EDR and CDR Now Generally Available for Enterprise Customers

Decanos and Deutsche Telekom Partner to Bring Autonomous Security Operations to Europe

Decanos Achieves SOC 2 Type II Certification Across All Five Trust Services Criteria

See the complete attack story in under 60 seconds