LogSeam Book a demo
§ The AI

Specialized agents. At swarm scale. Under your control.

A growing fleet of purpose-built agents and the runtime to scale them to thousands. Memory, pods, swarms, and a complete governance harness — every action mapped, audited, and human-approvable when it matters.

The roster

Many specialists. One harness.

The fleet maps the way SOCs actually work — analyst-grade specialists who answer the questions, operational agents that close the loop, and platform agents that run the room. The harness is open, so you can add your own.

01
— The analysts —
  • Triage
  • Investigations
  • Case Briefing
  • Threat Hunting
  • Detection Engineer
  • Forensics
  • Malware Analyst
  • Network Analyst
  • Data Analyst
02
— The operations —
  • Correlation
  • Rule Generation
  • MITRE ATT&CK
  • IOC Worker
  • Threat Intel
  • Vulnerability
  • Incident Response
  • Compliance
03
— The platform —
  • Canvas
  • SOC Platform
  • Dashboard
  • Composer
  • Reports
  • Librarian
  • Integrations
  • Data Advisor
  • Agent Creation
Surface area

Agents at every level of the platform.

Agents aren't bolted to one screen. They interface at every layer of the system — searching the lake, working alerts and incidents, running deep threat-intelligence investigations, and anywhere in between. If a human can do it on the platform, an agent can do it too.

THE LAKE

Search and query raw data.

Agents speak SQL natively. They pivot across sources, join enrichment, and reach back through years of retention — the same data your analysts see.

ALERTS & INCIDENTS

Work the case load.

Triage every alert with full context. Carry an incident through evidence, containment, and closure — with the audit trail every action leaves behind.

THREAT INTEL

Investigate at depth.

Long-running hunts across campaigns, profiles, and coverage. Agents keep state in memory and compound findings across days and analysts.

ANY SURFACE

Anywhere in the system.

Dashboards, reports, detections, integrations, the canvas, MCP — any tool the platform exposes is a tool an agent can call.

Context

Agents reason on a graph, not a log line.

Every event we ingest is linked to the entities it touches — users, hosts, identities, processes, files, IPs, alerts, tickets. The result is a live context graph that grows with your data. When an agent asks "who else touched this account?" or "what assets does this host depend on?", the answer is one hop away — not a half-hour pivot through a dozen tools.

authenticated accessed triggered on linked Alert INC-4471 USER d.park HOST web-01 IDENTITY Okta FILE config.yaml IP 1.2.3.4 TICKET JIRA-882
01

Built at ingest.

Every record is parsed for the entities it references and stitched into the graph as it lands. No batch ETL, no separate enrichment pipeline.

02

Queried by agents.

Agents traverse the graph instead of fanning out raw SQL. "Show me everything connected to this alert" is a single hop — not a series of joins.

03

Grounded in your data.

Identities from your IdP. Assets from your CMDB. Tickets from your ITSM. The graph reflects your environment — not a generic schema we picked.

04

Open and queryable.

The graph isn't a black box. It's exposed via MCP, SQL, and the API — for your agents, your analysts, and any tool you want to point at it.

Scale

Agent Pods. Swarms. Horizontal by default.

Every agent runs in an isolated pod — its own state, its own memory, its own scope. Need 1,000 agents triaging in parallel? The runtime spreads pods across the cluster. Need agents that coordinate? Compose them into a swarm working a single job together.

pod-01 pod-02 pod-03 pod-04 pod-05 pod-06 pod-07 pod-08 pod-09 pod-10 pod-11 pod-12 pod-13 pod-14 pod-15 pod-16 pod-17 pod-18 pod-19 pod-20 pod-21 pod-22 pod-23 pod-24 — Swarm —

Agents don't share process state — each one runs in its own pod, with isolated memory and a scoped view of the lake. Pods are cheap; the runtime starts thousands and tears them down on the second.

For jobs too big for one agent, compose a swarm — a coordinated group of agents that share intermediate findings and divide the work. One swarm can hunt across a year of data while another triages today's inbound.

  • per-pod isolation — own memory · own scope · own audit
  • swarm coordination for large or branching jobs
  • horizontal scale — thousands of pods in parallel
  • elastic — pods spin up per job, dissolve when done
  • built on a battle-tested distributed Elixir runtime
Custom agents

The harness is open. Build your own.

The same harness our built-in agents run on is open to you. Define new agents, give them tools, declare their memory model — and they ride on the same pods, the same swarms, the same governance. No second runtime.

DECLARE

Role · tools · scope

Define what the agent does, which tools it can call, and what part of the lake it can read. Versioned in code.

COMPOSE

Reuse our agents as tools

Your custom agent can call Triage, Hunt, Investigate as sub-tools. Stand on what's already there.

GOVERN

Inherits the harness

Same actions, same audit trail, same approval gates as built-in agents. No custom-action escape hatch.

SHIP

Ride the same pods

Deploys onto the existing pod runtime. Scales with the rest of your fleet. One operational model.

Agent memory

Recall, not re-query.

Two layers. Session memory captures the raw work — queries, findings, reasoning. The Library captures the curated knowledge — who you are, what you own, who's after you. Together, investigations compound; compute spend doesn't.

agent memory · session recall
# Tuesday — Hunt agent investigates 10.0.4.22
> hunt: lateral movement from 10.0.4.22
  847 results stored → memory: inv-4a7f
# Thursday — Investigate agent picks it up
> recall: inv-4a7f — correlate with new C2 indicators
  12 matches found across stored results
  no re-query needed — 0 additional compute
library · curated knowledge
★ Company information
org chart · critical assets · acceptable-use policy
★ Threat actor profiles
APT29 · FIN7 · Lazarus — TTPs, IOCs, write-ups
★ Environment knowledge
network topology · IAM model · tiering · golden paths
★ Risk register
crown jewels · exposure · compensating controls
Governance harness

Every function is an action. Every action is accounted.

There is no "agent did something" black box. Every tool call an agent makes is a typed action with a caller, a scope, a policy, and an audit record. Sensitive actions wait for a human.

Action lifecycle AGENT respond.containment caller · d.park POLICY · SCOPE classify action auto · or · approve AUTO execute HUMAN approve analyst · oncall AUDIT LOG action · result signed · timestamped policy classifies · human gates the rest · everything is recorded

Every tool an agent invokes — query, enrich, ticket, block, isolate, page — is a typed action. Actions carry the caller's identity, the agent that emitted them, the scope, the inputs, and the policy classification.

Read-only actions auto-execute. Anything destructive or sensitive — containment, deletion, deployment, ticket creation — pauses for a human approval from the analyst or on-call engineer you've designated. Nothing happens behind your back.

  • typed actions — no free-form side effects
  • per-action policy: auto · approve · forbid
  • RBAC + scope inherited from the caller
  • signed, timestamped audit log — every step replayable
  • bring-your-own-model — Claude, GPT, self-hosted
Models

Any model. Your choice.

Pick one or many models that fit your latency, cost, and accuracy budget — and swap any time without rewriting an agent.

Anthropic OpenAI MiniMax Gemini Kimi Bedrock

+ Self-hosted models available upon request.

Cost control

AI spend you can see. And tune.

Every token an agent spends is profiled. Roll up by agent, by model, by capability, or by action — set budgets per dimension, alert on overruns, and tune the fleet without guessing where the money goes.

BY AGENT

Per agent.

Spend rolled up by agent — Triage vs Hunt vs Detect vs the custom agents you've built. See which agents earn their keep.

BY MODEL

Per model.

Spend per provider — Anthropic, OpenAI, Bedrock, self-hosted. Decide which model does which work, and watch the bill shift.

BY CAPABILITY

Per capability.

Spend per capability — sigma authoring, enrichment, summarization, pivoting. See where the budget actually goes inside the agent loop.

BY ACTION

Per action.

Every typed action carries a cost line — input tokens, output tokens, tool-call overhead. Audit the cheapest step and the most expensive one.

MCP · headless

Drive every agent from any MCP client. No UI required.

The full agent fleet — built-in and custom — is exposed as a native MCP server. Plug Claude, Cursor, your own client, or your existing SOAR into LogSeam and run agents headless. Same harness, same governance, same audit.

NATIVE MCP SERVER

Every agent is a tool

Triage, Hunt, Investigate, Detect, Respond, Intelligence — and your custom agents — discoverable as MCP tools. Schema-aware. Session-scoped. Memory persists across calls.

  • Compatible with any MCP client
  • Schema-aware tool discovery
  • Persistent agent memory across sessions
  • Per-caller authorization and audit
HEADLESS BY DESIGN

UI is optional

The platform was built for the agent runtime first. The UI is one client among many. Drive every workflow, every agent, every dataset programmatically — without giving up governance or audit.

  • Run from Claude / Cursor / your IDE
  • Embed in your own front-end
  • Drive from existing SOAR / orchestration
  • Same governance harness as the UI

Put agents on your data.

Book a demo Get MCP access