
The CardinalOps Agentic Fleet
Equip your SOC to defeat adversaries in the AI era with agentic detection engineering. Specialized agents fly alongside your team to continuously optimize the detection lifecycle.

Reinvent Your SOC for the AI Era
Detection engineering has absorbed the strain of growing telemetry, evolving adversaries, and sprawling tools, and the AI era is exacerbating the pressure. It’s time for a new model to take flight.
A Purpose-Built, Coordinated System, Powered by Cardinal AI
Built by detection engineers, for detection engineers, encoding elite expertise and constantly adapting to outcomes

Charting a New Way Forward for Detection Engineering

Scale Capacity of Your Current Team
Automate manual operational tasks, enabling your lean team to operate and succeed at enterprise scale.

Reduce Noise and Improve Response
Increase signal quality and eliminate noise, so your SOC can focus on threats that matter most.

Automate SOC Feedback Loops
Incorporate triage and investigation outcomes into automated workflows that continuously refine detections.

Streamline Lifecycle Management
Reduce costs and offload operational overhead with AI-driven maintenance of large rule sets.
Meet Your Agentic Fleet Operators
Frequently Asked Questions
Our answers to frequent questions:
Agentic Detection Engineering is the process of using agentic AI to automate the manual, time-consuming aspects of detection lifecycle management. Agents operate autonomously using multi-step planning and execution workflows to identify coverage gaps, develop new rules, tune existing rules, and operationalize threat intelligence and threat hunting findings into new detection coverage.
With Agentic Detection Engineering, AI agents can observe the effects of their actions and incorporate feedback from human detection engineers to continuously learn and improve their approach to detection engineering.
In general, the agents within the Fleet are embedded directly into existing CardinalOps platform UI components. The Fleet’s findings for optimizing your detection environment are delivered as “Agentic Recommendations” under the Cards. All of the Fleet’s actions are logged and accessible via the Dashboard under “Agentic Activities”.
Wingman is accessible via a dedicated tab in the side menu, allowing you to engage in a familiar generative AI chat user experience. You can prompt Wingman to generate new rules, survey existing coverage, review tools in your environment, and much more.
CardinalOps does not train our models on any specific sensitive customer data. Insights that our models generate for optimizing detection workflows will only ever use aggregated, anonymized data, ensuring sensitive customer data is never exposed. We also have enterprise agreements with each underlying LLM vendor that explicitly prohibit any use of our customers’ data for their own platforms, further ensuring customer data privacy.
Collaboration workflows largely depend on how many agents are included in the customer’s license package. For customers that don’t have all agents in the Fleet, agentic workflows will be limited in scope to accomplish tasks aligned with the agents they’ve purchased.
For customers with the entire Fleet, all agents will collaborate as necessary to complete their tasks. For example, if a user prompts Wingman to review coverage for a specific APT and create a relevant detection, Wingman may reference findings from Threat Interpreter and engage the False Positive Terminator to provide proactive tuning recommendations.
No. At CardinalOps, our philosophy is that AI should augment, never replace, human detection engineers, preferring human-in-the-loop or human-on-the-loop AI workflows that allow your end users to review and approve the Fleet’s recommendations before deploying changes. While the agents in the Fleet may act autonomously to complete discrete tasks, they won’t deploy anything that impacts production systems unless given end user approval.
Since the Fleet is embedded into the existing CardinalOps platform, the deployment timeline is the same as any standard platform deployment. It largely depends on how quickly the customer can work through the necessary API integrations with the CardinalOps support team. The Fleet can be operational in a matter of hours.
Qualifying prospects may include the Fleet within the broader scope of a standard proof of value (POV) deployment. Customers can request access to the Fleet for a limited period of time on a trial basis before upgrading to the full, paid version.
Change the Detection Engineering Equation

