Panther AI: Transforming Alert Triage and Resolution

Jack Naglieri
Published on May 6, 2025 in Blog
5 min read

Every day, security teams face the time-intensive process of building context around security signals. When alerts fire, analysts must manually piece together fragmented information across disconnected systems: sifting through logs, correlating user identities, examining historical patterns, and analyzing rule logic. This process can take over 30 minutes of focused work for a single alert, and with dozens of alerts generated daily, the workload can often exceed team capacity.

The consequences are real: slower resolution times, inconsistent triage quality, burnout from repetitive tasks, and the constant risk of missing nuances buried in the details. Security teams constantly strive to compress the time between alert generation and informed action without sacrificing analytical quality. Panther AI helps address this challenge by automating the most time-consuming aspects of alert triage while keeping your security team in the loop on critical decisions. In this post, we’ll explain how it works with real-world examples.

One-Click Context: Instantly Analyze Alerts

Panther AI kick-starts the triage process by automating the collection and correlation of security log data to contextualize the alert within seconds, which is just a fraction of the time required for manual triage and querying.

Without AI assistance, analysts must manually examine matched events, review enrichments, check past alerts, and investigate surrounding activity within and outside the alert's log type. Now, users can click the "Start Panther AI Triage" button, which automatically fetches:

  • User identity information

  • Historical alert patterns

  • Detection rule logic

  • Indicator enrichments

  • All events matched by the rule

Results stream in real-time as the AI processes information, displaying its reasoning through transparent "thinking steps" that include internal links to verify the source data:

When complete, a structured report is provided with the following sections:

  • Summary: An overview of the activity

  • Key Findings: Five important observations

  • Security Implications: Benign or Risk indicators

  • Timeline: The sequence of key events

  • Recommended Actions: Next steps for remediation or investigation

Each triage is persisted and linked directly to the generated alert, allowing it to be referenced later for compliance, audit, or security purposes.

Panther AI's automated analysis sets a new standard for alert investigation efficiency while serving as a virtual mentor for analysts. It reduces cognitive load and guides analysts through a structured learning process, explaining the security implications of each finding. By combining rapid processing with thorough data collection, the system empowers analysts to make critical decisions faster and deepen their understanding of security patterns and behaviors.

Let's explore how analysts can guide and enhance Panther AI's triage process through targeted prompts, ensuring investigations align with their expertise and priorities.

Guided Investigation: Execute with Urgency

While one-click analysis provides immediate time savings and baseline information, investigation often requires following threads to find new answers to security questions. Panther AI's custom prompting capability allows you to direct the AI investigation based on your expertise. As with all AI prompting, the more precise you are about the request, the more likely you'll get a high-quality answer. For example, you may want Panther AI to examine a dataset it didn't consider during the initial run. You might create a new thread with the following prompt to pull a time window from aws_cloudtrail logs:

The analysis will be re-run with this context in mind. The AI may also use this hint to examine related information as it dynamically works out how best to answer the question with the available tools and data. With this contextualized response, analysts gain additional clarity.

Other example follow-up prompts include:

  • “Analyze all privileged EC2 events in CloudTrail immediately following this alert in US regions”

  • "Compare this activity with the user's behavior over the past 30 days."

  • "Examine related network traffic logs around the time of this event and look for exfiltration."

Each prompt builds on the previous context, creating a continuous investigation thread in which the AI maintains awareness of all previously gathered information. This eliminates repetitive queries, allowing for deeper and more focused analysis without starting over.

This iterative process continues until your team has answered all critical business questions and gathered sufficient evidence to determine the scope and impact of the activity. With a comprehensive understanding built through AI-assisted investigation, it's time to formalize the resolution.
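The triage pattern described in the two sections above (gather the matched events, the surrounding activity in the alert's log type, the user's prior alerts and the rule's intent, then emit a report with Summary, Key Findings, Security Implications, Timeline and Recommended Actions) and the follow-up "pull a time window from the logs" query can be sketched in plain Python. This is an added example, not Panther's code: the CloudTrail-style records and prior alerts are constructed, and the field names and the `SENSITIVE_ACTIONS` list are assumptions rather than a Panther schema. Each finding carries the timestamps it was derived from, mirroring the "thinking steps" that link back to source data.

```python
"""Alert triage context builder (added example, not Panther's code).

Builds the structured report the post describes from constructed
CloudTrail-style events, and exposes the time-window query an analyst
would otherwise write by hand as a follow-up.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real logs); field names are assumptions.
EVENTS = [
    {"time": "2025-05-06T10:00:00Z", "user": "alice", "source_ip": "203.0.113.5", "event": "ConsoleLogin", "mfa": True},
    {"time": "2025-05-06T10:07:00Z", "user": "alice", "source_ip": "203.0.113.5", "event": "CreateAccessKey", "mfa": True},
    {"time": "2025-05-06T10:09:00Z", "user": "alice", "source_ip": "198.51.100.9", "event": "AttachUserPolicy", "mfa": False},
    {"time": "2025-05-06T10:12:00Z", "user": "alice", "source_ip": "198.51.100.9", "event": "RunInstances", "mfa": False},
    {"time": "2025-05-06T12:00:00Z", "user": "bob", "source_ip": "203.0.113.7", "event": "ConsoleLogin", "mfa": True},
]
PRIOR_ALERTS = [
    {"time": "2025-04-20T09:00:00Z", "user": "alice", "rule": "AWS.IAM.PolicyAttached", "status": "Invalid"},
    {"time": "2025-03-02T14:30:00Z", "user": "alice", "rule": "AWS.Console.LoginWithoutMFA", "status": "Resolved"},
]
ALERT = {"time": "2025-05-06T10:09:00Z", "user": "alice", "rule": "AWS.IAM.PolicyAttached",
         "matched_events": [EVENTS[2]]}

# Assumed set of actions treated as privileged for this example.
SENSITIVE_ACTIONS = {"CreateAccessKey", "AttachUserPolicy", "RunInstances", "PutBucketPolicy"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_in_window(events, center, before, after, user=None):
    """Time-window query over one log type, optionally filtered to a user."""
    c = parse_ts(center)
    lo, hi = c - before, c + after
    out = [e for e in events
           if lo <= parse_ts(e["time"]) <= hi and (user is None or e["user"] == user)]
    return sorted(out, key=lambda e: e["time"])  # ISO timestamps sort lexically


def prior_alerts_for(user, alerts, as_of, days=90):
    """Historical alert pattern for the user, looking back `days` from the alert."""
    cutoff = parse_ts(as_of) - timedelta(days=days)
    return [a for a in alerts if a["user"] == user and parse_ts(a["time"]) >= cutoff]


def build_triage_report(alert, events, alerts, window=timedelta(minutes=15)):
    user = alert["user"]
    window_events = events_in_window(events, alert["time"], window, window, user=user)
    history = prior_alerts_for(user, alerts, alert["time"])
    same_rule = [a for a in history if a["rule"] == alert["rule"]]
    ips = sorted({e["source_ip"] for e in window_events})
    no_mfa_sensitive = [e for e in window_events if e["event"] in SENSITIVE_ACTIONS and not e["mfa"]]
    minutes = int(window.total_seconds() // 60)

    # Five findings, each with the evidence it came from so it can be verified.
    findings = [
        {"text": f"{len(window_events)} events by {user} within +/-{minutes} min of the alert",
         "evidence": [e["time"] for e in window_events]},
        {"text": f"{len(ips)} distinct source IP(s) in the window: {', '.join(ips)}", "evidence": ips},
        {"text": f"{len(no_mfa_sensitive)} sensitive action(s) performed without MFA",
         "evidence": [e["time"] for e in no_mfa_sensitive]},
        {"text": f"{len(history)} prior alert(s) for {user} in 90 days, {len(same_rule)} on this rule",
         "evidence": [a["time"] for a in history]},
        {"text": f"Matched event: {alert['matched_events'][0]['event']}",
         "evidence": [alert["matched_events"][0]["time"]]},
    ]
    implications = []  # (kind, reason) pairs: kind is "Risk" or "Benign"
    if len(ips) > 1:
        implications.append(("Risk", "source IP changed mid-session"))
    if no_mfa_sensitive:
        implications.append(("Risk", "privileged change made without MFA"))
    if same_rule and all(a["status"] == "Invalid" for a in same_rule):
        implications.append(("Benign", "previous alerts on this rule for this user were closed as Invalid"))
    risk = any(kind == "Risk" for kind, _ in implications)
    actions = (["Confirm the activity with the user out of band",
                "Review credentials created in the window and revoke if unrecognised",
                "Save this analysis to the alert and assign an owner"]
               if risk else
               ["Close as Invalid if consistent with prior dispositions",
                "Save this analysis to the alert"])
    return {
        "Summary": f"{alert['rule']} fired for {user}; {'risk' if risk else 'benign'} indicators present",
        "Key Findings": findings,
        "Security Implications": implications,
        "Timeline": [(e["time"], e["event"], e["source_ip"]) for e in window_events],
        "Recommended Actions": actions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_triage_report(ALERT, EVENTS, PRIOR_ALERTS), indent=2))
```

Running the block prints the report for the constructed alert: four timeline entries for `alice`, two risk indicators (IP change mid-session, privileged actions without MFA) and one benign indicator (the prior alert on the same rule was closed as Invalid), so the recommended actions lean toward verification rather than closure. The `events_in_window` call with a wider window or a different user is the programmatic form of the follow-up prompts in the section above.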

Resolution: Preserve Investigation Outcomes

Once the investigation is complete, it's time to document and act on the findings. Panther AI streamlines the alert resolution process by generating actionable recommendations and one-click next steps:

The default quick actions are:

  • Assign Ownership: Self-assign the alert to the analyst responsible for triage

  • Save Analysis to Alert: Preserve the AI's findings as part of the permanent alert record

  • Set Alert Status: Close the alert as either Resolved or Invalid (false positive, benign, etc.)

Each saved analysis becomes part of a searchable knowledge base, creating an institutional memory that improves future investigations and detection engineering. This feedback loop also ensures that each investigation enhances the efficiency of future alert handling.

Finally, Panther AI also creates tailored recommendations based on its analysis and findings to take action outside the SIEM, such as in cloud buckets, identity providers, or by contacting users directly. This guidance can help analysts consider all angles for possible remediation.

With Panther AI's automated analysis, intelligent prompting, and secure resolution workflow, security teams can now focus on what matters most: protecting their organizations from evolving threats while maintaining complete control and visibility over the investigation process.

Transparent and Secure by Design

Security teams require complete confidence in their tools, particularly those incorporating AI. Panther AI is built with transparency and security as foundational principles:

  • Explainable Reasoning: Every analysis is transparent, with clear justifications traced back to source data. The system's "thinking steps" document each conclusion with explicit reasoning, connecting specific data points to security implications and providing direct links to verify findings.

  • Human-in-the-Loop: AI assists, but never replaces, human judgment in critical security decisions. The system presents findings and recommendations but leaves final determinations about alert status, escalation, and remediation to your security team.

  • Auditability: Every AI interaction is recorded and linked to specific alerts, creating a clear audit trail of analysis and decision-making for compliance requirements and post-incident reviews.

By combining powerful AI capabilities with rigorous security controls and complete transparency, Panther AI is a system that security teams can trust for sensitive investigations.

Getting Started with Panther AI

Panther AI is now available to all Panther customers, and its capabilities are integrated throughout the Console. We recommend starting with these steps:

  1. Enable Panther AI in your environment in General Settings → Enable Panther AI

  2. Try one-click analysis on recent alerts

  3. Experiment with custom prompts to refine investigations

Using Panther AI improves future triage effectiveness, as its results become increasingly tailored to your specific security needs and alert patterns. This capability is powered by your team's activity within your Panther instance and does not involve custom model training.

Panther AI represents the future of security operations—not by replacing analysts, but by removing the tedious, time-consuming tasks that prevent them from fully applying their expertise. By dramatically reducing the time between alert generation and informed action, security teams can finally break the linear relationship between alert volume and analyst headcount, scaling effectively against growing threats.
