Agoda improves security incident response with LLM-powered alert triage, phishing classification, and incident report generation
Agoda's Security IR team faced growing volume across three core workflows — alert triage, phishing review, and incident reporting — that manual processes could not sustain at scale: each alert took 20–40 minutes to handle, phishing reports required individual analyst review despite most being harmless, and incident reports took 5–7 hours to compile from scattered sources.
LLM-powered workflows reduced alert analysis time from 20–40 minutes to under 5 minutes with 97%+ human-analyst alignment; cut phishing response time to under 25 seconds with 99%+ classification precision and no known false negatives; and reduced incident report drafting from 5–7 hours to under 10 minutes with 95%+ factual accuracy.
Show all 13 reported metrics
Frequently asked questions
What did this team achieve with this AI workflow?
LLM-powered workflows reduced alert analysis time from 20–40 minutes to under 5 minutes with 97%+ human-analyst alignment; cut phishing response time to under 25 seconds with 99%+ classification precision and no known…
What tools did this team use?
LLMs, RAG, vector database, Slack, Jira, Confluence, Teams.
What results were reported?
Alert analysis time before automation: 20 to 40 minutes; Alert analysis time after automation: under 5 minutes; Alerts handled per 15 days: over 400 alerts every 15 days; LLM-human analyst alignment: 97%+ (source-reported, not independently verified).
How is this incident management AI workflow structured?
Security alert enters pipeline → RAG queries historical incidents → LLM triage generates verdict → Phishing email parsed and enriched → LLM classifies phishing email → Automated response sent to reporter → Multi-source investigation data collected → LLM drafts structured incident report → Human review and publication.