Slack Security Engineering builds multi-agent AI pipeline to streamline on-call security investigations
Slack's Security Engineering team handles a vast volume of security events from diverse data sources and spends on-call shifts doing the laborious work of manually gathering and reviewing alert evidence.
A prompt-based prototype produced highly variable results — sometimes jumping to spurious conclusions without adequately questioning its methods — and prompt refinement alone could not achieve the fine-grained control needed for consistent investigation performance.
Slack's on-call team has shifted from manually gathering evidence to supervising AI investigation teams, with agents making spontaneous and unprompted discoveries and yielding interactive, verifiable investigation reports.
Frequently asked questions
What did this team achieve with this AI workflow?
Slack's on-call team has shifted from manually gathering evidence to supervising AI investigation teams, with agents making spontaneous and unprompted discoveries and yielding interactive, verifiable investigation rep…
What tools did this team use?
coding agent CLI.
What results were reported?
Security events ingested per day: billions; On-call work mode shift: switching to supervising investigation teams, rather than doing the laborious work of gathering evidence; Agent discovery capability: spontaneous and unprompted discoveries; Overall benefit: meaningful benefits (source-reported, not independently verified).
What failed first in this deployment?
A prompt-based prototype produced highly variable results — sometimes jumping to spurious conclusions without adequately questioning its methods — and prompt refinement alone could not achieve the fine-grained control…
How is this incident management AI workflow structured?
Detection alert triggers investigation → Director broadcasts discovery questions → Expert agents gather domain findings → Critic scores and validates findings → Director routes to next phase → Interactive investigation report.