Agoda improves security incident response with LLM-powered alert triage, phishing classification, and incident report generation
Agoda's Security IR team faced growing volume across three core workflows — alert triage, phishing review, and incident reporting — that manual processes could not sustain at scale: each alert took 20–40 minutes to handle, phishing reports required individual analyst review despite most being harmless, and incident reports took 5–7 hours to compile from scattered sources.
How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases — not tied to any one vendor's stack. Specific products that implement these stages appear in “Tools commonly seen” below.
Stage 1 · Security alert enters pipeline
Alerts enter the system through Agoda's existing security pipeline.
Tools used: LLMs, RAG, vector database
Outcome
LLM-powered workflows reduced alert analysis time from 20–40 minutes to under 5 minutes with 97%+ human-analyst alignment; cut phishing response time to under 25 seconds with 99%+ classification precision and no known false negatives; and reduced incident report drafting from 5–7 hours to under 10 minutes with 95%+ factual accuracy.
Results
Time saved: 20 to 40 minutes
Volume: over 400 alerts every 15 days
Grounding & classification
Source type: technical build writeup
46 fields verified against source quotes.