Inferensys
Northwall cover

Case study / Agentic security operations

Agentic SOC workflow

Security teams are looking at agentic SOC, AI alert triage, autonomous investigation, and SOC automation for a practical reason: analysts need better context before they act.

Northwall connects a GitHub source, builds repository context, shows an investigation graph, lets the analyst review the plan, streams the run, and turns approved findings into GitHub issues.

Next.js 15, React 19, Tailwind CSS, Hono, Socket.IO, Zod, Supabase Auth

Project

Northwall

Category

Agentic SOC, AI alert triage, and security operations automation

Core loop

Connect source, build context, review plan, run agents, approve handoff

First connector

GitHub repository context and issue creation

Safety boundary

Owned systems, defensive analysis, analyst approval, no destructive actions

Repository

github.com/Inferensys/northwall

Product challenge

SOC automation works when analysts can verify the path.

Context before action

Northwall inventories repositories, routes, auth, config, CI, packages, and ownership context before the investigation starts.

Approval before response

The analyst sees the agent team, graph, task order, and approval notes before the run starts.

Findings need evidence and owners

Each finding carries severity, confidence, evidence, owner notes, issue text, and labels before it becomes a GitHub issue.

Demo

Watch the investigation from source to handoff.

The walkthrough shows source selection, context build, agent plan review, live investigation, findings review, and approved GitHub issue creation.

GitHub source selection and context build

Investigation graph with agent plan review

Finding handoff drafted as GitHub issues

Repository

Review the Northwall codebase.

The repo includes the Next.js frontend, Hono backend, shared schemas, agent runtime packages, screenshots, and demo video.

github.com/Inferensys/northwall (source repository)

Product architecture

The product surfaces security teams expect.

Northwall treats source context, evidence, authorization, and handoff as product surfaces, not hidden backend steps.

Context

Source connector

GitHub OAuth and repo selection keep source context tied to the investigation.

Repo, Branch, Provider token, Server-side storage

Source map

Context inventory

The backend reads the files analysts need during response: routes, auth, config, CI, packages, and ownership hints.

Routes, Auth, Config, CI
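The inventory step above, as an added example that is not Northwall's own code: a classifier that sorts a repository file listing into routes, auth, config, CI, packages and ownership context. The path patterns, the category names and the sample tree are assumptions made for illustration. One design choice worth keeping is that files likely to hold secrets (.env variants, private keys) are withheld from the agent context rather than inventoried; the source map is about structure, not secret values.

```typescript
// Added example (not Northwall's code): build a source map from a file listing.
// Patterns, category names and the sample tree are assumptions for illustration.

type Category = "routes" | "auth" | "config" | "ci" | "packages" | "ownership";

interface SourceMap {
  routes: string[];
  auth: string[];
  config: string[];
  ci: string[];
  packages: string[];
  ownership: string[];
  skipped: string[]; // withheld from agent context because they likely hold secrets
}

// Never feed these into an LLM context, even on an owned repository.
// ".env.example" / ".env.sample" / ".env.template" are structure, not secrets, and stay in.
const SECRET_LIKE: RegExp[] = [
  /(^|\/)\.env(?!\.(example|sample|template)$)(\..+)?$/,
  /\.(pem|key|p12|pfx)$/,
  /(^|\/)id_(rsa|ed25519)$/,
];

// A path may land in more than one category (an auth route is both "routes" and "auth").
const RULES: Array<{ category: Category; pattern: RegExp }> = [
  { category: "ci", pattern: /(^|\/)\.github\/workflows\/.+\.ya?ml$/ },
  { category: "ci", pattern: /(^|\/)(\.gitlab-ci\.yml|Jenkinsfile|\.circleci\/config\.yml)$/ },
  { category: "ownership", pattern: /(^|\/)CODEOWNERS$/ },
  { category: "packages", pattern: /(^|\/)(package\.json|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|requirements\.txt|go\.mod|Cargo\.toml)$/ },
  { category: "routes", pattern: /(^|\/)(routes?|pages\/api)\/.+\.(ts|js|tsx)$|(^|\/)route\.(ts|js)$/ },
  // Word-bounded so "authors.ts" is not mistaken for an auth file.
  { category: "auth", pattern: /(^|\/|[._-])(auth|session|middleware|rbac|permissions?)([._\/-]|$)/i },
  { category: "config", pattern: /(^|\/)config\/|\.config\.(ts|js|mjs|cjs)$|(^|\/)\.env\.example$|(^|\/)(docker-compose\.ya?ml|Dockerfile)$/ },
];

function buildSourceMap(paths: string[]): SourceMap {
  const map: SourceMap = { routes: [], auth: [], config: [], ci: [], packages: [], ownership: [], skipped: [] };
  paths.forEach((p) => {
    // Secret exclusion runs first, before any category rule can claim the file.
    if (SECRET_LIKE.some((re) => re.test(p))) {
      map.skipped.push(p);
      return;
    }
    RULES.forEach((rule) => {
      if (rule.pattern.test(p) && map[rule.category].indexOf(p) === -1) {
        map[rule.category].push(p);
      }
    });
  });
  return map;
}

// Constructed sample tree (not a real repository listing).
const SAMPLE_TREE: string[] = [
  ".github/workflows/ci.yml",
  ".github/CODEOWNERS",
  "package.json",
  "pnpm-lock.yaml",
  "next.config.mjs",
  ".env.example",
  ".env.local",
  "src/middleware.ts",
  "src/lib/session.ts",
  "src/app/api/users/route.ts",
  "src/app/api/auth/callback/route.ts",
  "src/routes/authors.ts",
  "src/components/Button.tsx",
  "deploy/server.pem",
];

const SAMPLE_MAP = buildSourceMap(SAMPLE_TREE);
console.log(JSON.stringify(SAMPLE_MAP, null, 2));
```

On the sample tree this yields three route files, three auth-related files, two config files, one CI workflow, two package manifests, one CODEOWNERS file, and two withheld files (.env.local and the .pem). The auth callback route appears under both routes and auth, which is what an analyst wants: it is the file to read first when the investigation touches login.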

Reasoning

Investigation graph

Services, dependencies, owners, and work items become a graph the analyst can review.

Services, Dependencies, Owners, Work items

Approval

Agent plan

Specialist agents and task order are shown before the investigation run starts.

Agent team, Task order, Approval notes, Scope

Action

Findings handoff

Findings become GitHub issues after the analyst selects and approves them.

Severity, Evidence, Owner notes, Issue body

Use cases

Where agentic SOC workflows create value.

Northwall is shaped around security work that needs context, evidence, approval, and a clear owner handoff.

Triage

AI alert triage

Turn noisy signals into a reviewed investigation plan with source context and analyst approval.

Alert triage, Context build, Severity, Confidence

Investigation

Threat investigation AI

Map services, dependencies, auth paths, routes, and owner hints into an investigation graph.

Threat investigation, Graph, Evidence, Owners

Vulnerabilities

Vulnerability management AI

Use repository context to draft actionable findings with evidence and suggested owner notes.

Vulnerability review, Source evidence, Risk notes, GitHub issues

Response

AI incident response

Create a response record that shows what was checked, what agents found, and which actions need approval.

Incident response, Run log, Handoff, Approvals

Remediation

Security work item creation

Convert selected findings into GitHub issues with severity, confidence, evidence, labels, and owner notes.

Issue body, Labels, Owner notes, Remediation

Integration pattern

GitHub first, with a path to the wider SOC stack.

Northwall starts with repository context and issue handoff. The same product pattern can extend to SIEM, EDR, cloud, identity, ticketing, and evidence stores.

GitHub

Repository context

Read repo, branch, packages, routes, auth files, config, CI, and ownership hints before running agents.

Repos, Branches, Packages, CI

Detection

SIEM and alert sources

Alert data can feed the same triage workflow when teams connect Splunk, Sentinel, Datadog, or other detection sources.

SIEM, Alerts, Events, Triage

Endpoint

EDR and endpoint context

Endpoint findings can be reviewed against source context before creating response work.

EDR, Endpoint, Evidence, Response notes

Cloud

Cloud and identity signals

Cloud configuration and identity events fit the same graph model when a team needs wider attack-path context.

Cloud, IAM, Permissions, Attack path

Action

Ticketing and SOAR handoff

Approved findings can move into GitHub, Jira, ServiceNow, or SOAR workflows with evidence already attached.

SOAR, Jira, ServiceNow, GitHub

Workflow showcase

Screens built for analyst review.

The main product screens keep source context, agent planning, live work, and handoff decisions visible.

Source selection

Start with a repo and branch.

The analyst chooses the source system up front. Tokens stay server-side, and the frontend sees connection metadata only.

GitHub, Repo, Branch
Northwall source selection screen
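The token boundary described above, as an added example that is not Northwall's own code: a backend connection store that keeps the provider token in a server-side map and returns only connection metadata to the browser. The function names, the metadata fields and the sequential connection ids are assumptions; a deployment would use random, unguessable ids and persistent server-side storage, and the OAuth exchange itself is outside the snippet.

```typescript
// Added example (not Northwall's code): provider tokens stay on the backend,
// the client sees connection metadata only. Names and shapes are assumptions.

type Provider = "github";

// The only connection record the frontend is ever given.
interface ConnectionMetadata {
  connectionId: string;
  provider: Provider;
  repo: string; // "owner/name"
  branch: string;
  connectedAt: string;
}

// Two separate stores on purpose: metadata and secrets never share an object,
// so there is no single record that could be serialized to the client by mistake.
const connections: Record<string, ConnectionMetadata> = {};
const providerTokens: Record<string, string> = {};

let nextId = 0;
// Assumption for the example: sequential ids. Use a random id (e.g. a UUID) in practice.
function newConnectionId(): string {
  nextId += 1;
  return "conn_" + nextId;
}

const REPO_PATTERN = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;
const BAD_BRANCH_CHARS = /[\s~^:?*\[\\]/;

// Called by the backend once the GitHub OAuth callback has produced a token.
function connectSource(token: string, repo: string, branch: string, now: Date = new Date()): ConnectionMetadata {
  if (!token || /\s/.test(token)) throw new Error("provider token is missing or malformed");
  if (!REPO_PATTERN.test(repo)) throw new Error("repo must be owner/name");
  if (!branch || BAD_BRANCH_CHARS.test(branch)) throw new Error("invalid branch name");
  const connectionId = newConnectionId();
  connections[connectionId] = { connectionId, provider: "github", repo, branch, connectedAt: now.toISOString() };
  providerTokens[connectionId] = token;
  return connections[connectionId];
}

// Server-only: the agent runtime resolves the token by connection id when it reads the repo.
function providerTokenFor(connectionId: string): string {
  const token = providerTokens[connectionId];
  if (!token) throw new Error("unknown connection");
  return token;
}

// What the API handler returns to the frontend. Serializing the metadata record
// directly means the client can only ever receive what this record contains.
function clientPayload(connectionId: string): string {
  const meta = connections[connectionId];
  if (!meta) throw new Error("unknown connection");
  return JSON.stringify(meta);
}

// Dropping a connection drops the token with it; nothing lingers in a second place.
function revokeConnection(connectionId: string): void {
  delete connections[connectionId];
  delete providerTokens[connectionId];
}

// Usage with a constructed token (not a real credential).
const demo = connectSource("gho_constructedtoken123", "acme/payments-api", "main");
console.log(clientPayload(demo.connectionId));
```

The check a practitioner would add to a test suite is the one on the payload: parse what the client receives, confirm it has no token-shaped field and that the token string never appears in it. That assertion is cheap and catches the common regression of a "convenient" combined connection object leaking into an API response.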

Plan review

Review the investigation before agents run.

Northwall shows source context, the investigation graph, the agent team, task order, and approval notes in one place.

Agent plan, Graph, Approval
Northwall agent plan review screen

Live run

Watch evidence appear as agents work.

Socket.IO events keep the run log, findings, and evidence trail visible while the investigation is active.

Run log, Evidence, Findings
Northwall live SOC run screen

Handoff

Send approved findings to owners.

The analyst chooses which findings become GitHub issues and reviews the issue text before creation.

Severity, Owner notes, GitHub issue
Northwall findings handoff screen

Operating loop

From source context to approved response work.

Northwall investigation graph and agent plan

01

Connect the source

The analyst selects a GitHub repo and branch. Provider credentials stay on the backend.

02

Build the source map

Northwall inventories packages, routes, handlers, auth, config, CI, and ownership context.

03

Review the plan

The agent team, task order, graph, and approval notes are shown before the run starts.

04

Watch the run

The live stream shows agent activity, evidence, findings, confidence, and severity.

05

Approve the handoff

Selected findings are previewed as GitHub issues and sent only after analyst approval.
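Steps 02 through 05 end at the handoff gate, shown here as an added example rather than Northwall's own code: a finding must carry evidence, a bounded confidence and an owner note, and must be approved by the analyst, before it is rendered as a GitHub issue payload. The Finding shape, the issue body layout and the sample findings are assumptions constructed for the example and are not findings from any real repository.

```typescript
// Added example (not Northwall's code): the approval gate between agent findings
// and GitHub issue creation. Types, field names and sample data are assumptions.

type Severity = "critical" | "high" | "medium" | "low" | "info";

interface Evidence {
  path: string;
  line?: number;
  excerpt: string;
}

interface Finding {
  id: string;
  title: string;
  severity: Severity;
  confidence: number; // 0..1
  evidence: Evidence[];
  ownerNotes: string;
  labels: string[];
  approved: boolean; // set only by the analyst in the review screen, never by an agent
}

// Shape of the payload handed to the GitHub "create issue" call.
interface IssueDraft {
  title: string;
  body: string;
  labels: string[];
}

interface HandoffResult {
  issues: IssueDraft[];
  rejected: Array<{ id: string; reasons: string[] }>;
}

// Every reason is collected rather than failing on the first, so the review
// screen can show the analyst everything that is missing at once.
function validateFinding(f: Finding): string[] {
  const reasons: string[] = [];
  if (!f.title.trim()) reasons.push("missing title");
  if (f.evidence.length === 0) reasons.push("no evidence attached");
  f.evidence.forEach((e, i) => {
    if (!e.path || !e.excerpt.trim()) reasons.push("evidence[" + i + "] lacks path or excerpt");
  });
  if (typeof f.confidence !== "number" || !(f.confidence >= 0 && f.confidence <= 1)) {
    reasons.push("confidence must be within 0..1");
  }
  if (!f.ownerNotes.trim()) reasons.push("missing owner notes");
  return reasons;
}

// The body is rendered from structured fields. Evidence excerpts are emitted as
// indented code so repository content is shown verbatim, not interpreted as markdown.
function draftIssue(f: Finding): IssueDraft {
  const lines: string[] = [
    "**Severity:** " + f.severity,
    "**Confidence:** " + Math.round(f.confidence * 100) + "%",
    "",
    "### Evidence",
  ];
  f.evidence.forEach((e) => {
    lines.push("- `" + e.path + (e.line !== undefined ? ":" + e.line : "") + "`");
    lines.push("");
    lines.push("      " + e.excerpt);
    lines.push("");
  });
  lines.push("### Owner notes", f.ownerNotes);
  const labels = f.labels.slice();
  if (labels.indexOf("severity:" + f.severity) === -1) labels.push("severity:" + f.severity);
  return { title: "[" + f.severity.toUpperCase() + "] " + f.title, body: lines.join("\n"), labels };
}

// Only findings that are both valid and analyst-approved become issues.
function handoff(findings: Finding[]): HandoffResult {
  const result: HandoffResult = { issues: [], rejected: [] };
  findings.forEach((f) => {
    const reasons = validateFinding(f);
    if (!f.approved) reasons.push("not approved by analyst");
    if (reasons.length > 0) {
      result.rejected.push({ id: f.id, reasons });
      return;
    }
    result.issues.push(draftIssue(f));
  });
  return result;
}

// Constructed sample findings (illustrative only, not from any real repository).
const SAMPLE_FINDINGS: Finding[] = [
  {
    id: "f-1", title: "Session token verified with algorithm taken from the token header",
    severity: "high", confidence: 0.8,
    evidence: [{ path: "src/lib/session.ts", line: 42, excerpt: "verify(token, key, { algorithms: [header.alg] })" }],
    ownerNotes: "Pin the accepted algorithm list; owner: @acme/platform-auth", labels: ["security"], approved: true,
  },
  { id: "f-2", title: "Outdated dependency in package.json", severity: "medium", confidence: 0.6,
    evidence: [], ownerNotes: "", labels: [], approved: true },
  { id: "f-3", title: "Debug route reachable without auth", severity: "low", confidence: 0.4,
    evidence: [{ path: "src/app/api/debug/route.ts", excerpt: "export const GET = handler" }],
    ownerNotes: "Confirm whether this is intended before filing", labels: [], approved: false },
];

console.log(JSON.stringify(handoff(SAMPLE_FINDINGS), null, 2));
```

With the sample input only f-1 becomes an issue: f-2 is approved but has neither evidence nor an owner note, and f-3 has evidence but was not approved. The approved flag is the one field an agent must never be able to set; in a real backend that means it is written only by the authenticated analyst's review request, not by anything in the run stream.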

Core screens

The SOC workflow stays readable.

Landing and positioning screen

01

Landing and positioning

The entry page explains the agentic SOC workflow in plain operational terms.

Plan approval screen

02

Plan approval

The analyst sees the investigation plan, graph, agent roles, and approval notes before the run starts.

Findings handoff screen

03

Findings handoff

Approved findings move into GitHub with evidence, severity, confidence, owner notes, and labels.

Search questions

Questions teams ask about agentic SOC.

These questions map to searches around AI SOC automation, alert triage automation, AI incident response, and security operations AI.

What is an agentic SOC platform?

An agentic SOC platform uses AI agents to help with security operations work such as alert triage, threat investigation, evidence gathering, run logging, and response handoff. The analyst still needs clear review and approval points.

How does Northwall support AI alert triage?

Northwall connects source context, builds an investigation graph, shows the agent plan, streams the run, and presents findings with severity, confidence, evidence, and owner notes.

Is Northwall built for autonomous SOC response?

Northwall is designed for human-in-the-loop security operations. Agents investigate and draft findings; response work moves forward only after analyst approval.

Which SOC integrations fit this workflow?

The first connector is GitHub for repository context and issue handoff. The same workflow can extend to SIEM, EDR, cloud, identity, ticketing, SOAR, and evidence storage systems.

What security use cases fit Northwall?

Northwall fits AI alert triage, threat investigation, vulnerability review, incident response support, security work item creation, and source-aware remediation planning for owned systems.

Product coverage

Desktop and mobile surfaces for the same SOC product.

The build includes the marketing entry point, source picker, plan review, live run, findings handoff, and mobile login flows.

Landing screen

Source selection screen

Agent plan screen

Live run screen

Findings screen

Mobile login screen

Contact

Talk to the team about your AI system.

Share what you are building, where you need help, and what needs to ship next. We will reply with the right next step.

01

NDA available

We can start under NDA when the work requires it.

02

Direct team access

You speak directly with the team doing the technical work.

03

Clear next step

We reply with a practical recommendation on scope, implementation, or rollout.

30m working session

Direct team access

Share the architecture, scope, and timeline so we can understand the work quickly.
