Build a security investigation agent that responds to detections (agent-as-code)

In this video we demonstrate how to build a custom security investigation agent using LimaCharlie’s agentic SecOps platform.

Using the AI Agent Builder and a plain-language prompt, we create an investigation bot called SSH Bot that runs automatically whenever sensitive SSH credential material is accessed on an endpoint.

When the detection fires, the agent:

  • Analyzes the process, command line, user, and host involved
  • Looks for signs of credential theft, persistence, or lateral movement
  • Reviews surrounding telemetry for suspicious activity
  • Writes a structured investigation report directly into LimaCharlie case management

The agent is saved as code, allowing it to be triggered by detections, run asynchronously across infrastructure, or executed on a schedule.

To demonstrate the workflow, we trigger the detection by accessing the .ssh directory on a Mac endpoint. The platform launches the agent, performs the investigation, and automatically creates a case summarizing the findings and risk level.
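As an added illustration (not LimaCharlie's code or the agent shown in the video), here is a minimal rule-based version of the triage the bullets above describe: it takes a constructed detection event for a file under ~/.ssh and returns a structured report with findings and a risk level, the kind of record the agent writes into case management. The event fields, the allow-list of expected reader processes and the scoring thresholds are assumptions for this example.

```python
"""Rule-based triage of an SSH-credential-access detection (constructed example)."""
from dataclasses import dataclass, field, asdict

# Assumption: processes that routinely read ~/.ssh during normal SSH use.
EXPECTED_READERS = {"ssh", "ssh-agent", "ssh-add", "ssh-keygen", "scp", "sftp", "git"}
PRIVATE_KEY_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"}


@dataclass
class Detection:
    """Fields a file-access detection would carry (assumed schema, not LimaCharlie's)."""
    host: str
    user: str
    process: str       # executable name, e.g. "ssh-agent"
    parent: str        # parent process name
    command_line: str
    file_path: str
    action: str        # "read" or "write"


@dataclass
class Report:
    host: str
    user: str
    findings: list = field(default_factory=list)
    risk: str = "low"

    def as_case(self) -> dict:
        """Structured form suitable for posting to a case-management system."""
        return asdict(self)


def triage(d: Detection) -> Report:
    report = Report(host=d.host, user=d.user)
    name = d.file_path.rsplit("/", 1)[-1]
    score = 0
    if name in PRIVATE_KEY_NAMES and d.action == "read":
        report.findings.append(f"private key {name} was read")
        score += 1
    if name == "authorized_keys" and d.action == "write":
        # A new trusted key is a classic persistence technique worth flagging.
        report.findings.append("authorized_keys modified: possible persistence")
        score += 2
    if d.process not in EXPECTED_READERS:
        report.findings.append(
            f"unexpected process {d.process} (parent {d.parent}) touched {d.file_path}: "
            f"{d.command_line}")
        score += 2
    report.risk = "high" if score >= 3 else "medium" if score == 2 else "low"
    return report
```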

This is an example of agent-as-code security operations, where investigation workflows can be created with prompts instead of weeks of engineering work.