An agent is an AI-powered workflow that can reason, make decisions, and take actions across your security stack. Unlike traditional automation that follows predefined logic, agents use Large Language Models (LLMs) to understand context, plan their actions, and adapt to different situations.

How Agents Work

Agents combine four key components:

Agents use state-of-the-art LLMs (hosted or custom) to:
  • Understand natural language instructions
  • Reason about complex problems
  • Decide which tools to use and when
  • Generate human-readable summaries

Tools are structured functions that agents can call to:
  • Query APIs (search Splunk logs, list SentinelOne alerts)
  • Take actions (create Jira tickets, send Slack messages)
  • Transform data (parse emails, extract indicators)
  • Access context (read memories, fetch documents)

Agents can access relevant context from:
  • Google Docs and Notion pages (runbooks, policies)
  • Previous executions (memories)
  • Integration data (user info, asset inventories)
  • Trigger payloads (the event that invoked them)

System prompts guide agent behavior by defining:
  • The agent’s role and responsibilities
  • When and how to use tools
  • Output format and tone
  • Decision-making criteria

Agent Execution Flow

When an agent runs, it follows this lifecycle:
1. Invocation

Agent receives a task from:
  • Trigger (Jira issue created, Slack mention, cron schedule)
  • Chat (user asks a question in the UI)
  • API call (programmatic invocation)

2. Context Loading

Agent loads relevant context:
  • System prompt and configuration
  • Context documents (Google Docs, Notion)
  • Agent memories
  • Trigger payload data

3. Planning (Optional)

If planning mode is enabled, the agent:
  • Analyzes the task
  • Creates a step-by-step plan
  • Identifies required tools and information

4. Execution Loop

Agent iteratively:
  • Decides next action (call a tool or respond)
  • Calls tools to gather data or take actions
  • Evaluates results and plans next steps
  • Continues until task is complete

5. Response

Agent produces output:
  • Text summary of findings and actions
  • Structured data (JSON, tables, charts)
  • Side effects (tickets created, messages sent)
  • Memories saved for future reference

Agent Types

Cotool supports two primary agent modes:
  • Autonomous Agents
  • Copilot Agents
Autonomous agents run without human intervention, triggered automatically by events. Examples:
  • Alert triage (triggered by security alerts)
  • Ticket enrichment (triggered when Jira issues are created)
  • Scheduled reports (triggered by cron)
  • Phishing analysis (triggered by emails)

Key Capabilities

Multi-Tool Orchestration

Agents can coordinate across dozens of tools in a single run, fetching data from Splunk, enriching with VirusTotal, and updating Jira—all autonomously.

Adaptive Reasoning

Agents adapt their approach based on what they discover. If one data source is unavailable, they can pivot to alternatives.

Context-Aware

Agents remember past executions and can reference organizational knowledge stored in docs and memories.

Auditable & Safe

Every tool call is logged. Agents only have access to explicitly granted tools and integrations.
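
The execution loop and the "Auditable & Safe" guarantees described above can be sketched as follows. This is an added example, not Cotool's implementation: `AgentRunner`, `decide`, `TOOLS` and `PLAN` are hypothetical names, the tools are constructed stubs, and a scripted plan stands in for the model's decisions. The grant check and the audit record live in the dispatcher, outside the model, and the loop has a hard step limit.

```python
import time

class ToolDenied(Exception): pass

class AgentRunner:
    def __init__(self, tools, granted, decide, max_steps=8):
        self.tools = tools            # name -> callable(**args)
        self.granted = set(granted)   # explicit grant list, enforced outside the model
        self.decide = decide          # stand-in for the LLM: history -> next action
        self.max_steps = max_steps    # hard bound on the execution loop
        self.audit = []               # one record per requested tool call

    def _call(self, name, args):
        allowed = name in self.granted and name in self.tools
        # Record the request before running it, so denied calls are logged too.
        self.audit.append({"ts": time.time(), "tool": name, "args": args,
                           "decision": "allowed" if allowed else "denied"})
        if not allowed:
            raise ToolDenied(name)
        return self.tools[name](**args)

    def run(self, task):
        history = [{"role": "task", "content": task}]
        for _ in range(self.max_steps):
            action = self.decide(history)
            if action["type"] == "respond":
                return action["text"]
            try:
                result = self._call(action["tool"], action.get("args", {}))
            except ToolDenied as exc:
                result = {"error": f"tool not granted: {exc}"}  # fed back, never executed
            history.append({"role": "tool", "name": action["tool"], "content": result})
        return "stopped: step limit reached"

TOOLS = {  # constructed tools; PLAN below is a scripted stand-in for model decisions
    "search_logs": lambda query: [{"host": "ws-17", "event": query, "count": 42}],
    "create_ticket": lambda summary: {"id": "TICKET-1", "summary": summary},
    "disable_user": lambda user: {"disabled": user},
}
PLAN = [
    {"type": "tool", "tool": "search_logs", "args": {"query": "failed_login"}},
    {"type": "tool", "tool": "disable_user", "args": {"user": "alice"}},  # not granted
    {"type": "tool", "tool": "create_ticket", "args": {"summary": "failed logins on ws-17"}},
    {"type": "respond", "text": "Ticket opened; account action left to a human."},
]
def demo():
    decide = lambda history: PLAN[sum(h["role"] == "tool" for h in history)]
    runner = AgentRunner(TOOLS, {"search_logs", "create_ticket"}, decide)
    answer = runner.run("Triage failed-login alert")
    return answer, [(e["tool"], e["decision"]) for e in runner.audit]
```

In `demo()`, the `disable_user` request is registered but not granted, so it appears in the audit trail as denied and the run continues with the remaining steps.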