
How Salesforce Built an AI Security Agent for Autonomous Threat Triage

By Mor Levi · Salesforce Engineering Blog · Advanced · Architect · 7 min read
Summary

Salesforce developed an autonomous AI security agent called SATA to tackle the overwhelming volume and complexity of security alerts across their enterprise environment. SATA acts as the first line of triage by integrating data from fragmented systems, applying analyst-modeled logic to prioritize threats, and reducing false positives. This enables security analysts to focus on high-priority cases and accelerates incident response. The approach addresses real challenges faced by large Salesforce environments in scaling cybersecurity operations while maintaining high accuracy and trust. Salesforce teams can learn from this autonomous triage model to enhance their own security operations using AI-driven workflows.

Takeaways
  • Leverage AI agents for initial triage to handle high-volume security alerts efficiently.
  • Integrate logs, case systems, and operational data into a unified workflow for accurate context.
  • Use confidence scoring to balance automation with human review for trusted autonomous triage.
  • Apply multi-agent perspectives to improve detection accuracy and reduce false positives.
  • Plan future enhancements for autonomous incident response to reduce containment times.
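As an added illustration (this is not SATA's code and nothing from the post describes its internals), the confidence-scoring and multi-agent takeaways above can be combined into a single routing step: several independent triage perspectives each score an alert, the mean score becomes the confidence, and the spread between perspectives decides whether the case is safe to automate or must go to an analyst. The thresholds, agent names, the `crown_jewel` context flag and the sample alert are all constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Thresholds are illustrative assumptions, not values from the post.
AUTO_CLOSE_BELOW = 0.20   # mean score at or below this may be closed automatically
ESCALATE_ABOVE = 0.85     # mean score at or above this pages the on-call analyst
MAX_DISAGREEMENT = 0.25   # std. dev. of agent scores above this forces human review

@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    context: dict = field(default_factory=dict)  # enrichment from asset/case systems

@dataclass
class Verdict:
    agent: str        # which triage perspective produced the score
    malicious: float  # estimated probability the alert is a true positive, 0..1
    rationale: str

def triage(alert: Alert, verdicts: list[Verdict]) -> dict:
    """Combine independent agent verdicts into one routing decision."""
    if not verdicts:
        return {"decision": "analyst_review", "confidence": None, "reason": "no verdicts"}
    scores = [v.malicious for v in verdicts]
    confidence = mean(scores)
    disagreement = pstdev(scores) if len(scores) > 1 else 0.0
    if disagreement > MAX_DISAGREEMENT:
        decision, reason = "analyst_review", "agents disagree"
    elif confidence >= ESCALATE_ABOVE:
        decision, reason = "escalate", "high confidence true positive"
    elif confidence <= AUTO_CLOSE_BELOW and not alert.context.get("crown_jewel"):
        decision, reason = "auto_close", "low confidence, non-critical asset"
    elif confidence <= AUTO_CLOSE_BELOW:
        decision, reason = "analyst_review", "low confidence but critical asset"
    else:
        decision, reason = "analyst_review", "ambiguous confidence"
    return {"decision": decision, "confidence": round(confidence, 3),
            "disagreement": round(disagreement, 3), "reason": reason}

# Constructed sample: a CI runner flagged by a generic rule; three perspectives agree it is benign.
SAMPLE_ALERT = Alert("A-1001", "rare_process_parent", "build-runner-07",
                     {"crown_jewel": False, "open_case": None})
SAMPLE_VERDICTS = [
    Verdict("behavioural", 0.10, "parent/child pair seen on 40 other runners today"),
    Verdict("threat_intel", 0.15, "no IOC match; binary hash is signed build tooling"),
    Verdict("asset_context", 0.05, "ephemeral runner, rebuilt nightly"),
]
```

Calling `triage(SAMPLE_ALERT, SAMPLE_VERDICTS)` returns an `auto_close` decision; the same verdicts against an asset marked `crown_jewel` route to an analyst, and a split vote (one agent at 0.95, two near 0.2) is held for review regardless of the mean.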

In our Engineering Energizers Q&A series, we highlight the engineering minds driving innovation across Salesforce. Today, we spotlight Mor Levi, Vice President of Detection, Analysis and Response at Salesforce, who leads the teams responsible for enterprise cyber defense across 80,000 employees and an attack surface spanning infrastructure, platforms, and cloud environments. Explore how the team enabled autonomous triage across multi-layered security platforms, helping to ensure analyst-grade precision across a distributed data landscape.

What is your team’s mission in protecting Salesforce through threat detection, incident response, and enterprise security operations?

Our team protects Salesforce from cybersecurity threats across our employees, infrastructure, and production systems. We detect suspicious activity early to contain threats before they expand. Our operations evolve to protect an increasingly dynamic environment.
