
Powered by Lemma Series


Jae Surh - Software Engineer at Thread AI
Sam Olson - Security Engineer at Omada Technologies

August 28, 2025


In this installment of our customer series, Powered by Lemma, we showcase a workflow on alert triaging in cyber security with Omada Technologies, a provider of technology solutions for network infrastructure, information security, data protection, and storage.

Alert triaging is the rapid process of filtering, categorizing, and prioritizing incoming security alerts to determine which ones are real threats, which are false positives, and which require immediate escalation.


Alert triaging presents numerous challenges.

Most security-minded organizations utilize multiple security tools. Each can generate a large volume of alerts that might overwhelm analysts, causing alert fatigue and making it difficult to isolate valid threats. Also, each alert lacks the full context of the possible security threat as attack attempts can be dispersed across multiple systems, requiring analysts to correlate data from many different sources. Furthermore, attack vectors evolve constantly, so security analysts must maintain their knowledge of the latest cyber attack patterns. Despite all these challenges, security analysts are constantly working against the clock to reduce the MTTR (mean time to respond) as any delay could have catastrophic consequences.

For Omada, the magnitude of this concern is much greater as they manage the security of numerous clients. Each new customer entails a new attack surface to protect, with new devices and software, as well as different user and network patterns. Consequently, every customer environment is unique, possibly necessitating a brand new security approach. This not only increases the cardinality of alerts and data, but also increases the complexity of scaling with a unified approach that can be extended to any customer.

To tackle these issues, Omada utilizes a number of tools whose alerts consolidate in a SIEM (Security Information and Event Management), providing a powerful solution for collecting, analyzing, and managing all security data. To add a force multiplier to their existing powerful tools that they’ve invested time and resources in, they wanted to integrate customizable and autonomous AI workflows into their existing tools.


Working with Lemma, Omada looked for key out-of-the-box capabilities that would allow for an iterative, context-rich workflow with human intervention.

1. Utilize an Iterative Agent
Utilize an iterative agent-tool-call approach that pulls and parses only the data that it requires, iteratively building an understanding of the possible incident. This follows the actual approach a security analyst would take to triage an alert, rather than a naive one-shot approach.

2. Incorporate Human-in-the-Loop
Incorporate HITL into the workflow to allow a security analyst to provide feedback or instructions on the LLM agent’s responses, and to sign off on any compensating actions that should be taken.

3. Build a modular, scalable solution
Build a modular, scalable solution by being able to easily templatize, replicate, and customize workflows for each customer. This requires effortless integration of new APIs and the ability to orchestrate different workflows together with subflows.

4. Support a complex auth scheme
Support a complex auth scheme to provide the appropriate access controls for users and workflows to support multiple customers in a unified setting.

5. Build a CVE knowledge base
Automate the building and maintenance of CVE knowledge bases for relevant attack vectors for each customer directly in the platform, updated periodically by pulling data on the latest cyber threats and security best practices from a variety of sources.


The result is the Alert Triage Worker.
Figure: Representative Alert Triage Worker

The Alert Triage Worker can be triggered by a host of Connectors, including the CrowdStrike Falcon Connector, which carries details of possibly malicious activity on a machine, or the Okta User Connector, which carries suspicious access logs, among others. Lemma Connectors provide integrations to ingest data from various APIs and data sources into the platform to run workflows. Because they are modular and easy to set up, new Connectors can be added and swapped out for different use cases, providing easy integration with any existing alerting setup.

The information from the Connector is fed into an LLM agent that is instructed to triage the alert, using tools to gather more information as needed. These tools can easily be generated by importing OpenAPI schemas or cURL commands, or written manually. In the pared-down example above, the LLM agent is given access to APIs such as the Okta Users API, the CrowdStrike Falcon API, the Palo Alto PAN-OS API, and the AWS CloudWatch API to gather information on suspicious user activity, machine logs, malicious IPs, and network logs respectively.

This Lemma Worker also has appropriately scoped access to a vector database in the platform that is periodically hydrated with the latest attack patterns relevant to the customer's context. The vector database is hydrated by a separate workflow that periodically gathers the latest threat intelligence, selects the items relevant to the customer profile, embeds them, and stores them in the DB. The agent can query this vector database to obtain critical context for each customer.

In a loop loosely following the ReAct Agent pattern, the agent iterates between parsing data and calling tools until it decides that it has enough information to conclude whether the alert is a false positive or a valid incident, in which case it also categorizes the incident. Once the agent reaches a conclusion, any relevant incident playbooks are pulled and a report is generated with the data, recommendations, and playbooks.

Upon report generation, a security analyst is notified and the workflow waits for the analyst to review the findings. The security analyst can view the report within the platform and either accept the agent’s conclusion, or provide feedback and instructions on the agent’s approach. If the security analyst provides feedback, the agent starts the iteration loop again with the feedback, executing additional tool calls to fulfill the analyst’s instructions. It continues this cycle until the security analyst is satisfied with the report and recommendations that have been generated.
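The loop described above, as an added example that is not Lemma's or Omada's code: a ReAct-style triage loop in which a decision step chooses the next tool call from the evidence gathered so far, concludes with a verdict and category once it has enough, and re-enters the loop when an analyst returns feedback instead of accepting the report. Everything external is a constructed stand-in: the Okta and Falcon lookups return canned data, the knowledge-base tool uses keyword overlap in place of embedding similarity over a hydrated vector store, the `policy` function stands in for the LLM's reasoning step, and the analyst is a scripted callable.

```python
"""Minimal ReAct-style alert triage loop with a human-in-the-loop review step.
Added illustration; all tools, data and the decision policy are constructed
stand-ins, not Lemma platform APIs."""
from dataclasses import dataclass, field

# Constructed stand-ins for the Okta Users API and the CrowdStrike Falcon API.
OKTA_EVENTS = {
    "alice": [{"ip": "203.0.113.9", "country": "RO", "result": "SUCCESS", "mfa": False},
              {"ip": "198.51.100.7", "country": "US", "result": "SUCCESS", "mfa": True}],
    "bob": [{"ip": "198.51.100.20", "country": "US", "result": "SUCCESS", "mfa": True}],
}
FALCON_DETECTIONS = {
    "host-17": [{"process": "powershell.exe", "severity": "high", "tactic": "Credential Access"}],
    "host-42": [],
}
# Constructed stand-in for the hydrated vector DB: (tags, intel text).
THREAT_INTEL = [
    ({"credential access", "powershell"}, "Recent campaigns dump credentials via PowerShell after token theft."),
    ({"okta", "mfa", "foreign login"}, "Session hijacking often surfaces as non-MFA logins from new geographies."),
]

def okta_user_events(user):
    return OKTA_EVENTS.get(user, [])

def falcon_detections(host):
    return FALCON_DETECTIONS.get(host, [])

def knowledge_base(query_terms):
    """Keyword overlap as a stand-in for embedding similarity; returns matching intel."""
    terms = set(query_terms)
    scored = sorted(THREAT_INTEL, key=lambda e: len(e[0] & terms), reverse=True)
    return [text for tags, text in scored if tags & terms]

TOOLS = {"okta_user_events": okta_user_events,
         "falcon_detections": falcon_detections,
         "knowledge_base": knowledge_base}

@dataclass
class TriageState:
    alert: dict                                   # e.g. {"user": "alice"} from an Okta-style connector
    evidence: dict = field(default_factory=dict)  # tool name -> observation
    feedback: list = field(default_factory=list)  # analyst instructions, newest last
    steps: int = 0

def policy(state):
    """Stand-in for the LLM 'reason' step: returns ('call', tool, arg) or
    ('conclude', verdict, category) based on the evidence gathered so far."""
    ev = state.evidence
    # Analyst instructions take precedence over the agent's own plan.
    for instr in state.feedback:
        if instr.startswith("check_host:") and "falcon_detections" not in ev:
            return ("call", "falcon_detections", instr.split(":", 1)[1])
    if "okta_user_events" not in ev:
        return ("call", "okta_user_events", state.alert["user"])
    risky = [e for e in ev["okta_user_events"] if not e["mfa"] and e["country"] != "US"]
    if risky and "knowledge_base" not in ev:
        return ("call", "knowledge_base", ["okta", "mfa", "foreign login"])
    if ev.get("falcon_detections"):
        return ("conclude", "incident", "credential access with endpoint detection")
    if risky:
        return ("conclude", "incident", "suspicious login")
    return ("conclude", "false positive", None)

def run_loop(state, max_steps=8):
    """Reason -> act -> observe until the policy concludes or the step budget is spent."""
    while state.steps < max_steps:
        state.steps += 1
        action = policy(state)
        if action[0] == "conclude":
            return {"verdict": action[1], "category": action[2], "evidence": dict(state.evidence)}
        _, tool, arg = action
        state.evidence[tool] = TOOLS[tool](arg)
    return {"verdict": "undetermined", "category": None, "evidence": dict(state.evidence)}

def triage_with_review(alert, analyst):
    """Run the loop, hand the report to the analyst, and re-enter the loop with
    each piece of feedback until the analyst returns 'accept'."""
    state = TriageState(alert=alert)
    while True:
        report = run_loop(state)
        decision = analyst(report)
        if decision == "accept":
            return report
        state.feedback.append(decision)
        state.steps = 0  # fresh budget for the follow-up instructions

def scripted_analyst(responses):
    """Test double for the human reviewer: replays a fixed list of decisions."""
    it = iter(responses)
    return lambda report: next(it)

if __name__ == "__main__":
    final = triage_with_review({"user": "alice"}, scripted_analyst(["check_host:host-17", "accept"]))
    print(final["verdict"], "-", final["category"])
```

In the scripted run, the first pass concludes "suspicious login" from the non-MFA foreign login plus the retrieved intel; the analyst's "check_host:host-17" instruction sends the agent back for an endpoint lookup, and the second report is upgraded once the Falcon detection is in evidence. The step budget in `run_loop` is the guard a practitioner would want against an agent that keeps calling tools without converging.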

Figures: Hydration Workflow; Handoff Review

If the analyst accepts the report, they can also sign off on any playbooks or compensating actions, such as isolating a compromised machine, or terminating a user session. These compensating actions are executed asynchronously as subflows, spawning off separate durable workflows in the platform that can orchestrate their own complex logic and tasks. Once all playbooks are executed, an event is created in the security team’s incident management platform to document the incident and the entire process.

As for any Worker, this Triage Worker can easily be turned into a Worker Template within Lemma to be utilized as the basis for new workflows. This provides a balance between being able to scale solutions with a generic workflow template and being able to provide customizations for each customer by updating each instance of the template with different APIs, data sources, prompts, and access.

This approach unlocks the full potential of Omada’s existing tools, merging the data and capabilities of their existing stacks with autonomous, customized AI agents to accelerate response time and reduce alert fatigue. This AI-driven force multiplier frees analysts to make the actual high-fidelity decisions sooner, allowing them to utilize insights from the best tools and models with no vendor and cloud lock-in.
