
Human Framework, Machine Speed: Scaling SOC Judgment Through Agentic AI

Last updated on Jul 25, 2025

In security operations, structure is a necessity. The OSCAR framework (Obtain information, Strategize, Collect evidence, Analyze, Report), introduced in Davidoff and Ham's 2012 book Network Forensics: Tracking Hackers Through Cyberspace, provides a disciplined approach to full-scale detection and response, and it has long been the investigative backbone of the Rapid7 SOC. When stakes are high and time is limited, the framework delivers where something flashier and more theoretical might not. But as attack surfaces expand and the tempo of threats increases, applying that structure consistently across thousands of alerts is no longer feasible without intelligent assistance.

With our recently announced agentic AI workflows, we're encoding OSCAR as a model of reasoning by embedding a disciplined investigation strategy directly into our next-gen SIEM. This operationalizes analysts’ best habits at speed and scale, and extends their ability to make informed decisions using the investigative discipline they already rely on.

OSCAR, encoded with intent

Every investigation begins with Obtain, a phase that goes beyond reading the alert. The AI agent builds a mental map; it parses the alert signal, evaluates metadata against current asset intelligence, and identifies what context is immediately available versus what is missing. For example, it may assess whether the impacted system recently changed users, is running newly deployed software, or sits within a sensitive network segment. This orientation defines the scope and hypotheses for the investigation.

In Strategize, the agent draws from documented playbooks, but doesn’t follow them blindly. It assesses the volatility of the signal, the confidence level of any existing model classifications, and even prior alert outcomes for similar contexts. Is this a routine trigger, or does the surrounding telemetry suggest escalation potential? Strategizing maps the right approach and keeps the investigation focused and proportionate to the risk.

The Collect phase prioritizes relevance over volume. The agent interrogates sources contextually, reviewing alert history, target system behavior, and related log data to assemble a coherent picture. Those sources include user behavior analytics, endpoint telemetry, and enrichment from threat intelligence. Rather than defaulting to static queries, it adapts based on mid-investigation findings: if an unusual parent process emerges, it expands to include sibling process behavior; if geolocation anomalies surface, it pivots to identity and access logs.

During Analyze, the system applies behavioral modeling, pattern matching, and sequence reconstruction to weigh potential indicators of compromise. It surfaces inconsistencies, outliers, and supporting evidence, correlating across multiple data points to form defensible narratives. Reflecting how real analysts work, this process is iterative, contextual, and grounded in human judgment.

In Report, the agent compiles its findings with structured rationale: outlining the chain of logic, the confidence of disposition, and any assumptions made along the way. This delivers both a conclusion and a clear account of how that conclusion was reached, arming analysts with context they can trust and act on.

This applied investigation logic – designed to be transparent, traceable, and aligned with analyst intuition – represents a significant expansion beyond workflow automation without compromising consistency.
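To make the five phases above concrete, here is an added illustration of OSCAR as an adaptive, auditable investigation loop. It is not Rapid7's code and not how the Rapid7 agent is implemented: the host, users, process tree, login records, rule name, prior-outcome counts and scoring weights are all constructed for the example. What it shows is the shape the text describes: orientation against asset context (Obtain), a plan weighted by prior outcomes and asset sensitivity (Strategize), collection that pivots to sibling processes on an unusual parent and to identity logs on a geo anomaly (Collect), named findings scored on top of the prior (Analyze), and a report that carries the disposition, confidence, assumptions and the full action trail (Report).

```python
# Added illustration of the OSCAR phases as an adaptive, auditable loop over
# constructed telemetry. Not Rapid7's code: every host, user, rule name,
# prior-outcome count and scoring weight below is hypothetical.
from dataclasses import dataclass, field

# --- Constructed sample data (hypothetical) -----------------------------------
ASSETS = {"ws-042": {"segment": "finance", "recent_user_change": True}}
PROCESSES = [
    {"host": "ws-042", "pid": 410, "ppid": 120, "image": "winword.exe"},
    {"host": "ws-042", "pid": 511, "ppid": 410, "image": "powershell.exe"},
    {"host": "ws-042", "pid": 512, "ppid": 410, "image": "cmd.exe"},
    {"host": "ws-042", "pid": 600, "ppid": 120, "image": "outlook.exe"},
]
LOGINS = [
    {"user": "jsmith", "country": "US", "result": "success"},
    {"user": "jsmith", "country": "BR", "result": "success"},
]
PRIOR_OUTCOMES = {"office-spawns-shell": {"benign": 2, "malicious": 11}}  # per rule
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Investigation:
    alert: dict
    context: dict = field(default_factory=dict)
    plan: dict = field(default_factory=dict)
    evidence: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)
    trail: list = field(default_factory=list)  # every action taken, for auditability

    def record(self, phase, action, result):
        self.trail.append({"phase": phase, "action": action, "result": result})


def obtain(inv):
    """Orient: pull asset context for the alert and note what is missing."""
    asset = ASSETS.get(inv.alert["host"], {})
    missing = [k for k in ("segment", "recent_user_change") if k not in asset]
    inv.context = {"asset": asset, "missing": missing}
    inv.record("Obtain", f"asset lookup {inv.alert['host']}", asset or "no record")


def strategize(inv):
    """Weight the plan by prior outcomes of this rule and by asset sensitivity."""
    hist = PRIOR_OUTCOMES.get(inv.alert["rule"], {"benign": 0, "malicious": 0})
    total = hist["benign"] + hist["malicious"]
    prior = hist["malicious"] / total if total else 0.5  # no history: undecided
    sensitive = inv.context["asset"].get("segment") == "finance"
    inv.plan = {"prior_malicious": prior, "escalate": prior > 0.5 or sensitive}
    inv.record("Strategize", "weigh prior outcomes", f"p={prior:.2f} sensitive={sensitive}")


def collect(inv):
    """Pull the process tree, then pivot only where mid-investigation findings warrant."""
    a, ev = inv.alert, inv.evidence
    proc = next((p for p in PROCESSES if p["host"] == a["host"] and p["pid"] == a["pid"]), None)
    parent = next((p for p in PROCESSES if proc and p["pid"] == proc["ppid"]), None)
    ev["process"], ev["parent"] = proc, parent
    inv.record("Collect", "process tree", f"{parent and parent['image']} -> {proc and proc['image']}")
    if parent and parent["image"] in OFFICE_APPS:  # unusual parent: widen to siblings
        ev["siblings"] = [p for p in PROCESSES if p["ppid"] == parent["pid"] and p != proc]
        inv.record("Collect", "siblings (pivot: office parent)", [s["image"] for s in ev["siblings"]])
    countries = {l["country"] for l in LOGINS if l["user"] == a["user"] and l["result"] == "success"}
    if len(countries) > 1:  # geo anomaly: pivot to identity and access logs
        ev["logins"] = [l for l in LOGINS if l["user"] == a["user"]]
        inv.record("Collect", "identity logs (pivot: geo anomaly)", sorted(countries))


def analyze(inv):
    """Score indicators on top of the prior; each finding is named so the report can cite it."""
    ev, score = inv.evidence, inv.plan["prior_malicious"]
    proc, parent = ev.get("process"), ev.get("parent")
    if proc and parent and parent["image"] in OFFICE_APPS and proc["image"] in SHELLS:
        inv.findings.append("office application spawned a shell")
        score += 0.2
    if any(s["image"] in SHELLS for s in ev.get("siblings", [])):
        inv.findings.append("second shell under the same parent (a sequence, not a one-off)")
        score += 0.1
    if "logins" in ev:
        inv.findings.append("successful logins from multiple countries")
        score += 0.1
    if inv.context["asset"].get("recent_user_change"):
        inv.findings.append("asset recently changed user (baseline less reliable)")
    inv.plan["score"] = min(score, 1.0)
    inv.record("Analyze", "weigh indicators", f"score={inv.plan['score']:.2f}")


def report(inv):
    """Disposition plus the chain of logic, confidence and assumptions behind it."""
    score = inv.plan["score"]
    disposition = "malicious" if score >= 0.7 else "benign" if score <= 0.3 else "needs analyst"
    inv.record("Report", "disposition", disposition)
    return {"disposition": disposition, "confidence": round(score, 2), "findings": inv.findings,
            "assumptions": ["asset inventory is current"] + [f"{m} unknown" for m in inv.context["missing"]],
            "chain_of_logic": inv.trail}


def investigate(alert):
    inv = Investigation(alert)
    for phase in (obtain, strategize, collect, analyze):
        phase(inv)
    return report(inv)


if __name__ == "__main__":
    import json
    alert = {"rule": "office-spawns-shell", "host": "ws-042", "pid": 511, "user": "jsmith"}
    print(json.dumps(investigate(alert), indent=2))
```

The middle band of the score ("needs analyst") is deliberate: the point of the framework is not to force every alert to a binary verdict but to hand the ambiguous ones to a human with the trail already built. Every pivot in `collect` is recorded with the reason it fired, so a reviewer can see not only what was concluded but why a given log source was or was not consulted.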

What it means for customers

We’re already seeing the impact of AI in the Rapid7 SOC:

  • 200+ analyst hours saved per week, reducing fatigue and reallocating talent to proactive defense.

  • 99.93% benign disposition accuracy, driving confidence in triage precision.

  • Seamless transparency via the SIEM, enabling agentic outputs to appear alongside traditional investigation artifacts.

The efficiency gains within our SOC, and resulting benefits for customers, reflect a shift in how work gets done today. With foundational triage increasingly handled by the AI engine, analysts can now focus their time and cognitive energy on the complex, ambiguous, or higher-stakes investigations that benefit most from human insight. This allows SOCs to respond faster and smarter, tackling multi-stage intrusions, lateral movement, and evasive behaviors with more focus and fewer distractions.

Agentic AI enables every alert to benefit from the same structured scrutiny our top analysts bring to priority cases – ensuring quality doesn’t degrade with volume and empowering analysts to elevate their role in the detection and response lifecycle.

Structured reasoning, transparent execution

Trust in AI needs more than results; it requires clarity and evidence. That’s why every action taken by the agent is recorded and explainable. Security leaders can inspect both the outcome and the reasoning that produced it, providing auditability for internal teams and external stakeholders alike.

With agentic AI and the OSCAR framework, we’re scaling human judgment with machine speed. And in today’s threat landscape, that may be the most important shift a SOC can make. To learn more about how agentic AI is empowering Rapid7 MDR, get in touch with an expert.
