$ triage-warden --status OPERATIONAL

AI-powered incident triage for modern SOCs

Automatically analyze, classify, and prioritize security incidents with AI that explains its reasoning. Cut triage time by 90% and never miss a real threat.

triage-warden v2.4.0
$ tw analyze INC-2026-0847
Analyzing incident...
Enriching with threat intel... done
Running RAG context lookup... done
Evaluating MITRE techniques... done
 
Verdict: MALICIOUS (confidence: 0.96)
Type: Credential Phishing
MITRE: T1566.001 → T1078 → T1534
Action: Quarantine mailbox, reset creds
Awaiting analyst approval...

Integrates with the tools you trust

Splunk, CrowdStrike, Microsoft 365, Okta, Jira

AI-Powered Analysis

Advanced LLMs provide human-level reasoning with full explainability for every decision.

90% Faster Triage

Reduce MTTR dramatically and eliminate the backlog of unreviewed alerts.


Seamless Integrations

Connect your entire security stack with native connectors and webhooks.


Your Data, Your Control

Self-hosted options, full audit trails, and bring your own API keys.

90%
Reduction in triage time
24/7
Automated monitoring
10x
Analyst productivity boost

Built for Security Operations

A complete platform with AI at its core, designed for the way modern SOC teams actually work.

Explainable AI

AI that explains its reasoning

Unlike black-box solutions, Triage Warden shows you exactly why it classified each incident. Every verdict comes with detailed reasoning, IOC extraction, and MITRE ATT&CK mapping.

analysis_output.log
# Investigation Steps
1. Parsed email headers → spoofed sender
2. URL detonation → credential harvest page
3. Domain age: 2 days (suspicious)
4. TI match: APT-29 infrastructure
5. Similar incident: INC-2026-0791 (confirmed)
 
# Verdict
classification: MALICIOUS
confidence: 0.96
mitre: T1566.001, T1078, T1534
Policies

Policy-driven automation

Define exactly how Triage Warden should respond to different scenarios. Configure approval workflows, automate low-risk responses, and ensure sensitive actions get proper review.

policy.toml
# Auto-quarantine high-confidence phishing
[[policy.rules]]
name = "auto_quarantine_phishing"
action = "quarantine_email"
classification = "malicious"
confidence_min = 0.9
decision = "allowed"
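As an added illustration (not the product's own code), a small Python evaluator for rules in the [[policy.rules]] shape shown in policy.toml above, applied to a verdict like the one in the transcript. The rule semantics, the second rule and the "requires_approval" decision value are assumptions; the evaluator fails closed, so any action no rule explicitly allows waits for an analyst.

```python
from dataclasses import dataclass

# Constructed rule set mirroring the [[policy.rules]] layout of policy.toml.
# The first rule is the one shown on the page; the second is an assumed
# example of a sensitive action that must always get analyst review.
POLICY = {"policy": {"rules": [
    {"name": "auto_quarantine_phishing", "action": "quarantine_email",
     "classification": "malicious", "confidence_min": 0.9,
     "decision": "allowed"},
    {"name": "cred_reset_needs_review", "action": "reset_credentials",
     "classification": "malicious", "confidence_min": 0.0,
     "decision": "requires_approval"},
]}}

REQUIRES_APPROVAL = "requires_approval"  # assumed decision value


@dataclass(frozen=True)
class Verdict:
    classification: str  # e.g. "MALICIOUS", as printed by the analyzer
    confidence: float    # 0.0 .. 1.0

    def __post_init__(self):
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError("confidence must be within [0, 1]")


def decide(policy, verdict, action):
    """Return (decision, rule_name) for a proposed response action.

    Rules are matched in order on action, classification and confidence
    threshold; the first match wins. If nothing matches, fail closed and
    require analyst approval rather than letting the action run.
    """
    for rule in policy["policy"]["rules"]:
        if rule["action"] != action:
            continue
        if rule["classification"] != verdict.classification.lower():
            continue
        if verdict.confidence < rule["confidence_min"]:
            continue
        return rule["decision"], rule["name"]
    return REQUIRES_APPROVAL, None


def plan(policy, verdict, actions):
    """Map each proposed action to its decision, for the audit trail."""
    return {a: decide(policy, verdict, a) for a in actions}
```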

Security-first architecture

Built with security as a core principle, not an afterthought. Your security data stays under your control.


Self-Hosted Option

Deploy in your own environment with full control.


Complete Audit Trail

Every action logged and traceable for compliance.


Bring Your Own Keys

Use your own API keys for AI providers.


Role-Based Access

Granular permissions for your entire team.

Ready to transform your SOC?

See how Triage Warden can reduce alert fatigue and accelerate your incident response.
