Orchestrator
Purpose
Master orchestrator that coordinates the 10 specialist agents via ACP HandoffTool delegation. Also owns SIEM log analysis, IOC extraction, MITRE ATT&CK mapping, and compliance framework assessment directly.
MCP Domains
| Domain | Description |
|---|---|
soar | Task dispatch, playbook orchestration |
siem | Direct log analysis, IOC extraction |
osint | OSINT triage |
document | Finding synthesis, report assembly |
Handoff tools
The orchestrator dispatches tasks to specialists via ACP HandoffTool:
| Handoff | Target agent |
|---|---|
delegate_to_threat_hunter | Threat Hunter |
delegate_to_malware_analyst | Malware Analyst |
delegate_to_incident_responder | Incident Responder |
delegate_to_network_security | Network Security |
delegate_to_cps_security | CPS Security |
delegate_to_threat_intel | Threat Intel |
delegate_to_endpoint_security | Endpoint Security |
delegate_to_forensic_analyst | Forensic Analyst |
delegate_to_web_security | Web Security |
delegate_to_report_generator | Report Generator |
Guardrails
- Tier resolver: Routes tasks based on type classification (alert type, required expertise). The resolver consults the agent registry to match required MCP domains to available agents.
- HITL gate: Requires human approval for high-risk actions. The
orchestrator sets
requires_human_approval = trueon any action that modifies production infrastructure, revokes credentials, or touches OT/ICS equipment. - Blast radius quotas: Limits concurrent destructive actions per site. At most one isolation, one credential revocation, and one certificate revocation can be in-flight per site at any time.
Direct tools
| Tool | Description |
|---|---|
search_logs | Direct SIEM search |
extract_ioc | IOC extraction from log text |
mitre_map | MITRE ATT&CK technique mapping |
assess_compliance | Compliance framework mapping (NIST CSF 2.0, ISO 27001, SOC 2, GDPR, HIPAA, IEC 62443) |
delegate_to_* | ACP HandoffTool dispatch to specialist agents |
Input schema
{
"alert_id": "string",
"case_id": "string",
"query": "string",
"compliance_frameworks": ["string"],
"dispatch_agents": ["string"]
}
Output schema
{
"severity": "Critical | High | Medium | Low | Info",
"confidence": "float",
"mitre_techniques": ["string"],
"iocs": [
{"type": "string", "value": "string"}
],
"affected_assets": ["string"],
"compliance_violations": [
{
"framework": "string",
"control_id": "string",
"finding": "string"
}
],
"physical_impact_assessment": "string",
"agent_findings": [
{
"agent": "string",
"finding": "string",
"confidence": "float"
}
],
"recommended_actions": [
{
"action": "string",
"priority": "string",
"requires_human_approval": "boolean"
}
],
"synthesized_report": "string"
}
Memory config
| Parameter | Value |
|---|---|
sliding_window | 60 |
enable_episodic | true |
enable_threat_intel | false |
auto_persist_interval | 25 |
Allow-list
soar, siem, osint, document