The Auth Sentry Difference: Autonomous Investigation
1. Evidence Collection via Graph Database
Our AI Agents don't just flag anomalies—they continuously link evidence across your identity graph until patterns emerge. Only when sufficient evidence exists does an alert get created.
Example: Lateral Movement Detection
When user "james.hernandez14" accesses 4 systems in 5 minutes, the agent:
- Queries the graph for all identity events related to james.hernandez14
- Discovers that the account was dormant for 6 months (evidence #1)
- Correlates the access pattern with lateral movement signatures (evidence #2)
- Links it to previous suspicious OAuth token activity (evidence #3)
- Calculates a confidence score from the weighted evidence: 0.98 (98%)
- Creates an alert only when the threshold is reached
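The steps above, as an added example that is not Auth Sentry's own code: a constructed identity-event graph is queried for one identity, the three pieces of evidence are linked, and the score is combined with noisy-OR. The evidence weights, the 180-day dormancy cut-off and the 0.9 alert threshold are assumptions; the page states only the resulting 0.98.

```python
from datetime import datetime, timedelta

# Assumed evidence weights (the page gives only the final 0.98); combined with noisy-OR.
WEIGHTS = {"dormant_account": 0.7, "lateral_pattern": 0.8, "oauth_anomaly": 0.67}
ALERT_THRESHOLD = 0.9

# Constructed identity-event graph: (identity, resource, event_type, ISO timestamp) edges.
GRAPH = [
    ("james.hernandez14", "okta",       "oauth_anomaly", "2024-05-15T09:00:00"),
    ("james.hernandez14", "vpn",        "access",        "2024-05-20T09:00:00"),
    ("james.hernandez14", "vpn",        "access",        "2024-12-02T10:00:00"),
    ("james.hernandez14", "jumphost",   "access",        "2024-12-02T10:01:00"),
    ("james.hernandez14", "prod-db",    "access",        "2024-12-02T10:03:00"),
    ("james.hernandez14", "s3-backups", "access",        "2024-12-02T10:04:00"),
    ("alice.w",           "wiki",       "access",        "2024-12-02T10:02:00"),
]

def events_for(identity, graph=GRAPH):
    """Graph query: every (resource, type, time) edge touching the identity, oldest first."""
    rows = [(r, t, datetime.fromisoformat(ts)) for i, r, t, ts in graph if i == identity]
    return sorted(rows, key=lambda e: e[2])

def lateral_burst(events, min_systems=4, window=timedelta(minutes=5)):
    """First window in which >= min_systems distinct resources were accessed, as (start, end)."""
    access = [e for e in events if e[1] == "access"]
    for i, (_, _, start) in enumerate(access):
        in_window = [e for e in access[i:] if e[2] - start <= window]
        if len({e[0] for e in in_window}) >= min_systems:
            return start, in_window[-1][2]
    return None

def investigate(identity, graph=GRAPH):
    """Link evidence across the identity's graph; alert only when the combined score clears the bar."""
    events = events_for(identity, graph)
    burst = lateral_burst(events)
    if burst is None:
        return {"alert": False, "evidence": [], "confidence": 0.0}
    evidence = ["lateral_pattern"]                       # evidence: 4 systems inside 5 minutes
    prior = [e for e in events if e[1] == "access" and e[2] < burst[0]]
    if prior and burst[0] - prior[-1][2] >= timedelta(days=180):
        evidence.append("dormant_account")               # evidence: 6+ months without activity
    if any(e[1] == "oauth_anomaly" for e in events):
        evidence.append("oauth_anomaly")                 # evidence: earlier OAuth token anomaly
    miss = 1.0
    for tag in evidence:
        miss *= 1 - WEIGHTS[tag]                         # noisy-OR over independent evidence
    score = round(1 - miss, 2)
    return {"alert": score >= ALERT_THRESHOLD, "evidence": evidence, "confidence": score}
```

A burst with no supporting evidence scores 0.8 here and stays below the threshold, which is the point of linking evidence before alerting.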
Why Graph Databases Matter
Traditional tools analyze events in isolation. Graph databases connect the dots—linking users, permissions, apps, OAuth tokens, and actions across time. This reveals attack chains that single-point analysis misses.
2. Automatic Enrichment from Your Security Stack
Instead of handing you a generic "suspicious activity" alert, AI Agents autonomously gather context from your existing tools before creating the alert.
- SIEM Query: pulls related security events from the same timeframe
- SaaS Platform Logs: retrieves authentication and access logs
- MDM Systems: checks device compliance status
- Threat Intel: correlates with known attack patterns
Result: Analysts get enriched context automatically, not raw alerts requiring manual investigation.
3. Human-in-the-Loop Validation
AI Agents can message affected users directly via Slack or Microsoft Teams to validate suspicious activity in real-time.
"Hey James, did you just access the production database from a new location in Singapore?"
Reply 'yes' to approve, or we'll revoke access in 2 minutes.
Possible Outcomes:
- ✓ User confirms: "Yes, I'm traveling" → Alert closed as false positive
- ✗ User denies: "No, my device was stolen!" → Escalate to critical
- ⏱ No response in 2 minutes → Auto-revoke tokens, block access
Result: Faster validation, fewer false positives, and immediate containment when a threat is confirmed.
What You Receive: Not an Alert, a Complete Investigation
ALERT ID: 528
SEVERITY: HIGH
Suspicious Lateral Movement Detected - james.hernandez14
Identity [email protected] accessed 4 different systems within 5 minutes, indicating potential lateral movement.
EVIDENCE COLLECTED BY AI AGENT:
- [Graph Database] Dormant account (no activity for 6 months) suddenly active
- [Pattern Match] Access pattern matches known lateral movement signatures
- [Auto-enriched from SIEM] Failed authentication attempts from same IP 30 min prior
- [Auto-enriched from Okta] MFA push accepted after 3 denials (MFA fatigue attack)
- [User validation via Slack] User reports device stolen 2 hours ago
THREAT VECTOR
Lateral Movement
CONFIDENCE SCORE
0.98 (98%)
INVESTIGATION TIME
<2 minutes
AI AGENT ACTIONS ALREADY TAKEN:
✓ Gathered evidence from 3 systems automatically
✓ Contacted user via Slack (confirmed compromise)
✓ Auto-revoked all OAuth tokens for this identity
✓ Blocked source IP address
⏳ Awaiting SOC approval to fully disable account
RECOMMENDED NEXT STEPS:
1. Review access logs for other compromised accounts
2. Force password reset for james.hernandez14
3. Audit all systems accessed in past 24 hours for data exfiltration
4. Consider triggering incident response playbook IR-001
Your SOC gets cases, not noise. 10x faster investigations.
Specialized AI Agents for Specialized Threats
One generic ML model misses nuanced attacks. Auth Sentry deploys dedicated agents, each an expert in a specific threat domain.
OAuth Token Agent
Monitors OAuth and refresh token lifecycles, detecting:
- Token usage from impossible locations (impossible travel)
- Cross-IP token sharing patterns
- Tokens used outside normal application workflows
- Dormant tokens suddenly activating
- Token lifespans exceeding security policies
Service Account Agent
Learns "normal" behavior for non-human identities, flagging:
- API key rotations outside change windows
- Privilege escalations and permission changes
- Dormant service accounts suddenly active
- Access to resources outside typical patterns
- Service accounts used from unexpected IP ranges
Lateral Movement Agent
Maps access chains across systems, identifying:
- Unusual system-to-system pivots
- Access to multiple high-value targets in short timeframes
- Credential usage across disparate environments
- Movement from dev → staging → production
- Access path deviations from established patterns
Toxic Combo Agent
Detects dangerous application permission combinations:
- GitHub access → AWS credential retrieval → production database
- Email + file storage + admin console in sequence
- CI/CD pipeline access combined with prod environment permissions
- Third-party app integrations with over-privileged access
- Chained access that appears legitimate step by step but together forms an attack path
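The ordered-chain detection the Toxic Combo Agent describes, as an added example that is not Auth Sentry's own code: each step of a chain is routine on its own, so the check only fires when the steps occur in sequence for one identity inside a time window. The chain definitions, the one-hour window and the access log are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed chain definitions; the page names these combinations, the ordered-matching logic is added here.
TOXIC_CHAINS = {
    "github->aws-credentials->prod-db": ["github", "aws-credentials", "prod-db"],
    "email->file-storage->admin-console": ["email", "file-storage", "admin-console"],
}
WINDOW = timedelta(hours=1)   # assumed: all steps must land inside one hour

# Constructed access log: (identity, resource, ISO timestamp). Each line alone is routine work.
ACCESS_LOG = [
    ("dana.k", "email",           "2024-12-02T08:00:00"),
    ("dana.k", "github",          "2024-12-02T09:00:00"),
    ("dana.k", "aws-credentials", "2024-12-02T09:20:00"),
    ("dana.k", "prod-db",         "2024-12-02T09:45:00"),
    ("sam.o",  "prod-db",         "2024-12-02T10:00:00"),   # same three resources, wrong order
    ("sam.o",  "aws-credentials", "2024-12-02T10:10:00"),
    ("sam.o",  "github",          "2024-12-02T10:20:00"),
    ("sam.o",  "aws-credentials", "2024-12-02T13:00:00"),   # right order, but hours apart
    ("sam.o",  "prod-db",         "2024-12-02T16:00:00"),
]

def match_chain(events, steps, window):
    """Return (start, end) if `steps` occur in order within `window`, else None."""
    for i, (start, res) in enumerate(events):
        if res != steps[0]:
            continue
        nxt = 1                                  # index of the next step we need to see
        for t, r in events[i + 1:]:
            if t - start > window:
                break
            if r == steps[nxt]:
                nxt += 1
                if nxt == len(steps):
                    return start, t
    return None

def toxic_paths(identity, log=ACCESS_LOG, chains=TOXIC_CHAINS, window=WINDOW):
    """Every toxic chain completed by this identity: [(chain name, first step time, last step time)]."""
    events = sorted((datetime.fromisoformat(ts), r) for i, r, ts in log if i == identity)
    hits = []
    for name, steps in chains.items():
        found = match_chain(events, steps, window)
        if found:
            hits.append((name, found[0], found[1]))
    return hits
```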
Why specialized agents? Each agent operates independently, continuously learning YOUR organization's specific patterns. When threats intersect multiple domains (e.g., OAuth token abuse + lateral movement), agents collaborate to build the complete picture before alerting.
Identity Rx: Continuous Learning from YOUR Environment
Off-the-shelf AI doesn't understand YOUR business. Our AI Agents continuously learn your organization's unique identity DNA.
DevOps deploys on Friday afternoons?
Agent learns this is normal for YOUR team.
Sales accesses CRM + LinkedIn + ZoomInfo in sequence?
Agent baselines the pattern specific to YOUR workflow.
Finance runs monthly scripts touching prod databases?
Agent expects it based on YOUR calendar.
The longer it runs, the smarter it gets about YOUR specific environment.
70% reduction in false positives. Detections tailored to your organization, not generic rules.