Choose a system or custom agent for your chat.
To use the Agentic Assistant, you first select the agent best suited for the task. Each agent is designed with specific goals and toolsets to address different aspects of security operations.
You can choose from system agents, public agents other users have created, or agents you have personally built and configured.
Within the chat prompt, click the agent icon on the left.
You can hover over each agent in the list to view a brief description of its primary focus.
Select the agent that best suits your current task or investigation.
Select an agent from Slack
Select an agent from Slack by sending a request and tagging your configured bot name in a thread (for example, @Your bot name). Cortex Agentic Assistant returns a dropdown menu of available agents to select from.
Note
Only public agents are supported via Slack.
System agents
System agents are pre-built, mission-focused virtual personas provided out-of-the-box by Cortex Cloud to handle specific security use cases without requiring manual configuration.
System agents come with defined roles and permissions. For example, the Threat Intel agent is pre-configured to enrich indicators, while the Help Center agent is designed specifically to retrieve documentation.
You can access additional system agents by enabling specific modules or licenses. Keeping the relevant licenses active (for example, Cloud Posture or XSIAM Enterprise) ensures that the corresponding agents appear in your list. For instance, the Exposure Management agent helps prioritize risks but explicitly requires the Exposure Management add-on to function.
If a system agent is missing from your chat, it may be disabled or not included in your license. Go to the Agents Hub (accessible via the side panel in the Agentic Assistant menu), where you can view a list of all enabled and disabled agents. An administrator may need to re-enable the agent to make it visible in your chat again.
Examples of specialized system agents:
| Agent Type | Description |
|---|---|
| Case Investigation | Accelerates and simplifies the analyst's workflow by converting complex data points, case context, and event relationships into clear, actionable insights. It understands the whole structure of a case, automatically highlights what matters most, and offers concise summaries that reduce noise and cognitive load. Beyond interpretation, it provides quick-access actions and guided steps that help analysts progress investigations with confidence and consistency. Its strength comes from its ability to reason across diverse evidence, stitch narrative context, and translate technical signals into meaningful next moves - enabling a smoother, more intuitive investigation experience end to end. |
| Email Investigation | Automates the full lifecycle of email-borne threat response, spanning mailbox search, forensic collection, analysis, containment, and incident closure across all major mail platforms and security layers. |
| Help Center | Provides answers to questions by referencing product documentation. If further assistance is needed, the agent assists you in opening a support case. |
| Network Security | Audits next-gen firewalls for vulnerabilities, expired certificates, outdated software, risky or unused rules, capacity limits, and other misconfigurations. It searches logs for threats and then automates or guides clean-ups and upgrades to keep the network secure. |
| Exposure Management | Helps understand, triage, and remediate vulnerabilities and misconfigurations across enterprise and cloud. Streamlines work for security analysts by helping to proactively prioritize risks, enrich identified exposures with ownership information, and take actions to reduce remediation times. Note: Requires the Exposure Management add-on. |
| Cloud Posture | Helps understand, triage, and remediate misconfigurations, attack paths, and posture issues across cloud environments. Streamlines work for security analysts by proactively prioritizing risks, enriching identified exposures with ownership information, and automatically taking mitigating or remediating actions, such as blocking network access or updating protection policies, to reduce the organization's exposure footprint. |
| Application Security | Operates as an intelligent, autonomous co-pilot within the security program. It provides full-cycle management by continuously monitoring AppSec maturity and driving a prevention-first strategy. The agent performs key actions such as opening pull requests (PRs) to resolve issues, identifying true risks and critical weaknesses in code, and using that context to suggest and apply prevention guardrails that eliminate risky environments. Its core function is to guide the organization’s AppSec journey by proactively improving coverage and measuring maturity, ensuring that security is automated, not merely audited. |
Recommended agents
In some cases, the system may suggest that you switch agents based on the page you are viewing. For example, if you are viewing a case and have a chat with the Threat Intel agent open, the system will suggest switching to the Case Investigation agent for more relevant results.