Agentic Triage Accelerates Insider Threat Detection and Investigations

Industry

Government

Company Size

~4000 employees

Location

Australia

Solution

DTEX Triage Guardian, DTEX Platform

Key Results
  • 40 hours saved per analyst each month
  • Improved investigation quality
  • Stronger decision confidence
  • Proactive threat hunting

An Australian government agency needed to reduce alert triage time, improve investigation quality, and ease pressure on a lean cyber operations team.
 
With DTEX Triage Guardian, the agency was able to remove much of the manual effort analysts previously spent reconstructing activity around each alert. Instead of trawling through logs and piecing together context themselves, analysts now receive clear summaries of surrounding behavior and why an alert matters, helping them make faster, higher-quality decisions and spend more time on proactive threat hunting.
 
Within two weeks of installing the DTEX Triage Guardian, our analysts found it highly beneficial. It’s been 100% accurate so far, and the ability to summarize surrounding activity and explain how it reached a decision is fantastic. What would normally take our analysts hours to investigate is now surfaced for them immediately. That has improved the quality of investigations, reduced fatigue, and freed the team up to do more proactive threat hunting rather than just responding to alerts. From a security perspective, it puts us in a much better position to detect and respond.
 
Assistant Director – Cyber Operations, government agency.
 

This organization is a government agency responsible for protecting sensitive systems, data, and services across a broad public-sector mission. Its lean cyber operations team manages daily alerts with limited resources and needs fast, accurate triage, strong behavioral visibility, and reliable decision support.


Security teams are under constant pressure to investigate alerts faster, reduce analyst fatigue, and make sound decisions with limited resources. For this government agency, that challenge was especially acute. Its security team needed to triage alerts efficiently, understand surrounding behavior quickly, and determine whether activity was normal or genuinely risky, all without overwhelming an underfunded, already stretched analyst team.


Almost immediately after deploying DTEX Triage Guardian (Triage Guardian for short), the agency began to see measurable value.

According to the Assistant Director of Cyber Operations at the agency, analysts found the technology highly beneficial from the start. What stood out was not just speed, but the quality of the insight. DTEX was able to summarize surrounding activity, explain how it reached its conclusions, and surface context that would otherwise take analysts hours to piece together manually. 

As the Assistant Director put it, “The fact that it can summarize all the surrounding activity and explain how it came to its decision is absolutely fantastic.” 

That mattered for a lean team where time and attention are limited. 


Faster alert triage without sacrificing depth 

The agency estimates that DTEX saves each analyst approximately 40 hours per month by reducing the manual effort required to triage alerts and assemble investigation context. Instead of spending time digging through activity, reviewing surrounding behavior, and determining whether an alert warrants escalation, analysts are presented with a clear summary of what happened and why it matters. This recovered capacity helps the team improve investigation quality, reduce fatigue, and spend more time on proactive threat hunting instead of reactive alert review.

Before Triage Guardian, analysts often spent 30 minutes to an hour per alert reviewing context to understand the surrounding activity and determine what was really happening. In some cases, it could take a couple of hours to dig deeper and gather everything needed to make a confident decision.

DTEX reduced that burden significantly. 

By pulling together surrounding activity and presenting a clear explanation of what it found, the platform cut down the manual digging analysts had to do. For the agency, that created an immediate operational benefit. In the words of the Assistant Director, “When resources are tight, having that legwork taken away is phenomenal.” 

Better context, better decisions 

The agency also found that DTEX improved the quality of investigations. 

Before Triage Guardian, analysts might look at an alert and dismiss it as part of someone’s normal job activity. That kind of judgment call is common in busy SOC environments, particularly when teams do not have time to investigate every alert in depth. 

What DTEX changed was the level of context available to the analyst. 

Instead of a bare signal, the team received detailed explanations and surrounding behavioral information, often in the form of paragraphs of context, that helped them understand what was normal, what was unusual, and why a particular alert mattered. 

“It has improved the quality of investigations,” said the Assistant Director. 

For a team made up primarily of Tier 1 and Tier 2 analysts, that added context was especially valuable. It meant analysts did not need to be deep experts in every underlying technology to make sound decisions. They could review the findings, assess the recommendations, and decide whether an alert was accurate, escalating only when there was real ambiguity.

That not only improved consistency but also lowered the skill barrier. 

Less fatigue, more proactive work 

One of the clearest benefits the agency described was the impact on analyst workload: higher-quality work in significantly less time.

Security analysts spend a great deal of time trawling through logs, correlating events, and reconstructing what happened. That work is time-consuming, repetitive, and mentally draining, especially for smaller teams carrying multiple responsibilities. 

The agency’s Assistant Director said DTEX helps remove much of that burden. Instead of spending all their time reacting to alerts, analysts now have more capacity to do proactive threat hunting across the DTEX Platform.

As the Assistant Director explained, “Instead of being reactive, our analysts can now take on a much more proactive role.” 

That shift from reactive alert handling to more proactive security operations was one of the most meaningful outcomes of the deployment. It also helped the team operate more efficiently and focus on the work that matters most.

“We can do more with less,” the Assistant Director added. 

For security leaders, that point is significant. Time savings alone matter, but the bigger gain is what those hours can be redirected toward: higher-value analysis, better prioritization, and earlier detection of risk. 

Behavioral visibility beyond traditional monitoring 

The agency already uses tools such as Cisco Splunk and Microsoft Sentinel but sees the DTEX Platform as providing a different layer of value. 

Where traditional tools help with log collection, monitoring, and event correlation, the DTEX Platform gives the team visibility into end-user behavior: specifically, how people interact with systems and data. That behavioral lens has helped the agency identify trends and emerging behaviors early enough to act before risky activity becomes a larger issue.

Much of what the team sees is insider negligence: the kinds of sloppy practices and weak signals that can create avoidable risk if left unchecked. 

Examples include: 

  • Documents created with “password” in the title 
  • Passwords stored in ways they should not be 
  • Attempts to use personal webmail 
  • File uploads and other forms of data movement

Even when certain sites are blocked at the firewall, DTEX still surfaces the attempted behavior, giving the team a useful early signal. 
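The two ideas above, assembling the activity around an alert into an explained summary (as described under "Faster alert triage without sacrificing depth") and flagging negligence indicators such as credential-named files, webmail attempts and data movement even when the firewall blocked them, can be sketched in a few dozen lines. The block below is an added illustration, not DTEX code and not the agency's rules: the event schema, the indicator rules, the webmail host list, the verdict thresholds and the sample telemetry are all assumptions made for the example.

```python
"""Toy behavioral triage: gather context around an alert and explain the verdict.

Added illustration only. Event fields, rules and sample data are assumptions,
not DTEX's schema or detection logic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                  # assumed kinds: "file_create", "web", "upload"
    detail: str                # file name, URL or destination
    outcome: str = "allowed"   # "blocked" when a firewall/proxy deny was logged


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    title: str


# Assumed personal-webmail hosts; a real deployment would take these from proxy categories.
WEBMAIL_HOSTS = ("mail.google.com", "outlook.live.com", "mail.yahoo.com")


def classify(ev: Event):
    """Map one event to an (indicator, reason) pair, or None if unremarkable."""
    d = ev.detail.lower()
    if ev.kind == "file_create" and "password" in d:
        return ("credential_in_filename",
                f"created '{ev.detail}'; the name suggests stored credentials")
    if ev.kind == "web" and any(h in d for h in WEBMAIL_HOSTS):
        if ev.outcome == "blocked":
            # A firewall deny is still a behavioral signal: the user tried.
            return ("personal_webmail",
                    f"attempted to reach personal webmail {ev.detail} (blocked, attempt recorded)")
        return ("personal_webmail", f"used personal webmail {ev.detail}")
    if ev.kind == "upload":
        return ("data_movement", f"uploaded '{ev.detail}'")
    return None


def triage(alert: Alert, events, window=timedelta(minutes=30)):
    """Collect the alerting user's events within +/- window, flag indicators,
    and return a verdict together with a human-readable rationale."""
    context = sorted(
        (e for e in events if e.user == alert.user and abs(e.ts - alert.ts) <= window),
        key=lambda e: e.ts)
    indicators, reasons = [], []
    for ev in context:
        hit = classify(ev)
        if hit:
            indicators.append(hit[0])
            reasons.append(f"{ev.ts:%H:%M} {hit[1]}")
    kinds = set(indicators)
    # Assumed policy: data that actually moved plus any second indicator in the
    # same window escalates; a lone indicator only needs analyst review.
    if "data_movement" in kinds and len(kinds) >= 2:
        verdict = "escalate"
    elif kinds:
        verdict = "review"
    else:
        verdict = "benign"
    rationale = (f"{alert.title} for {alert.user}: {len(context)} events within "
                 f"{int(window.total_seconds() // 60)} min; "
                 + ("; ".join(reasons) if reasons else "no negligence indicators")
                 + f" -> {verdict}")
    return {"user": alert.user, "context": context, "indicators": sorted(kinds),
            "verdict": verdict, "rationale": rationale}


# Constructed sample telemetry for the example (not real agency data).
T = datetime(2025, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    Event(T, "jdoe", "file_create", "Passwords.xlsx"),
    Event(T + timedelta(minutes=5), "jdoe", "web", "https://mail.google.com/", "blocked"),
    Event(T + timedelta(minutes=12), "jdoe", "upload", "Passwords.xlsx -> personal-cloud.example"),
    Event(T + timedelta(hours=5), "jdoe", "file_create", "quarterly_report.docx"),
    Event(T + timedelta(minutes=3), "asmith", "web", "https://intranet.example/"),
]
UPLOAD_ALERT = Alert(T + timedelta(minutes=12), "jdoe", "Upload to external site")
BROWSE_ALERT = Alert(T + timedelta(minutes=3), "asmith", "Web browsing anomaly")

if __name__ == "__main__":
    for a in (UPLOAD_ALERT, BROWSE_ALERT):
        print(triage(a, SAMPLE_EVENTS)["rationale"])
```

For the upload alert the window pulls in the earlier credential-named file and the blocked webmail attempt, so the rationale reads as a chain rather than a bare "upload" signal, which is the kind of context the agency says it now receives; the browsing alert for the other user finds nothing and is marked benign. The blocked request is deliberately kept as an indicator: a deny at the firewall stops the transfer, not the intent.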

That kind of visibility matters because many insider and user-driven risks do not stand out in conventional monitoring tools. According to the Assistant Director, the DTEX Platform helps the team identify not just what happened, but who may be becoming risky and why.

That supports earlier intervention and a stronger insider risk posture. 

Strong early confidence, and plans to expand 

The agency reports 100% accuracy from Triage Guardian over its first weeks of use and says the system's output has been consistent and highly valuable. The team was surprised by how much information it could glean, how well it understood user behavior, and how effectively it identified what was normal.

From the Assistant Director’s perspective, the impact goes beyond analyst productivity alone. “From a security perspective, it puts us in a much better position to detect and respond.” 

Looking ahead, the agency is interested in expanding its use of DTEX further, especially around DTEX’s DLP capabilities, DTEX AI Risk Management, and broader use of its AI capabilities. 

For security teams that are short on time, short on people, and under pressure to respond faster, the agency’s experience offers a practical example of where autonomous triage can deliver value: reducing fatigue, improving investigation quality, and helping analysts spend less time assembling context and more time acting on it. 

In this case, the DTEX Triage Guardian has already started to do exactly that. 


  • 40 hours saved per analyst each month
  • Value realized almost immediately 
  • 100% accuracy to date
  • Improved quality of investigations 
  • More time for proactive threat hunting 
  • Reduced analyst fatigue 
  • Lowered the skill barrier for Tier 1 and Tier 2 analysts 
  • Stronger visibility into end-user behavior, emerging trends, and insider risk
