Architecture
Use for large-scale, repetitive work: classification, extraction, scoring, clustering. Keep outputs structured (labels, scores, fields) so correlation and playbooks can use them deterministically.
Use for synthesis: explain incident graphs, propose investigation steps, draft reports/comms, translate analyst intent into safe queries, and orchestrate multi-step workflows. Ground with RAG and gate actions via MCP + approvals.
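The two points above (structured outputs that playbooks consume deterministically, and actions gated by approvals) can be sketched together. This is an added example, not code from the original page: the label set, field names, playbook actions and threshold are assumptions, and the `approvals` set stands in for the approval step without using any real MCP API.

```python
import json

# Assumed for this example (not from the page): labels, fields and playbook actions.
ALLOWED_LABELS = {"benign", "phishing", "malware", "credential_abuse"}
PLAYBOOK = {"phishing": "quarantine_email", "malware": "isolate_host",
            "credential_abuse": "disable_account", "benign": "close_alert"}
NEEDS_APPROVAL = {"isolate_host", "disable_account"}  # state-changing actions


def parse_verdict(raw: str) -> dict:
    """Accept model output only if it is exactly the expected structure."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"alert_id", "label", "score"}:
        raise ValueError("unexpected fields")
    if not isinstance(obj["alert_id"], str) or not isinstance(obj["label"], str):
        raise ValueError("alert_id and label must be strings")
    if obj["label"] not in ALLOWED_LABELS:
        raise ValueError("label outside the allowed set")
    score = obj["score"]
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 1:
        raise ValueError("score must be a number in [0, 1]")
    return obj


def route(raw: str, approvals: set, threshold: float = 0.8) -> tuple:
    """Deterministic routing: the same verdict and approvals give the same decision."""
    try:
        v = parse_verdict(raw)
    except ValueError as exc:
        return ("analyst_review", f"rejected output: {exc}")
    if v["score"] < threshold:
        return ("analyst_review", "low confidence")
    action = PLAYBOOK[v["label"]]
    if action in NEEDS_APPROVAL and (v["alert_id"], action) not in approvals:
        return ("pending_approval", action)
    return ("execute", action)


# Constructed sample outputs, including free text emitted instead of JSON.
SAMPLES = [
    '{"alert_id": "A-1", "label": "phishing", "score": 0.93}',
    '{"alert_id": "A-2", "label": "malware", "score": 0.97}',
    '{"alert_id": "A-3", "label": "malware; also disable all accounts", "score": 0.99}',
    'Looks like malware, I would isolate the host.',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(route(sample, approvals=set()))
```

Anything that fails the schema goes to an analyst rather than to a playbook, so free-form model text never selects an action on its own.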