In our Engineering Energizers Q&A series, we highlight the engineering minds driving innovation across Salesforce. Today, we spotlight Mor Levi, Vice President of Detection, Analysis and Response at Salesforce, who leads the teams responsible for enterprise cyber defense across 80,000 employees and an attack surface spanning infrastructure, platforms, and cloud environments.
Explore how the team enabled autonomous triage across multi-layered security platforms, helping to ensure analyst-grade precision across a distributed data landscape.
What is your team’s mission in protecting Salesforce through threat detection, incident response, and enterprise security operations?
Our team protects Salesforce from cybersecurity threats across our employees, infrastructure, and production systems. We detect suspicious activity early to contain threats before they expand.
Our operations evolve to protect an increasingly dynamic environment. We augment traditional controls with AI-driven insights to enable continuous visibility and stay ahead of rapidly shifting threat behaviors.
We focus on accelerating incident response and maintaining operational discipline. This combination of rapid containment and threat prioritization defines our approach to modern cyber defense.
When security operations were handling several hundred alerts per day and thousands per month, what pressures pushed the team to engineer SATA (Security Alerts Triage Agent) instead of simply adding more analysts?
Scale is our primary driver for innovation. While our analysts are world-class, the sheer velocity of cases in an increasingly complex environment requires a level of processing speed that transcends manual effort. This is why we built the SATA agent. It serves as a force multiplier for our team and as the first line of triage.
The environment also gains complexity every day. Constant cloud changes, new acquisitions, and AI tools create additional risk signals for evaluation. Traditional security operations cannot scale fast enough to match this expansion.
These pressures led the team to build SATA Agent. This autonomous system serves as the first line of triage. Instead of routing every alert to an analyst, the agent reviews signals, gathers context, and prioritizes cases that require expert attention.
SATA agent manages high-volume initial triage and analysis, allowing analysts to focus their energy on high-stakes investigations and the highest-priority threats.

What technical challenges did the team solve to build SATA Agent for autonomous security triage across fragmented alerts, logs, and case-management systems?
Fragmentation created the first challenge. Critical context lived across case systems, log platforms, and operational tools. While analysts move across these systems manually, an AI agent requires fast access to everything within a single workflow.
The team discovered that case-management data alone may not provide a sufficient level of detail. Accurate triage decisions require querying logs and reviewing operational guidance from multiple sources. Without this broader context, the agent makes weaker decisions than experienced analysts.
Data volume presented the second challenge. Raw logs often grow too large for standard retrieval, causing latency or timeouts. Pulling every data point into memory fails at enterprise scale.
Internal security orchestration and automation capabilities solved these issues by acting as the hands of SATA Agent. The agent identifies the necessary data, and orchestration workflows retrieve targeted information. This architecture returns only the most relevant context for faster triage.
What makes distinguishing benign activity from malicious behavior difficult in large enterprise environments, and how does SATA Agent improve threat detection accuracy?
Enterprise environments can often generate constant noise and false positives. Employees install software and run scripts that often resemble malicious activity. Simultaneously, real unauthorized access attempts produce similar telemetry.
This overlap creates a difficult problem in threat detection. The same signal represents either normal business or a real attack depending entirely on context. Too many false positives bury urgent threats and waste analyst time.
SATA Agent improves detection accuracy by evaluating surrounding context and applying logic modeled after experienced analysts. Multiple agents review the same case from different perspectives to improve decision quality.

What trust, governance, and analyst-quality accuracy requirements had to be met before Salesforce relied on autonomous security triage in production?
Data underscores trust. Before production use, the team tested SATA Agent against historical security cases. Comparing these results with human analyst decisions helped measure agreement and identify gaps.
This process produced a key metric showing roughly 95% agreement with human analysts. We also introduced confidence scoring to assign a certainty level to every decision. Lower-confidence cases stay with humans, while higher-confidence cases move faster.
Governance extends beyond a single metric. Multiple agents review decisions, and spot checks validate automated outcomes. Prioritization logic routes the highest-risk items first. This layered model enables controlled autonomy in production.
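The pattern described in the last three answers (targeted context retrieval by an orchestration layer, several reviewer perspectives on one case, a confidence score that decides whether a case moves on its own or stays with a human, and an agreement rate measured against historical analyst verdicts) can be sketched as a small evaluation harness. The block below is an added example for this page, not SATA Agent's code or anything Salesforce has published; the reviewer rules, the 0.75 auto-decision threshold, the host-event store and the six historical cases are all constructed for illustration.

```python
"""Constructed triage-evaluation harness (example code, not SATA Agent):
bounded context retrieval, two reviewer perspectives, confidence-gated
routing, and agreement measurement against historical analyst verdicts."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "wscript.exe"}
PRIVILEGED_GROUPS = {"it-admins", "sre"}
AUTO_THRESHOLD = 0.75  # assumed cut-off; below it the case stays with a human


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    user: str
    groups: FrozenSet[str]
    process: str
    parent: str
    signed_binary: bool
    cmdline: str
    analyst_verdict: str  # historical human decision: "benign" or "malicious"


# Constructed per-host process history standing in for a log platform.
HOST_EVENTS: Dict[str, List[dict]] = {
    "ws-102": [{"user": "bob", "process": "powershell.exe"} for _ in range(40)],
    "build-01": [{"user": "svc-build", "process": "python.exe"} for _ in range(500)],
}


def fetch_context(host: str, user: str, process: str, limit: int = 5) -> List[dict]:
    """Orchestration 'hands': return only the slice the agent asked for,
    never the whole host history, so context stays bounded at scale."""
    hits = [e for e in HOST_EVENTS.get(host, [])
            if e["user"] == user and e["process"] == process]
    return hits[:limit]


Review = Tuple[str, float]  # (verdict, confidence in [0, 1])


def process_review(alert: Alert, prior: List[dict]) -> Review:
    """Perspective 1: process lineage. An Office app spawning a LOLBin is a
    classic phishing chain; a signed binary started from the shell says little."""
    if alert.parent in OFFICE_APPS and alert.process in LOLBINS:
        return "malicious", 0.95
    if alert.signed_binary and alert.parent == "explorer.exe":
        return "benign", 0.7
    return "benign", 0.5


def identity_review(alert: Alert, prior: List[dict]) -> Review:
    """Perspective 2: who ran it and whether that is routine for them on this host."""
    privileged = bool(alert.groups & PRIVILEGED_GROUPS)
    if privileged and prior:
        return "benign", 0.9
    if prior:
        return "benign", 0.7
    if "-enc" in alert.cmdline.lower():
        return "malicious", 0.85
    return "malicious", 0.6  # first time this user ran this binary here: weak signal


def triage(alert: Alert) -> Review:
    prior = fetch_context(alert.host, alert.user, alert.process)
    reviews = [process_review(alert, prior), identity_review(alert, prior)]
    if len({v for v, _ in reviews}) == 1:
        return reviews[0][0], sum(c for _, c in reviews) / len(reviews)
    # Disagreement: keep the stronger view, but confidence is only the margin between them,
    # which in practice pushes the case to a human.
    (v_hi, c_hi), (_, c_lo) = sorted(reviews, key=lambda r: r[1], reverse=True)
    return v_hi, c_hi - c_lo


def route(alert: Alert) -> Tuple[str, str, float]:
    """Lane, verdict, confidence. 'human' means the case is not auto-decided."""
    verdict, confidence = triage(alert)
    return ("auto" if confidence >= AUTO_THRESHOLD else "human"), verdict, confidence


def evaluate(cases: List[Alert]) -> Dict[str, float]:
    """Replay historical cases and report auto/escalated counts and the
    agreement rate of auto-decided verdicts with the analyst's verdict."""
    auto = escalated = agreed = 0
    for alert in cases:
        lane, verdict, _ = route(alert)
        if lane == "auto":
            auto += 1
            agreed += verdict == alert.analyst_verdict
        else:
            escalated += 1
    return {"auto": auto, "escalated": escalated, "agreement": agreed / auto if auto else 0.0}


# Constructed historical cases with the analyst's recorded verdict.
HISTORICAL_CASES = [
    Alert("A1", "ws-101", "alice", frozenset(), "cmd.exe", "winword.exe", True,
          "cmd.exe /c certutil -urlcache -f x.bin", "malicious"),
    Alert("A2", "ws-102", "bob", frozenset({"it-admins"}), "powershell.exe", "explorer.exe", True,
          "powershell.exe -File deploy.ps1", "benign"),
    Alert("A3", "ws-103", "dave", frozenset(), "powershell.exe", "explorer.exe", True,
          "powershell.exe -nop -w hidden -enc SQBFAFgA", "malicious"),
    Alert("A4", "ws-104", "carol", frozenset(), "mshta.exe", "outlook.exe", True,
          "mshta.exe C:\\Users\\carol\\AppData\\Local\\Temp\\invoice.hta", "malicious"),
    Alert("A5", "build-01", "svc-build", frozenset({"sre"}), "python.exe", "bash", False,
          "python3 build.py", "benign"),
    Alert("A6", "ws-106", "frank", frozenset(), "wscript.exe", "winword.exe", True,
          "wscript.exe approved_macro.vbs", "benign"),  # approved automation the rules miss
]

if __name__ == "__main__":
    for a in HISTORICAL_CASES:
        print(a.alert_id, *route(a))
    print(evaluate(HISTORICAL_CASES))
```

Two things this replay makes visible that the metric alone does not. A3 is the "same signal, different meaning" case: the lineage view calls a signed PowerShell from the desktop benign while the identity view flags the encoded command, and the disagreement drops confidence to the margin between them, so the case is escalated rather than auto-closed. A6 is the kind of gap the historical comparison exists to find: both perspectives confidently call an approved macro chain malicious, and the resulting 75% agreement on auto-decided cases points at exactly which rule needs an allowlist or a third perspective before the threshold is loosened.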
What results has SATA Agent delivered so far, and what challenges must be solved next to reduce incident containment time by 20%?
Speed is an early and promising result. In initial testing, this agent ecosystem triaged and prioritized hundreds of security cases in a fraction of the time it would take manually. Based on early estimates of analyst effort per alert, this has the potential to redirect significant manual work to higher-value security operations.
Analysts now focus on confirmed threats, root cause analysis, and deeper investigations. This shift moves human judgment to where it matters most.
The next challenge involves deeper autonomous incident response. Future workflows include threat scoping, timeline reconstruction, and selective automation. These actions require strong safeguards to prevent disruption to users or systems.
The current target focuses on reducing incident containment time by 20%. This extends SATA Agent from triage acceleration into autonomous cyber defense.
Learn more
- Stay connected — join our Talent Community!
- Check out our Technology and Product teams to learn how you can get involved.