By Kelly McCracken and Raaghavv Devgon.
In our Engineering Energizers Q&A series, we highlight the engineering minds driving innovation across Salesforce. Today, we spotlight Kelly McCracken, Senior Vice President of Information Security, whose Cyber Security Operations Center team built an AI-driven security system using Agentforce to triage and respond to customer-reported vulnerability findings at scale, successfully managing a 30% increase in report volume year over year without expanding their team.
Explore how Kelly’s team addressed the challenges of ingesting highly unstructured vulnerability reports across diverse formats, correctly identifying the relevant product across a large portfolio, and managing rapidly increasing report volume without expanding the team while still meeting strict response time requirements.
What is your team’s mission as it relates to building the product vulnerability response agent?
The team operates a security model designed to detect and analyze threats across all environments with speed and consistency. To support this mission, the team built a product vulnerability response agent to handle security findings reported by third-party researchers and assessments.
This agent functions as an AI-assisted triage system that analyzes incoming reports to determine if a finding represents a real issue or expected behavior. It then generates recommended responses for security engineers, moving the team away from a fully manual model toward an accelerated workflow.
By embedding this agent into the process, engineers retain final decision-making authority while scaling their ability to respond to increasing report volumes. This approach ensures the team maintains response requirements and addresses customer concerns accurately.
What challenges shaped how the product vulnerability response agent ingests unstructured vulnerability reports and correctly identifies the relevant product across a large and diverse portfolio?
The variability and density of incoming vulnerability reports can pose many challenges. Customers submit findings in multiple formats, such as PDFs, spreadsheets, and security tool outputs. These reports often contain complex diagrams and machine-generated data, which often require significant time to parse manually.
To address this, the team built a format-agnostic approach that extracts meaningful signals across these different structures. However, the system also needed to identify the correct product within a large portfolio of SaaS and on-premises offerings. Early versions lacked this specific context, which limited the accuracy of their recommendations.
The team solved these issues by using Agentforce to process diverse inputs and by introducing parsing logic. This logic infers product context, allowing the system to align reports with the correct product knowledge and generate accurate triage recommendations.

Workflow of a product vulnerability report being processed by the Product Vulnerability Response Agent.
What scalability constraints emerged as vulnerability report volume increased alongside Salesforce’s growing customer base?
Salesforce growth led to a direct increase in potential vulnerability report submissions as more customers conducted third-party assessments. This surge created a scaling challenge where the workload grew significantly without a corresponding increase in team size, placing pressure on response times.
The team designed the system to absorb this growth by automating key parts of the triage workflow. This allowed the team to handle a 30% increase in reports over one year without adding headcount while still meeting response commitments.
A critical improvement came from eliminating delays in routing and initial analysis. The system completes routing and initial triage in seconds, allowing analysis to start immediately and reducing end-to-end response times.
What challenges did the team face ensuring vulnerability reports contained the structured data required for accurate triage?
Inconsistent and incomplete reports submitted via email created a significant bottleneck for the team. Many submissions lacked reproducible steps or sufficient context, forcing analysts to spend time following up with reporters before triage could begin.
In response, we replaced unstructured emails with a web-based interface and structured reporting workflows. This new form enforces the inclusion of required data fields to ensure every report contains the information needed for immediate analysis.
Standardizing inputs at the point of submission improved data quality and processing efficiency. The system now begins analysis without waiting for additional clarification, which reduces back-and-forth communication and accelerates the triage lifecycle.
What architectural decisions shaped how the product vulnerability response agent generates triage recommendations and integrates into analyst workflows?
The team integrated the system directly into Slack to ensure recommendations and analysis occur within existing workflows. This approach avoids the need for a separate interface and reduces friction for security engineers. By functioning as a collaborative participant, the system improves adoption across the organization.
The architecture emphasizes a human-in-the-loop model where the system generates triage recommendations while security engineers retain final decision authority. This structure accelerates workflows and maintains high standards for accuracy.
This integration also enables continuous learning. Analysts provide feedback directly within the workflow, which allows the system to improve over time based on real usage patterns.
What challenges did the team face ensuring the product vulnerability response agent can accurately distinguish real vulnerabilities from expected product behavior?
Distinguishing between true vulnerabilities and expected behavior remains a complex challenge for security systems. Many reports describe scenarios that appear to be security issues but actually function as designed. In response, the team built a comprehensive knowledge foundation that goes beyond surface-level analysis.
The system achieved over 90% accuracy in initial triage. It also identifies cases where confidence is low to signal the need for human review. By combining a structured knowledge base with human validation, the team created a system that produces reliable recommendations and maintains trust in security decisions.
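The intake and escalation rules described in the answers above (required fields enforced at submission, low-confidence findings flagged for human review, engineers keeping the final decision, analyst feedback captured) can be sketched as follows. This is an added example, not Salesforce's or Agentforce's code; the field names, the 0.80 threshold, the queue names and the `Recommendation` type are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed field names: the page says the form enforces required fields
# but does not list them.
REQUIRED_FIELDS = ("product", "summary", "reproduction_steps", "reporter_contact")
REVIEW_THRESHOLD = 0.80  # assumed cut-off; the page gives no figure


@dataclass
class Recommendation:
    verdict: str       # "vulnerability" or "expected_behavior"
    confidence: float  # 0.0-1.0 from a hypothetical triage model


def missing_fields(report: dict) -> list[str]:
    """Required fields that are absent, None, or whitespace-only."""
    return [f for f in REQUIRED_FIELDS if not str(report.get(f) or "").strip()]


def route(report: dict, rec: Recommendation | None) -> dict:
    """Pick a queue. No path closes a report without an engineer."""
    gaps = missing_fields(report)
    if gaps:
        return {"queue": "returned_to_reporter", "missing": gaps}
    # NaN and out-of-range scores fail this comparison and go to a human.
    if rec is None or not (0.0 <= rec.confidence <= 1.0):
        return {"queue": "human_review", "reason": "no usable recommendation"}
    if rec.confidence < REVIEW_THRESHOLD:
        return {"queue": "human_review", "reason": "low confidence",
                "suggested": rec.verdict}
    return {"queue": "engineer_approval", "suggested": rec.verdict}


def record_decision(ticket: dict, engineer_verdict: str) -> dict:
    """The engineer's verdict is final; disagreement is kept as feedback."""
    suggested = ticket.get("suggested")
    return {"final": engineer_verdict, "suggested": suggested,
            "agreed": suggested == engineer_verdict}


# Constructed sample report, not real data.
SAMPLE = {"product": "Example Product", "summary": "Session cookie lacks flag",
          "reproduction_steps": "1. Log in 2. Inspect cookie",
          "reporter_contact": "researcher@example.com"}

if __name__ == "__main__":
    print(route(SAMPLE, Recommendation("expected_behavior", 0.95)))
    print(route(SAMPLE, Recommendation("vulnerability", 0.55)))
    print(route({**SAMPLE, "reproduction_steps": "  "}, None))
```

Note that a malformed score (missing, NaN, or outside 0 to 1) is treated the same as low confidence, so a model failure can only send more work to an engineer, never less.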