Argonaut
v1.2.0-DEMO

The Why?

Why We Built Argonaut

Security teams typically juggle SARIF outputs from multiple scanners, dependency lockfiles, SBOMs, threat intelligence feeds, and manual ticket creation across Jira/Slack. That workflow is brittle: the same vulnerability appears in multiple tools, reachability is unclear, and urgency is often guessed. Argonaut automates the full loop from evidence → context → action.

Argonaut combines a purpose-built triage engine with Agent Builder orchestration layered on top, using Elasticsearch as the shared system of record and memory layer, so the result is an agent system that gets work done, with human-in-the-loop intervention at the right points to ensure verifiability and provenance.

1. Acquire

Pulls/accepts SARIF + lockfiles + SBOM, normalizes them, and indexes findings and dependency relationships.

2. Enrichment

Attaches threat intel context (KEV/EPSS/advisory flags) and reachability confidence.

3. Scoring

Joins findings + threat intel + reachability via Elasticsearch to compute Fix Priority Score and return the top set.

4. Action

Posts Slack alerts with ranked findings, generates fix bundles, and produces run report summaries with deep links.
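As an added illustration of the four-step loop (not Argonaut's own code), the following Python pass runs acquire, enrich and score over constructed SARIF-style findings and constructed KEV/EPSS/reachability context, returning the top set an action step would post. The de-duplication key, the Fix Priority Score weights and the top-set size are assumptions; Argonaut's real formula and its ES|QL joins are not described on this page.

```python
# Added example, not Argonaut's code: the acquire -> enrich -> score -> act loop above on
# constructed inputs. The Fix Priority Score weights are hypothetical; Argonaut's real
# formula and its ES|QL joins are not on this page.
SEVERITY = {"error": 3.0, "warning": 2.0, "note": 1.0}
# Constructed SARIF-style results from two scanners; one CVE is reported by both.
SARIF_RUNS = [
    {"tool": "scanner-a", "results": [
        {"ruleId": "CVE-0000-0001", "level": "error", "uri": "src/handlers/upload.py"},
        {"ruleId": "CVE-0000-0002", "level": "warning", "uri": "src/util/dates.py"}]},
    {"tool": "scanner-b", "results": [
        {"ruleId": "CVE-0000-0001", "level": "error", "uri": "src/handlers/upload.py"},
        {"ruleId": "CVE-0000-0003", "level": "error", "uri": "vendor/legacy/xml.py"}]},
]
# Constructed threat-intel (KEV/EPSS) and reachability confidence, keyed by CVE id.
INTEL = {"CVE-0000-0001": {"kev": True, "epss": 0.92},
         "CVE-0000-0002": {"kev": False, "epss": 0.04},
         "CVE-0000-0003": {"kev": False, "epss": 0.61}}
REACHABILITY = {"CVE-0000-0001": 0.9, "CVE-0000-0002": 0.0, "CVE-0000-0003": 0.3}

def acquire(runs):
    """Normalize results and merge duplicates (same CVE, same file) across scanners."""
    findings = {}
    for run in runs:
        for r in run["results"]:
            f = findings.setdefault((r["ruleId"], r["uri"]), {
                "cve": r["ruleId"], "uri": r["uri"], "level": r["level"], "sources": []})
            f["sources"].append(run["tool"])
    return list(findings.values())

def enrich(findings, intel, reach):
    """Attach KEV/EPSS and reachability; unknown context counts as no evidence."""
    for f in findings:
        ctx = intel.get(f["cve"], {})
        f["kev"], f["epss"] = ctx.get("kev", False), ctx.get("epss", 0.0)
        f["reachable"] = reach.get(f["cve"], 0.0)
    return findings

def fix_priority_score(f):
    """Hypothetical weights: severity + KEV bonus + EPSS and reachability scaled by 3."""
    return round(SEVERITY.get(f["level"], 1.0) + (4.0 if f["kev"] else 0.0)
                 + 3.0 * f["epss"] + 3.0 * f["reachable"], 2)

def rank(findings, top_n):
    """Deterministic order: score desc, then CVE id and path, so reruns never reorder ties."""
    for f in findings:
        f["score"] = fix_priority_score(f)
    return sorted(findings, key=lambda f: (-f["score"], f["cve"], f["uri"]))[:top_n]

def triage(runs=SARIF_RUNS, intel=INTEL, reach=REACHABILITY, top_n=2):
    """Full loop; the returned top set is what an action step would post or bundle."""
    return rank(enrich(acquire(runs), intel, reach), top_n)
```

The duplicate report of the same CVE from both scanners collapses into one finding with two sources, and the KEV-listed, reachable finding lands first regardless of which scanner reported it.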

Before Argonaut

Manual, Fragmented, Multi-System Triage

Trigger Event

CI pipeline completes. GitHub + SCA tool push new findings. Engineer receives SARIF alerts, Snyk notifications, emails, and Slack pings.

Process Steps

Step 1: Tool Hopping (20-40m)

Opening 8+ tools, downloading files, checking CVE pages manually. Cognitive overload.

Step 2: Manual Correlation (30-60m)

Grepping codebase, inspecting dependency tree, checking exploit reports. Heuristic guesswork.

Step 3: Prioritization Guesswork (20m)

Narrowing 800 findings down to 12. Subjective, not deterministic.

Step 4: Action Creation (20-30m)

Manually creating tickets, linking CVEs, posting to Slack.

Total Time: 1.5 to 3 hours
Emotional State: Cognitive overload, fatigue

After Argonaut

Agent-Orchestrated, Context-Driven, Action-Complete

Trigger Event

Security scanning tool outputs scan results via upload, API call, or MCP server.

Process Steps

Step 1: Acquisition (<10s)

Ingests SARIF, lockfile, SBOM. Normalizes findings automatically.

Step 2: Enrichment (<15s)

Matches CVEs to intel (KEV/EPSS), runs reachability, adds blast radius metadata.

Step 3: Deterministic Scoring (<5s)

ES|QL joins findings + intel + reachability. Ranks 800 findings → 5 fix-first automatically.

Step 4: Action (1 click)

Engineer clicks 'Generate Fix'. Argonaut generates fix bundles and posts Slack summary with ranked findings.

Total Time: < 2 minutes
Emotional State: Confidence, clarity, no guesswork

Side-by-Side Comparison

Direct metrics showing the Argonaut advantage.

Stage                  Before          After Argonaut
Tools opened           5–8             1
Manual joins           Yes             No (ES|QL)
Reachability check     Manual grep     Automated
Threat intel lookup    Manual          Automated
Ticket creation        Manual          Automated
Time                   1.5–3 hours     < 2 minutes
Confidence             Heuristic       Evidence-backed
Audit trail            Scattered       Centralized

System-Level Impact

Before

  • Triage knowledge lives in individuals.
  • Prioritization varies between engineers.
  • High cognitive load.
  • Repeated manual steps every build.

After

  • Triage becomes standardized.
  • Prioritization is deterministic.
  • Every decision is explainable.
  • Action is integrated into workflow.

"Before Argonaut, triage required manually correlating SARIF, lockfiles, CVE feeds, and Slack threads. After Argonaut, one bundle triggers structured ingestion, deterministic scoring, and automated Slack actions — all in under a minute."

Powered by Elastic Agent Builder