Jun 18, 2026
Agentra: Multi-Agent Framework Improves Enterprise Cybersecurity Response

Researchers introduced Agentra, a multi-agent framework that automates enterprise intrusion response by converting security alerts into structured incident response plans grounded in MITRE and NIST standards. Testing on 120 security events showed the system improved response F1 scores from 0.61 to 0.84 while maintaining analyst control and eliminating harmful automated overreactions.

Quick Facts
Who: Agentra researchers
What: Framework submitted to arXiv for peer review
When: Submitted on 16 June 2026
Where: arXiv Computer Science > Cryptography and Security
- Framework submitted to arXiv for peer review
- Converts IDS, EDR, and XDR alerts to structured incident response plans
- Implements multi-agent response reasoning with role-scoped agents
- Validates plans through Planner-Validator review loop
- Screens threat intelligence through Moderator security gateway
Researchers have submitted a new paper to arXiv describing Agentra, a supervisable multi-agent framework designed to automate and improve enterprise intrusion response. Traditional enterprise intrusion response has relied on static playbooks and manual analyst-driven triage, creating significant delays between alert generation and threat containment. Agentra addresses this limitation by converting security alerts from intrusion detection systems (IDS), endpoint detection and response (EDR), and extended detection and response (XDR) platforms into structured incident response plans aligned with industry standards including MITRE ATT&CK, MITRE D3FEND, and NIST CSF 2.0.
The framework decomposes response reasoning across multiple specialized agents assigned to different roles. Proposed response plans are validated through a bounded Planner-Validator review loop, while retrieved threat intelligence is screened through a Moderator security gateway. Actions are gated through an Action Catalog and risk scoring mechanism, with all decisions recorded in an append-only audit log to maintain auditability and analyst control over automated responses.
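As an added illustration, not Agentra's own code, the sketch below shows the supervisable control pattern this paragraph describes: a bounded Planner-Validator loop over an Action Catalog with risk scores, an analyst hold for high-risk actions, and a hash-chained append-only audit log. The catalog entries, risk thresholds, planner rules and alert fields are all assumptions made for the example.

```python
import hashlib, json
# Constructed Action Catalog: permitted actions with an assumed risk score in [0, 1].
ACTION_CATALOG = {"open_ticket": 0.1, "collect_forensics": 0.2,
                  "block_ip": 0.5, "isolate_host": 0.8, "disable_account": 0.9}
AUTO_APPROVE_MAX_RISK = 0.4  # assumed: riskier actions are held for analyst approval
MAX_REVIEW_ROUNDS = 3        # bounds the Planner-Validator review loop

def planner(alert, rejected=()):
    """Toy planner: escalates with severity, then drops whatever the validator rejected."""
    plan = ["open_ticket", "collect_forensics"]
    if alert["severity"] >= 7:
        plan += ["block_ip", "isolate_host"]
    return [a for a in plan if a not in rejected]

def validator(alert, plan):
    """Reject actions absent from the catalog or riskier than the alert's confidence justifies."""
    return [a for a in plan
            if ACTION_CATALOG.get(a) is None or ACTION_CATALOG[a] > alert["confidence"]]

def append_audit(log, record):
    """Append-only log: every entry commits to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else "0" * 64
    digest = hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
    log.append({"prev": prev, "record": record, "hash": digest})

def verify_audit(log):
    """Recompute the chain; any edited or removed entry breaks a later hash."""
    prev = "0" * 64
    for entry in log:
        body = json.dumps(entry["record"], sort_keys=True)
        if entry["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def respond(alert, log):
    """Bounded review loop; returns (auto-executed actions, actions held for analyst approval)."""
    rejected, plan = [], []
    for _ in range(MAX_REVIEW_ROUNDS):
        plan = planner(alert, rejected)
        new = validator(alert, plan)
        append_audit(log, {"alert": alert["id"], "plan": plan, "rejected": new})
        if not new:
            break
        rejected += new
    plan = [a for a in plan if a not in rejected]  # fail closed if the rounds ran out
    auto = [a for a in plan if ACTION_CATALOG[a] <= AUTO_APPROVE_MAX_RISK]
    pending = [a for a in plan if a not in auto]
    append_audit(log, {"alert": alert["id"], "auto": auto, "pending": pending})
    return auto, pending
```

With a constructed severity-8 alert at confidence 0.55, the validator rejects host isolation in round one, the second round passes, ticketing and forensics run automatically, and the IP block waits for an analyst; a near-zero-confidence alert yields no actions at all.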
The researchers evaluated Agentra against a static OASIS CACAO v2.0 cyber-playbook baseline using a corpus of 120 events from ThreatHunter-Playbook, Splunk BOTSv3, and DARPA OpTC datasets. The strongest configuration achieved significant improvements, raising the false-positive-aware Intrusion Response System F1 score from 0.61 to 0.84. Critically, the system restored the harmful-action rate to 0.0% following iterations where Planner-only configurations introduced unsafe overreaction, demonstrating the value of the validation and moderation mechanisms.
The results indicate that multi-agent response planning can expand intrusion response coverage while maintaining essential safeguards for analyst approval and auditability. By automating routine response decisions and structuring them around established cybersecurity frameworks, Agentra aims to reduce the time between alert and containment while preserving human oversight of critical security decisions.
Why This Matters
Agentra addresses a critical gap in enterprise cybersecurity: the delay between security alert generation and effective threat containment. By automating routine incident response decisions while maintaining human oversight through validation gates and audit logs, the framework can reduce mean time to containment (MTTC) without sacrificing safety. The 38% relative improvement in F1 score and the elimination of harmful automated actions demonstrate the system's potential to help resource-constrained security teams scale their response capabilities against evolving threats.
Timeline & Sources
Jun 16, 2026 (Wire): Agentra paper submitted to arXiv
Jun 18, 2026 (Wire): Agentra paper published on arXiv