# What is Radiant Security?

Radiant is an AI-powered SOC platform that delivers deep, automated triage and response across your entire security stack — including the complex, multi-stage attacks that span multiple alerts and tools and that other solutions cannot handle. Radiant ingests alerts from your existing security tooling, runs them through an automated triage pipeline, and produces a verdict with full investigative context for analyst review.

Radiant sits as an intelligent layer between your security tooling and your analysts. Alerts flow in from your SIEM, EDR, identity, cloud, and network sources. Radiant extracts the artifacts inside each alert, executes a structured triage plan, and assigns one of three verdicts: Recommended Benign, Likely Benign, or Recommended Malicious. Analysts review the verdict, accept or reject it, and create cases for the alerts that warrant further investigation and response.

This article covers the [core architecture](#core-architecture), [how Radiant fits into your security stack](#how-radiant-fits-into-your-stack), the [integrations](#integrations) that connect Radiant to your existing tools, and [who uses Radiant](#who-uses-radiant).

### Core architecture

Radiant is built around three integrated components:

{% stepper %}
{% step %}

#### Agentic AI triage

Radiant's AI triage and research agents investigate every incoming alert with the depth and reasoning of a seasoned analyst. Every alert, not a sampled subset of the queue, receives a complete investigation that produces a transparent, reviewable verdict rather than just a score. For a complete walkthrough of how alerts move through the pipeline, see [The Radiant Data Pipeline](https://help.radiantsecurity.ai/radiant-connectors/section-overview/the-radiant-data-pipeline).
{% endstep %}

{% step %}

#### Integrated response

Radiant includes a built-in case management layer where analysts review verdicts, group related alerts into cases, and execute response actions on the artifacts surfaced during triage — all without leaving the platform. Available response actions are determined by the tenant's active connectors and the artifact types involved.
{% endstep %}

{% step %}

#### Log management

Radiant includes a built-in security data lake that stores, indexes, and queries all your security logs in one place. Log Management is fully integrated with the triage pipeline — queries executed during Enrichment and Execution can pull from your indexed log data alongside data retrieved from connected tools — and remains available to analysts as a standalone search interface for investigation, threat hunting, and historical analysis.
{% endstep %}
{% endstepper %}

### How Radiant fits into your stack

Radiant operates alongside your existing tools. The typical data flow:

1. Your SIEM, EDR, identity, network, and other security tools generate alerts as they normally would.
2. Radiant ingests those alerts in real time through connectors that support API pull, query APIs, webhooks, syslog, S3, and the [Radiant Security Agent](/radiant-connectors/data-connectors/install-the-radiant-security-agent.md).
3. Each alert enters the triage pipeline, where Radiant extracts artifacts, executes a plan against your connected tools and external threat intelligence sources, and assigns a verdict.
4. Verdicts are surfaced to analysts with the full triage record attached, including every task, question, and query that informed the verdict.
5. Analysts accept or reject the verdict, group related alerts into cases where appropriate, and trigger response actions.
6. Alerts assigned a benign verdict are documented with the reasoning that produced the verdict, preserving a complete audit trail.

### Integrations

Radiant connects to your security stack through a broad library of connectors. Connectors support multiple ingestion methods, so Radiant can adapt to whatever your source systems already emit. See [Integrations](https://radiantsecurity.ai/integrations/) for the full catalog, or contact your customer success manager to request a new connector.

### Who uses Radiant

Radiant is deployed by in-house SOC teams and MSSPs that need to scale their triage and response capacity without scaling headcount in proportion to alert volume. Common environments include:

* SOC teams where alert volume exceeds the team's capacity to investigate manually.
* Security organizations operating multiple point tools that fragment investigation and response work across separate consoles.
* Teams whose SIEM ingestion costs are limiting the data they can collect or the retention windows they can maintain.
* SOCs where analyst capacity is consumed by triaging benign alerts rather than responding to confirmed threats.
* SOC teams that want a triage system that adapts and improves based on analyst feedback over time.

