Security programs scale on artifacts. During an incident, escalation depends on what gets produced in the first minutes, and whether it can be reused across teams, shifts, and stakeholders.
That is the gap AI should close.
Cantina MDR now includes AI triage that produces structured output designed to function as an incident brief. The goal is simple: analysis that is consistent enough to route, act on, and review without reinterpreting it each time.
The Cost of Unstructured Incident Triage
Most incident response failures are not caused by missing alerts. They happen because analysis is hard to hand off. This "context debt" slows down the entire incident lifecycle.
Free-form triage tends to create predictable issues:
- Subjective Interpretation: The same signal gets interpreted differently by different responders.
- Friction in Escalation: Escalation becomes subjective, especially when security, engineering, and governance need to align quickly.
- Reconstruction Work: Post-incident review turns into reconstruction work rather than strategic analysis, because the reasoning and evidence are scattered.
Institutions feel this more acutely. They do not only ask “did you detect it.” They ask how decisions were made, who had authority, what evidence supported action, and what can be audited later.
Standardizing incident response through structured triage turns analysis into something an organization can operate on.
Automating Incident Response with AI-Driven Triage
AI triage in MDR now outputs a stable structure you can use as part of your incident response workflow. You can treat it as the default brief that gets routed to the decision owner, becoming part of the evidence trail and ensuring SOC efficiency.
Typical elements included in a standard Incident Brief:
- Observation: what was observed and where it surfaced
- Scope: what assets or systems appear implicated
- Impact: why it matters, including potential impact
- Evidence pointers: pointers to supporting evidence (transactions, addresses, logs)
- Recommended next actions: specific paths tied to your response playbooks
The value is not verbosity. It is consistency. A brief that looks the same every time is easier to scan, easier to escalate, and easier to map to playbooks and approvals.
Supporting context inside the incident workflow
This release also tightens how responders pull transaction context during triage and investigation.
Transaction details now include a BlockSec dropdown item so additional analysis and reference can be accessed from within the incident flow. This reduces the number of tool pivots during investigation and keeps the working context in one place.
Reliability and platform foundation
Reliability is the foundation of security maturity. A response platform has to behave predictably, especially when incident data is messy.
To support this, alongside AI triage and transaction context updates, MDR now includes:
- More resilient incident log rendering, including tolerance for malformed event data, so timelines remain visible during investigations.
- Better error logging, supporting faster diagnosis when something unexpected happens in the workflow.
- An upgrade to Next.js 16, improving the foundation the MDR app is built on.
- A set of small quality-of-life updates across the app.
The Future of SecOps in 2026: From Anomaly Detection to Decision Discipline
Looking forward to 2026, security maturity is moving past simple detection and toward decision discipline.
More teams can detect anomalies than can authorize and execute containment cleanly. For institutional operators, the difference is often the presence of a reusable incident artifact that supports governance, approvals, and audits without slowing down your MTTR.
AI triage becomes valuable when it produces that artifact by default.
Ready to see how structured triage fits into your MDR workflow? Talk to the Cantina team to learn about automated escalation and pause authorization.