Saved February 14, 2026
Slack's Security Engineering team details how they developed AI agents to enhance their investigation process for security alerts. The article outlines their transition from a basic prototype to a structured system that uses defined personas to streamline investigations and improve accuracy.
Slack's Security Engineering team is transforming its security investigation process using AI agents. They handle billions of security events daily and rely on a detection system to manage alerts during on-call shifts. The initial prototype of their service, launched in May 2025, was a basic prompt framework guiding security analysts through investigations. However, this early version produced inconsistent results, sometimes leading to inaccurate conclusions. To improve performance, the team shifted from a single prompt to a series of structured tasks, each focused on a specific aspect of the investigation.
The refined approach divides the investigation into distinct tasks managed by specialized personas: the Director, Expert, and Critic agents. The Director oversees the investigation, asking targeted questions to the Expert agents, who each specialize in different domains like access management or threat analysis. The Critic evaluates the findings from the Experts, providing credibility scores and insights to ensure the investigation maintains accuracy. This structured output method enhances control over the investigation process and reduces variances in findings.
Using a "knowledge pyramid," the system optimally allocates resources, utilizing different model versions for each persona based on the task's complexity. The investigation is organized into phases, starting with the Discovery phase, where all data sources are examined. The Director makes strategic decisions about whether to continue in the current phase or advance, ensuring a thorough and methodical approach to security investigations. This system aims to streamline operations and enhance the overall security posture of Slack's infrastructure.