Concepts & Configuration

This page explains the core building blocks of Secure60 digital workers: templates, deployments, knowledge, learnings and LLM configuration.

Agent Templates

A template defines what a digital worker does. It includes a system prompt, a role identifier, available capabilities, and a default LLM model. Secure60 maintains a library of managed templates for common security roles. Organisations can also work with Secure60 to create custom templates for specific needs.

Templates are versioned. When Secure60 publishes a new version of a managed template, deployments that track the latest version roll forward automatically. You can also pin a deployment to a specific version if you need stability.

Key properties:

Slug — A unique identifier used to route work to the right agent code.
Role — The dispatcher role that determines which agent logic handles the work.
Version — Integer version number. Each update creates a new version.
Visibility — Controls who can see and deploy the template: public (all organisations), entitled (specific organisations granted access), or private.
Default model — The LLM model the agent uses unless overridden at deployment.

Deployments

A deployment is a running instance of a template inside a project. You configure it with:

Name — A human-readable label for this deployment.
Project scope — Which project the agent operates in (or org-wide).
Track latest — Whether to auto-roll to new template versions or pin to a specific version.
Threat group routing — Which threat groups this agent should process.
Knowledge collections — Which curated knowledge sets the agent has access to.
LLM override — Use the Secure60 default or a custom LLM configuration.

Deployments can be paused and resumed. When paused, the agent stops picking up new work but existing sessions complete normally.

Knowledge

Knowledge is the contextual information an agent retrieves during investigation to make better decisions. There are three types:

Knowledge Sources

Facts about your environment — network ranges, team conventions, internal systems, escalation procedures, playbooks. Each source is a piece of text the agent retrieves when relevant.

Sources can be scoped at three levels:

Organisation — Available to all agents in the organisation.
Project — Available to agents operating in a specific project.
Deployment — Available only to one specific deployed agent.

Learnings

Corrections and feedback that refine how an agent behaves. When you review a session and see a decision that should have gone differently, capture the correction as a learning. The agent applies it on future runs.

Learnings can be added:

Directly from the Knowledge tab.
In-context from an agent session (the surrounding context is pre-filled).
In-context from a threat detail page.

New learnings start in PROPOSED status and require approval before they take effect.

Collections

Named groupings of knowledge sources. Use collections to curate reference material (e.g. “PCI DSS 4.0.1”, “ISO 27001 controls”) and assign it to specific deployments. Most setups do not need collections — they are useful when you have structured compliance or reference content you want to scope carefully.

LLM Configuration

By default, deployed agents run on Secure60-managed LLMs. There is nothing for you to configure.

If you need to bring your own LLM credentials — for compliance, cost control, or model preference reasons — contact Secure60 support. The team will enable a custom LLM configuration for your organisation. Custom configs support multiple providers and models, and require Secure60 approval before they become active.

Agent Capabilities

Templates can define a model palette — a list of named capabilities the agent can use during a session. Each capability has:

Label — What the capability is called (e.g. “investigator”, “summariser”).
Default model — Which LLM model is used for this capability.
Description — What the capability does.
Override policy — Whether the deployment can change the model for this capability.

This lets a single agent use different models for different tasks — for example, a fast model for initial triage and a more capable model for deep investigation.

Triggers

Each deployment has a trigger configuration that determines when the agent runs:

Object type — What kind of object triggers the agent (e.g. Threat).
Type — How the trigger fires (e.g. monitor for continuous watching, or on-demand).

Trigger configuration is typically set by Secure60 during the deployment process.