The Named Roles

Secure60 maintains eight standard agent templates covering the most common security operations roles. Each role is designed to handle a specific set of tasks using the data, rules and context already in the platform.

Work with Secure60 to determine which roles make sense for your environment and to configure them for your specific needs.


Role 01 — L1 Triage Analyst

Performs initial assessment of incoming threats. Reads the signal, gathers context from related events and entities, and produces a structured triage summary with a recommended priority.

What it does:

Best suited for: Organisations with high alert volumes who want consistent, fast initial triage across all incoming threats.


Role 02 — SOC L2 / L3 Analyst

Deeper investigation of escalated threats. Correlates across data sources, builds a timeline of activity, identifies scope of impact, and produces detailed investigation notes.

What it does:

Best suited for: Teams that need deeper analysis after initial triage, or where L2/L3 analyst time is the bottleneck.


Role 03 — Threat Hunter

Proactive searching for indicators and attack patterns across historical data. Runs hunts based on threat intelligence, known TTPs, or hypotheses about attacker behaviour.

What it does:

Best suited for: Organisations that want proactive threat hunting capability without dedicating full-time analyst resources.


Role 04 — Detection Engineer

Reviews detection rule coverage, identifies gaps, and recommends improvements. Analyses false positive rates and suggests tuning adjustments.

What it does:

Best suited for: Teams that want to continuously improve detection quality without dedicating permanent detection engineering resource.


Role 05 — Vulnerability Manager

Monitors vulnerability scan results, prioritises based on environment context, and tracks remediation progress. Cross-references with threat intelligence to highlight actively exploited vulnerabilities.

What it does:

Best suited for: Organisations running Secure60 vulnerability management who need consistent prioritisation and tracking.


Role 06 — Governance & Compliance Tracker

Monitors control review schedules, evidence collection status, and compliance posture. Produces regular compliance summaries and flags overdue items.

What it does:

Best suited for: Regulated organisations that need continuous visibility of their compliance posture across frameworks (PCI DSS, ISO 27001, NIST CSF, ASD Essential 8, AI governance frameworks).


Role 07 — Incident Responder

Coordinates response activity during active incidents. Gathers relevant evidence, tracks containment actions, and maintains an incident timeline.

What it does:

Best suited for: Teams that need structured incident response coordination, particularly after hours or when response capacity is limited.


Role 08 — Risk & Audit Reporter

Produces executive-level risk and audit reports. Aggregates findings across pillars into structured summaries suitable for board reporting and audit evidence.

What it does:

Best suited for: CISOs and risk teams who need regular executive reporting without manual data aggregation.


Custom Roles

The eight named roles cover the most common needs, but every organisation is different. Secure60 can scope and build custom workers tailored to your specific operational requirements. See Custom Workers for details on the process.
