Investigation (ISTRAGA)
The reasoning layer that turns security data into actionable intelligence.
Security teams are drowning in alerts. Scanners produce findings. SIEMs produce events. Threat feeds produce indicators. The challenge isn't getting data — it's synthesizing it into a coherent picture of what actually matters and why.
SPNT's investigation module (ISTRAGA) is an adversarial reasoning engine that reads the entire substrate and produces written analysis. Not dashboards. Not alert counts. Structured reasoning that explains what's happening, why it matters, and what to do about it — with citations to the substrate evidence it's based on.
Five structured reasoning outputs
ISTRAGA produces five types of analysis, each designed for a specific decision context:
- Operational Digest. A daily summary of security state changes. New findings, resolved findings, control drift, emerging patterns. Written for the security operations team.
- Prioritization Output. Which findings matter most right now, and why. Factors in exploitability (from NAPAD), threat intelligence enrichment, asset criticality, and exposure state.
- Consequence Analysis. For critical findings, a written analysis of likely attack paths and business impact. What could an attacker do with this? What systems are downstream?
- Remediation Sequence. Given your current finding set and resource constraints, what order should you fix things? Accounts for dependencies, blast radius, and effort.
- Confidence Assessment. For each major claim, a calibrated confidence level. What evidence supports this? What could change the assessment?
Autonomous research engine
Beyond structured outputs, ISTRAGA runs an autonomous research loop. It continuously scans the substrate for concerning patterns — unusual combinations of findings, drift in critical controls, correlations that suggest emerging attack paths — and investigates them without waiting for an analyst to notice.
When the research engine identifies something worth attention, it produces a research brief: what it found, why it matters, what substrate records led to the conclusion, and what questions remain open.
Evidence grounding
Every claim ISTRAGA makes cites the substrate records it's based on. Click a claim, see the evidence. If the underlying findings change, the analysis updates.
This is not a chatbot bolted onto a dashboard. ISTRAGA has read access to the same canonical data model that every other module writes to. Its reasoning is grounded in the same evidence chains that power detection, governance, and offense verification.
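As an added illustration (not SPNT's code, and not how ISTRAGA actually scores), the following Python sketch models a Prioritization Output that combines the four factors listed above, attaches to every claim the substrate record ids it cites, and recomputes the ranking when a record changes, as the evidence-grounding section describes. The field names, weights and sample findings are assumptions for this example only.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    """Stand-in for a substrate record; fields are assumptions, not SPNT's data model."""
    record_id: str            # substrate record id the claim cites
    asset: str
    exploitability: float     # 0..1, e.g. from an exploitability check (NAPAD on this page)
    threat_intel: float       # 0..1, enrichment: active exploitation, known campaign
    asset_criticality: float  # 0..1, business criticality of the asset
    exposed: bool             # exposure state: reachable from untrusted networks
    evidence: list[str] = field(default_factory=list)  # supporting record ids

# Illustrative weights; a real engine would calibrate these (Confidence Assessment).
WEIGHTS = {"exploitability": 0.35, "threat_intel": 0.25,
           "asset_criticality": 0.25, "exposure": 0.15}

def score(f: Finding) -> float:
    """Weighted priority in [0, 1]."""
    s = (WEIGHTS["exploitability"] * f.exploitability
         + WEIGHTS["threat_intel"] * f.threat_intel
         + WEIGHTS["asset_criticality"] * f.asset_criticality
         + WEIGHTS["exposure"] * (1.0 if f.exposed else 0.0))
    return round(s, 3)

def prioritize(findings: list[Finding]) -> list[dict]:
    """Rank findings; every entry carries the evidence chain that grounds it."""
    ranked = sorted(findings, key=score, reverse=True)
    return [{"record": f.record_id, "asset": f.asset, "priority": score(f),
             "cites": [f.record_id, *f.evidence]} for f in ranked]

def rerank_after_change(findings: list[Finding], record_id: str, **changes) -> list[dict]:
    """A substrate record changed: rebuild the analysis instead of reusing stale output.
    The original list is left untouched so the previous output stays reproducible."""
    updated = [Finding(**{**vars(f), **changes}) if f.record_id == record_id else f
               for f in findings]
    return prioritize(updated)

# Constructed sample findings (not real data).
SAMPLE = [
    Finding("F-1", "web-01", 0.9, 0.8, 0.6, True, ["scan-1001", "ti-2001"]),
    Finding("F-2", "db-01", 0.4, 0.2, 1.0, False, ["scan-1002"]),
    Finding("F-3", "jump-01", 0.7, 0.1, 0.7, True, ["scan-1003", "ctl-3001"]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```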
EU inference compliance
See adversarial reasoning in action
A demonstration showing how ISTRAGA synthesizes findings across modules into actionable intelligence — with full evidence citations.