Dock for security operations is a workspace where a triage agent, an incident-response drafter, and a control-evidence collector all write into one audit-ready surface. Splunk holds events. CrowdStrike holds detections. Vanta holds the control catalog. Dock holds the interpreted alert queue, the runbook draft, the analyst who approved containment, and the SOC 2 evidence timestamp. SecOps fails not when the alert fires but when the response cannot be reconstructed six months later.
Splunk, CrowdStrike Falcon, Datadog Security, Vanta, and Drata stay the system of record for raw security data: events, detections, posture findings, control definitions. Dock is the system of record for what the agent interprets: the prioritized triage queue, the containment decision, the analyst sign-off, the audit log. Each Dock row carries a pointer back to the platform record (splunk_event_id, crowdstrike_detection_id), agent identity, decision, reviewer, and timestamp. The agent re-fetches Splunk and Falcon via fresh API reads when it needs current state. Dock holds the persistent interpretive layer that survives shift handoffs, analyst rotations, and external audits.
The triage queue surface
A Dock table named soc_triage_queue is where the agent writes every interpreted alert:
| row_id | splunk_event_id | crowdstrike_detection_id | severity | agent_rationale | recommended_action | analyst_reviewer | decision | decided_at |
|---|---|---|---|---|---|---|---|---|
| 4812 | spl-91a4 | cs-det-7733 | High | Lateral movement pattern from finance-dept host; matches MITRE T1021.002 | Isolate host, open IR | mei.t | Approved isolation | 2026-05-30T09:14Z |
| 4813 | spl-91b0 | null | Medium | Anomalous OAuth grant to unknown app; user is exec assistant | Revoke grant, notify user | (pending) | (pending) | (pending) |
| 4814 | spl-91c1 | cs-det-7741 | Low | Known-good admin tool flagged; whitelisted in prior incident #4602 | Close as benign | mei.t | Closed benign | 2026-05-30T09:21Z |
Every column is queryable. Every decision is attributed to a named reviewer and carries its own timestamp.
A worked workflow
A Falcon detection fires at 09:13 on a finance host. The triage agent reads the detection, cross-references the Splunk event stream for the same host, and writes row 4812 with rationale and a recommended containment. The recommendation crosses the dangerous-ops contract because network containment takes a production host offline the moment it is applied; Falcon can lift containment later, but the disruption itself cannot be undone. A two-key handshake routes it to an on-call analyst. Mei approves; the agent calls Falcon's containment API; the row updates with decided_at, decision, and a hash of the API response. The IR runbook is appended in the same workspace, and the evidence row for SOC 2 CC7.2, tracked in Vanta, is auto-attached. The auditor reads one Dock surface, not three.
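The gate the workflow describes, as an added example that is not Dock's own code: a row model for soc_triage_queue, a second-key approval that refuses self-approval and unknown reviewers, an executor that will not call the platform for a dangerous action until the row carries that approval, and a SHA-256 of the canonical API response written back to the row. The action names, the on-call roster, the agent identity string and the stand-in Falcon call are assumptions for illustration; the real Falcon client is not used.

```python
"""Added example (not Dock's or CrowdStrike's code): the dangerous-ops contract as a gate
around a triage row. Roster, action names and the Falcon stub are assumptions."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Actions that cross the dangerous-ops contract and need a named second key (assumed list).
DANGEROUS_ACTIONS = {"isolate_host", "revoke_oauth_grant", "disable_account"}

# Constructed on-call roster: only these identities may act as the second key.
ON_CALL_ANALYSTS = {"mei.t", "jordan.k"}


class ContractViolation(Exception):
    """Raised when a dangerous action is attempted without a valid second key."""


@dataclass
class TriageRow:
    row_id: int
    agent_identity: str
    splunk_event_id: str
    crowdstrike_detection_id: Optional[str]
    severity: str
    agent_rationale: str
    recommended_action: str
    analyst_reviewer: Optional[str] = None
    decision: Optional[str] = None
    decided_at: Optional[str] = None
    api_response_hash: Optional[str] = None


def approve(row: TriageRow, reviewer: str, decision: str) -> TriageRow:
    """Second key: a named on-call analyst records a decision. The agent cannot approve itself."""
    if reviewer not in ON_CALL_ANALYSTS:
        raise ContractViolation(f"{reviewer} is not on the on-call roster")
    if reviewer == row.agent_identity:
        raise ContractViolation("agent identity cannot act as its own second key")
    row.analyst_reviewer = reviewer
    row.decision = decision
    row.decided_at = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return row


def fake_falcon_contain(host_id: str) -> dict:
    """Stand-in for the Falcon containment API (assumption; not the real client)."""
    return {"resources": [{"id": host_id, "status": "contained"}]}


def execute(row: TriageRow, target: str,
            api: Callable[[str], dict] = fake_falcon_contain) -> TriageRow:
    """Gate: refuse to touch the platform unless an approved decision is already on the row."""
    if row.recommended_action in DANGEROUS_ACTIONS:
        if not (row.analyst_reviewer and row.decision and row.decided_at):
            raise ContractViolation(f"row {row.row_id}: {row.recommended_action} needs a second key")
        if not row.decision.lower().startswith("approved"):
            raise ContractViolation(f"row {row.row_id}: decision was '{row.decision}', not an approval")
    response = api(target)
    # Hash the canonical JSON of the response so the row proves what the platform returned.
    canonical = json.dumps(response, sort_keys=True, separators=(",", ":")).encode()
    row.api_response_hash = hashlib.sha256(canonical).hexdigest()
    return row


def audit_record(row: TriageRow) -> dict:
    """What an auditor asks for: who decided what, when, against which platform record."""
    keys = ("row_id", "agent_identity", "analyst_reviewer", "decision", "decided_at",
            "splunk_event_id", "crowdstrike_detection_id", "api_response_hash")
    return {k: getattr(row, k) for k in keys}


def demo() -> tuple[bool, TriageRow]:
    """Walk row 4812 through the contract: blocked before approval, executed after."""
    row = TriageRow(4812, "triage-agent-v3", "spl-91a4", "cs-det-7733", "High",
                    "Lateral movement pattern from finance-dept host; matches MITRE T1021.002",
                    "isolate_host")
    blocked = False
    try:
        execute(row, "host-fin-0042")          # no second key yet: must raise
    except ContractViolation:
        blocked = True
    approve(row, "mei.t", "Approved isolation")
    execute(row, "host-fin-0042")              # allowed now; row gains decided_at and response hash
    return blocked, row


if __name__ == "__main__":
    was_blocked, final_row = demo()
    print(json.dumps(audit_record(final_row), indent=2))
```

The point of hashing rather than copying the response is that Falcon stays the system of record for the raw payload while the Dock row still lets an auditor prove which response the decision produced. Benign closes (row 4814 above) never enter the gate, so the contract adds friction only where the action is disruptive.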
Why it matters
SOC teams already use agents for first-pass triage. The risk was never the recommendation itself. The risk is that the recommendation, the analyst review, and the action live in three systems with no shared identity. Dock collapses them into one row, one agent identity, one named reviewer.
Compliance is the second beneficiary. SOC 2 CC7.x and the ISO 27001 incident-management controls (Annex A.16 in the 2013 edition, A.5.24 to A.5.28 in the 2022 edition) both require evidence that incidents were detected, triaged, and responded to with documented review. A Dock workspace shared with the compliance team produces that evidence as a byproduct, not a quarterly scramble. The pattern carries to the adjacent IT operations workspace, where change tickets follow the same attribution discipline.
Auditors want a queryable log of who decided what, when, against which platform record. That is agent audit and compliance in practice, and it is what Dock writes by default.
Start a security-operations workspace on Dock.
FAQ
Q: Does Dock replace Splunk or CrowdStrike? No. Splunk, Falcon, and Datadog Security remain the source of truth for raw events and detections. Dock holds interpretation, decision, and audit trail. The agent re-fetches platform data when it needs current state.
Q: How does Dock handle containment and other disruptive or hard-to-reverse actions? Through the dangerous-ops contract. The agent writes the recommendation into a Dock row; a two-key handshake routes the action to a named analyst; only after explicit approval does the agent call the containment API.
Q: Is the audit trail sufficient for SOC 2 and ISO 27001? Each row carries agent_identity, analyst_reviewer, decision, decided_at, splunk_event_id, crowdstrike_detection_id, and the hash of the platform API response. That maps to SOC 2 CC7.2 (monitoring and detection), CC7.3 (evaluation of security events) and CC7.4 (incident response), and to the ISO 27001 incident-management controls (Annex A.16 in the 2013 edition, A.5.24 to A.5.28 in 2022). Sufficiency is the auditor's judgment; the row supplies the who, what, when, and against-which-record that the judgment rests on.
Q: What frameworks does the agent reason against? The rationale field cites MITRE ATT&CK technique IDs and follows the incident-handling phases from NIST SP 800-61 Rev. 2 (preparation; detection and analysis; containment, eradication and recovery; post-incident activity). See also the SANS Incident Handler's Handbook.