Coordination-Free Incident Response

Nordvik Financial Group

The Challenge

Nordvik Financial Group operated a security operations center built on conventional SOAR playbooks. Each incident type required a hand-authored runbook that encoded every decision, escalation path, and remediation step. When a phishing campaign morphed or a novel lateral-movement technique appeared, the rigid playbooks stalled and analysts fell back to manual triage. Twelve runbooks covered the most common scenarios; everything else landed in a general queue with an average 38-minute time-to-contain.

The core problem was coordination overhead. The SOAR platform assumed a central orchestrator that dispatched tasks to tools in a fixed sequence. Adding a new detection source meant rewiring the orchestrator. Agents could not share partial findings with one another without explicit integrations, so insights discovered by one tool stayed invisible to the rest of the pipeline.

The Solution

Nordvik deployed five autonomous security agents, each responsible for a single concern: log enrichment, identity correlation, network segmentation, threat-intel lookup, and remediation execution. No agent knows about the others. Instead, each agent publishes its artifacts into Semantik.

Semantic Routing Replaces Point-to-Point Wiring

When the log-enrichment agent emits an enriched alert, it does not address the message to a specific consumer. Semantik's semantic routing evaluates the artifact's meaning and delivers it to every agent whose subscription matches. The identity-correlation agent receives alerts involving credential anomalies; the network-segmentation agent receives alerts with lateral-movement indicators. If a new agent joins later, it declares its interest and immediately begins receiving relevant artifacts without any change to existing agents.

Subscriber-Governed Routing

Each agent controls its own subscription semantics. The threat-intel agent subscribes broadly to any artifact mentioning external IP addresses or domain indicators. The remediation agent subscribes narrowly to artifacts explicitly tagged with a containment recommendation. Subscriber-governed routing means producers never need to know who is listening or how fine-grained the filtering should be.
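The two routing properties described above, content-based delivery with no named consumer and filters owned by the subscriber rather than the producer, are easy to see in a small model. The following is an added example written for this page; it is not Semantik's API and not Nordvik's deployment. The artifact fields (`tags`, `indicators`, `containment_recommendation`), the agent names and the sample alerts are assumptions chosen to mirror the prose, and the router also shows one failure mode the text implies but does not spell out: a faulty subscriber predicate must not stall delivery to the other agents.

```python
"""Content-based routing with subscriber-owned predicates.

Added example for this page. It is not Semantik's API and not Nordvik's
deployment; artifact fields, tag names and agent names are assumptions
chosen to mirror the case study's prose.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Any, Callable, Optional

Artifact = dict[str, Any]
Predicate = Callable[[Artifact], bool]


class Router:
    """Delivers each published artifact to every subscriber whose predicate matches."""

    def __init__(self) -> None:
        self.subscriptions: dict[str, Predicate] = {}   # agent name -> its own predicate
        self.inbox: dict[str, list[Artifact]] = defaultdict(list)
        self.errors: dict[str, int] = defaultdict(int)  # predicate failures per agent

    def subscribe(self, agent: str, predicate: Predicate) -> None:
        # The subscriber, not the producer, decides how broad or narrow its filter is.
        self.subscriptions[agent] = predicate

    def publish(self, artifact: Artifact) -> list[str]:
        """Route one artifact; returns the agents that received it, in subscription order."""
        matched: list[str] = []
        for agent, predicate in self.subscriptions.items():
            try:
                hit = bool(predicate(artifact))
            except Exception:
                # A faulty predicate is counted and treated as a non-match so it
                # cannot block delivery to the remaining agents.
                self.errors[agent] += 1
                hit = False
            if hit:
                self.inbox[agent].append(artifact)
                matched.append(agent)
        return matched


def has_tag(tag: str) -> Predicate:
    return lambda a: tag in a.get("tags", [])


def has_indicator_type(*types: str) -> Predicate:
    return lambda a: any(i.get("type") in types for i in a.get("indicators", []))


def build_router() -> Router:
    """Four of the page's five agents, each declaring only its own interest (assumed filters)."""
    r = Router()
    r.subscribe("identity", has_tag("credential_anomaly"))
    r.subscribe("network", has_tag("lateral_movement"))
    r.subscribe("threat_intel", has_indicator_type("ip", "domain"))  # broad subscription
    r.subscribe("remediation", lambda a: a.get("containment_recommendation") is not None)  # narrow
    return r


# Constructed sample alerts (documentation-range IP address and example domain).
SAMPLE_ALERTS: list[Artifact] = [
    {"id": "alert-1", "tags": ["credential_anomaly"],
     "indicators": [{"type": "user", "value": "jdoe"}]},
    {"id": "alert-2", "tags": ["lateral_movement"],
     "indicators": [{"type": "ip", "value": "203.0.113.7"}]},
    {"id": "alert-3", "tags": ["credential_anomaly", "lateral_movement"],
     "indicators": [{"type": "domain", "value": "example.net"}],
     "containment_recommendation": "isolate-host"},
]


def route_sample_alerts(router: Optional[Router] = None) -> dict[str, list[str]]:
    """Publish the samples without naming a consumer; map alert id -> receiving agents."""
    router = router or build_router()
    return {a["id"]: router.publish(a) for a in SAMPLE_ALERTS}


if __name__ == "__main__":
    router = build_router()
    for alert_id, agents in route_sample_alerts(router).items():
        print(alert_id, "->", agents)
    # A late joiner declares its interest; no producer or existing agent changes.
    router.subscribe("late_agent", has_tag("lateral_movement"))
    print("after late join:", router.publish(SAMPLE_ALERTS[1]))
```

Note that the producer call is always the same `router.publish(artifact)`: adding the late agent changes only the subscription table, which is the property the case study attributes to subscriber-governed routing. In a real deployment the `errors` counter is worth alerting on, since a subscriber whose predicate keeps failing is silently missing artifacts.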

Results

Mean time to contain dropped from 38 minutes to under 4 minutes for incidents that previously required manual triage. Coverage grew from 12 static runbooks to continuous adaptation, since new agents or updated subscriptions take effect without redeploying the existing fleet. The operations team eliminated all point-to-point integrations between security tools, reducing the integration surface from 20 maintained connectors to zero.