Cortex

· #181 most-used

Run every security analyzer. Fire every responder. From one agent.

Security · Analytics · Developer · Automation · AI

Cortex is a security analytics engine built for SOCs, CSIRTs, and threat hunters — it lets you submit any observable (IP, domain, URL, file hash) to dozens of analyzers simultaneously and respond to confirmed threats with a single API call. Connect Cortex to Actionist and your agents can execute analyzers against live IoCs, retrieve structured verdict reports, fire responders to block IPs or quarantine endpoints, and chain the results into TheHive cases, Slack alerts, and SIEM enrichment — all without an analyst touching a browser.

Average time saved
10 hours
per person · per month
about 1 workday back

Eliminates manual work. Cortex automation eliminates the manual copy-paste cycle of submitting observables to individual tools, waiting for results, and transcribing verdicts into incident tickets.

Schedule

What your Cortex agent runs on autopilot

A week of scheduled jobs your Actionist agent will execute on your behalf.

28 scheduled jobs · 7 agents at work · 24/7 always on

[Weekly schedule grid: agents, Tue–Thu, 7a–6p]
Multi-app workflows

Cortex × every other app you use

End-to-end automations that span multiple apps — each one a real business outcome.

6 workflows · 9 apps spanned · ~34 hrs saved / week · 6 personas served

For customer success · Featured · 4 apps

Phishing alert triage, start to block

When a suspicious email lands in the security inbox, your agent pulls the embedded URLs and sender domain into Cortex, fires Execute Analyzer against VirusTotal and URLScan, reads the verdict reports, then posts a ranked risk summary to the #soc Slack channel and blocks the top-scoring domains—mean-time-to-containment under three minutes, zero analyst clicks.

~13 hrs / week

Time saved for your team — every week, on autopilot

The flow
Trigger · When a security alert email arrives in the monitored inbox
Result
  • Execute Responder to block confirmed malicious domains
  • Post risk summary and block confirmation to #soc
  • Schedule a 30-min post-incident debrief if severity is High
The win
Saved per run: 55 min
Runs / week: ~14×
Three-minute triage-to-block, no analyst toil
Driven by · Customer Support Agent
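The "reads the verdict reports, then ranks and blocks" step of this workflow, written out as an added Python example (it is not Actionist's or Cortex's own code). It reads the `summary.taxonomies` list that Cortex job reports carry (levels info, safe, suspicious, malicious), keeps the worst level per observable, counts how many analyzers rated it malicious, and hands only malicious-rated observables to the block step. Failed jobs (for example a rate-limited analyzer) are counted separately so they are never read as "safe". Observables, analyzer names and taxonomy values are constructed; the `min_malicious_votes` threshold is this example's own knob, not a Cortex setting.

```python
"""Rank Cortex analyzer verdicts per observable and choose auto-block candidates.

Added example, not Actionist or Cortex project code. Report shape follows Cortex job
reports (report["summary"]["taxonomies"], level in info/safe/suspicious/malicious);
observables, analyzer names and values below are constructed sample data.
"""
from collections import defaultdict

LEVEL_SCORE = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}
SCORE_LEVEL = {v: k for k, v in LEVEL_SCORE.items()}


def _report(level, namespace, predicate, value):
    """Build a minimal Cortex-style successful report with one taxonomy entry."""
    return {"success": True, "summary": {"taxonomies": [
        {"level": level, "namespace": namespace, "predicate": predicate, "value": value}]}}


# (observable, analyzer, report) triples as an agent would collect them; constructed data.
SAMPLE_REPORTS = [
    ("login-secure-update.example", "VirusTotal_GetReport_3_0", _report("malicious", "VT", "GetReport", "23/70")),
    ("login-secure-update.example", "Urlscan_io_Search_0_1_1", _report("suspicious", "urlscan.io", "Search", "3 hits")),
    ("cdn.example-static.net", "VirusTotal_GetReport_3_0", _report("safe", "VT", "GetReport", "0/70")),
    ("cdn.example-static.net", "Urlscan_io_Search_0_1_1", {"success": False, "errorMessage": "rate limited"}),
    ("mailer.partner.example", "VirusTotal_GetReport_3_0", _report("info", "VT", "GetReport", "0/70")),
    ("mailer.partner.example", "Urlscan_io_Search_0_1_1", _report("malicious", "urlscan.io", "Search", "1 hit")),
]


def report_score(report):
    """Worst taxonomy level in one report, or None when the job failed or gave no verdict."""
    if not report.get("success"):
        return None
    levels = [t.get("level", "info") for t in report.get("summary", {}).get("taxonomies", [])]
    return max((LEVEL_SCORE.get(level, 0) for level in levels), default=None)


def rank_observables(reports):
    """Aggregate per observable: worst score, malicious votes, verdict and failure counts.

    Sorted worst-first (score, then number of malicious votes, then name) so a
    Slack summary leads with what matters."""
    agg = defaultdict(lambda: {"score": 0, "malicious_votes": 0, "verdicts": 0, "failed": 0})
    for observable, _analyzer, report in reports:
        score = report_score(report)
        entry = agg[observable]
        if score is None:
            entry["failed"] += 1          # failed analyzer is not a "safe" verdict
            continue
        entry["verdicts"] += 1
        entry["score"] = max(entry["score"], score)
        entry["malicious_votes"] += int(score == LEVEL_SCORE["malicious"])
    return sorted(agg.items(), key=lambda kv: (-kv[1]["score"], -kv[1]["malicious_votes"], kv[0]))


def block_candidates(ranked, min_malicious_votes=1):
    """Observables to hand to a blocking responder.

    Only explicit 'malicious' verdicts qualify; 'suspicious' stays with a human.
    Setting min_malicious_votes=2 requires two independent analyzers to agree."""
    return [obs for obs, entry in ranked if entry["malicious_votes"] >= min_malicious_votes]


def risk_summary(ranked, blocked):
    """One line per observable, worst first, for the #soc post."""
    lines = []
    for obs, entry in ranked:
        level = SCORE_LEVEL[entry["score"]] if entry["verdicts"] else "no-verdict"
        flag = " BLOCKED" if obs in blocked else ""
        lines.append(f"{level:<10} {obs}  ({entry['malicious_votes']}/{entry['verdicts']} malicious, "
                     f"{entry['failed']} failed){flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    ranked = rank_observables(SAMPLE_REPORTS)
    print(risk_summary(ranked, block_candidates(ranked)))
```

With the sample data, `mailer.partner.example` is blocked at the default threshold because one analyzer called it malicious even though the other saw nothing; raising `min_malicious_votes` to 2 blocks nothing and leaves both hits for an analyst, which is the trade-off to settle before letting an agent fire a blocking responder unattended.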
ROI

Savings

What your team gets back — two angles: what you stop doing manually, and what that's worth.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    18 min / week
    Vendor domain reputation check

    Sales engineers manually look up prospect domains in VirusTotal before demos, spending 15–20 minutes per account.

    Sales Agent
    0 min
    Agent pre-screens every new prospect

    The agent submits the domain to Cortex on deal creation and logs the verdict in the CRM before the first call is scheduled.

  • Marketing
    13 min / week
    Lookalike domain scan before campaign

    Marketing manually searches brand-lookalike domains before major campaign launches to check for typosquatting.

    Marketing Agent
    0 min
    Agent monitors lookalikes at launch

    The agent submits campaign domains to Cortex analyzers on HubSpot campaign activation and flags any hijack risk instantly.

  • Customer Support
    18 min / week
    Phishing link triage in support inbox

    Support agents manually submit suspicious URLs from customer emails to VirusTotal one by one before responding.

    Customer Support Agent
    0 min
    Agent triages and blocks in minutes

    The agent extracts URLs from flagged emails, runs Cortex analyzers, and posts a verdict to the ticket before the support rep opens it.

  • Human Resources
    7 min / week
    New contractor background domain check

    HR manually verifies contractor company domains and email infrastructure before provisioning system access.

    Human Resources Agent
    0 min
    Agent clears contractors on onboarding

    The agent runs Cortex reputation checks on contractor domains as part of the automated onboarding workflow before access is granted.

  • Finance
    13 min / week
    Payee domain check before wire transfer

    Finance teams manually verify high-value payee domains against threat databases to catch BEC fraud before approving wires.

    Finance Agent
    0 min
    Agent screens every large payment

    The agent submits the payee domain to Cortex domain-reputation analyzers automatically on payment approval requests above threshold.

  • Operations
    25 min / week
    New vendor security vetting

    Operations spends two days manually running vendor domains through multiple security tools during supplier onboarding.

    Operations Agent
    0 min
    Agent vets vendors in ten minutes

    The agent submits vendor domains to Cortex on procurement-sheet entry, retrieves the risk verdict, and logs it to the vendor register.

  • Legal
    6 min / week
    Third-party compliance domain audit

    Legal manually checks partner domains for certificate anomalies and known malware infrastructure during due diligence.

    Legal Agent
    0 min
    Agent runs due-diligence scans automatically

    The agent submits partner domains to Cortex on contract initiation and attaches the verdict report to the legal review task.

+ 100s of other Cortex automations
Average monthly
10 hrs / person / month
Calculator

Calculate what your team saves

Team size
10 people
Hourly rate
$20 / hr
Hours saved / week
25
Hours saved / year
1,250
Annual ROI
$25,000

Based on Cortex's typical team usage — the visible tasks plus a few other automations the agent runs: ~2.5 hrs / person / week of admin work automated.

Connect

How to plug Cortex into Actionist

Pick the connection method that suits your environment.

The fastest path to Cortex: install the gbrigandi/mcp-server-cortex MCP server and your agent gains access to every analyzer and responder as MCP tools. You still supply the base URL of your self-hosted Cortex instance and an API key for it; the MCP server uses that key to authenticate to Cortex and then discovers the available actions for you, so there is nothing else to configure per action.

1
Open the Apps tab

Find Cortex in the Apps library and click Connect. MCP is selected by default — the gbrigandi/mcp-server-cortex integration connects to your self-hosted Cortex instance.

2
Enter your Cortex instance URL

Provide the base URL of your Cortex deployment (e.g. https://cortex.yourdomain.com). The MCP server uses this to route all API calls to the correct instance.

3
Test the connection

Actionist runs a read-only call, listing available analyzers, to verify the handshake. A green checkmark confirms the agent can reach your Cortex instance with a valid key. This call only exercises read access: it does not prove the key's role may run analyzers or fire responders, so run one cheap analyzer through the agent before relying on the integration during an incident.

Actions

15 actions your agent can call

Read and write operations available to your Actionist agent.

Triggers

7 events your agent can react to

Events your agent watches for, and the actions it kicks off in response.

Skills

Skills that pair with Cortex

Reusable agent skills that work well alongside this app.

No paired skills curated yet. Add this app to your agent to discover what fits.
MCP servers

MCP servers that work with Cortex

Connect Actionist to MCP servers built for or around this app. The servers listed below match the name "Cortex" but are unrelated to the Cortex security analytics engine; the integration described under Connect uses gbrigandi/mcp-server-cortex.

Cortex
Official

A local-first persistent knowledge MCP server with OWL-RL reasoning that exposes 22 tools for structured knowledge graph management.

Temporal Cortex Calendar MCP
Official

Provides 12 deterministic calendar and scheduling tools for temporal context, availability queries, and booking operations.

cdeust/Cortex

Neuroscience-grounded persistent memory for Claude Code — thermodynamic decay, hippocampal consolidation, predictive-coding write gate, and 33 MCP tools backed by PostgreSQL and pgvector.

FAQs

Questions about Cortex + Actionist

How do I connect Cortex to Actionist?
Open the Apps tab, find Cortex, and click Connect. Both paths need your Cortex instance URL and an API key generated under your Cortex user profile → Settings → API Keys: with the MCP path (recommended) the MCP server uses them to authenticate to Cortex on the agent's behalf, with the API key path Actionist calls the Cortex REST API directly. Actionist validates the connection by calling the List Analyzers endpoint; a green checkmark means your agent can start submitting observables immediately.
What credentials does the Cortex integration need?
You need an API key generated from your Cortex user profile and the base URL of your self-hosted Cortex instance (e.g. https://cortex.example.com). The key must have at minimum 'read' and 'analyze' permissions. If your Cortex instance uses an organisational role model, confirm the key's role has access to the analyzers and responders you intend to automate — keys with read-only roles cannot fire responders.
Can Actionist agents combine Cortex with other security tools?
Yes — Cortex is designed as an enrichment and response hub, and Actionist workflows compose it naturally with other apps. You can chain Cortex analyzer results into TheHive case updates, Slack security alerts, Google Sheets threat matrices, or GitHub issues for brand-protection tracking. Every Cortex action and trigger in Actionist exposes structured JSON output, so downstream steps can filter by verdict, severity, or analyzer name.
What can Actionist agents do with Cortex once connected?
Your agents can submit any observable (IP, domain, URL, file hash, email address) to any configured Cortex analyzer; poll job status until results arrive; retrieve structured reports with taxonomy tags; fire responders to block IPs, quarantine hosts, or revoke credentials; and list available analyzers and responders dynamically so the right tool is always chosen for the observable type. The Cortex API resources (Analyzer, Job and Responder, with observable submission being an analyzer run) are exposed as first-class Actionist actions.
How does the agent handle slow or long-running analyzer jobs?
Cortex analyzers like sandboxes can take several minutes. A Cortex job moves through Waiting and InProgress before reaching a terminal status, Success or Failure. Actionist agents use the Get job status action in a polling loop, checking every 15–30 seconds, and call Get job report only once the status is Success; a Failure is routed to the error-handling branch rather than read as a report. This keeps API payloads minimal during the wait and prevents premature report reads. You can configure a timeout threshold in the workflow; if a job exceeds it, the agent sends a failure alert and logs the job ID for manual review.
Can I avoid re-running expensive analyzers on the same observable?
Yes — use the Search jobs by observable action before submitting a new analysis. If a completed job exists for the same observable within your defined freshness window (e.g. 24 hours for VirusTotal, 7 days for passive DNS), the agent re-uses the existing report instead of consuming another API credit. This is especially useful for batch IoC sweeps where the same domain or IP appears in multiple alerts.
How do I prevent trigger loops when an agent action fires a Cortex trigger?
Two safeguards work together: first, tag every agent-submitted Cortex job with a source label (e.g. actionist-automated) and add a condition in your trigger workflow that skips jobs with that label. Second, use the Observable flagged as high-risk trigger rather than Analysis job completed for escalation workflows; it fires only when the risk threshold is crossed, not on every job completion, so a completion that stays below the threshold never re-enters the workflow.
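The three FAQ answers above (bounded polling for slow jobs, reusing a recent job inside a freshness window, and the source label that guards against trigger loops) implemented together in Python, as an added example that is not Actionist's or Cortex's own code. Endpoint paths and the Bearer API-key header follow the Cortex 3 REST API (`POST /api/analyzer/<id>/run`, `POST /api/job/_search`, `GET /api/job/<id>`, `GET /api/job/<id>/report`); the `_search` query DSL and the job `label` field are assumptions to check against your Cortex version. The HTTP call is injected, so the block runs offline against a scripted `FakeCortex` with a fake clock, and the four scenarios at the bottom (reused, submitted, timeout, failed) are constructed.

```python
"""Reuse-or-submit and bounded polling for Cortex analyzer jobs.
Added example, not Actionist or Cortex project code. Paths follow the Cortex 3 REST
API (POST /api/analyzer/<id>/run, POST /api/job/_search, GET /api/job/<id>[/report],
Bearer API-key auth). The _search query DSL and the job "label" field are assumptions.
The HTTP call is injected so this runs offline against a scripted fake Cortex.
"""
import time

FRESHNESS_S = {"VirusTotal_GetReport_3_0": 24 * 3600, "CIRCLPassiveDNS_2_0": 7 * 24 * 3600}
DEFAULT_FRESHNESS_S = 3600
SOURCE_LABEL = "actionist-automated"          # tag that marks agent-submitted jobs
TERMINAL = {"Success", "Failure", "Deleted"}  # Cortex job statuses that never change again


class CortexClient:
    def __init__(self, base_url, api_key, send, clock=time.time, sleep=time.sleep):
        self.base = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {api_key}"}
        self.send, self.clock, self.sleep = send, clock, sleep

    def _call(self, method, path, body=None, params=None):
        return self.send(method, self.base + path, self.headers, body, params)

    def find_fresh_job(self, analyzer_id, data, data_type):
        """Newest Success job for this observable+analyzer within its freshness window, else None."""
        query = {"_and": [{"_field": "analyzerId", "_value": analyzer_id},  # assumed query DSL
                          {"_field": "data", "_value": data},
                          {"_field": "dataType", "_value": data_type},
                          {"_field": "status", "_value": "Success"}]}
        jobs = self._call("POST", "/api/job/_search", {"query": query}, {"range": "0-1", "sort": "-createdAt"})
        if not jobs:
            return None
        age_s = self.clock() - jobs[0]["createdAt"] / 1000  # createdAt is epoch milliseconds
        return jobs[0] if age_s <= FRESHNESS_S.get(analyzer_id, DEFAULT_FRESHNESS_S) else None

    def analyze(self, analyzer_id, data, data_type, tlp=2, timeout_s=600, interval_s=15):
        """Return (outcome, job_id, report); outcome is reused, submitted, failed or timeout."""
        job = self.find_fresh_job(analyzer_id, data, data_type)
        if job:
            return "reused", job["id"], self._call("GET", f"/api/job/{job['id']}/report")
        body = {"data": data, "dataType": data_type, "tlp": tlp, "label": SOURCE_LABEL}
        job = self._call("POST", f"/api/analyzer/{analyzer_id}/run", body)
        deadline = self.clock() + timeout_s
        while job["status"] not in TERMINAL:          # Waiting / InProgress: keep polling
            if self.clock() >= deadline:
                return "timeout", job["id"], None     # caller alerts and logs the job id
            self.sleep(interval_s)
            job = self._call("GET", f"/api/job/{job['id']}")
        if job["status"] != "Success":
            return "failed", job["id"], None         # never read the report of a failed job
        return "submitted", job["id"], self._call("GET", f"/api/job/{job['id']}/report")


def skip_for_loop_guard(job):
    """Trigger-side check: ignore jobs this automation submitted itself."""
    return job.get("label") == SOURCE_LABEL


class FakeClock:
    def __init__(self, t0): self.t = t0
    def time(self): return self.t
    def sleep(self, s): self.t += s   # sleeping advances the fake clock


class FakeCortex:
    """Constructed stand-in for a Cortex instance; every reply is scripted."""
    def __init__(self, existing=(), polls_until_done=2, final_status="Success"):
        self.existing, self.polls_until_done, self.final_status = list(existing), polls_until_done, final_status
        self.runs, self.polls = 0, 0

    def __call__(self, method, url, headers, body, params):
        assert headers["Authorization"].startswith("Bearer ")
        path = url.split("/api", 1)[1]
        if path == "/job/_search":
            return self.existing                      # ignores the query; seed only matching jobs
        if path.startswith("/analyzer/") and path.endswith("/run"):
            self.runs += 1
            return {"id": "job-new", "status": "Waiting", "label": body["label"]}
        if path.endswith("/report"):
            return {"success": True, "summary": {"taxonomies": [
                {"level": "malicious", "namespace": "VT", "predicate": "GetReport", "value": "23/70"}]}}
        if path.startswith("/job/"):
            self.polls += 1
            status = "InProgress" if self.polls < self.polls_until_done else self.final_status
            return {"id": path.split("/")[2], "status": status}
        raise ValueError(f"unexpected path {path}")


def run_scenario(existing=(), polls_until_done=2, final_status="Success", timeout_s=600):
    """Drive one analyze() call against the fake; returns (outcome, job_id, report, runs, polls, seconds)."""
    clock, fake = FakeClock(1_700_000_000.0), FakeCortex(existing, polls_until_done, final_status)
    client = CortexClient("https://cortex.example.com", "api-key", fake, clock.time, clock.sleep)
    outcome, job_id, report = client.analyze("VirusTotal_GetReport_3_0", "evil.example", "domain", timeout_s=timeout_s)
    return outcome, job_id, report, fake.runs, fake.polls, clock.t - 1_700_000_000.0


def fresh_job(age_s):
    """Constructed existing Success job, age_s seconds old at the fake clock's start."""
    return {"id": "job-old", "status": "Success", "createdAt": int((1_700_000_000.0 - age_s) * 1000)}


if __name__ == "__main__":
    print(run_scenario(existing=[fresh_job(3600)]))            # reused: no new run, no polls
    print(run_scenario(existing=[fresh_job(3 * 24 * 3600)]))   # stale job: submitted after 2 polls
    print(run_scenario(polls_until_done=99, timeout_s=60))     # timeout after 60 s of polling
    print(run_scenario(final_status="Failure"))                # failed: no report read
```

Against a real instance, replace `FakeCortex` with a function that issues the HTTP request (for example with `requests`) and returns the decoded JSON. Cortex also offers a server-side wait, `GET /api/job/<id>/waitreport?atMost=...`, which can replace the client loop for short jobs; keep the client-side deadline regardless, since that is what turns a hung sandbox into an alert instead of a stuck workflow.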
What happens if a Cortex responder fails during an automated incident response?
The Responder execution failed trigger fires immediately with the error reason and targeted entity. Your agent should handle this with an escalation branch — posting the failure to the #soc-alerts Slack channel with the responder name, error code, and the manual steps from your IR runbook so an analyst can take over within minutes. Never silently swallow a responder failure in a containment workflow; a missed block during an active incident is a materially different outcome than a reporting delay.