WildFire Droid: The Agentic AI Framework to simplify Cloud Security Product Operations

Co-author: @iedwardhenr 

Introduction: The Unseen Battle in Cloud Security product operations

In the world of cloud based cybersecurity products, we’re constantly fighting a battle with one hand tied behind our back. Despite having countless tools at our disposal, our workflows remain clunky and manual, forcing security professionals to spend their days connecting dots between disparate systems. The result? A critical bottleneck that leaves us one step behind the threats.

But what if the system could think for itself?

This is the core idea behind Agentic AI. It’s a leap beyond simple automation, enabling a new class of intelligent security agents that can understand complex commands and work together to solve problems autonomously. It’s not just about doing tasks faster — it’s about having a system that can reason and respond with the strategic precision of a human expert.

We’ve developed the WildFire Droid, an Agentic AI assistant that is now poised to redefine the operational efficiency of our WildFire teams. Leveraging the Google Agent Development Kit (ADK), the WildFire Droid is a powerful, intent-driven system that transforms multi-stage security workflows into seamless, conversational experiences. This blog post offers a detailed exploration of its revolutionary architecture and the profound impact it is having on our daily operations.

WildFire Droid’s Core Capabilities & Potential

The WildFire Droid is designed to transform how we work by turning complex tasks into simple, conversational requests.

• Total Workflow Automation: The Droid acts as a single point of contact for multiple services. It can submit samples, fetch data, and manage API keys across different platforms, saving you from a constant cycle of context switching and manual tasks.
• Intelligent Data Analysis: With its BigQuery Agent, the Droid turns a complex database into a conversational tool. You can ask for detailed data analysis in plain language and get results that are easy to understand and even export.
• Secure & Compliant Operations: For sensitive tasks like managing API keys, the Droid doesn’t just automate — it enforces security. It requires specific confirmations and approvals, ensuring that every automated action is both fast and fully compliant.

The true potential of the Droid lies in its Agentic AI framework. This is a system that can continuously learn and expand, meaning we can add new agents and capabilities over time to solve even more challenges. It’s a foundational step toward a future where our tools don’t just assist us, but intelligently empower us.

The Impact: From Manual Grind to AI-Powered Productivity

The initial deployment and performance of WildFire Droid have been nothing short of phenomenal. We’ve seen a clear shift from fragmented, manual workflows to a streamlined, conversational approach. This is more than just a tech demonstration — it’s a fundamental change in how we work. By turning multi-step processes into simple chats, WildFire Droid is empowering our teams to:

• Focus on What Matters: Analysts can dedicate more time to critical threat analysis rather than mundane administrative tasks.
• Move with Speed and Accuracy: On-call engineers can respond to incidents and perform maintenance faster and more reliably.
• Foster Innovation: This Agentic AI framework serves as a blueprint for how we can build more intelligent, collaborative tools across Palo Alto Networks.

The “Agentic” Revolution: A Team of Specialists, Not a Single Bot

To truly grasp the innovation behind the WildFire Droid, we must first understand the foundational concept of an Agentic AI. Unlike a traditional chatbot that follows a rigid script, an Agentic AI is a system composed of multiple specialized agents. It’s like having a team of experts at your disposal, all managed by a single, brilliant team lead.

In the case of WildFire Droid, this team is led by a central Root Agent (or “manager”). When you make a request, the Root Agent’s first job is to understand your intent — your true goal. Once it figures out if you want to submit a sample, fetch a report, or analyze data, it seamlessly delegates the task to the most appropriate sub-agent. This architecture ensures that every request is handled by a true specialist, leading to greater accuracy and efficiency.

Design of WildFire Droid

A Deep Dive into WildFire Droid’s Agent Arsenal

Let’s explore the individual agents that give WildFire Droid its power, and how they solve real-world problems for our teams.

1. The Sample Submission Agent: Automation at Scale:
   
   The Problem: Submitting files for analysis is a foundational task. But doing it at scale — with multiple files, various file types, and across different cloud environments — is a tedious, time-consuming process. It requires manual configuration and verification.
   
   The WildFire Droid Solution: The Sample Submission Agent automates this entirely. With a simple, conversational command like “Submit these 10 files to WildFire for analysis,” this agent takes over. It engages in a clarifying dialogue with you, asking for details like file types or specific cloud regions. Once it has all the necessary information and you confirm, it performs the action and provides a detailed summary of the submission results. It’s the difference between navigating a complex form and simply having a conversation with an expert assistant.
   
   Successful Sample Submissions
   
   Successful Sample Submissions
   

2. The Verdict Agent: Instant Insights and Corrections:
   
   The Problem: After a sample is analyzed, a security professional needs to check the verdict. Sometimes, a verdict may be a false positive or negative, requiring a manual update. This is another manual, single-task operation that adds to the daily workload.
   
   The WildFire Droid Solution: The Verdict Agent makes this instant. You can ask for a verdict simply by providing the SHA256 hash of a file. The agent retrieves the information in seconds. For updating a verdict, you just provide the hash and the new verdict (e.g., “benign,” “malware,” etc.), and the agent handles the rest, ensuring the WildFire analysis data store is updated accurately and efficiently.
   
   Verdicts Retrieval 1
   
   Verdicts Retrieval 2
   

3. The BigQuery Agent: Data Analyser:
   
   The Problem: Cybersecurity products generate a massive amount of data, which is stored in BigQuery across various GCP projects. To extract meaningful insights, you traditionally need to be proficient in writing complex SQL queries. This creates a barrier for non-data analysts and slows down critical investigations.
   
   The WildFire Droid Solution: This is a true superpower. The BigQuery Agent allows you to perform sophisticated data analysis using only natural language. You can ask questions like, “Show me all malware submissions from the last 30 days that originated from Europe,” and the agent will automatically write and execute the correct BigQuery query. It can even perform data analysis on the results and, for ultimate convenience, export the data directly to a Google Sheet for real-time visualization and sharing. This feature democratizes data access and analysis for the entire team.
   
   BigQuery Agent’s analysis result
   
   BigQuery Agent’s analysis result
   

4. The Overwatch Agent: Detailed Threat Reports on Demand
   
   The Problem: For a deeper understanding of a threat, security analysts need to pull detailed analysis reports from services like Overwatch. This involves yet another separate system and a unique set of APIs.
   
   The WildFire Droid Solution: The Overwatch Agent integrates directly with the Overwatch API. By simply providing a SHA256 hash, this agent fetches the complete, detailed analysis report. It can then summarize key findings for you, highlighting critical details about the static and dynamic analysis and explaining why the sample was flagged as malicious. This saves time and provides a concise, actionable summary for rapid response.
   
   Report from OverWatch
   
   Report from OverWatch
   
   
5. The RAG & Google Search Agents: The Collaborative Brain
   
   The Problem: On-call engineers and analysts often need two types of information: specific, documented knowledge about internal WildFire operations, and general, publicly available information about threats or features. Switching between internal documentation and external search engines is clunky and inefficient.
   
   The WildFire Droid Solution: This is the most impressive collaboration in the system. The RAG (Retrieval-Augmented Generation) Agent is an expert on WildFire — it’s been trained on thousands of internal documents, providing accurate and structured answers to your operational questions. When you need a public perspective or external context, the RAG Agent hands the query to its partner, the Google Search Agent. This duo then works together, with the Google Search Agent fine-tuning search prompts, scraping multiple URLs for context, and retrieving data. Finally, these two agents combine their findings, using advanced reasoning and reinforcement learning to synthesize a single, comprehensive answer that is both internally informed and externally validated. It’s like having two of your smartest colleagues — one an internal subject matter expert and the other a world-class researcher — working together to answer your question.
   
   Assist during On-calls
   
   Identifying the problem statement clearly
   
   Providing step by step actions
   
   Providing step by step actions
   
   Recommending escalation if something went wrong
   
   
6. The Maintenance Agent: Simplifying Production Operations
   
   The Problem: During a production deployment, on-call engineers need to create status pages to inform stakeholders of planned maintenance or outages. This can be a complex, manual process that needs to be done meticulously and often concurrently across multiple cloud regions.
   
   The WildFire Droid Solution: The WildFire Maintenance Agent automates this process entirely. Integrated with the Status Page API, you can simply tell the Droid to “Create a maintenance page for the US-West cloud from 2 PM to 4 PM next Tuesday.” The agent will handle the rest, creating and managing status pages concurrently for any number of cloud regions you specify. This automation reduces human error and frees up engineers during critical deployment windows.
   
   Requesting Status Page creation during Production Deployment
   
   Requesting Status Page creation during Production Deployment
   
   
7. The API Key Agent: Streamlining Customer Support and Security:
   
   The API Key Agent transforms a complex workflow into a secure, conversational process. When a staff member receives a customer ticket, the agent provides instant clarity. By simply providing the API key, the agent fetches all relevant details and provides a clear summary, instantly pointing out issues like an invalid key, an expired date, or a misconfigured field.
   
   Beyond diagnostics, the agent empowers staff to securely update or create new API keys. It acts as an intelligent guide, ensuring all required fields are correctly set and enforcing a crucial layer of security. Before any update is made, the agent requires:
   
   
   • A clear explanation of the request within a JIRA ticket.
   • Explicit user confirmation of the changes.
   • Managerial approval to proceed.
     
     This ensures all actions are documented, verified, and secure. For staff unfamiliar with a customer’s current API key status, the agent can summarize the existing configuration, providing a clear picture before any changes are made. The API Key Agent turns a potentially lengthy, manual process into a swift, guided, and fully compliant action.
     
     
8. The Slack Agent: From Communication Chaos to Automated Intelligence:
   
   The Problem: In today’s fast-paced environment, critical information is often scattered across our communication channels. On-call incidents, key deployment updates, and product launches are buried under a constant stream of messages, making it nearly impossible to get a quick, accurate summary. This information overload forces team members to sift through chaos for actionable intelligence.
   
   The WildFire Droid Solution: We’ve introduced the Slack Agent to transform our communication channels from a simple stream of messages into a source of structured operational intelligence. This agent acts as a proactive, insightful analyst for the WildFire team, performing two critical functions:

1. Automated Communication: The agent can post information directly to a channel, ensuring key updates are delivered exactly when they are needed. For example, once the Maintenance Agent has created a status page for a new deployment, the Slack Agent can automatically post a message to the team channel with all the relevant details, providing immediate, seamless communication.

2. Intelligent Analysis: When tasked with summarising a specific period, the agent intelligently plans its operations. It autonomously calculates the required dates and executes a series of precise requests to gather all relevant message history. It then meticulously processes the raw message data to automatically identify and categorize key operational themes. The final output is a clean, well-structured report that provides a clear and concise overview of:

• Production Issues: Documenting reported outages, bugs, and their resolutions.
• On-Call Incidents: Highlighting incident details, team involvement, and outcomes.
• Deployment Updates: Detailing new feature releases and associated issues.
• New Feature Details: Summarising recently released product features and their impact.
• Team Achievements: Recognising successes and positive feedback.

The Slack Agent empowers our teams to quickly gain a complete picture of an event or a time period, turning a potential information overload into a valuable, easy-to-read operational summary.

Summarisation the complete deployment Information

Summarisation the complete deployment Information

Future Roadmap

The WildFire Droid, in its current form, is a powerful leap forward. But it’s also a foundational step in a much larger journey. Our roadmap for the future is focused on transforming the Droid from a responsive assistant into a proactive partner in our cybersecurity operations.

• Broader Ecosystem Integration: We plan to expand the Droid’s reach by integrating with a wider range of our organization's internal products and systems. This will allow the Droid to orchestrate even more complex, cross-platform workflows, creating a unified operational experience.
• Proactive & Predictive Intelligence: The next generation of the Droid will move beyond responding to requests. We are developing capabilities that will allow it to anticipate user needs, automate routine tasks without being asked, and proactively flag potential issues based on its analysis of real-time data.
  
• Continuous Learning & Optimization: We are building a feedback loop where the Droid learns from every user interaction. This will allow the system to continuously fine-tune its reasoning and tool use, ensuring its accuracy and efficiency evolve alongside our operational needs.
  
• Enhanced Customization: Future versions will include tools for deeper customization, allowing teams to build and personalize their own agent-driven workflows to address unique and highly specific challenges.

Conclusion:

The WildFire Droid is more than just a proof of concept; it represents a significant paradigm shift in how we approach cybersecurity operations. By leveraging an Agentic AI framework, we are fundamentally redefining the relationship between our teams and their tools. This project demonstrates that we can effectively eliminate operational friction, transforming fragmented, manual workflows into a seamless, conversational experience.

This work serves as a powerful blueprint for future innovation, showcasing how advanced AI can be strategically integrated to amplify human expertise. We are not just building more efficient tools; we are creating a strategic advantage that allows our security professionals to focus on the complex, cognitive challenges of threat intelligence and response. The WildFire Droid is a testament to the future — a future where intelligent automation empowers us to stay ahead of the evolving threat landscape with unprecedented speed and precision.