Co-author: Immanuel Edward Henrik (@iedwardhenr)
In the world of cloud-based cybersecurity products, operational teams are constantly fighting a battle with one hand tied behind their back. Despite having countless tools at their disposal — incident management platforms, log aggregators, deployment pipelines, data warehouses, documentation wikis, and communication channels — the workflows that connect them remain clunky and manual. Security professionals spend their days context-switching between disparate systems, copying data from one tool to paste into another, and mentally stitching together information scattered across a dozen interfaces.
The result? A critical bottleneck that leaves teams one step behind the threats they're trying to stop.
But what if the system could think for itself?
This is the core idea behind Agentic AI. It's a leap beyond simple automation or basic chatbots. Agentic AI enables a new class of intelligent systems composed of multiple specialised agents that can understand complex commands, reason about multi-step problems, and work together autonomously to solve them. It's not just about doing tasks faster — it's about having a system that can reason and respond with the strategic precision of a human expert.
We've built the WildFire Droid — an Agentic AI assistant that is redefining the operational efficiency of our WildFire cloud security teams. Built on the Google Agent Development Kit (ADK) and powered by a sophisticated multi-agent architecture, the WildFire Droid transforms multi-stage security workflows into seamless, conversational experiences.
This blog post offers a detailed exploration of its architecture, its growing arsenal of specialised agents, the key technical innovations that power it, and the profound impact it is having on our daily operations.
To truly grasp the innovation behind the WildFire Droid, it's important to understand the foundational concept of an Agentic AI. Unlike a traditional chatbot that follows a rigid script, an Agentic AI is a system composed of multiple specialised agents. Think of it as having a team of domain experts at your disposal, all managed by a single, brilliant team lead.
In the case of WildFire Droid, this team is led by a central Root Agent (the "Droid Manager"). When you make a request, the Root Agent's first job is to understand your intent — your true goal. It then plans an orchestration strategy: should it deploy multiple agents in parallel, chain them sequentially, or use a hybrid approach? Once it determines the optimal path, it seamlessly delegates the task to the most appropriate sub-agent (or agents). After receiving their outputs, it synthesizes the results into a coherent, actionable response.
This architecture ensures that every request is handled by a true specialist, leading to greater accuracy, efficiency, and depth of response.
What makes the Root Agent more than a simple router is its structured orchestration intelligence:
This means the Droid doesn't just forward your question — it thinks about the best way to answer it.
The WildFire Droid is designed to transform how teams work by turning complex, multi-system tasks into simple, conversational requests.
Total Workflow Automation: The Droid acts as a single point of contact for a wide range of services — from sample analysis and verdict management to deployment operations and incident investigation. It eliminates the constant cycle of context-switching and manual tasks.
Intelligent Data Analysis: With its BigQuery and BigTable Agent (codenamed "Chronos"), the Droid turns complex databases into conversational tools. You can ask for detailed data analysis in plain language and get results that are easy to understand, complete with interactive visualisations.
Autonomous Root Cause Analysis: When incidents occur, the Droid doesn't just fetch data — it orchestrates a full forensic investigation across logs, metrics, alerts, and documentation to trace failures from symptom to source.
Secure & Compliant Operations: For sensitive tasks like managing API keys, the Droid enforces security through a sequential pipeline that requires JIRA ticket validation, explicit user confirmation, and managerial approval before any changes are made. Every action is audited.
Knowledge Synthesis: The Droid fuses information from internal documentation (Confluence), operational records (JIRA), team communications (Slack), and vector-based knowledge bases to provide comprehensive, cross-validated answers.
Interactive Visualisations: Query results and data analysis can be rendered as interactive line charts, bar charts, and pie charts directly in the chat interface, making insights immediately actionable.
GitOps Deployment Management: Full ArgoCD deployment operations — health monitoring, failure diagnosis, resource inspection, sync management — all from a single conversational interface.
The Problem: Managing the WildFire malware analysis pipeline involves a wide range of operational tasks — submitting samples for analysis, checking and updating verdicts, fetching detailed threat reports, scheduling production maintenance windows, and triggering test automation suites. Each of these tasks traditionally requires navigating different systems, APIs, and interfaces.
The Solution: The WildFire Operational Agent is a unified operations specialist that handles the entire sample analysis lifecycle through a single conversational interface. It integrates with multiple backend services via a dedicated MCP server, providing:
The Problem: Cybersecurity products generate massive amounts of data stored across BigQuery and BigTable in multiple cloud projects. Extracting meaningful insights traditionally requires proficiency in writing complex SQL queries and understanding the schema of dozens of tables. This creates a barrier for non-data analysts and slows down critical investigations.
The Solution: Chronos is a data intelligence analyst that transforms natural language questions into optimized database queries. You can ask questions like "Show me all malware submissions from the last 30 days that originated from Europe" and the agent will automatically write and execute the correct query, interpret the results, and suggest visualizations for complex datasets.
Chronos understands the WildFire data topology — it knows which tables contain sample analysis data, submission logs, service endpoint configurations, and API usage metrics. It enforces mandatory partition filters for performance, protects sensitive data fields, and warns about long-running queries before executing them.
The Problem: When a production alert fires at 3 AM, the on-call engineer faces a daunting task: understand the alert, recall the system architecture, find the right logs, trace the failure upstream through service dependencies, and identify the root cause — all while under pressure. This process typically involves opening the incident management platform, consulting documentation, querying multiple log systems, checking cloud platform metrics, and mentally tracing the error chain. Each step requires a different tool, different query syntax, and different mental models.
The Solution: The Root Cause Analysis (RCA) Agent is an autonomous investigation orchestrator that coordinates a team of sub-agents to perform deep forensic analysis, following a methodology inspired by how senior SREs actually debug production issues:
Phase 1: Parallel Context Gathering — The agent simultaneously fetches alert details from PagerDuty and system architecture documentation from the knowledge base. These are independent information sources, so they can be queried in parallel — saving valuable time.
Phase 2: Iterative Log Investigation — Rather than making a single log query and hoping for the best, the agent performs iterative investigation:
Phase 3: Upstream Chain Tracing — This is where the real intelligence shines. When Component A's logs show "error calling Component B," the agent automatically queries Component B's logs. If B's logs show "error calling Component C," it traces further upstream. It continues until it finds a component failing internally with no upstream cause — the true root cause.
Phase 4: Synthesis — The agent constructs a complete causal chain with timestamps, log evidence, and a confidence level (High/Medium/Low) based on evidence quality.
The RCA Agent coordinates three specialized sub-agents:
The result? An investigation that might take an engineer 30+ minutes can be completed in a single conversation.
The Problem: Teams need two types of information: specific, documented knowledge about internal operations, and contextual information scattered across communication channels and project management tools. Finding the right answer often requires searching multiple sources and synthesizing the results.
The Solution: The Hybrid RAG (Retrieval-Augmented Generation) Agent is a multi-modal knowledge engine that strategically fuses content from multiple sources:
What makes this agent truly powerful is its multi-source synthesis capability:
The Problem: Managing API keys for a global cloud security platform is a sensitive, multi-step process that requires strict validation, authorization, and audit trails. Manual processes are error-prone and difficult to audit.
The Solution: The API Key Agent transforms this complex workflow into a secure, conversational process using a Sequential Pipeline architecture — a chain of specialized sub-agents that must complete in strict order:
For read operations (fetching API key details), the agent provides instant clarity — highlighting issues like invalid keys, expired dates, or misconfigured fields. Every write operation requires a valid JIRA ticket, explicit user confirmation, and managerial approval. Safety is structural, not just suggested.
The Problem: Critical information is scattered across communication channels. On-call incidents, deployment updates, and product launches are buried under a constant stream of messages, making it nearly impossible to get a quick, accurate summary.
The Solution: The Slack Agent transforms communication channels into a source of structured operational intelligence:
The agent also supports user identity resolution, threaded replies, and keyword-based message search across authorized channels.
The Problem: Managing deployments across multiple environments and ArgoCD projects requires navigating complex Kubernetes resource hierarchies, understanding sync states, and diagnosing deployment failures — all through separate interfaces for each environment.
The Solution: The ArgoCD Agent is a deployment operations specialist that autonomously manages and monitors GitOps application deployments. It connects to multiple ArgoCD environments, navigates project hierarchies, and provides:
Safety is built in: sync previews use dry-run by default, auto-sync changes default to safe settings, and all modifications require explicit user confirmation.
The Problem: Teams constantly need to interact with JIRA — viewing ticket details, creating issues, adding comments, and validating tickets for approval workflows.
The Solution: The JIRA Agent provides comprehensive JIRA lifecycle management through natural language. It can fetch detailed ticket information, create new issues (with project-specific field validation), add formatted comments, and validate tickets for approval workflows. All agent-created tickets are automatically labeled for traceability, and every write operation requires explicit user confirmation.
The Problem: Raw data and query results are difficult to interpret quickly. Teams need visual representations to spot trends, compare metrics, and communicate findings effectively.
The Solution: The Visualization Agent is a data storytelling specialist that analyzes data semantics and selects the optimal chart type to communicate insights. It generates interactive charts — line charts for trends, pie charts for composition, and bar charts for comparisons — that render directly in the chat interface. The agent reasons about which visualization type best communicates the insight, considering data semantics, the primary insight hierarchy, and cognitive load. Multi-series support allows overlaying multiple data series on a single chart for richer analysis.
A key architectural innovation is the use of MCP (Model Context Protocol) servers — lightweight, purpose-built tool servers that expose domain-specific capabilities to agents. The Droid runs four custom MCP servers:
Additionally, the Droid integrates with Google's official GCP Observability MCP and gcloud MCP servers, demonstrating how the MCP ecosystem enables rapid capability expansion.
The MCP architecture provides strong typing, process isolation, standardized request/response patterns, and extensibility — new tools can be added without modifying any existing agent code.
When agents retrieve large volumes of data — thousands of log lines, extensive ArgoCD resource trees, or lengthy Confluence documents — the raw content can easily exceed what an LLM can effectively reason about. Simply truncating the data loses critical information. Sending it all wastes tokens and degrades reasoning quality.
The Droid solves this with an in-memory RAG pipeline that acts as an intelligent filter between tool responses and the LLM:
This pipeline is used across multiple agents — each with tuned thresholds appropriate to their data volumes. The result: agents always work with the most relevant information, regardless of how much raw data their tools return.
The WildFire Droid is built with enterprise security as a first-class concern:
The frontend is a Next.js application with a modern, responsive chat interface featuring:
The deployment and performance of WildFire Droid have demonstrated a clear shift from fragmented, manual workflows to a streamlined, conversational approach. This is more than a technology demonstration — it's a fundamental change in how teams work. By turning multi-step processes into simple conversations, WildFire Droid empowers teams to:
The WildFire Droid, in its current form, is a powerful leap forward. But it's also a foundational step in a much larger journey. Our roadmap is focused on transforming the Droid from a responsive assistant into a proactive partner:
The WildFire Droid represents a significant paradigm shift in how we approach cybersecurity operations. By leveraging an Agentic AI framework built on the Google Agent Development Kit, we are fundamentally redefining the relationship between our teams and their tools.
With its growing arsenal of specialized agents — from autonomous root cause analysis to secure API key management, from natural language data analytics to GitOps deployment operations — the WildFire Droid is not just a tool. It's a strategic advantage that allows security professionals to focus on the complex, cognitive challenges of threat intelligence and response.
The evolution from a responsive assistant to an autonomous operations partner demonstrates something important about Agentic AI: the real value isn't in any single agent or tool. It's in the orchestration — the ability to coordinate multiple specialized agents, each with deep domain expertise, to solve problems that no single agent could handle alone.
The WildFire Droid is a testament to the future — a future where intelligent automation empowers us to stay ahead of the evolving threat landscape with unprecedented speed and precision.
