AI clients for security operations

Give AI clients security jobs they can run safely.

Claude Co-Work, Claude Code, Codex, ChatGPT, and custom agents should run repeatable work: health reviews, case investigations, monthly SOC reports, replay tests, onboarding checks, and detection reviews. Fluency provides the modes, functions, evidence, and guardrails underneath.

Job catalog

What the agent can do

approved work

Health review

Find stale telemetry, broken integrations, blind spots, and the next customer or tenant that needs attention.

Case investigation

Expand a case, preserve source records, explain what happened, and produce an analyst-ready brief.

Monthly SOC report

Turn live evidence into CISO and customer-ready narratives without rebuilding the story by hand.

Replay test

Capture, sanitize, and test scenarios so detection work is provable instead of theoretical.

Modes of operation

Mode-first routing keeps agents from guessing.

The best agent products sell jobs, but enterprise buyers still need control. Fluency routes each request into the right operating mode before a function runs: health, investigation, behavioral activity, signature lifecycle, replay, posture, onboarding, billing, and reporting.

MSSP / CISO

Health and status

Evaluate data-source freshness, stale resources, ingress flow, platform ingestion, and broken telemetry across one tenant or a fleet.

Investigator

Case investigation

Expand cases, retain source records, explain timelines, inspect Proofpoint/OAuth context, and identify missing evidence.

Investigator

Replay and signatures

Capture scenarios, sanitize records, test detections, draft rules, validate signatures, and prepare release evidence.

CISO

Resource posture

Run approved posture reports for Office365, endpoint coverage, asset overlap, OS currency, vulnerabilities, and customer posture.

MSSP

Onboarding

Discover products, compare configured sources, install templates, collect secrets safely, and verify data flow.

MSSP / CISO

Billing

Summarize periods, compare drivers, count licensed users, and separate management accounting from security evidence.

CISO

Executive reporting

Generate monthly SOC, vCISO, board, and customer-ready reports from live evidence and approved report queries.

All packages

Instruction freshness

Version checks, skill sync, instruction hashes, and routing cheatsheets keep clients from acting on stale guidance.

Permission-aware functions

Functions are how Fluency packages security expertise.

A function is more than a tool call. It carries scope, lineage, arguments, output shape, evidence rules, and mutation class so an AI client can complete work without receiving arbitrary SIEM access.

Figure: Fluency logic layer between AI clients, functions, skills, and security data

evaluate_data_sources

health

Turns configured integrations, stale resources, and ingress signals into an actionable telemetry-health verdict.

expand_case

investigate

Retrieves a case and captures bounded underlying event records so conclusions can be audited.

investigate_proofpoint

investigate

Interprets retained email-security records for sender, recipients, delivery, threats, clicks, routing contradictions, and gaps.

evaluate_scenario_against_signatures

replay

Checks whether expected detections fire against scenario records and exposes missed-operation samples for rule work.

find_fpl_reports

posture

Maps an operator question to approved report candidates and run guidance without dumping raw report source.

summarize_billing_period

billing

Builds a period-specific billing summary with lineage and explicit audience context.

describe_application_template

onboarding

Separates chat-safe values, secure secret intake, generated outputs, and review-required fields for datasource setup.

validate_instruction_freshness

routing

Checks whether cached mode guidance is still current before the client continues a workflow.

Skills and packages

Skills package the work by buyer and workflow.

A skill is not a tool. It is reusable operational guidance that tells Co-Work, Codex, and agent clients how to combine functions, instruction groups, evidence, and report structure for a repeatable security job.

MSSP

Multi-tenant operations for fleets, grids, datasource health, onboarding, billing, and service delivery.

data-source-onboarding

health-status-report

mssp-coverage-map

mssp-ops-sitrep

CISO

Single-tenant posture, executive reporting, vCISO planning, Office365 review, coverage, and board narratives.

msoc-monthly-report

office365-posture-review

tenant-coverage-review

vciso-120-day-onboarding

Investigator

Case evidence, fingerprints, replay scenarios, record-trigger review, Proofpoint analysis, and signature lifecycle.

case-sync-local-db

fluency-case-investigation

record-trigger-review

fluency-signature-lifecycle

Client surfaces

Different clients, same operating layer.

Operator workspace

Claude Co-Work

Runs packaged security jobs from a workspace analysts and managers already understand.

Security engineering

Claude Code

Maintains skills, packages, report artifacts, signatures, scenarios, and deterministic function surfaces.

Implementation agent

Codex

Updates workflows, verifies function contracts, builds reports, and keeps client manifests aligned.

Custom operations

ChatGPT and agents

Connect through the same boundary while preserving Fluency rules for scope, freshness, evidence, and permissioned writes.

Boundary that matters

MCP is transport. Headless is the operating model behind it.

A model context protocol connection can expose anything. Fluency exposes only the security work surface: mode guidance, stable functions, package metadata, bounded evidence, and audited write tiers.

No raw endpoint passthrough

Tools answer operator questions. The client does not receive arbitrary Fluency API access, database access, or free-form query power.

Scope before action

Tenant, grid, connector, case, scenario, and report scope are explicit before a function runs.

Read, local, and write tiers

Mutation classes separate pure reads, local artifacts, Fluency configuration writes, operational-state writes, and destructive actions.

Evidence over vibes

Case records, posture-report handles, replay artifacts, fingerprints, health verdicts, and report lineage make AI output inspectable.
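The boundary described above, sketched as a gate in front of tool dispatch. This is an added example, not Fluency's code or API. The function names and modes come from this page; the tier assigned to each function, the scope keys, the linear ordering of tiers, and install_application_template are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Mutation(IntEnum):
    # Tiers named after the page's mutation classes; linear ordering is assumed.
    READ = 0
    LOCAL_ARTIFACT = 1
    CONFIG_WRITE = 2
    OPERATIONAL_WRITE = 3
    DESTRUCTIVE = 4

@dataclass(frozen=True)
class FunctionSpec:
    mode: str
    mutation: Mutation
    required_scope: frozenset

# Hypothetical registry: tiers and scope keys are assumptions, not product facts.
REGISTRY = {
    "evaluate_data_sources": FunctionSpec("health", Mutation.READ, frozenset({"tenant"})),
    "expand_case": FunctionSpec("investigate", Mutation.READ, frozenset({"tenant", "case"})),
    "evaluate_scenario_against_signatures": FunctionSpec(
        "replay", Mutation.LOCAL_ARTIFACT, frozenset({"tenant", "scenario"})),
    # Hypothetical function name, used only to show a write tier being refused.
    "install_application_template": FunctionSpec(
        "onboarding", Mutation.CONFIG_WRITE, frozenset({"tenant", "connector"})),
}

AUDIT_LOG = []  # every decision, allowed or denied, is recorded here

def authorize(name, scope, granted_tier):
    """Return (allowed, reason) for one requested call and record the decision."""
    spec = REGISTRY.get(name)
    if spec is None:
        # Not a registered function: there is no passthrough to fall back on.
        decision = (False, "unknown function")
    else:
        missing = sorted(k for k in spec.required_scope if not scope.get(k))
        if missing:
            # Scope before action: refuse instead of guessing a tenant or case.
            decision = (False, "missing scope: " + ",".join(missing))
        elif spec.mutation > granted_tier:
            decision = (False, f"tier {spec.mutation.name} exceeds grant {granted_tier.name}")
        else:
            decision = (True, "ok")
    AUDIT_LOG.append({"function": name, "scope": dict(scope),
                      "allowed": decision[0], "reason": decision[1]})
    return decision
```

Denied requests are logged alongside allowed ones, so a client that repeatedly asks for unregistered functions or higher tiers shows up in the audit trail.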

Build from real security work

Start with one job your team already repeats.

Bring one health review, investigation, report, replay test, onboarding check, or coverage review. Fluency turns it into repeatable work that people and AI clients can run with evidence.
