Stop me if you’ve heard this one before: security alerts can be noisy. Mostly, these noisy alerts communicate information that is, on average, important. But the reality of your specific organization isn’t described by an average. The noisy alert just doesn’t “get” your established controls and accepted risks. For many organizations, alerts in their queue represent an overwhelming amount of “authorized, expected in the environment” activity—noise that burns time, drains confidence, and obscures what truly matters.
Staying in tune
At Red Canary, we’ve honed our analytics to filter out an incredible amount of that noise while ensuring we don’t miss threats. If there’s something important buried in all those alerts, we have to catch it. That means Red Canary must cast an extremely wide detection net; we turn the sensitivity up to 11 so that nothing slips past.
It’s kind of like listening to a hundred different songs at once while making sure you don’t miss one very important drum beat.
So we apply multiple layers of tuning at different points in the detection and investigation lifecycle—both global tuning that applies to everyone and per-customer tuning that’s specific to your organization. That gets us to our stunning, industry-leading low rate of false positives.
But what about the rare things that resist tuning? The behavior that is normal and expected in your environment but has every hallmark of suspicious activity? Behavior that, in any other organization, would definitely be an indicator of something concerning? To keep you covered, Red Canary has to look into it. Even this small subset of false positives means work for your security team.
Now, with Agentic Tuning, you can filter out highly specific and difficult-to-tune alerts with a few plain-language sentences typed into Red Canary. We’ve created a system combining AI agents, human expertise, and our extensive experience in detection analytics. It’s the last puzzle piece for achieving next-level tuning.
Why this matters
False positives are costly
They consume analyst capacity, slow response, and erode trust in your detections.
Every customer is unique
Risk tolerance, security architecture, access policies, device management, and compensating controls vary widely.
Tuning shouldn’t be a black box
You deserve transparent, auditable logic that aligns with your policies—and you should be able to change it quickly.
The last puzzle piece: Plain language suppression enabled by AI agents
Agentic Tuning is driven by two different systems: Customizations and the Threat Review Agent in Red Canary. Customizations is a new portal experience that lets you provide explicit, auditable guidance Red Canary uses during threat investigations. Those instructions are evaluated by our Threat Review Agent—an AI system that consults your active customization items and the full investigation context to recommend whether a threat should be suppressed or published.
This is agentic AI built for security operations: a purpose-built agent that reasons over telemetry and your explicit guidance, explains its decisions, and acts consistently at scale.
How it works
- Point us in the right direction with a few sentences, and we’ll take it from there.
- Every customization item flows through a review process to ensure appropriateness and actionability.
- All changes are audited so you know who is adding or changing your customizations. Because our number one priority is securing your environment, Red Canary may override customizations to alert you to suspected threats when necessary.
What does that look like? Here’s an example:
What happens next
- After evaluation by the Threat Review Agent, threats that match the customization criteria are suppressed and don’t alert your team, letting you focus on other work.
- Suppressed threats are still available for you to audit and review, including an explanation that references the customization item used.
What you’ll get
Fewer false positives
You’ll have more time to focus on the real threats. Early access customers have seen up to an 80 percent reduction in false positives in identity-related detections.
Policy-aligned detections
Your expectations drive outcomes. As your environment evolves, your customizations evolve with it.
Get started
- Visit the new Customizations section in your Red Canary Portal.
- Add instructions to reflect suppressive policies you want enforced.
Security teams shouldn’t have to choose between complete coverage and a manageable signal. With Customizations and Agentic Tuning, you get both—an AI-driven, agentic layer that adapts to your environment and delivers the right detections at the right time.
