New Ruxie AI power-up: Blocked malware triage agent clears the noise

By Jake Godgart, Brock Wright, Matthew Kay, David Casagrande, Claire Hogan, Josh Carter

June 18, 2026  •  3 minute read

Expel’s newest Ruxie AI power-up, the blocked malware triage agent, automatically enriches and triages blocked malware alerts, so our analysts spend their time on the threats that need a human.

TL;DR

  • Ruxie’s new blocked malware triage agent automatically enriches and triages blocked malware alerts end to end, so our analysts can spend their attention on the threats that actually need it.
  • It checks the file across external intelligence sources, prior Expel Workbench™ history, and process and host data from EDR tools, then runs a deterministic 7-rule decision engine and recommends Approve or Escalate with the full reasoning attached.
  • Every recommendation goes to an Expel analyst for approval before anything closes. Ruxie™ does the digging. The human owns the call.

A blocked commodity malware alert looks like the safest alert there is. The EDR caught the file, killed it, and logged it. Done.

Except it isn’t. You don’t close a potential malware alert on faith, so every block still gets worked by hand: pull the hash, check reputation, run the sandbox, cross-reference prior history, write up the call. We see 20 or 30 a day, every day.

None of it is hard. All of it is necessary. Time your analysts spend confirming alerts your EDR already stopped means the attacker behind the alert three rows down gets more time to do damage.

Our new Ruxie AI power-up changes that attention dynamic. The blocked malware triage agent automates the manual triage workflow on blocked commodity malware alerts for analysts and runs as an investigative action within Workbench.

The job it takes off our plate

Every blocked malware alert lands the same way. An analyst has to confirm what the EDR already flagged: look up the file’s reputation, detonate it in a sandbox if it’s new, check whether it’s known-good software, and dig through whether we’ve seen it before in your environment. Then write up the reasoning and close it.

One alert is a few minutes of routine. Twenty or thirty of them, every shift, around the clock, is a real chunk of senior analyst time spent on alerts that were most likely already handled by the time they were opened.

With the blocked malware triage agent, Ruxie does the digging and our analysts make the calls. You get faster attention on the threats that matter, and a human signing off on every alert that closes.

Blocked malware triage agent analysis results

What makes this different

Plenty of security AI gets sold on how many alerts it closes without a human. We believe that’s the wrong scoreboard. An AI that auto-closes a misread alert didn’t save time; it automated a miss. Being fast and wrong is still wrong.

So we created this agent to recommend decisions, not make them. Here’s what it does when a blocked malware alert fires:

  1. Enrich: The agent grabs the file hash and runs every check at once: file reputation on VirusTotal, behavior in the VMRay sandbox for files we haven’t seen before, prior Workbench history in your environment, and process and host data from EDR tools like Microsoft Defender.
  2. Decide: It runs those results through a deterministic 7-rule decision engine. Clear, consistent signal across the sources is the only path to a close recommendation. If the sources disagree, if something looks off, or if a check comes back empty, it escalates.
  3. Recommend: The agent hands our analyst a recommendation: Approve or Escalate, with the full reasoning chain, and every piece of evidence it leaned on. The analyst makes the call.

The agent’s defaults are paranoid on purpose. Its instinct is to escalate. The only way it recommends closing an alert is a clear signal pointing the same direction across every source.

And if the file actually ran, even for a second, the agent doesn’t touch it. That one escalates straight to an analyst for a full investigation. We drew that line deliberately.

Ruxie proposes. Our analyst approves. Nothing closes on the agent’s say-so.
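To make the "paranoid by default" decision step concrete, here is an added example of a small deterministic triage engine in the same shape as the workflow above: enrichment results go in, a recommendation with its reasoning chain comes out, and Escalate is the default unless every rule is satisfied. This is illustration code, not Expel's or Ruxie's implementation; the page does not publish the seven rules, so the rule names, the `Enrichment` fields, the `prior_disposition` values and the sample alerts below are all assumptions made for this example.

```python
"""Toy deterministic triage engine for blocked-malware alerts.

Added illustration only: rule names, field names and verdict logic are
assumptions for this example, not Expel's actual 7-rule decision engine.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    APPROVE = "Approve"    # recommend closing; an analyst still has to confirm
    ESCALATE = "Escalate"  # hand to an analyst for a full investigation


@dataclass(frozen=True)
class Enrichment:
    """Results of the parallel lookups. None means a check came back empty."""
    sha256: str
    blocked: Optional[bool]               # did the EDR actually block the file?
    executed: Optional[bool]              # did anything run from it, even briefly?
    reputation_malicious: Optional[bool]  # file-reputation verdict
    sandbox_malicious: Optional[bool]     # sandbox behaviour verdict
    known_good: Optional[bool]            # matches a trusted-software list
    prior_disposition: Optional[str]      # assumed values: "malicious", "benign", "unseen"


# A rule returns a reason string when it forces escalation, otherwise None.
Rule = Callable[[Enrichment], Optional[str]]


def rule_executed(e: Enrichment) -> Optional[str]:
    # Anything that ran, or whose execution status is unknown, goes to a human.
    return None if e.executed is False else "file executed or execution status unknown"


def rule_blocked(e: Enrichment) -> Optional[str]:
    return None if e.blocked is True else "EDR block not confirmed"


def rule_no_empty_checks(e: Enrichment) -> Optional[str]:
    missing = [name for name, val in vars(e).items() if val is None]
    return "empty checks: " + ", ".join(missing) if missing else None


def rule_not_known_good(e: Enrichment) -> Optional[str]:
    return "file matches known-good software; review the block" if e.known_good else None


def rule_sources_agree(e: Enrichment) -> Optional[str]:
    if e.reputation_malicious != e.sandbox_malicious:
        return "reputation and sandbox verdicts disagree"
    return None


def rule_verdict_is_malicious(e: Enrichment) -> Optional[str]:
    if not (e.reputation_malicious and e.sandbox_malicious):
        return "sources do not confirm the file is malicious"
    return None


def rule_history_consistent(e: Enrichment) -> Optional[str]:
    if e.prior_disposition == "benign":
        return "previously dispositioned benign in this environment"
    return None


# Evaluated in order; every rule that fires is reported, not just the first.
RULES: list[Rule] = [
    rule_executed, rule_blocked, rule_no_empty_checks, rule_not_known_good,
    rule_sources_agree, rule_verdict_is_malicious, rule_history_consistent,
]


@dataclass(frozen=True)
class Recommendation:
    verdict: Verdict
    reasons: tuple[str, ...]  # the reasoning chain the analyst sees


def triage(e: Enrichment) -> Recommendation:
    """Pure function: identical enrichment always yields the identical call.
    Escalate is the default; Approve only when no rule objects."""
    reasons = tuple(r for r in (rule(e) for rule in RULES) if r is not None)
    if reasons:
        return Recommendation(Verdict.ESCALATE, reasons)
    return Recommendation(Verdict.APPROVE,
                          ("all sources consistent: blocked, never ran, malicious",))


# Constructed sample alerts with fake hashes; not real indicators.
CLEAN_BLOCK = Enrichment("aa" * 32, blocked=True, executed=False,
                         reputation_malicious=True, sandbox_malicious=True,
                         known_good=False, prior_disposition="malicious")
RAN_BRIEFLY = replace(CLEAN_BLOCK, executed=True)
EMPTY_SANDBOX = replace(CLEAN_BLOCK, sandbox_malicious=None)

if __name__ == "__main__":
    for name, alert in [("clean block", CLEAN_BLOCK), ("ran briefly", RAN_BRIEFLY),
                        ("empty sandbox", EMPTY_SANDBOX)]:
        rec = triage(alert)
        print(f"{name}: {rec.verdict.value} -> {'; '.join(rec.reasons)}")
```

The design point is that the engine never "decides" anything: `triage` only returns a recommendation plus every reason that fired, and a blank or contradictory check is itself a reason to escalate rather than a gap to fill in. Because it is a pure function over the enrichment record, two analysts on different shifts feeding it the same evidence get the same recommendation, which is what makes the triage auditable.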

What this means for you

  • Faster eyes on real threats. Our analysts aren’t buried under alerts your EDR already stopped, so they reach the ones that need judgment sooner.
  • Consistent triage, every shift. The decision engine is deterministic, so the same evidence produces the same call at 3am on a holiday as it does at 10am on a Tuesday.
  • Speed and accuracy. You get the speed of automation on the lookup work, with a seasoned analyst accountable for every disposition.

This is one of several new Ruxie AI power-ups and agents rolling out this year. More are on the way, so keep an eye on the blog for updates.