1:18 AM: Alert Fired. 1:42 AM: Case Closed. No Work Required From Infios Analysts.

How a global supply chain software leader operationalized GreyMatter to investigate and close routine alerts overnight, with no analyst in the loop.

Overview
At 1:18 AM, while the Infios security team was asleep, an alert fired: an anonymous login from a consumer VPN, geolocated in another country, medium severity. By 1:42 AM it had been investigated and closed, with no human involved. The verdict was that a colleague was calling in sick.
An employee had signed in from a personal phone over a consumer VPN, passed multi-factor authentication, opened a couple of internal apps, and messaged a teammate to say they were out sick. The kind of anomalous identity alert that floods a SOC queue every day—usually benign, but never safe to wave through, because the one time you ignore it is the time it wasn't.
"I am sharing this precisely because it is not a dramatic breach story. It's the opposite, and that is the point."
Chad HicksSVP & Chief Information Security Officer,
Infios US, Inc.
A Routine Alert with a Translation Step Bolted On
The case carried an extra wrinkle. The colleague spoke a different language than the on-shift analyst, the VPN exit was in another country, and the note they sent simply read "Krank"—out sick, in German. For a US analyst, that turns a routine investigation into one with a translation step bolted on, just to read the context and ask the basic follow-up questions.
Historically, that alert would sit in the queue until someone picked it up in the morning, taking four to six hours minimum before a human even looked at it.
How GreyMatter's IR Analyst Teammate Closed the Alert Overnight
With GreyMatter agentic AI, here's what happened instead during those 24 minutes:
1:18 AM—Detection. The alert fired. GreyMatter's Universal Translator had already normalized the identity telemetry from Infios's environment into a common schema, so correlation started at ingest — no manual mapping, no waiting for a SIEM to process.
1:19 AM—Investigation begins. The IR Analyst Teammate picked up the case autonomously through Agentic Orchestration, pulling identity signals, device details, geolocation, and post-login activity across the tools Infios already runs. No single-tool limitation. The Teammate gathered, verified, and correlated across the full stack.
1:20–1:38 AM—Contextual analysis. The Teammate identified the German-language message, contextualized "Krank" against the employee's communication patterns and prior behavior, and correlated it with the post-login activity. Two internal apps opened, a message sent to a colleague, then session idle. Agentic Memory retained context about this employee, their normal login patterns, and prior cases in this environment, so the Teammate evaluated the session against an established behavioral baseline rather than starting cold.
1:42 AM—Verdict and closure. Anomalous but safe. No escalation needed. Case closed.
What Changed for the Infios Security Team
Hicks often hears about the fear of an agent replacing an analyst. GreyMatter's Agentic AI multiplies what the team can do—working continuously across routine investigations while analysts focus on cases that require human judgment.
"It clears the high-volume, repetitive verification that burns people out, and gives them back the hard, ambiguous cases that actually need human judgment. My team is not doing less. They are spending their time where their expertise is worth something."
Chad HicksSVP & Chief Information Security Officer, Infios US, Inc.
Learn More About GreyMatter Agentic Teammates
As your business grows, so does your risk. GreyMatter’s Agentic Teammates act as the exponent of your security team, empowering your team to build a truly proactive defense that can anticipate the next threat.


