In DevelopmentPhase 2AI Investigation Agent

The AI
Operations Engineer

Detect. Investigate. Resolve. Learn.

AIRP continuously monitors operational systems, investigates root causes, recommends corrective actions, executes approved runbooks, verifies recovery, and learns from every event — keeping humans in control of impactful actions.

35%Platform

Phase 2 in active development

AI Investigation Agent

4

Phases

16

Workflow Steps

9

Core Engines

The Problem

Too Many Tools, Too Little Time

Modern IT operations teams rely on disconnected tools — ServiceNow, Grafana, Prometheus, PagerDuty, Datadog, cloud providers, and internal dashboards. Engineers spend valuable time correlating alerts, searching historical incidents, gathering evidence, and executing repetitive runbooks.

High MTTR

Mean time to resolution suffers from manual correlation

Alert Fatigue

Unrelated events flood engineers without deduplication

Lost Knowledge

Institutional expertise walks out the door with every incident

AIRP becomes the orchestration layer across these systems — reducing MTTR, improving operational consistency, and preserving organizational knowledge.

Development Roadmap

Building in Phases

Four deliberate phases from core incident infrastructure to continuous learning — each mapped to platform components and workflow steps.

01

Core Incident API

Incident lifecycle, event ingestion, and correlation across monitoring sources.

Complete
Incident ServiceMonitoring GatewayCorrelation Engine
02

AI Investigation Agent

Domain-specialized agents that gather evidence and perform root cause analysis.

In Progress
Investigation EngineKnowledge Service
03

Approval & Execution Engine

Policy evaluation, human-in-the-loop approvals, and safe runbook execution.

Planned
Policy EngineExecution Engine
04

Continuous Learning & Knowledge Base

Verification, outcome tracking, embeddings, and operational knowledge reuse.

Planned
Verification EngineLearning Engine

End-to-End Workflow

16 Steps to Resolution

From first alert to organizational learning — every step is auditable, evidence-driven, and human-gated where it matters.

01

Monitor & Detect

Receive alerts from monitoring and ticketing systems.

Phase 1

02

Normalize Events

Transform heterogeneous alerts into a unified schema.

Phase 1

03

Deduplicate & Correlate

Group related events into a single incident.

Phase 1

04

Create Incident

Open or link incidents with full lifecycle tracking.

Phase 1

05

Enrich Context

Attach assets, ownership, dependencies, and runbooks.

Phase 2

06

AI Understanding

Assess severity, impact, and confidence scores.

Phase 2

07

Retrieve Memory

Search historical incidents and runbooks via Qdrant.

Phase 2

08

Assign Investigation

Route to specialized domain agents.

Phase 2

09

Gather Evidence

Collect logs, metrics, and configuration data.

Phase 2

10

Root Cause Analysis

Reason over evidence to identify the root cause.

Phase 2

11

Remediation Plan

Generate corrective actions with rollback strategy.

Phase 3

12

Human Approval

Present evidence and await engineer approval.

Phase 3

13

Execute Runbooks

Run approved MCP tools and remediation scripts.

Phase 3

14

Verify Recovery

Confirm resolution via logs, metrics, and synthetics.

Phase 4

15

Update & Notify

Close tickets and notify stakeholders.

Phase 4

16

Learn & Improve

Store outcomes and embeddings for future incidents.

Phase 4

Complete In Progress Planned

Platform Architecture

Core Engines

Nine vendor-neutral services orchestrate monitoring, investigation, policy, execution, verification, and learning.

Monitoring Gateway

Complete

Ingests alerts from ServiceNow, PagerDuty, Grafana, and more.

Phase 1

Correlation Engine

Complete

Groups related events into unified incidents.

Phase 1

Incident Service

Complete

Owns incident lifecycle and persistence.

Phase 1

Knowledge Service

In Progress

Retrieves historical incidents via PostgreSQL and Qdrant.

Phase 2

Investigation Engine

In Progress

Coordinates specialized domain agents.

Phase 2

Policy Engine

Planned

Evaluates risk, maintenance windows, and safety policies.

Phase 3

Execution Engine

Planned

Runs approved MCP tools and runbooks.

Phase 3

Verification Engine

Planned

Confirms remediation using logs, metrics, and synthetics.

Phase 4

Learning Engine

Planned

Stores outcomes, embeddings, and operational knowledge.

Phase 4

Domain Agent Architecture

Specialized Investigators

AIRP organizes investigation by technical domain — not traditional support tiers. Each agent operates under a defined permission profile.

Phase 2+
WindowsLinuxNetworkDatabaseKubernetesCloudSecurity

Permission Profiles

Read-onlySafe remediationPrivileged remediationHuman-approved only

Guiding Principles

Built for Trust

Every architectural decision answers one question: does this make AIRP a better AI Operations Engineer?

01

Evidence before action

02

Human approval before impactful remediation

03

Every action is auditable

04

Vendor-neutral integrations

05

Security by default

06

Every incident improves future investigations