Tines · Solution Architect Technical Exercise · 01 / 16
Security Automation · Financial Services
Automating Cryptojacking Investigation with Tines
From alert to containment to executive brief in under 60 seconds — without writing code.
Presenter: Anthony G. Tellez
Client: Leading Financial Services Co.
Audience: CISO · Director of Security · Analyst
Platform: Tines · No-Code Security Automation
Agenda · 02 / 16
30-minute narrative. Three audiences. One solution.
Core narrative runs 30 minutes — deep-dive appendix slides available on request.
Time | Topic | Primarily for
0–3 min | The Problem — three drains on SOC capacity | All attendees
3–7 min | Why automation for security operations | All attendees
7–11 min | Why Tines is the right fit for this use case | Director of Security
11–23 min | Live demonstration on the Tines canvas | All attendees
23–27 min | AI augmentation and the insider-threat differentiator | Security Analyst
27–30 min | Stakeholder outcomes · Q&A · closing | CISO · Director
CISO: Reporting visibility, automated threat mitigation, board-ready outputs
Director of Security: MTTR reduction, playbook consistency, scalability, integrations
Security Analyst: Speed of automation creation, no-code authorship, time freed for investigation
Q&A held throughout · 15–30 min after
The Problem · 03 / 16
Three drains on SOC capacity
Every financial services SOC carries the same compounding burden before a single threat is investigated.
Enrichment Sprawl
Pivoting manually across VirusTotal, AbuseIPDB, CMDB, SIEM, and blockchain explorers for every alert.

15–30 minutes before investigation begins.
Response Drift
No playbook means every analyst improvises. No two incidents handled identically.

Audit trails incomplete. Compliance suffers.
Reporting Overhead
Same data rewritten three times — analyst, director, CISO. Hours of duplicated work every week.
"The team spends a significant amount of time on manual tasks — gathering data from multiple sources, executing repetitive response actions, and generating detailed reports for various stakeholders."
Why Automation · 04 / 16
The cost of doing it manually
Every alert handled by hand compounds four costs. Automation eliminates all of them simultaneously.
Before vs after automation comparison
BEFORE (manual)
GuardDuty Alert → Enrichment (15–30 min) → Response actions (5–10 min) → Analyst report (15–25 min) → Exec brief (10–15 min)
Total per incident: 48–80 min
WITH TINES (automated Story)
GuardDuty Alert → Enrich · Classify · Contain → AI analyst report · CISO brief
Integrations: VT · AbuseIPDB · Alchemy · AWS · Slack · grok-4-1-fast-reasoning
Total per incident: < 30 seconds
✓ Analyst time freed · ✓ Consistent every time · ✓ Dwell time compressed · ✓ Reports auto-generated
Why Tines · 05 / 16
Purpose-built for security teams
Five capabilities that directly address the priorities in this brief.
Tines capability spoke diagram: Tines for security
No-Code: 32 of 33 actions need zero code
AI-Native: 4 LLM calls per incident (grok-4-1-fast-reasoning)
Integrations: native connectors + HTTP Request fallback
Audit by Default: every event logged (Tines log + SIEM)
Vendor-Agnostic Core: AWS today; 3 actions to swap for Azure
Appendix · Solution Overview · 11 / 16
One Story. Fully automated. End to end.
A single Tines Story receives an AWS GuardDuty cryptomining alert and — without human intervention — enriches, classifies, contains, and reports in under 60 seconds.
33 · Automated actions in the Story
7 · Canvas sections (colour-coded lanes)
5 · Threat intelligence sources queried
4 · Distinct AI invocations per incident
4 · Automated response actions
2 · Stakeholder reports per incident
20 · Lines of code (one Python step)
<60s · End-to-end runtime per incident
Appendix · Workflow Architecture · 12 / 16
Seven sections. One canvas.
Core pipeline runs left to right. Three supporting lanes operate in parallel above.
Tines Story seven-section workflow architecture
Supporting lanes (run in parallel above the core pipeline):
Test Harness: 22 synthetic findings → live webhook
Write-Up: on-demand Grok-4 exec summary email
Weekly Trend: Mon 08:00 UTC → CISO + Director
Core pipeline (left to right):
01 · INGEST · Alert Ingestion: GuardDuty webhook; extract IOCs + wallet + insider flag
02 · ENRICH · Threat Enrichment: VirusTotal (live) · AbuseIPDB (live) · Alchemy ETH (live) · GreyNoise (stub) · Shodan + CMDB (stub)
03 · ANALYSE · Analysis & Report: grok-4-1-fast-reasoning 8-section analyst report; Python → styled HTML; CISO brief (own prompt) → 2 emails dispatched (Analyst Email: 8-section technical report · CISO Email: <120 words, no IOCs)
04 · RESPOND: stop EC2 · block IP · Slack; insider → HR/Legal ticket
SIEM Audit Sink: Splunk / ES live integration stub → prod swap
AI Augmentation · 07 / 16
Four prompts. Four audiences.
Zero duplicated human work.
All invocations use grok-4-1-fast-reasoning — each with a distinct system prompt tuned for a different reader.
Invocation | Audience | Output | Constraints
Impact Assessment | Security Analyst | 8-section markdown report: Classification · Attribution · Timeline · Financial Impact · Severity · Containment Steps | Full detail, all IOCs
CISO Executive Brief | CISO | 3 paragraphs: what happened + risk · automated response · next steps for leadership | No IOCs, <120 words
Weekly Trend Report | CISO + Director | 3-section narrative (Volume · MTTR Trends · Recommendations) with stat-card dashboard | 3–5 bullets per section
Project Write-up | Presentation author | 8-section executive summary, the source document for this presentation | On-demand, full reasoning
Key principle: Same enrichment data. No human rewriting. The AI adapts tone, depth, and vocabulary per audience — the analyst receives every IOC; the CISO receives a board-ready brief with no technical jargon.
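A guardrail a practitioner would put in front of the CISO email dispatch: a check that the generated brief actually meets the "No IOCs · <120 words" constraint, so a model that drifts from its system prompt cannot push indicators into the board-ready output. This is an added example, not part of the Tines Story or the deck; the IOC patterns, the TLD list and the "-iam-role" naming convention are assumptions, and both briefs are constructed.

```python
import re

MAX_WORDS = 120  # CISO brief constraint from the prompt table above

# Indicator patterns the CISO brief must not contain (the analyst report keeps them all).
# Assumptions: the TLD list is illustrative; "-iam-role" follows the naming seen in the scenario.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "eth_wallet": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz)\b", re.I),
    "iam_role": re.compile(r"\b[\w-]+-iam-role\b"),
}


def check_ciso_brief(text: str) -> dict:
    """Word count, IOCs found per pattern, and whether the brief may be dispatched."""
    found = {name: sorted(set(p.findall(text))) for name, p in IOC_PATTERNS.items()}
    found = {name: hits for name, hits in found.items() if hits}
    words = len(text.split())
    return {"words": words, "iocs": found, "ok": words < MAX_WORDS and not found}


# Constructed briefs: one that honours the constraint, one where the model leaked indicators.
CLEAN_BRIEF = (
    "A production compute instance was found mining cryptocurrency and was stopped "
    "automatically within one minute of detection. The attacker's network address was "
    "blocked and no customer data was accessed. The event is recorded in the audit log and "
    "the SIEM. Leadership action: approve the cloud credential hygiene review this quarter."
)
BAD_BRIEF = (
    "Mining traffic from 194.165.16.11:3333 on a c5.9xlarge was traced to wallet "
    + "0x" + "ab" * 20 + " and pool xmr.2miners.com; the jsmith-iam-role session "
    "was suspended."
)
```

A failed check should hold the email and fall back to the analyst for review rather than silently retrying the prompt.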
The Differentiator · 08 / 16
Context-awareness, not rule-matching
The Scenario
Insider Threat — Severity 7
A c5.9xlarge in ap-southeast-1 — a region with zero active team workloads — begins mining on port 2020.

IAM role jsmith-iam-role assumed 76 min prior. No MFA. Cost center IT-OPS-447. 21-day window.

Wallet returns zero hits across all five threat-intel sources.
What the Workflow Does
AI detects absence of evidence
grok-4-1-fast-reasoning interprets zero threat-intel hits as a signal. Reclassifies from external attack to potential insider misuse.

Containment shifts to evidence preservation and IAM credential suspension.

Is Insider Threat? TriggerAgent fires → HR & Legal ticket → CISO brief rewritten in HR language.
Why This Matters
Rules engines can't do this
A rules engine matches patterns that exist. It cannot reason about the absence of a pattern.

AI inside a Tines Story can — in 15 seconds, every time, with a full audit trail.

No playbook was written for this outcome. The model reasoned its way to it from context alone.
Live Demonstration · 06 / 16
What you're about to see
~12 min on the Tines canvas
1 · The workflow canvas
A single Tines Story — seven colour-coded sections, thirty-three actions, one Python step. The entire cryptojacking investigation, built without a developer and without leaving the browser.
Alert Ingestion → Enrichment → Analysis → Response → Reporting
~1 min
2 · External attack — end to end
A high-severity TeamTNT cryptomining alert flows through parallel enrichment from five threat-intel sources, then AI classification, automated containment, and two audience-tailored emails — one for the analyst, one for the CISO.
Parallel API enrichment · two reports from the same source data
~3 min
3 · Insider threat — AI reclassification ★
Same workflow, same actions. But when threat intelligence comes back empty, the AI reasons about the absence of evidence and pivots the response from technical containment to HR/Legal coordination — without a rule being pre-written.
Context-aware reclassification · automatic HR/Legal ticket · CISO brief rewritten in non-technical language
~4 min
4 · Weekly trend report
A stat-card dashboard emailed to leadership every Monday at 08:00 UTC — volume, MTTR, high-severity count, and insider-threat metrics — followed by an AI-generated trend narrative with recommendations.
Reporting and visibility that requires zero analyst effort
~2 min
5 · Write-up, generated on demand
An eight-section executive summary authored by Grok-4 — the exact source document used to build this presentation. The tool, quite literally, demonstrates itself.
AI producing board-ready narrative from a button click
~2 min
Appendix · Scenario Demonstrations · 13 / 16
Four scenarios. One workflow.
The test harness fires each finding through the live webhook — no live AWS dependency needed.
Four scenario demonstration matrix
Scenario | Sev | Key signal | Outcome
TeamTNT External | 8/10 | t3.xlarge · us-east-1 · 7-day window; 100% AbuseIPDB confidence, 15 VirusTotal hits, 194.165.16.11:3333 | ✓ EC2 stopped · ✓ IP blocked in SG · ✓ Slack + emails
LemonDuck Botnet | 6.5/10 | t2.micro · eu-west-1 · DNS detection; xmr.2miners.com | Below threshold of 7: enriched + reported, ⚠ no quarantine (by design, not a gap)
Novel · 52-Day Dwell | 9/10 | c5.4xlarge · us-west-2 · Ethermine pool; 65.21.253.40:4444, 52 days undetected | ✓ Containment · ✓ Dwell flagged
Insider Threat (DIFFERENTIATOR) | 7/10 | c5.9xlarge · ap-southeast-1 · jsmith-iam-role · no MFA · 21-day window; zero threat-intel hits, IAM role assumed 76 min before | AI detects absence: ✓ HR/Legal ticket · ✓ CISO brief in HR language; no rules pre-written
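The routing decisions in this matrix, modelled as a deterministic oracle that a test harness can assert against for the Story's two TriggerAgents (severity ≥ 7 → containment; insider_context ≠ "" → HR/Legal). This is an added example, not the Tines Story's own logic or code from the deck: the threshold, the trigger conditions, the scenario IOCs and severities come from the deck, while the 30-day dwell flag, the action names, and the rule that the insider branch replaces EC2 containment are assumptions, and the LLM's "absence of evidence" reasoning is approximated by a fixed rule.

```python
from dataclasses import dataclass

SEVERITY_THRESHOLD = 7.0  # the one value in the containment TriggerAgent (deck: severity >= 7)
DWELL_FLAG_DAYS = 30      # assumption: the deck flags a 52-day dwell but states no threshold


@dataclass
class Enriched:
    """One GuardDuty cryptomining finding after the enrichment lane (constructed input)."""
    name: str
    severity: float
    ioc: str                   # remote IP:port or mining-pool domain
    vt_hits: int = 0           # VirusTotal detections on the IOC
    abuseipdb_conf: int = 0    # AbuseIPDB abuse-confidence score, 0-100
    wallet_hits: int = 0       # wallet/pool hits across the remaining TI sources
    dwell_days: int = 0        # eventLastSeen minus eventFirstSeen, in days
    insider_context: str = ""  # non-empty when IAM / region / MFA signals were found


def classify(e: Enriched) -> str:
    """Fixed-rule stand-in for the LLM step: zero hits across every TI source, combined
    with insider context, is itself the signal and flips the class to insider misuse."""
    no_ti = e.vt_hits == 0 and e.abuseipdb_conf == 0 and e.wallet_hits == 0
    return "insider" if (no_ti and e.insider_context) else "external"


def route(e: Enriched) -> dict:
    """The two TriggerAgents: insider_context != "" -> HR/Legal; severity >= 7 -> containment.
    Assumption: the insider branch swaps EC2/SG containment for evidence preservation."""
    cls = classify(e)
    actions = ["analyst_report", "ciso_brief"]  # every incident gets both reports
    if cls == "insider":
        actions += ["preserve_evidence", "suspend_iam_credentials",
                    "hr_legal_ticket", "ciso_brief_in_hr_language"]
    elif e.severity >= SEVERITY_THRESHOLD:
        actions += ["stop_ec2", "block_ip_in_sg", "slack_alert"]
    if e.dwell_days >= DWELL_FLAG_DAYS:
        actions.append("flag_long_dwell")
    return {"classification": cls, "quarantined": "stop_ec2" in actions, "actions": actions}


# The four matrix scenarios as constructed test-harness inputs (IOCs as listed in the matrix).
SCENARIOS = [
    Enriched("TeamTNT External", 8.0, "194.165.16.11:3333", vt_hits=15, abuseipdb_conf=100, dwell_days=7),
    Enriched("LemonDuck Botnet", 6.5, "xmr.2miners.com"),
    Enriched("Novel 52-Day Dwell", 9.0, "65.21.253.40:4444", dwell_days=52),
    Enriched("Insider Threat", 7.0, "wallet-with-no-ti-hits", dwell_days=21,
             insider_context="jsmith-iam-role assumed 76 min prior, no MFA, ap-southeast-1"),
]


def run_harness(scenarios=SCENARIOS) -> dict:
    """Route every scenario; keys are scenario names so a test can assert per matrix row."""
    return {s.name: route(s) for s in scenarios}
```

Feeding the same rows through the live webhook and diffing the Story's actual actions against this table is how the severity threshold or a prompt change can be regression-tested before it reaches production.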
Stakeholder Value · 09 / 16
Different roles. Different outcomes.
CISO
Board-ready <120-word brief per incident — no IOCs, plain language
Weekly trend report — volume, MTTR, insider metrics — Monday 08:00 UTC
Risk framed by asset criticality and data classification from CMDB
Two independent audit trails: Tines log + SIEM
AI summary cuts board prep cycle time
Director of Security
MTTR on high-severity incidents: hours → under one minute
Identical playbook every incident — no analyst variation
Severity threshold is one value in one TriggerAgent — no eng ticket
Weekly metrics to brief up and tune team focus
Stories composable — this playbook becomes a reusable template
Security Analyst
Manual enrichment across 5+ tools eliminated entirely
Report writing eliminated — AI generates 8-section report in seconds
One email surfaces every data point needed to decide
Canvas is self-documenting — any analyst can own the Story
Time freed for hunting and higher-order investigative work
Appendix · Return on Investment · 14 / 16
Per-incident time comparison
Task | Manual | Automated | Saved
IP enrichment (VirusTotal, AbuseIPDB, GreyNoise, Shodan) | 10–15 min | ~8 sec | ~14 min
Blockchain wallet lookup (Alchemy ETH) | 5–10 min | ~3 sec | ~9 min
Asset & owner lookup (CMDB) | 3–5 min | ~1 sec | ~4 min
8-section analyst report (AI-generated) | 15–25 min | ~8 sec | ~22 min
CISO executive brief, <120 words (AI-generated) | 10–15 min | ~5 sec | ~14 min
Containment (EC2 stop, SG block, Slack alert) | 5–10 min | ~2 sec | ~8 min
Total per incident | 48–80 min | < 30 sec | 47–79 min
~85 hrs · returned per analyst per year (at 2 incidents / week on this use case)
< $0.10 · cost per automated incident (vs ~$50 analyst time at fully-loaded rates)
500× · cost reduction per incident (ROI is immediate on day one of production)
Appendix · Roadmap · 15 / 16
From demo to production to SOC-wide adoption
Phase 1 · Production Hardening · Weeks 1–4
Replace stubs: AWS EC2, ServiceNow CMDB, Splunk HEC, GreyNoise, Shodan, Jira
Configure credentials: aws · servicenow · splunk · greynoise · shodan · jira
Add monitoring: failure alerts, retry policies, MTTR dashboards
Phase 2 · Playbook Expansion · Weeks 4–8
Clone for adjacent use cases: credential compromise, suspicious IAM, S3 exposure
Build shared Threat Enrichment sub-story callable from any parent Story
Wire Weekly Trend Report to live Tines Records query
Phase 3 · SOC-Wide Adoption · Quarter 1
Analyst training — one Story per senior analyst per month
Weekly review cadence on Story performance and MTTR impact
Quarterly exec roll-up: hours saved, incidents handled, trends
Phase 4 · AI-First Operations · Ongoing
Expand AI to triage suggestions, alert deduplication, hunting hypotheses
Pilot agentic workflows using Send-to-Story composition
Appendix · Assignment Coverage · 16 / 16
Requirement | Implementation | Status
No-code, non-developer friendly | 33 actions, 1 Python styling step (20 lines), 7 visual canvas sections | ✓ Complete
Quick time to value | Full Story built and functional in hours | ✓ Complete
Threat intelligence enrichment | VirusTotal (live), AbuseIPDB (live), GreyNoise (stub→prod), Shodan (stub→prod) | ✓ Complete
Asset inventory enrichment | CMDB lookup: ServiceNow / AWS SSM stub, production-ready swap | ✓ Complete
Blockchain context | Alchemy ETH, last 20 transfers: external, internal, ERC20, ERC721, ERC1155 (live) | ✓ Differentiator
Isolate compromised devices | AWS StopInstances: stub with labelled production-ready replacement path | ✓ Complete
Block malicious IPs | AWS RevokeSecurityGroupIngress: stub, production-ready replacement path | ✓ Complete
Escalate based on criteria | Two TriggerAgents: severity ≥ 7 → containment; insider_context ≠ "" → HR/Legal | ✓ Complete
Predefined response playbooks | The Story itself is an executable, versioned, analyst-owned playbook | ✓ Complete
Flexibility for custom responses | Insider threat branch: no rules were pre-written for this outcome | ✓ Differentiator
Volume and trend reporting | Weekly Trend Report with stat-card dashboard and AI 3-section narrative | ✓ Complete
AI augmentation | 4 × grok-4-1-fast-reasoning with 4 purpose-built system prompts | ✓ Complete
Stakeholder-specific visibility | Analyst technical report · CISO <120-word brief · Director weekly metrics | ✓ Complete
Audit trail | Tines event log + SIEM sink (Splunk HEC / Elasticsearch _index) | ✓ Complete
Vendor agnosticism | Cloud-agnostic core: 3-action swap for Azure migration | ✓ Complete
Closing · 10 / 16
Thank You
Questions are welcome.
Appendix slides follow — solution overview, architecture, scenario matrix, ROI math, and production roadmap. Use the arrow keys or nav dots to jump to anything the panel wants to explore.
LinkedIn: /in/anthonygtellez
GitHub: @anthonygtellez
Website: anthonygtellez.com