Cohere has integrated its enterprise AI agent platform, North, with the cloud security provider Wiz to automate incident response workflows. By connecting North to Wiz via a custom Model Context Protocol (MCP) server, the security team can now triage critical findings, draft incident reports, update ticket statuses, and generate security posture briefs through automated agent prompts. Previously, these manual security processes required 30 minutes to 2 hours per finding, causing bottlenecks as the organization's cloud footprint expanded.

The architecture relies on a lightweight Python-based MCP server that exposes eight atomic tools to North, including functions for listing issues, retrieving security finding details, identifying multi-factor attack paths, and querying asset inventories. North authenticates to the MCP server using a shared secret header, while the server communicates with the Wiz GraphQL API via OAuth2 client credentials. This setup allows North to analyze complex security scenarios—such as 'toxic combinations' where individual risks chain together—and provide prioritized risk tables based on real-world blast radius factors like internet exposure and data sensitivity.

In addition to on-demand triage and investigation, the team implemented a scheduled weekly posture brief that runs every Monday at 3:00 a.m. This automation leverages Wiz metrics and CISA KEV (Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities) data to deliver an executive summary and prioritized remediation lists directly to the security team's inbox. Cohere has released the implementation as an open-source project, allowing other organizations to replicate the pattern using the provided repository, Docker, or Cloud Run deployment methods. The technical implementation emphasizes prompt-based instructions to prevent hallucination, ensuring the agent uses exact field values from Wiz to maintain data fidelity during report generation.

Cohere has integrated its enterprise AI agent platform, North, with the cloud security provider Wiz to automate incident response workflows. By connecting North to Wiz via a custom Model Context Protocol (MCP) server, the security team can now triage critical findings, draft incident reports, update ticket statuses, and generate security posture briefs through automated agent prompts. Previously, these manual security processes required 30 minutes to 2 hours per finding, causing bottlenecks as the organization's cloud footprint expanded.

The architecture relies on a lightweight Python-based MCP server that exposes eight atomic tools to North, including functions for listing issues, retrieving security finding details, identifying multi-factor attack paths, and querying asset inventories. North authenticates to the MCP server using a shared secret header, while the server communicates with the Wiz GraphQL API via OAuth2 client credentials. This setup allows North to analyze complex security scenarios—such as 'toxic combinations' where individual risks chain together—and provide prioritized risk tables based on real-world blast radius factors like internet exposure and data sensitivity.

In addition to on-demand triage and investigation, the team implemented a scheduled weekly posture brief that runs every Monday at 3:00 a.m. This automation leverages Wiz metrics and CISA KEV (Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities) data to deliver an executive summary and prioritized remediation lists directly to the security team's inbox. Cohere has released the implementation as an open-source project, allowing other organizations to replicate the pattern using the provided repository, Docker, or Cloud Run deployment methods. The technical implementation emphasizes prompt-based instructions to prevent hallucination, ensuring the agent uses exact field values from Wiz to maintain data fidelity during report generation.