Query Workers: AI Security Agents With No Data Boundary


AI agents built on the Security Data Mesh — reaching every source, including the data that never made it into your SIEM.

Every AI security agent announced at RSAC last week operates within a single vendor’s data perimeter — purpose-built to reason across their platform and bounded by it. Query Workers are built on a different foundation.


Query today announced Query Workers, AI-powered security agents built on the Query Security Data Mesh — the company’s patented federated architecture that reaches security data wherever it lives, without copying, moving, or centralizing it.

In one early deployment, a Worker identified a C2 beacon that had been actively communicating with an external attacker for 30 days. It correlated endpoint detections, identity anomalies, cloud storage malware, and data loss prevention alerts across four separate tools in a single automated session, surfacing a persistent threat that had gone undetected and delivering a prioritized containment plan before an analyst opened the queue.

“The industry spent two years bolting AI onto SIEMs and calling it progress. We spent that time building a foundation that reaches the full environment. Workers are the payoff: AI that operates where the data actually is, not where a vendor put it,” said Matt Eberhart, CEO of Query.


Query Workers launches with three workflows:

– The Investigation Worker runs structured multi-stage alert triage and investigation across the full mesh, producing evidence-backed findings with recommended disposition.
– The Threat Hunting Worker executes hypothesis-driven hunts, systematically searching across every connected source and classifying what it finds.
– The Identity Threat Assessment Worker sweeps eight identity attack patterns, from credential stuffing to privilege escalation, across every connected identity provider.

Each Worker is composed from specialized skills called as needed based on what the investigation uncovers: classification, scoring, enrichment, identity analysis, network analysis, and more. Each Worker runs a structured workflow where the right skill fires at the right stage, and every step is logged.

“Every alert that goes uninvestigated is an exposure you can’t account for,” said Mike Bousquet, Chief Product Officer at Query. “Query Workers close that gap and produce a complete evidence chain: every query logged, every IOC documented, every disposition and recommendation backed by data. Your analysts inherit answers, not assembly work.”

Every Worker run produces a complete, auditable evidence package:

– Investigation Report — findings, recommended disposition, mapped attack techniques, timeline, and response-ready next steps
– Query Log — every search executed, every data source queried, every result count, replayable and auditable
– IOC Ledger — every indicator discovered, typed, sourced, and enriched through threat intelligence
– Senior Analyst Review — on high-severity findings, an automated nine-check quality review runs before results are presented, covering evidence completeness, logic verification, missed indicators, severity calibration, and blind spots

Workers do not take actions; they produce findings and recommendations, and your analysts make the call.

“Query’s mesh gave us federated access to all the security-relevant data in our stack without forcing us to centralize it first,” said Rudy Ristich, CISO & Chief Privacy Officer at Avant. “Workers running on that mesh changes what my team can actually do — issues that used to take hours to investigate are pre-packaged in minutes and my analysts are making decisions instead of assembling data.”

Query Workers also supports BYO Agent access, allowing teams running custom-built workflows or third-party AI agents to connect to the Security Data Mesh and query across the full environment with normalized data underneath. Teams that have already invested in AI capabilities don’t have to choose between what they’ve built and the data foundation that makes it more effective.
