How Trellix Cut Log Parsing Time from Days to Minutes with LangGraph

Trellix, a global cybersecurity firm serving 40,000+ enterprise customers, built Sidekick — an internal agentic platform powered by LangGraph and LangSmith — to automate log parsing and security integration development. What previously took engineers 2–3 days per request now takes minutes, and plugin development that spanned multiple days now completes in a single afternoon.

Impact

Log parsing time: days → minutes

Plugin development time: multiple days → ~1 afternoon

Challenge

Trellix engineers spent 2–3 days per customer request manually parsing unfamiliar log formats and developing cybersecurity integrations, creating significant backlogs and slowing resolution times across the support organization.

Solution

Trellix built Sidekick, an internal agentic platform using LangGraph for modular workflow orchestration with human-in-the-loop controls, and LangSmith for observability and systematic agent performance evaluation before production deployment.


Full Story

Trellix protects more than 40,000 organizations worldwide with AI-native threat detection and extended detection and response (XDR) capabilities. Behind those customer-facing capabilities, Trellix's own engineering teams faced a growing operational burden: thousands of incoming customer requests for cybersecurity integrations and log parsing services, each requiring an engineer to manually interpret log formats, write parsing code, and manage back-and-forth communications. Each request consumed 2–3 days of engineering time and built a backlog that frustrated both customers and internal teams.

The company's response was Sidekick, an internal agentic platform designed to automate the most repetitive parts of this workflow. The challenge in building agentic systems, however, is not just getting them to work — it's getting them to work reliably enough to deploy, explain to stakeholders, and iterate on with confidence. Trellix needed a framework that supported modular design, human oversight during development and testing, and structured observability once in production.

LangGraph provided the orchestration layer. Its map-reduce patterns and Send API enabled Sidekick to be composed as a set of discrete, reusable modules rather than a fragile monolithic agent. Crucially, LangGraph's human-in-the-loop features allowed engineers to pause agent execution, review decisions, approve or modify actions, and restart workflows — a capability that proved essential for building trust in the system before full deployment. LangGraph Studio's visual graph interface made the agent's internal logic transparent to non-technical stakeholders, helping executives understand that Sidekick operated as a carefully engineered program rather than an opaque black box.

LangSmith served as the observability backbone. The team used its dataset management and experiment tracking features to compare different agent architectures systematically, monitoring metrics like recursion rates and document retrieval frequency. Structured trace data replaced raw AWS CloudWatch logs as the primary debugging interface, dramatically reducing time-to-insight when investigating failures.

The results were immediate and measurable. Log parsing that previously required 2–3 days of manual engineering work now completes in minutes. Cybersecurity plugin development that spanned multiple days now takes approximately one afternoon. The reduction in backlog pressure has improved customer response times and freed the engineering team to focus on higher-complexity work. Trellix plans to expand Sidekick's capabilities to external partners and extend automation across additional engineering workflows in the near term.
