Filigran has launched XTM One, an agentic orchestration layer designed to automate Continuous Threat Exposure Management (CTEM) workflows across its existing XTM platform. By linking OpenCTI and OpenAEV through a centralized, on-premises orchestration layer, the tool enables automated coordination between threat intelligence and defensive actions, according to the company. The system supports “Bring Your Own LLM” (BYOLLM) configurations and includes an open-source Model Context Protocol (MCP) server.
How Agentic Orchestration Changes SOC Workflows
Security Operations Center (SOC) teams are increasingly overwhelmed by the manual relay required between threat intelligence, attack scenario modeling, and remediation tracking. Julien Richard, co-founder of Filigran, states that the volume of CVEs and malicious campaigns has surpassed the capacity of human-only analysis. XTM One addresses this by deploying pre-configured AI agents that handle time-consuming tasks like threat enrichment, reporting, and remediation recommendations. According to Filigran, organizations using the XTM platform have reported up to 70% faster detection and response cycles, alongside an 80% reduction in time spent preparing offensive security tests.
The “agentic” approach differs from standard AI assistants by allowing models to proactively coordinate transitions between separate security tools, rather than just providing passive suggestions within a single interface.
Why Machine-Speed Defense is Now Mandatory
Cybersecurity is shifting toward “machine-speed” operations as attackers leverage automation to shorten the time between initial access and exploitation. Melinda Marks, Cybersecurity Practice Director at Omdia, notes that transitioning to agentic orchestration is a requirement for modern CTEM to keep pace with adversaries. While major U.S.-based security platforms are also deploying proprietary remediation agents, Filigran is positioning itself through open-source transparency. By offering an open-source MCP server, the company allows users to integrate threat data into third-party AI architectures, provided they maintain strict governance over how these agents are supervised.
Addressing Sovereignty and Data Control
For organizations in regulated sectors, the ability to deploy on-premises is a primary requirement for maintaining data control. XTM One’s “Bring Your Own LLM” feature allows agencies and critical infrastructure operators to run models within their own infrastructure. However, security experts warn that the efficacy of this sovereignty depends on the model’s origin. If a BYOLLM configuration points to an external, U.S.-based API, it may inadvertently reintroduce the legal and privacy exposures that an on-premises deployment was intended to solve. Users must ensure their chosen LLM endpoints align with their specific jurisdictional compliance requirements.
Comparison: Proprietary vs. Open Orchestration
| Feature | Proprietary Platforms | Filigran XTM One |
|---|---|---|
| Orchestration | Closed, vendor-locked | Open-source, MCP-based |
| Deployment | Cloud-centric | On-premises supported |

When implementing agentic workflows, treat your AI agents like privileged users. Always ensure that every action taken by an agent—especially those involving offensive security tests—is journaled and bounded by strict access controls.

Frequently Asked Questions
- What is the main advantage of XTM One? It automates the “relay” between different security tools, allowing for a continuous CTEM loop without manual intervention.
- Does XTM One require a specific LLM? No, it supports a “Bring Your Own LLM” model, allowing organizations to select their own providers.
- Is the software open source? The underlying products and the MCP server are open source, though some advanced orchestration features require a specific XTM One license.
- How does this impact SOC analysts? It shifts the analyst’s role from manual data entry and task-switching to supervising automated workflows and validating high-level security decisions.
