Context Memory

Context Memory in Dropzone AI captures and distills institutional knowledge—details that aren’t directly observable in security telemetry, but that experienced analysts and documented processes consider essential to investigations. It augments the AI SOC Analyst’s understanding of alert entities with learned organizational facts, reducing manual research and accelerating decision-making.

Context Memory helps Dropzone’s AI apply organization-specific reasoning during investigations by proactively identifying facts that are not present in alert payloads or security systems, but are critical to assessing risk or ruling out benign behavior.

If you find yourself adding entries that describe workflows, decision trees, or if/then logic, it’s likely a sign you’re designing a Custom Strategy rather than a memory fact. Context Memory should be used to capture facts about entities—what something is, who owns it, or how it’s typically used—not prescriptive steps on how to interpret it.

How to Create Context Memory

Learning from Investigations

  • When an analyst changes a Conclusion, that outcome is remembered, and the Dropzone agent synthesizes the documented notes into additional Context Memory.

  • When providing feedback, reference specifics from the investigation:

    • ✅ “Application Foo is allowed in our environment”

    • ✅ “Emily Eaton is approved to run certutil.exe”

      • These are high-value, specific facts.

    • ❌ “This is allowed”

      • This is not specific enough to be useful.

Manual Notes and Guidance

  • Just like senior analysts writing notes or runbooks, teams can manually add information to the Context Memory bank that is not tied to a specific investigation.

Automated Ingestion

  • Backfill institutional knowledge using exports from systems such as:

    • Confluence

    • Jira

    • ServiceNow

  • These sources can be programmatically ingested into the Dropzone platform.
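Before bulk-loading exported notes, it helps to screen each candidate entry against the guidance above: an entry should name a specific entity (application, user, host, process), and if/then or step-wise logic belongs in a Custom Strategy instead. The following Python is an added illustration, not Dropzone code or its ingestion API; the sample entries are constructed, and the regex heuristics (`STRATEGY_HINTS`, `ENTITY_TOKEN`) are an assumption about what "specific" looks like.

```python
import re

# Constructed sample entries, modelled on the page's good and bad examples
# (not taken from any real Confluence/Jira/ServiceNow export).
CANDIDATES = [
    "Application Foo is allowed in our environment",
    "Emily Eaton is approved to run certutil.exe",
    "This is allowed",
    "If the sender domain is partner.example then close the alert as benign",
]

# Words signalling prescriptive if/then or step-by-step logic, which the page
# says belongs in a Custom Strategy rather than in Context Memory (heuristic).
STRATEGY_HINTS = re.compile(r"\b(if|then|else|otherwise|escalate|step\s*\d+)\b", re.I)
# An entry whose subject is a bare pronoun names no entity at all.
PRONOUN_SUBJECT = re.compile(r"^\s*(this|that|it|these|those|they)\b", re.I)
# Entity-shaped tokens: a Capitalised word after the first word, or something
# file-, host- or account-shaped (certutil.exe, host01.corp, C:\tools, j.doe@).
ENTITY_TOKEN = re.compile(r"^[A-Z][A-Za-z0-9]+$|[\w-]+\.[A-Za-z0-9]+|[\\/@]")


def classify_entry(text: str) -> dict:
    """Sort one candidate entry into 'fact', 'strategy' or 'vague'.

    fact     - names an entity and states what it is, who owns it or how it is used
    strategy - carries decision logic; model it as a Custom Strategy instead
    vague    - anchored to no specific entity, so it cannot help a later investigation
    """
    if STRATEGY_HINTS.search(text):
        return {"text": text, "verdict": "strategy",
                "reason": "contains if/then or step-wise logic"}
    tokens = text.split()
    has_entity = any(ENTITY_TOKEN.search(tok.strip('“”"\',.')) for tok in tokens[1:])
    if PRONOUN_SUBJECT.match(text) or not has_entity:
        return {"text": text, "verdict": "vague",
                "reason": "does not name a specific application, user, host or process"}
    return {"text": text, "verdict": "fact", "reason": "entity-specific statement"}


def triage(entries):
    """Group entries by verdict so only 'fact' items are queued for the memory bank."""
    buckets = {"fact": [], "strategy": [], "vague": []}
    for entry in entries:
        result = classify_entry(entry)
        buckets[result["verdict"]].append(result)
    return buckets


if __name__ == "__main__":
    for verdict, items in triage(CANDIDATES).items():
        for item in items:
            print(f"[{verdict:8}] {item['text']}  ({item['reason']})")
```

Run against the constructed list, the two entity-specific entries land in `fact`, the pronoun-only entry in `vague`, and the if/then rule in `strategy`.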

Building Context Memory Over Time

Just as training and coaching are most impactful during a new hire’s first 30 days, early investment in Context Memory gives Dropzone a strong foundation for long-term reference.

During onboarding, we recommend reviewing a set number of investigations per day to ensure your Dropzone analyst aligns with your team’s policies and expectations.

Best Practices

  • Continually add to your Context Memory bank by adjusting conclusions or uploading new facts as your environment evolves.

  • Periodically review your Context Memory bank to ensure Dropzone has up-to-date information about your organization.

Want to learn more about Context Memory? Check out our Context Memory Best Practices Guide.
