
Cyberhaven Analyst Plugin: AI-Assisted Security Investigation in Claude Code and Codex

May 8, 2026


Security teams have a data problem. Not a shortage of data, but a growing data-surfacing problem. The signals are there, the incidents are logged, and the classifications exist. But getting from raw data to a prioritized action plan still requires close to an hour of manual querying, tab-switching, and context reconstruction, every single time.

The Cyberhaven Analyst Plugin changes that. It brings Cyberhaven's security signals directly into Claude Code and Codex, turning an analyst's existing AI environment into a working security interface. One conversation replaces the queue.

What the Cyberhaven Analyst Plugin Does

The Cyberhaven Analyst Plugin is an MCP-compatible plugin that connects Cyberhaven's data lineage, classifications, and incident findings to Claude Code, Codex, and any MCP-compatible client. Analysts ask questions in plain language; the plugin fetches the right data, reasons across it, and returns a prioritized action plan.

It ships with 40+ ready-to-use security workflows and 20+ specialized analysis agents covering incident triage, alert deduplication, classification review, and executive reporting. Connect once, and the AI assistant has full access to Cyberhaven's environment data: no separate login, no context switch, no additional infrastructure.

From Dashboards to Decisions: What Changes for Analysts

The gap between a security dashboard and a security decision is where analyst time disappears. An L1 analyst facing a queue of 50 incidents does not have a data problem. They have a prioritization problem: which incidents are real, which are noise, and which require immediate escalation?

The plugin attacks that gap at the workflow level. Instead of pulling reports across multiple interfaces and assembling context manually, the analyst asks a question and receives a prioritized, reasoned output. The same work that took 30 to 45 minutes of manual querying compresses into a single conversation turn.

But speed is only part of the shift. The deeper change is in who gets to ask the questions. Traditional security workflows are constrained by interfaces someone else designed: fixed dashboards, predefined queries, and rigid report templates. The Analyst Plugin removes that constraint. Analysts interact with Cyberhaven's data conversationally, asking follow-up questions, adjusting scope, and iterating in real time. The investigation follows the analyst's thinking, not a predetermined workflow.

For L2 and L3 analysts, the shift is different. Less time spent on queue management means more time on actual investigation. The plugin handles the triage layer, applying consistent, policy-aware criteria to open incidents, so senior analysts engage the cases that warrant their attention.

How the Plugin Addresses Alert Noise and False Positives

Alert fatigue is a consistency problem. Analyst-by-analyst judgment drifts over time, and repeated alerts for the same file-destination pair fill queues with noise that never resolves cleanly.

The Analyst Plugin addresses alert noise and false positives at multiple layers.

1. Batch resolution for repeated alerts

Repeated alerts for the same file and destination are identified and resolved in batch, with a dry-run preview so the analyst stays in control before any changes are committed. This targets one of the largest sources of queue bloat directly.

2. Triage with institutional memory

The triage agent makes close, assign, and skip decisions using the same criteria a senior analyst would apply, cross-referencing context, policy data, and accumulated institutional decisions. Each run builds a feedback memory, so future triage gets faster as the organization's historical decisions accumulate. Criteria are applied consistently, not analyst-by-analyst.

3. Classification-layer noise reduction

Before an alert reaches the queue, the plugin detects when multiple data categories are watching the same flows against the same policy and producing redundant firing. Cleaning up overlapping classifications means analysts work from a signal that has already been filtered at the source, not after the fact.
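As an added illustration of the first and third layers above (this is not Cyberhaven's code or API, and the alert records are constructed), the following Python groups repeated alerts for the same file, destination and policy into a dry-run batch-close plan, and separately flags flows where more than one data category fires against the same policy:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    id: str
    file: str
    destination: str
    policy: str
    category: str  # data classification that triggered the alert

# Constructed sample alerts for illustration only; not real Cyberhaven records.
SAMPLE_ALERTS = [
    Alert("a1", "q3-forecast.xlsx", "personal-gmail", "no-external-finance", "Financial"),
    Alert("a2", "q3-forecast.xlsx", "personal-gmail", "no-external-finance", "Financial"),
    Alert("a3", "q3-forecast.xlsx", "personal-gmail", "no-external-finance", "Financial"),
    Alert("a4", "roadmap.pdf", "usb-drive", "no-removable-media", "Confidential"),
    Alert("a5", "customer-list.csv", "dropbox", "no-external-pii", "PII"),
    Alert("a6", "customer-list.csv", "dropbox", "no-external-pii", "Customer Data"),
]

def batch_resolution_plan(alerts, min_repeats=2):
    """Dry-run plan: for each (file, destination, policy) seen at least
    min_repeats times, keep the earliest alert id and list the rest as
    candidates to close. Nothing is changed here; the analyst reviews first."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.file, a.destination, a.policy)].append(a)
    plan = {}
    for members in groups.values():
        if len(members) >= min_repeats:
            keep, *dupes = sorted(members, key=lambda a: a.id)
            plan[keep.id] = [d.id for d in dupes]
    return plan

def apply_plan(alerts, plan, dry_run=True):
    """Commit the plan only when dry_run is False; otherwise return the queue untouched."""
    to_close = {d for dupes in plan.values() for d in dupes}
    if dry_run:
        return list(alerts)
    return [a for a in alerts if a.id not in to_close]

def overlapping_classifications(alerts):
    """Flag flows where more than one data category fired against the same
    policy: redundant firing that is better fixed at the classification layer."""
    categories = defaultdict(set)
    for a in alerts:
        categories[(a.file, a.destination, a.policy)].add(a.category)
    return {k: sorted(v) for k, v in categories.items() if len(v) > 1}
```

In the sample, the customer-list.csv flow shows both symptoms at once: it appears as a repeat in the batch plan, and the overlap check reveals that two categories firing on one policy is the actual cause.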

How Linea AI Surfaces Inside Analyst Workflows

For customers with Linea AI enabled, the Analyst Plugin builds on a foundation of data that has already been deeply analyzed by AI before the analyst ever asks a question. Linea AI isn't just summarizing incidents. It's investigating them in real time, analyzing content, behavior history, and usage patterns to assess severity, understand user intent, and surface risks that policies alone would miss. Trained on each customer's unique data flows, it detects anomalous behavior that no predefined rule could catch.

This matters because the enrichment Linea provides isn't something the plugin could recreate after the fact. The content that informed a severity assessment may no longer be available, and anomaly detection requires continuous analysis across the full data stream rather than a retrospective search through historical records.

The result is that when an analyst queries through the plugin, they're working with incidents that already carry deep AI-generated context: severity assessments, investigation summaries, and Linea-originated detections alongside policy-triggered alerts. The plugin then reasons across all of it, Linea-enriched and policy-generated signals together, in a single conversation, with no separate interface and no context switch.

Why a Plugin Rather Than a Proprietary Agent

Security vendors have built proprietary AI agents that promise to automate investigation. The tradeoff is control. A proprietary agent is a black box that runs inside a vendor-defined interface on a vendor-defined timeline.

The Analyst Plugin takes the opposite approach, for three reasons.

  1. It runs where analysts already work: The plugin operates inside Claude Code or Codex, with no new tool to adopt, no separate login, and no onboarding required. Adoption friction is near zero because the environment does not change.
  2. It is fully transparent: Customers can read, audit, and modify exactly what the agent is doing and why. Every workflow and agent is inspectable. There is no black box between the analyst and the decision logic.
  3. It is composable: Analysts can chain capabilities together, extend them, and integrate the plugin into existing workflows. The plugin follows how the analyst works; it does not force analysts into a new process.

The architecture is local-first, running directly on the analyst's machine with no additional infrastructure required.

The broader shift here goes beyond security tooling. For years, the bottleneck in data-driven work has been the gap between what a platform can do and what a user can access without specialized technical skills. Natural language interfaces built on tools like Claude Code and Codex are closing that gap in ways that weren't possible even a year ago. The Analyst Plugin is what that looks like applied to security operations.

Get Started With the Analyst Plugin

The Analyst Plugin is available now for Claude Code and Codex. If your team is spending analyst hours on queue management rather than investigation, this is the fastest path to changing that ratio.

Unlock your security team’s full potential. Watch the Spring 2026 launch keynote and see how Cyberhaven secures every AI action, app, and environment in the Agentic AI Era.