Morpheus Adaptive Tasking | docs.d3security

Last Updated: April 16, 2026

Overview

Morpheus Adaptive Tasking provides a unified, AI-driven investigation interface that combines structured planning, institutional knowledge, and ready-to-run tasks into a streamlined workflow. This article introduces supported slash commands, their roles in driving investigations, supported conversation types, human-in-the-loop safety guardrails, operational boundaries, and common scenario walkthroughs.

Adaptive Tasking and Traditional Playbooks

Adaptive Tasking complements traditional pre-authored SOAR playbooks. The former generates investigation plans from the current incident context for novel or variable cases, where no matching playbook exists. The latter is well-suited for high-volume, regulated incident types where consistency matters most.

Quick Actions

Type / in the chat input to bring up the Quick Actions menu:

Command	Functionality
/Investigate	Generates a 3–8 step SOC investigation plan based on the incident and resolves each step into executable tasks.
/Summarize	Produces an analysis report of the incident and completed actions.
/SOPs	Browses and applies standard operating procedures.
/New-Session	Clears chat history and reset the session.

/Investigate

When triggered:

Gather context: Fetch IOCs, alert sources, entities, MITRE ATT&CK mappings, raw event data, and relevant memory from past incidents.
Match SOPs: Search for applicable SOPs.
Generate plan: Create a 3–8 step plan mapped to integrations.
Resolve tasks: Map steps to concrete integration commands.

After generation:

Execute tasks step by step.
Regenerate the plan based on updated context.

/Summarize

Generates an analysis report including:

Key findings and evidence.
Threat verdict.
Recommended next steps.

The summary is saved as memory and reused in future investigations.

/SOPs

What is an SOP?

An SOP (standard operating procedure) defines a predefined investigation template that outlines the steps and the order in which they are performed, for a specific incident type.

Example phishing sop

Check sender domain reputation
Extract URLs and hashes
Query VirusTotal
Search SIEM for affected users
Check user interaction
Block sender if malicious

Adaptive Tasking uses an SOP as a template and combines it with the incident’s IOCs and context to generate a customized investigation plan.

SOP Types

Type	Created By	Visible To	Description
Personal	Any user	Creator only	User-specific investigation templates customized to individual workflows
Shared	Admins only	All users	Team-wide standard procedures for consistency

How to Create SOPs

Method 1: Manual Creation
1. Enter / in that chat, then click on the /SOPs option to open the SOP management panel.
2. Click the + New button to open up the Create New SOP popover.
3. Fill in the required and optional fields:
  1. Title (required)
  2. Content (required)
  3. Description (optional)
  4. Category (optional)
  5. Scope (required)
  6. Incident Types (optional)
  7. Sites (optional)
4. Click on the Create button.
Method 2: Auto-Create from Investigation Results
1. Complete the investigation.
2. Instruct Adaptive Tasking to create an SOP from the investigation.

How to Apply SOPs

Locate the desired SOP in the SOP management panel.
Click the toggle switch on the right.

With Method 2, Adaptive Tasking automatically applies an SOP when the incident type matches the SOP’s Incident Types field.

SOP Auto-Matching Logic

When a user runs /Investigate, Adaptive Tasking searches for SOPs in this priority order:

Exact match: Incident Type ID matches exactly
Keyword match: Incident Type name keyword search
Semantic search: RAG vector similarity match (fallback)
No match: No SOP used, plan generated purely from incident data

SOP Management Operations

Operation	Description
Edit	Modifies SOP content, title, category, associated incident types
Enable/Disable	Toggles SOP active state (disabled SOPs are not auto-matched)
Delete	Permanently removes the SOP

/New-Session

Clears the current chat and resets the session. Use to start a new investigation or change direction.

Conversation Types and Recommended Phrasings

Adaptive Tasking supports seven operation types, each handled by a dedicated pipeline. The system automatically selects the appropriate pipeline based on user input.

Type 1 - Ad-hoc Command Execution

Used to execute actions via integrations.

Example Use Cases

Checking IP, domain, or hash reputation
Searching for SIEM alerts
Block hosts

What Adaptive Tasking Does

Searches available integrations and commands.
Asks the user to confirm the command and parameters.
Executes after user confirmation.
Returns the results.

Recommended Phrasings

Goal	Recommend Phrasing	Format
Checking IP Reputation	"Check reputation for 8.8.8.8 using AbuseIPDB"	`Specifies action` + `target` + `integration`
Searching SIEM Alerts	"Search MS Sentinel for alerts related to lab1-pc1 in last 7 days"	`Specifies integration` + `target` + `time range`
Blocking a Domain	"Block domain evil.com using Palo Alto"	`Clear action` + `target` + `integration`
Isolating an Endpoint	"Quarantine endpoint DESKTOP-01 via CrowdStrike"	`Clear action` + `target` + `integration`
Performing a WHOIS Lookup	"WHOIS lookup for suspicious-domain.com"	…`WHOIS`…
Executing Multi-Step Operations	"First check IP 1.2.3.4 on VirusTotal, if malicious then block it on Fortinet"	`First`...`if`...`then`

Trigger Keywords

Integration names: VirusTotal, AbuseIPDB, CrowdStrike, Sentinel, Shodan, Splunk, Palo Alto, Fortinet, etc.
Action verbs: check, scan, lookup, enrich, block, quarantine, isolate, disable

Common Pitfalls

Avoid phrases such as "show me the incident details" because they are treated as data queries and routed to chat.
Avoid using "search for" without specifying an integration because it may be interpreted as a platform data query.
Use action verbs such as check, scan, or block instead of question-based phrasing when execution is required.

Type 2 - Investigation Plan

Used when a structured and systematic investigation plan is required.

How to Trigger

Use the /Investigate quick action
Use natural language

Recommended Phrasings

Goal	Recommend Phrasing
Generating a new plan	"Investigate this incident"
Regenerating a plan	"Regenerate the investigation plan"

Type 3 - Summary and Analysis

Used to analyze an incident and produce a summary report.

How to Trigger

Use the /Summarize quick action
Use natural language

Recommended Phrasings

Goal	Recommend Phrasing
Summarizing	"Summarize" or "Summarize this incident"
Analyzing	"Analyze" or "Analyze the investigation results"

Trigger Keywords: analyze, analyse, summarize, summary

READER NOTE

The use of "analyze" always routes to the summary pipeline.

Type 4 - Web Search

Used to search the internet for security-related information.

Example Use Cases

Looking up CVE details
Retrieving malware analysis reports
Retrieving attack technique descriptions
Accessing other relevant public information

Recommended Phrasings

Goal	Recommend Phrasing
Looking up CVE details	"Search the web for CVE-2024-1234"
Retrieving malware information	"Search for information about QakBot malware"
Retrieving attack technique details	"Look up MITRE T1059 on the web"

Trigger Keywords: "search the web", "web search", "look up ... online"

READER NOTE

A query such as "Search for alerts in Sentinel" triggers an ad-hoc command, while "Search the web for CVE information" triggers a web search.

Type 5 - SOP Management

Used to create or apply SOPs.

How to Trigger

Use the /SOPs quick action to browse and apply
Use natural language

Examples and Recommended Phrasings

Goal	Recommend Phrasing
Applying an SOP	Use /SOPs, select an SOP, then apply it.
Creating SOPs from investigations	"Create an SOP from this investigation"
Searching for SOPs	"Do we have an SOP for ransomware incidents?"

Type 6 - Task Execution

Used to execute a task from the investigation plan.

How to Trigger

Click on the Run button in the Plan panel.
Use natural language.

Recommended Phrasings

Goal	Recommend Phrasing
Running the next task	"Run the next task"
Continuing execution	"Continue" or "Go ahead"
Confirming execution	"Yes, run it"

READER NOTE

Tasks with unmet dependencies will not execute until prerequisite tasks complete.
The Plan panel displays task parameters and status, reflecting the current execution state.

Type 7 - Security Knowledge Q&A

Used to interact with Adaptive Tasking on security topics without triggering action execution.

Example Use Cases

Asking about security concepts
Asking about attack techniques
Asking about SOC best practices
Asking about how to use the D3 platform

Recommended Phrasings

Goal	Recommend Phrasing
Accessing ATT&CK knowledge	"What is MITRE T1059?"
Exploring ATT&CK techniques	"How does PsExec lateral movement work?"
Reviewing best practices	"What's the best practice for investigating phishing?"
Understanding platform usage	"What integrations do we have available?"

During chat, Adaptive Tasking leverages past incident summaries, IOC history, SOPs, and built-in SOC intelligence, to retrieve relevant information without requiring explicit requests.

Routing and Intent Guidance

Decision Priority

Quick actions (/Investigate, /Summarize)
Heuristic keyword matching
Semantic search
LLM scoring
Fallback (routes to chat when no clear action is identified)

Intent Optimization

ExAMPLES

What Was Said	Recommended Fix
"Show me the incident"	No fix needed
"Search for alerts"	"Search <integration> for alerts"
"Check this IP"	No fix needed
"What about this IP?"	"Check reputation for this IP"
"Block it"	Append "using…"
"Can you analyze?"	Rephrase into "What do you think about..."

IMPROVING ROUTING ACCURACY

Name integrations
Use action verbs
Avoid question phrasing
Provide specific targets

Action Approvals and Safety Guardrails

Pre-Execution Confirmation

All action requests require confirmation before execution.

Example flow

User: Check reputation for 8.8.8.8 using AbuseIPDB

Adaptive Tasking: I found the command "checkIPReputation" on AbuseIPDB. Parameters: IP = 8.8.8.8. Shall I proceed? [Yes] [No]

User: Yes

Adaptive Tasking: Executes and returns results

Transitioning from Chat to Action

During a discussion, the system can shift from analysis to execution when confirmation intent is detected.

Example flow

User: What can we do about this suspicious IP?

Adaptive Tasking: Based on the incident context, I'd recommend checking the IP reputation via AbuseIPDB and searching for related alerts in Sentinel.

User: Ok, do it

Adaptive Tasking: Routes the request to the appropriate execution pipeline

Operation Safety

High-impact operations (closing incidents, blocking, quarantining, etc.) run in manual mode and require explicit confirmation. Read-only operations (e.g., searches and reputation checks) execute after a single confirmation.

Common Scenario Walkthroughs

Scenario 1 - New Incident

User initiates a full incident investigation. The system generates a multi-step plan, executes tasks sequentially, and produces a summary report, with an option to save the workflow as an SOP.

Enter /Investigate in the chat.
Review the generated plan.
Execute each task using the Run button.
Enter /Summarize in the chat to generate a report.
(Optional) Request SOP creation from the investigation.

Scenario 2 - Quick IOC Check

User requests an IOC reputation check. The system confirms the command, executes it, and returns results.
Example flow

User: Check reputation for hash 44d88612fea8a8f36de82e1278abb02f using VirusTotal.

Adaptive Tasking: Confirms command → Executes → Returns VT analysis results

Scenario 3 - SIEM Alert Search

User requests alert search in MS Sentinel. The system confirms, executes the query, and returns matching alerts.

User: Search MS Sentinel for alerts related to 192.168.1.100 in the last 24 hours

Adaptive Tasking: Confirms command → Executes → Returns alert list

Scenario 4 - Security Knowledge Question

User asks about a MITRE ATT&CK technique. The system provides a direct answer without executing actions.

Example flow

User: What is MITRE ATT&CK technique T1059?

Adaptive Tasking: Provides a direct explanation without executing any actions

Scenario 5 - D3 Platform Operation

User requests an incident update. The system identifies the operation, confirms, and applies the change.

Example flow

User: Change the severity of this incident to Critical

Adaptive Tasking: Identifies as D3 incident operation → Confirms → Updates severity

Scenario 6 - New Incident Type Without SOP

An ad-hoc investigation plan generated from incident context.

Example

Situation: A PowerShell execution alert occurs on host FIN-WS-04 by user john.doe, with no matching SOP.

Execution:

User enters /Investigate.
The system detects no SOP and generates a plan using available integrations and context.
- Example plan:
  1. Enrich the user via Active Directory.
  2. Retrieve the PowerShell command from EDR.
  3. Extract IOCs from the command.
  4. Check IOC reputation.
  5. Search related SIEM activity.

TAKEAWAYS

No SOP required
Steps align with available integrations
Intermediate data processing is inserted automatically
Contextual fields are pre-populated

After execution, the investigation can be saved as an SOP for reuse.

Scenario 7 - Novel Incident Without a Playbook

An ad-hoc investigation plan generated for an unfamiliar technique.

Example

Situation: An alert mapped to MITRE T1528 (Steal Application Access Token) with no existing SOP or playbook.

Execution:

User enters /Investigate.
The system builds a plan using MITRE mapping and available incident data (user, application, scopes, source IP).
- Example plan:
  1. Retrieve OAuth app grants for the target user (last 30 days).
  
  2.Analyze granted scopes and identify high-privilege permissions.
  
  3. Enrich the source IP using a reputation service.
  
  4. Search for related sign-in activity from the IP across all users.
  
  5. Review mailbox rules and forwarding settings for persistence.

TAKEAWAYS

No existing SOP or playbook required
Steps align with available integrations
Data transformation steps are added automatically
Relevant context fields are auto-filled