Understanding Research Agent
Learn how Research Agent works and best practices for AI-assisted investigations
Research Agent Overview
Research Agent is SpyCloud's natural language investigation interface. Instead of manually deciding which asset to use to start your investigation, you describe what you're trying to investigate, provide as many starting assets as you have, and Research Agent plans the investigation, queries SpyCloud's entire database, correlates findings, and explains what it discovers.
This guide explains how Research Agent works, when to use it, and best practices.
Before You Begin
Requirements
- A SpyCloud Cybercrime Investigations Pro license is required to use Research Agent within the SpyCloud console.
What is Research Agent?
Research Agent is an AI-powered investigation assistant built into SpyCloud Cybercrime Investigations.
Rather than executing a single search, it understands your investigative objective and develops a plan to answer it. As it works, it automatically:
- Plans the searches needed to answer your question
- Queries SpyCloud's complete investigative dataset
- Correlates identities across related records
- Pivots between connected assets
- Generates investigative analysis
- Organizes findings around the objective you provided
You can ask follow-up questions throughout an investigation, allowing the conversation to evolve naturally as new information is discovered.
How Research Agent Works
Research Agent focuses on the intent of your investigation. Instead of telling it exactly which searches to run, describe what you're trying to learn or uncover.
For example:
- Investigate whether these identities are connected.
- Determine whether this employee's credentials have been exposed.
- Identify privileged accounts associated with this organization.
- Build a timeline of activity involving this identity.
The agent determines the best investigative approach and explains its reasoning as it works.
If you'd like more insight into its process, simply ask:
- Why did you search that?
- Explain your reasoning.
- What evidence supports this conclusion?
- Why is this finding important?
Starter Prompts
Research Agent includes six starter prompts—pre-built investigation templates that help you begin common investigations in seconds.
Starter prompts are especially useful if you're new to Research Agent or want to quickly structure a common investigative workflow.
How to use a starter prompt
- Hover over a starter prompt to preview it.
- Select the prompt to populate the query field.
- Replace the bracketed placeholders (such as [EMAIL] or [DOMAIN]).
- Submit the prompt or edit it further before running.
Think of these prompts like Mad Libs—the investigative framework is already written, and you simply provide the assets you're investigating.
| Starter Prompt | Purpose |
|---|---|
| From Scratch Investigation | Perform a comprehensive investigation on a single entity. |
| Chase the Thread | Expand outward from an email address or artifact to discover connected identities and infrastructure. |
| What Access Do They Have | Identify privileged accounts and understand exposure risk. |
| Analyze the Cluster | Investigate multiple entities together to uncover shared patterns and relationships. |
| Reconstruct the Timeline | Build a chronological investigation around a defined timeframe. |
| Blast Radius on Domain | Assess recent high-severity exposure across an organization. |
Starter prompts are only a starting point. Feel free to edit, combine, or expand them before submitting.
Investigation Best Practices
Describe your objective, not just your search terms
Research Agent performs best when it understands what you're trying to accomplish. Instead of entering a bare search term, try:
Determine whether this email has been exposed, identify connected identities, and explain any potential risk.
Start broad, then narrow
Begin with your primary question. Once the agent identifies meaningful findings, narrow the investigation using follow-up questions. This produces more focused results while conserving investigation context.
Ask follow-up questions
Research Agent is conversational.
Examples:
- Explain this finding.
- Why does this matter?
- Show only privileged accounts.
- Focus on activity from the past seven days.
- Investigate this newly discovered email address.
Understanding the Context Window
Every investigation runs within a context window, which is a finite amount of information the agent can actively use throughout a session. As records accumulate, available context gradually fills.
As a general guideline, investigations begin approaching the context limit at approximately 2,000 records, although the exact limit depends on record complexity and the depth of analysis. When the limit is reached, the agent will notify you.
At that point you can:
- Export your findings
- Start a new investigation
- Continue from a previous summary
Continuing an Investigation
Reaching the context limit doesn't mean starting over. Instead:
- Ask the agent to summarize its findings.
- Copy the summary.
- Start a new investigation.
- Paste the summary into the new session.
- Re-run only the most relevant queries.
This allows the investigation to continue while preserving important context.
Best practice: Before approaching the context limit, ask the agent to summarize the investigation. That summary becomes your handoff document for the next session.
Working with Domain Queries
Domain investigations can generate very large result sets. For best performance:
- Always filter by date range first.
- Use the narrowest practical timeframe.
- Prefer days rather than months whenever possible.
Large enterprise domains may consume a significant portion of the investigation context before meaningful analysis begins. If you need to investigate an extremely large domain, consider using the traditional SpyCloud Investigations Search and Graph experience, which is optimized for high-volume exploration.
Pivoting Effectively
Pivoting is one of Research Agent's most powerful capabilities. A pivot uses one discovery as the starting point for the next step of an investigation.
Avoid broad pivots
If a query returns many assets (for example, dozens of email addresses), don't immediately pivot from every result. Instead:
- Review the returned assets.
- Identify the most relevant two or three.
- Continue the investigation from those assets.
This produces higher-quality investigations while conserving context.
Understanding Supernodes
A supernode is an asset that appears in an exceptionally large number of records. Examples include:
- Common usernames
- Very short passwords
- Generic credentials
Searching these assets usually returns enormous record volumes with very little investigative value. Research Agent automatically recognizes likely supernodes and recommends more productive investigation paths, while still allowing you to continue if you choose.
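The two practices above, skipping likely supernodes and pivoting from only the two or three assets most connected to your seed, can be applied to any exported result set before you pivot. The following is an added example written for this guide; it is not SpyCloud code and does not reproduce how Research Agent itself detects supernodes. The records, the seed value, and the frequency threshold (an asset counts as a supernode here when it appears in at least 60% of records and at least three of them) are constructed assumptions for illustration.

```python
"""Pivot triage over a constructed set of exposure records.

Added example, not SpyCloud's code. A simple frequency heuristic flags
assets that appear in an exceptionally large share of records (likely
supernodes), and the remaining assets are ranked by how often they
co-occur with the seed asset so only the most connected few are pivoted on.
"""
from collections import Counter

# Constructed sample records: each record is a flat mapping of asset type -> value.
# "admin" and "123456" are deliberately present in most records to act as supernodes.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "username": "admin", "password": "123456", "ip": "203.0.113.5"},
    {"email": "alice@example.com", "username": "admin", "password": "Tr0ub4dor", "ip": "203.0.113.5"},
    {"email": "alice@example.com", "username": "alice.w", "password": "123456", "ip": "198.51.100.9"},
    {"email": "alice@example.com", "username": "admin", "password": "Tr0ub4dor", "ip": "203.0.113.5"},
    {"email": "bob@example.org", "username": "admin", "password": "123456", "ip": "192.0.2.77"},
    {"email": "carol@example.net", "username": "admin", "password": "123456", "ip": "198.51.100.9"},
    {"email": "dave@example.com", "username": "admin", "password": "letmein", "ip": "192.0.2.78"},
    {"email": "erin@example.org", "username": "erin88", "password": "123456", "ip": "192.0.2.79"},
]

Asset = tuple  # (asset_type, value), e.g. ("email", "alice@example.com")


def asset_frequencies(records):
    """Count how many records each (type, value) asset appears in."""
    freq = Counter()
    for rec in records:
        for asset in set(rec.items()):
            freq[asset] += 1
    return freq


def find_supernodes(records, share=0.6, min_records=3):
    """Return assets present in at least `share` of all records (and at least
    `min_records`). The thresholds are assumptions chosen for this sample set;
    a real dataset would need far larger absolute counts."""
    total = len(records)
    freq = asset_frequencies(records)
    return {a for a, n in freq.items() if n >= min_records and n / total >= share}


def pivot_candidates(records, seed, top_n=3, share=0.6, min_records=3):
    """Rank non-supernode assets by co-occurrence with `seed` and keep the top few.

    Returns a list of ((asset_type, value), co_occurrence_count), highest first;
    ties are broken by asset type then value so the order is deterministic.
    """
    supernodes = find_supernodes(records, share, min_records)
    cooccur = Counter()
    for rec in records:
        assets = set(rec.items())
        if seed not in assets:
            continue  # only records that actually contain the seed count
        for asset in assets - {seed}:
            if asset not in supernodes:
                cooccur[asset] += 1
    ranked = sorted(cooccur.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


if __name__ == "__main__":
    seed = ("email", "alice@example.com")
    print("likely supernodes (skipped):", sorted(find_supernodes(SAMPLE_RECORDS)))
    for asset, count in pivot_candidates(SAMPLE_RECORDS, seed):
        print(f"pivot from {asset[0]}={asset[1]} (shares {count} records with seed)")
```

Run against a larger export, the same two steps keep a follow-up question narrow: you hand the agent (or Search and Graph) the two or three ranked assets rather than every value a broad query returned, and the supernode list tells you which values would only burn context.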
Additional Tips
- Research Agent understands intent, not just keywords.
- You can ask the agent to explain every step of its reasoning.
- Investigations are automatically saved and can be resumed later.
- Export records before closing completed investigations.
- Research Agent and Search are designed to work together—use the agent to discover investigative paths, then use Search and Graph to inspect records and determine your next move.
Frequently Asked Questions
What data does Research Agent search?
Research Agent queries SpyCloud's complete investigative dataset on your behalf and determines the most appropriate searches based on your request.
Can I search multiple assets at once?
Yes. Research Agent supports batch investigations involving multiple assets in a single request. Examples include:
- Multiple email addresses
- Email addresses and IP addresses
- Domains and usernames
- Other combinations of supported asset types
Why did the agent perform searches I didn't ask for?
Research Agent plans investigations based on your objective rather than executing only literal keyword searches. It may perform additional searches, pivots, or identity correlation to answer your question more completely.
Can I ask why the agent reached a conclusion?
Yes. Ask follow-up questions such as:
- Explain your reasoning.
- Why did you search that?
- What evidence supports this finding?
The agent will explain how it arrived at its conclusions.
Should I use Research Agent or Search?
Use Research Agent to understand an investigation, identify relationships, and discover where to go next.
Use Search and Graph to inspect records, validate findings, perform detailed manual analysis, and continue your investigation from specific evidence.
Research Agent vs. Search
Research Agent and the traditional Search experience are designed to complement one another.
Use Research Agent when you:
- Need to investigate rather than perform a simple lookup
- Have multiple starting assets (for example, several email addresses, domains, usernames, phone numbers, or IP addresses)
- Want to search multiple assets in a single request
- Need help determining where to pivot next
- Want the agent to correlate identities automatically
- Need analysis in addition to raw records
- Have investigative context you'd like the agent to consider
Because Research Agent accepts natural language, you can explain your investigation instead of constructing individual searches.
Example:
Investigate these three email addresses and identify any shared infrastructure, credentials, or identities.
Or:
Analyze this domain for recent credential exposures during the past seven days.
Use Search and Graph when you need record-level detail
Research Agent is often the fastest way to begin an investigation, but Search and Graph remain the best tools for exploring records in detail.
After the agent identifies important findings, switch to Search or Graph to:
- Review the underlying records
- Examine identity relationships visually
- Perform manual pivots
- Validate findings
- Decide where to investigate next
Most investigations naturally move back and forth between both experiences.
Use IDLink deliberately
IDLink pivots perform deep identity expansion.
Standard searches perform targeted lookups.
If you're investigating only a few high-confidence assets, IDLink is extremely valuable.
If you're evaluating a larger list of assets, standard searches generally produce a better signal-to-noise ratio and consume less context.