Digital Workers

Autonomous security operations framework for reactive alert investigation and proactive threat hunting.

Claude Code plugin, v1.0.3. Made by Query.ai.

Install in Claude Code

  1. Configure your Query MCP server
     Create a .mcp.json in your working directory with your Query MCP endpoint and API token.
     Treat the token as a credential: keep it out of version control and out of any .mcp.json that is committed with the project.

  2. Register the plugin marketplace
     claude plugin marketplace add https://plugins.query.ai/query-ai/marketplace.json

  3. Install the plugin
     claude plugin install digital-workers@query-ai

  4. Verify installation
     claude plugin list
     Confirm that digital-workers appears in the output.
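An added example of the .mcp.json from step 1 (not a file shipped by the plugin or by Query.ai). The server name "query", the endpoint URL, the HTTP transport type and the bearer-token header are assumptions about how the Query MCP server is exposed; check them against your deployment. The point of the example is the token handling: Claude Code expands ${VAR} references in .mcp.json at load time, so the file carries only the variable name and the secret stays in the environment of the shell that launches Claude Code.

```json
{
  "mcpServers": {
    "query": {
      "type": "http",
      "url": "https://YOUR-QUERY-MCP-ENDPOINT/mcp",
      "headers": {
        "Authorization": "Bearer ${QUERY_MCP_TOKEN}"
      }
    }
  }
}
```

The weak form of this file is the same content with the literal token pasted in place of ${QUERY_MCP_TOKEN}; because .mcp.json lives in the working directory, that version is one git add away from the repository history. Export QUERY_MCP_TOKEN before starting Claude Code, and if the file must ever hold a literal value, list it in .gitignore first.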

What It Does

Digital Workers is a Claude Code plugin that provides two workflows powered by FSQL queries against federated security data on the Query Data Mesh.

Reactive: Alert Investigation

A tiered Incident Discovery workflow that scales from a 5-minute triage to a 30-minute deep investigation with specialist analysis and senior review.

Investigation Workflow

  • Step 0 (Select Tier): Triage / Standard / Deep, determined by your prompt
  • Gate 1 (Alerts Intake): Pull and classify alerts
  • Gate 2 (Gather Info): Enrich IOCs, pivot to telemetry (Triage stops here)
  • Gate 3 (Analyze): Score severity, route depth
  • Gate 4 (Decide & Act): Specialists, disposition
  • Gate 5 (Build Evidence): Assemble evidence
  • Gate 6 (Notify): Report, senior review (Deep only), present to analyst

Proactive: Threat Hunting

Sqrrl-inspired hunting loop with hypothesis-driven investigation, confidence-based completion, and detection automation with gap remediation.

Hunting Loop

  • Phase 0 (Hypothesis): Build or receive a testable hypothesis, determine hunt tier
  • Phase 1 (Planning): Data availability mapping, connector discovery, query strategy
  • Phase 2 (Investigation): Execute hunt queries, pivot, enrich (confidence-based completion)
  • Phase 3 (Patterns): Classify findings, detect kill chains, escalate active threats
  • Phase 4 (Automate): FSQL detections, Sigma rules, Query recipes, gap remediation
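As an added illustration of what Phase 4 hands back, and of the check worth running before any generated rule is deployed: a Sigma-style rule for encoded PowerShell execution (the T1059.001 case this page uses as a hunt example) written as a Python dict, plus a minimal matcher that evaluates the rule's selections and condition against a few constructed process-creation events. This is example code, not the plugin's detection-engineer output or the Query platform's own rule engine; the parent-process exclusion "known-admin-tool.exe" is a hypothetical tuning filter and the sample events are constructed, not real telemetry.

```python
"""Illustrative Sigma-style rule for ATT&CK T1059.001 and a minimal matcher.

Not the plugin's own code. The matcher covers the Sigma pieces a generated
rule typically uses: field modifiers (contains / endswith / startswith),
list-of-values OR within a field, AND across fields in a selection, and a
condition built from and / or / not / parentheses.
"""
import re

# Sigma rule as a dict (the same content a YAML rule would carry).
RULE = {
    "title": "PowerShell Encoded Command Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_args": {"CommandLine|contains": ["-enc", "-ec ", "-e "]},
        # Hypothetical exclusion for a known admin tool; tune to your environment.
        "filter_known": {"ParentImage|endswith": "\\known-admin-tool.exe"},
        "condition": "selection_img and selection_args and not filter_known",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}


def _match_value(modifier, actual, expected):
    # Sigma string matching is case-insensitive.
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    return a == e


def _match_selection(selection, event):
    # Every field in a selection must match (AND); any listed value suffices (OR).
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        actual = str(event.get(field, ""))
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, actual, v) for v in values):
            return False
    return True


def _eval_condition(cond, results):
    # Tiny recursive-descent parser for Sigma conditions: and / or / not / ( ).
    tokens = re.findall(r"\(|\)|\w+", cond)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            val = expr()
            take()  # closing parenthesis
            return val
        if tok == "not":
            return not atom()
        return results[tok]

    def term():
        val = atom()
        while peek() == "and":
            take()
            val = atom() and val  # atom() first so tokens are always consumed
        return val

    def expr():
        val = term()
        while peek() == "or":
            take()
            val = term() or val
        return val

    return expr()


def matches(rule, event):
    det = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


# Constructed sample events: one true positive, one benign script run,
# one encoded command launched by the (hypothetical) excluded admin tool.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ec SQBFAFgA",
     "ParentImage": "C:\\Tools\\known-admin-tool.exe"},
]


def run_rule(rule=RULE, events=SAMPLE_EVENTS):
    """Return the indices of events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(rule, ev)]


if __name__ == "__main__":
    print(RULE["title"], "fires on events:", run_rule())  # [0]
```

The run over SAMPLE_EVENTS is the pre-deployment check: the rule must fire on the known-bad event, stay silent on the benign script execution, and honour the exclusion filter. A generated rule that fails any of those three against your own sample of recent telemetry is a gap to remediate, not a detection to ship.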

Investigation Tiers

Your prompt controls how deep the investigation goes. The orchestrator selects a tier based on how you phrase your request.

Triage (~5 min, 3-6 queries)
  Pull alerts, classify, scan IOCs across the mesh. Inline summary, no files.

Standard (~15 min, 10-15 queries)
  Full 6-gate investigation with enrichment, telemetry pivots, severity scoring, disposition, report.

Deep (~30 min, 20-30 queries)
  Everything in Standard, plus specialist investigators, senior analyst review, and prior investigation cross-reference.

Example Prompts

Investigation

Any suspicious PowerShell in the last 12 hours?
Investigate the unfamiliar sign-in alerts from the past 24 hours
Full investigation on the PowerShell fileless execution findings

Threat Hunting

Hunt for lateral movement via RDP from service accounts
I just read a CISA advisory about Volt Typhoon — test our environment
Test our visibility against T1059.001 PowerShell fileless execution
What should I hunt next?

Included Skills

Investigation Skills

  alert-investigation        Master orchestrator: runs the 6-gate Discovery workflow
  fsql-expert                Authors, validates, and executes FSQL queries against the mesh
  alert-classifier           Maps alerts to OCSF category and MITRE ATT&CK technique
  severity-scorer            Multi-factor risk scoring for depth routing
  identity-investigator      User behavior, auth patterns, privilege analysis
  network-investigator       Lateral movement, C2 beaconing, traffic analysis
  threat-intel-enricher      IOC reputation and campaign correlation
  report-writer              Response-ready reports (technical and business summary)
  evidence-quality-checker   Data completeness and analytical reasoning validation
  senior-analyst-review      Quality review of completed investigations

Hunting Skills

  threat-hunt                Master orchestrator: runs the 4-phase Sqrrl hunting loop
  hypothesis-builder         Transforms raw intel into testable hypotheses
  hunt-pattern-analyzer      Classifies hunt findings and maps them to ATT&CK
  detection-engineer         Generates FSQL detections, Sigma rules, Query recipes, and gap remediation

Prerequisites

  Claude Code       Installed and configured
  Query Data Mesh   Access to a deployment with MCP enabled
  API Token         For your Query MCP server