M18: Multi-agent orchestration (Part D, Agentic Systems · flagship)
One agent juggling everything gets sloppy. Real systems do what a good team does: a coordinator hands pieces to specialists. Today you build the course's flagship: a deployed orchestrator agent that takes a security alert, spins up a team of specialist sub-agents (triage → intel enrichment → log correlation → incident report), each reaching real systems through connectors, and you ship it behind an API. This is "an agentic deploy that initiates connectors and coordinates security sub-agents," for real.
Today's win: a deployed multi-agent system, an orchestrator coordinating four security sub-agents through connectors, that turns a raw alert into a finished incident report.
Today you will
- Build an orchestrator that coordinates specialist sub-agents (a SOC team), passing each one's output to the next
- Give the sub-agents connectors (threat-intel + log tools, the kind you'd expose as MCP servers, M16)
- Deploy the whole system behind a FastAPI `/investigate` endpoint (M11), the "agentic deploy"
- Know when multi-agent beats one agent, and the risks (cost, loops, oversight)
Run of show (~70 min)
| Time | What we do |
|---|---|
| 0:00 | Hook + the win we're chasing |
| 0:05 | The one idea: a coordinator + specialists + connectors (full read in notes.md) |
| 0:10 | Lab Part A: run the orchestrated SOC team; watch the sub-agents hand off |
| 0:35 | Lab Part B: add your own sub-agent; deploy the system behind an API |
| 0:55 | Show: post an incident report your agent team produced |
| 1:00 | Wrap |
If you get stuck
- Builds on M9 (agents/tools), M16 (connectors/MCP), M11 (deploy). Reuse your `.env` key; new install for deploy is just `fastapi` + `uvicorn`.
- Synthetic security data only, educational, authorized use. The system investigates and recommends; it never takes action (human-in-the-loop, M10/M14). Nothing here can harm your computer.
- A sub-agent misbehaving is usually a role/prompt problem; sharpen its system prompt. Re-read the "You should now see" line.
Optional challenge
Make the orchestrator conditional: only run the log-correlation sub-agent if the enrichment sub-agent flagged a malicious indicator (don't waste a step on a clean alert). That routing logic, the coordinator deciding which specialist to call, is the heart of agentic orchestration.
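
One way to sketch that routing, as an added example that is not the course's lab code: the four sub-agents are deterministic stand-ins for the LLM-backed ones, and every function name, the intel table and the log lines are hypothetical and constructed so the block runs offline.

```python
import re

# Constructed sample data standing in for the threat-intel and log connectors.
THREAT_INTEL = {"203.0.113.7": "malicious", "198.51.100.20": "clean"}
LOGS = [
    "2024-05-01T10:00:01Z host=web01 src=203.0.113.7 action=login_failed user=admin",
    "2024-05-01T10:00:09Z host=web01 src=203.0.113.7 action=login_ok user=admin",
    "2024-05-01T10:02:00Z host=db01 src=198.51.100.20 action=query user=svc",
]

def triage(alert):
    """Pull IPv4 indicators out of the raw alert text."""
    return {"alert": alert, "indicators": re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", alert)}

def enrich(case):
    """Intel connector stand-in: attach a verdict to every indicator."""
    case["verdicts"] = {i: THREAT_INTEL.get(i, "unknown") for i in case["indicators"]}
    return case

def correlate(case):
    """Log connector stand-in: collect lines that mention a malicious indicator."""
    bad = [i for i, v in case["verdicts"].items() if v == "malicious"]
    case["related_logs"] = [line for line in LOGS if any(f"src={i} " in line for i in bad)]
    return case

def report(case):
    """Recommend only; the system never acts on its own finding."""
    malicious = "malicious" in case["verdicts"].values()
    case["recommendation"] = ("escalate to analyst for review" if malicious
                              else "no malicious indicator found; analyst to confirm closure")
    return case

def investigate(alert):
    """Orchestrator: run log correlation only when enrichment flagged something."""
    steps = ["triage", "enrich"]
    case = enrich(triage(alert))
    if "malicious" in case["verdicts"].values():  # the routing decision
        case = correlate(case)
        steps.append("correlate")
    case = report(case)
    case["steps"] = steps + ["report"]  # audit trail of which specialists ran
    return case
```

The `steps` list doubles as an oversight record: a reviewer can see from the report alone which specialists were called and which were skipped.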