Click Overview, then click Refresh data if the timestamp looks stale.

Read the top metrics first: active runs, blockers, in-review work, and security-review count.

Use recent events and recent runs to spot failed automation, stuck reviews, or unexpected spikes.

If a metric is concerning, jump to Tasks, Findings, or Triage Ops instead of acting from memory.

Click Tasks and scan each column: Inbox, Planned, In Progress, Review, Blocked, and Done.

Open a task card to edit owner, reviewer, priority, due date, security-review flag, and description.

Use Open work brief when you need a copyable implementation or investigation brief.

Use Save and queue only when the task is ready to become a run request. Otherwise use Save task.

Click Findings, then filter or select a finding from the backlog.

Read the evidence, source, severity, status, and any linked task or run context.

Click Create task when the finding needs remediation, research, or review ownership.

For supply-chain SCM-* findings, switch to Triage Ops for advisory checks, evidence verdicts, mitigation, closure, and blog draft handoff.

Run secopsai supply-chain ai-dependency-guard --path . --json from the repo you want to review.

Add --include-agent-logs --agent-source auto when OpenClaw, Hermes, or local session logs might contain AI-suggested dependencies.

Review missing_or_hallucinated, newly_registered, name_similarity_risk, source_mismatch, and advisory_matched classifications. Treat local_only_or_private as expected only when it matches your policy allowlist.

Use --persist-findings only for high-confidence risks that should enter the SOC queue. Those findings remain reviewable in Findings; the dashboard does not run package installs or dependency code.

For CI, use the GitHub Action mode ai-dependency-guard. Keep it warning-only for early rollout, then opt into fail-on: high once private package allowlists are tuned.

Click Native Triage and check helper readiness before relying on dashboard actions.

Review pending actions. Apply or close only when the evidence and analyst note are ready.

Use recent orchestrator summaries to see what was queued, completed, failed, or needs human review.

If helper health is degraded, use the copyable CLI fallback from the relevant section and restart/update the helper before retrying buttons.

Click Triage Ops, then click Refresh evidence.

Select an alert in Supply Chain Alerts. The default Actionability filter shows only operator-actionable alerts; switch to All alerts when you need to audit no-local-impact or review-only scanner evidence.

Run Run Evidence Verdict first. It summarizes package verdict, confidence, advisory evidence, scanner rules, local impact, mitigation, and operator commands.

Click Explain verdict and Check advisory matches when you need source-backed evidence beyond the scanner rationale.

Click Check local repo usage. If local usage is none, record that as environment impact only. Do not downgrade a malicious package because this repo does not use it.

Click Read raw report when you need the exact diff/rule evidence before writing an analyst note.

Update the Close / escalation note with a source-backed summary before any protected response action.

Use Generate mitigation for block, audit, hunt, cache cleanup, and secret-rotation guidance. Use Create blog draft only for review-only external communication.

Open the Campaign Research & Autonomous Discovery dock inside Triage Ops.

Either quick-load a fixture, paste campaign JSON, or manually add campaign ID, title, source URLs, actors, publishers, IOCs, behavior indicators, and package rows.

Click Run Campaign Research. This single read-only action returns campaign verdict, package verdicts, correlations, local impact, mitigation, and references.

Click Correlate Campaign when the campaign includes shared publishers, C2s, source reports, or overlapping strings.

Click Check Local Usage before persistence so SOC findings distinguish malicious package evidence from local exposure.

Click Persist Findings only after reviewing the campaign JSON, confirming the Orchestrator Review has no route blockers, and removing false package extractions. This action is token-gated.

Click Create Campaign Blog Draft only when the campaign has references, affected package table, IOCs or an explicit none-found statement, mitigation, and SecOpsAI detection logic.

Set Since, Source, Limit, and Min score. Start with 24h, all, 10, and 35 for daily review.

Click Run Discovery to fetch candidates without writing SOC findings or blog drafts.

Review candidate titles, scores, behavior signals, the package-noise summary, and Orchestrator Review. Treat high score as "worth checking", not proof. The orchestrator classifies the report, validates real packages/extensions, separates source references from attacker IOCs, and shows rejected noise.

Click Use in Campaign Research only when the recommended route is Campaign Research and there are no route blockers. Malware/APT, CVE-only, GitHub-token breach, or general threat-intel leads should stay in the routed review lane unless package evidence exists.

After promotion, inspect highlighted package rows. Use Clean Obvious Package Noise before research. It removes common junk such as byline CSS classes, ordinary websites, image filenames, random numbers, repository issue paths, long encoded image slugs, placeholders, or generic article words misread as package IDs.

Use Run Autopilot Dry Run to preview the end-to-end campaign path without persistence. Discovery write actions are intentionally not shown here; persist findings or create a blog draft only from reviewed Campaign Research output.

Use generated watchlist suggestions only for validated packages, publishers, actors, malware names, extension IDs, GitHub repos, campaign IDs, or attacker IOCs. Source domains such as news sites are references, not attacker IOCs. Click a suggestion to fill the form, verify it is real, then click Add to Watchlist to save it with the admin token.

Click Blog Ops, then click Refresh Blog Ops to load workflow status, sources, and draft queue.

Use Fetch news to ingest sources, Create drafts to generate review-only drafts, or Run fetch + draft for both.

Select a draft in the review queue. Check title, summary, severity, body, references, IOCs, affected artifacts, and recommended actions.

Use edit/save if the article needs cleanup. In local helper mode, use Images & source screenshots to attach an approved source image candidate or source image URL, then re-review because media resets the draft to Needs review. Approve only when claims and images are source-backed, licensed/safe, and no internal checklist, local path, secret, or copied external article text appears.

Click Publish approved to blog only after approval. This writes approved drafts into the blog posts directory and rebuilds feeds, but drafts remain under Approved. Use Rebuild feeds only as a repair/regeneration action. Click Deploy blog to Cloudflare when ready; after a successful deploy, those staged approved drafts move to Deployed.