TL;DR: As agents return full investigations through MCP tools, the real bottleneck shifts from finding answers to reading and acting on them, so richer interfaces become necessary for security workflows, according to Orca Security. That assumption matters because chat-first outputs break down once investigation depth exceeds what analysts can reliably scan and use.
NHIMG editorial — based on content published by Orca Security: LLM-style outputs are outgrowing chat for security workflows
By the numbers:
- 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope.
Questions worth separating out
Q: How should security teams handle agent outputs that are too long for chat?
A: Security teams should route long agent outputs into formats that make prioritisation and action easier, such as visuals, structured cards, or exportable reports.
Q: Why do rich interfaces matter for security investigations?
A: Rich interfaces matter because they reduce the time analysts spend parsing text and increase the time they can spend validating impact and choosing next actions.
Q: When should teams move from chat output to interactive workflows?
A: Teams should move to interactive workflows when the result requires repeated follow-up, shared review, or direct operational action.
Practitioner guidance
- Design for triage, not transcription Define which agent outputs must be visually ranked, which must be exported as shareable artifacts, and which can remain in plain chat.
- Preserve the investigation thread across tools Keep the same context visible from detection to validation to remediation so analysts do not rebuild the story in each system.
- Use interactive cards only where action is controlled Limit in-chat actions to response steps that are already governed, logged, and reversible.
What's in the full article
Orca Security's full article covers the operational detail this post intentionally leaves for the source:
- A closer look at how Claude renders in-chat visuals from pulled security data and what that changes for analyst workflow.
- Examples of HTML outputs that turn attack-path findings into shareable remediation artifacts for engineering leads.
- A walkthrough of MCP Apps interactive cards, including how actions, status updates, and follow-up buttons behave inside the conversation.
- The specific Orca workflow patterns that tie alert review, asset context, and response actions into one interface.
👉 Read Orca Security's analysis of MCP-driven security workflows and interface design →
MCP tools and agent outputs: when does text stop working?
Explore further