Skip to content

Agent Construction Best Practices

If one step analyzes, prioritizes, formats, and ticket-files all at once, split it. Steps should each have one primary responsibility.

Use explicit names such as Fetch Open Vulnerabilities, Map Evidence to Controls, or Format Manager Summary.

  • LLM Step: reasoning, categorization, summarization
  • Action Step: deterministic reads/writes in integrations
  • API Action Step: direct external HTTP interaction

Build one step, run it, validate output, then add the next step.

A reliable 2-step workflow is more valuable than an unstable 10-step workflow.

Use a single-step runbook with tool calling when the next action depends on what is discovered mid-run (for example, incident triage across multiple systems).

PatternBest ForTradeoff
Procedural multi-stepRepeatable, fixed workflowsLess adaptive to unexpected findings
Agentic single-stepDynamic investigations and branching decisionsRequires stronger prompt guardrails
  • Add explicit output schema and severity/confidence scales
  • Require evidence attribution for every major claim
  • Define escalation criteria (for example, CRITICAL implies immediate notification)
  • Add failure handling paths (missing data, integration timeout)
  • Log and review representative runs before full rollout
Failure ModeWhy It HappensPractical Fix
Overly broad or generic outputsPrompt lacks structure and constraintsAdd strict output schema and decision criteria
Inconsistent decisions across runsAmbiguous thresholdsEncode explicit thresholds and tie-break rules
Missed evidence from integrated toolsTool usage expectations are unclearRequire per-source evidence lines in final output
Unmaintainable workflowsStep intent is unclearRename and scope each step to one job