A technique includes accessing data representing a state of a given investigation of a potential security threat to a computer system by a security analyst. The state includes a result of a current investigative step of the investigation, and the analyst conducting the investigation uses an investigation graphical user interface (GUI). The technique includes applying machine learning that is trained on observed investigations to determine a recommendation to guide the analyst in a next investigative step for the given investigation. The technique includes communicating the recommendation through an output provided to the investigation GUI.