There's a moment in a long investigation session where things start to feel off.
The agent was sharp ten exchanges ago, referencing your exact field names, remembering the scope you set, building on previous findings. Now it's giving you generic rule templates instead of rules tailored to your Sysmon configuration. It's asking about your log sources again, even though you covered that a short while ago.
You're watching context degrade, but before you open a new tab or reach for /clear and start over, there's a middle option worth understanding: compaction.
Compaction lets Claude summarize older content in your session to free up space, without wiping the slate entirely. Think of it as the difference between shredding your investigation notes and condensing them into a briefing summary. You lose some detail, but you keep the thread of the work. Understanding when to use it, and when it's not enough, is part of working well with agentic tools.
What compaction actually does

When compaction runs, Claude reviews everything currently in context, identifies the information that matters most, and compresses the rest into summaries.
Recent exchanges stay intact. Your last few queries, the agent's most recent analysis, whatever you're actively working on, that stays detailed. But earlier content gets distilled. The raw Zeek logs you loaded at the start of the session become a summary of what they contained. The three detection rule drafts you iterated through become a note about the final version. That exploratory tangent where you checked five different process trees? Compressed into a sentence about what you found.
The result is more breathing room without losing the essential thread of the investigation.
The tradeoff is real, though. Claude's summary of your earlier work might miss nuances that mattered to you. A specific phrasing you used to define the investigation scope might get paraphrased. A subtle constraint, "only look at lateral movement originating from this specific subnet," might get generalized into something broader. Compaction preserves the gist, not the precision.
This makes compaction useful for extending a productive session, but it's not as clean as a proper reset when you need the agent operating with full fidelity on a new task.
Automatic vs manual compaction
Claude Code has automatic compaction that kicks in when context reaches a threshold, around 80% of capacity by default.
When it triggers, you'll see something like:
⚡ Auto-compacting context...
Claude pauses briefly to summarize older content, then picks up where you left off.
For most routine work, this is fine. You're mid-investigation, the agent is performing well, and auto-compaction quietly keeps things running. You don't need to think about it.
But you can also trigger compaction manually whenever you want:
/compact
Manual compaction is useful when you've noticed the early warning signs. Responses losing specificity. The agent re-asking about things you already established. You want to restore sharpness on your terms rather than waiting for the automatic threshold.
It's also useful when you know you've accumulated noise. Maybe you explored three different hypotheses before settling on one, and the context from those rejected paths is still lingering. A manual compact clears that dead weight while preserving the investigation thread you're actually pursuing.
The difference between auto and manual isn't about quality. Both do the same thing. It's about timing and control.
The autocompact buffer
When you check your context usage with /context, you'll see something like:
Context Usage
⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ 39k/200k tokens (20%)
Estimated usage by category
⛁ System prompt: 17.7k tokens (8.9%)
⛁ System tools: 16.6k tokens (8.3%)
⛁ Messages: 8 tokens (0.0%)
⛶ Free space: 116k (57.9%)
⛝ Autocompact buffer: 45.0k tokens (22.5%)
That autocompact buffer is space Claude Code reserves so automatic compaction has room to work when it needs to. It's not available for your conversation content.
This matters more than it looks. Even in a brand-new session with almost no conversation history, you're already using roughly 40% of your context capacity. System prompts, tool definitions, and the autocompact buffer claim their space before you type a single message. Your effective working space is closer to 60% of the headline number.
For security work, where you're regularly loading log samples, detection rules, and enrichment data, that 60% fills up faster than you'd expect. One substantial Sysmon export can eat a real chunk of your available context. Understanding this overhead helps you plan your sessions better, deciding upfront what data to load and what to leave out rather than discovering the limit mid-investigation.
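A pre-flight budget check for the planning step described above, as an added example (not part of the original article or of Claude Code): it parses the /context breakdown shown earlier and estimates whether a log export fits in the reported free space. The function names and the 4-characters-per-token ratio are assumptions; real token counts depend on the tokenizer and the data.

```python
import re

# /context output copied from the article's sample (not live output).
SAMPLE = """\
Context Usage
⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ ⛁ 39k/200k tokens (20%)
Estimated usage by category
⛁ System prompt: 17.7k tokens (8.9%)
⛁ System tools: 16.6k tokens (8.3%)
⛁ Messages: 8 tokens (0.0%)
⛶ Free space: 116k (57.9%)
⛝ Autocompact buffer: 45.0k tokens (22.5%)
"""

CHARS_PER_TOKEN = 4  # assumption: rough heuristic, not a real tokenizer


def to_tokens(text):
    """Convert a count such as '17.7k' or '8' to an integer."""
    if text.endswith("k"):
        return round(float(text[:-1]) * 1000)
    return round(float(text))


def parse_context(output):
    """Return (window_tokens, {category: tokens}) from /context text."""
    window, cats = None, {}
    for line in output.splitlines():
        total = re.search(r"/([\d.]+k?) tokens", line)
        if total:
            window = to_tokens(total.group(1))
            continue
        cat = re.search(r"([A-Za-z][A-Za-z ]*): ([\d.]+k?)", line)
        if cat:
            cats[cat.group(1)] = to_tokens(cat.group(2))
    return window, cats


def plan_load(output, data_chars):
    """Estimate whether data_chars of log text fits in the free space."""
    window, cats = parse_context(output)
    overhead = sum(cats[k] for k in
                   ("System prompt", "System tools", "Autocompact buffer"))
    need = -(-data_chars // CHARS_PER_TOKEN)  # ceiling division
    return {"overhead_tokens": overhead,
            "overhead_pct": round(100 * overhead / window),
            "estimated_tokens": need,
            "fits": need <= cats["Free space"],
            "free_after": cats["Free space"] - need}
```

On the sample above, a constructed 300,000-character Sysmon export is estimated at 75k tokens and fits; a 600,000-character one does not, which is the signal to filter or sample the export before loading it.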
When to let auto-compaction handle it

Auto-compaction works well when you're in flow. The investigation is progressing, the agent is performing, and you don't want to interrupt the work to manage context manually.
Let auto-compaction do its job when the work is continuous, same topic, same data sources, same investigative thread. If you don't have critical details from early in the session that need to be preserved with exact precision, auto-compaction's summarization is good enough. The agent compresses the old context, frees up space, and you keep moving.
This is the default for a reason. Most of the time, it's the right call.
When to manually compact
Manual compaction earns its place when you want to be intentional about what gets compressed and when.
The most obvious case: you spot degradation early. You're building a detection rule and the agent starts suggesting generic field names instead of the ones from your environment. It asks you to confirm a log source you already specified. These are yellow flags, and a manual /compact before things get worse can restore the agent's focus.
Then there's accumulated noise. You spent twenty exchanges exploring a hypothesis that turned out to be a dead end, and now you're pursuing a different lead. That dead-end context is still in the window, competing for attention with the thread that actually matters. Compacting clears the noise and gives the agent a cleaner view of the current investigation.
And sometimes it's just about timing. You're about to ask the agent to do something important, generate a complex detection rule, analyze a suspicious process chain, write a final assessment. You want context as clean as possible before it starts. A pre-task compact is like clearing your desk before focused work.
The goal isn't to avoid auto-compaction. It's to be deliberate about when summarization happens rather than always leaving it to the system.
Adjusting the threshold
You can control when automatic compaction kicks in:
claude config set autoCompactThreshold 0.7
This makes compaction more aggressive. It triggers at 70% instead of 80%, keeping your context leaner throughout the session.
Or if you want to let context grow larger before compacting:
claude config set autoCompactThreshold 0.9
The right threshold depends on the kind of work you're doing.
For investigation sessions where you want maximum context before any summarization, maybe you're correlating events across multiple data sources and need everything visible as long as possible, raise the threshold. Let context fill up further before compaction kicks in.
For routine work where you want to stay lean and responsive, writing detection rules, iterating on queries, general analysis tasks, lower the threshold. More frequent compaction keeps the agent sharp at the cost of losing some historical detail earlier.
Experiment and see what feels right for your workflow. There's no universally correct setting.
The key insight

You never manually summarize for compaction. That's Claude's job.
If you find yourself wanting to paste a summary of your conversation history back into the session before older content gets lost, you're solving a problem that compaction already handles. The agent knows how to summarize its own context. What you control is when that summarization happens and how aggressively the threshold is set.
For phase transitions, when you've finished the exploratory part of an investigation and you're ready to execute on what you found, a different tool is often more appropriate. /clear gives you a fresh start with full context fidelity, which is what you want when precision matters more than continuity. But that's a separate lesson.
Compaction extends sessions. Clearing resets them. Knowing which one you need in the moment is something you get a feel for with practice.
