SecOps programs have been failing to keep up with attackers for decades. In fact, according to the Verizon DBIR reports from 2012 to 2023 security breaches have increased 739%. This is because the middle of the SecOps workflow (alert triage and investigation) is manual and reliant on scarce, hard to hire staff. This creates a manual bottleneck that leads to:

• Unfinished work – Capacity shortages mean only around 10% of alerts are actually reviewed. Each alert that is not adequately triaged or is filtered out to reduce workloads, represents a potential blindspot where an attack could slip through the cracks.
• Missing Attacks – Every potentially malicious alert must be deeply investigated so that attacks are not partially or entirely missed. Resource constraints make this impossible to do manually, at scale.
• Slow, Incomplete response – Complex and lengthy triage and investigation processes yield slow response times. According to SANS, the average incident remediation is 5 days—far too slow to reliably prevent incidents from developing into breaches.

This problem hasn’t been solved yet because triage and investigation work is too dependent on complex, hard-to-replicate attributes of analysts like security domain expertise, familiarity with protected environments, an understanding of the threat landscape, and even experience with security tooling. This is too difficult to reliably automate with traditional approaches like SOAR.

AI SOC analysts solve this problem by using Gen AI to emulate the experience, processes, and decision-making of top-tier security analysts. Security alerts are sent from a SIEM or directly from security products to the AI analysts for autonomous investigation before they go to the SOC. Each alert is subjected to dozens of dynamically selected tests used to determine maliciousness. Within 3 minutes decision-ready results are available that include a detailed incident summary, root cause analysis, and an incident specific response plan. This means, by the time a human analyst sees an incident they know if it was real, what happened, what caused it, and have a plan to fix it. After reviewing the report, analysts can respond manually using AI generated, step-by-step instructions on how to respond to this incident, using single-click responses which run over API connections to take corrective actions, or with fully automated response that runs without human intervention.