- The SOAR platform has to be told what playbook to codify. An AI analyst should be able to generate the playbook.
- In a SOAR platform, you must automate the playbook - using code and a point-and-click UI. An AI analyst should be able to automate the playbook itself.
- SOAR playbooks cannot handle unknown types of alerts. AI analysts should be able to figure out what to do when they see a new situation or alert.
- Interacting with SOAR requires code or a UI. An AI Analyst should be able to converse with its users in natural language, as if they were talking to another analyst rather than to a piece of software.
- SOAR cannot reason. AI Analysts must be able to reason with given facts and come up with accurate conclusions and the appropriate next set of actions.
- SOAR does not explain what it did and why it did it. You cannot interactively probe it like you can ask a human analyst on a Zoom call or over Slack. AI analysts must be able to respond to questions and explain themselves - just like a human analyst can - at least over Slack or a similar chat interface.
- SOAR does not learn from past behavior. Its learning capabilities may not be exactly zero, but they are minuscule compared to those of a human analyst. An AI analyst should be vastly superior in its ability to learn with human feedback.
On all of these capabilities there can be bad implementations and there can be really good implementations. The metric for how good an AI Analyst is is to compare it against human analysts on these capabilities. Just as some human analysts are much more capable than others, an AI analyst will be more or less capable at these than some of the analysts.
On each of these dimensions you can compare a virtual AI Analyst's performance with the performance of human analysts and measure what percentage of human analysts it was able to outperform at those tasks, as judged by another capable human analyst or expert.
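The measurement described above, worked through as an added example (this is not code from the post or from AirMDR): an expert judge rates the AI analyst and each human analyst on the seven capabilities listed, and for each dimension we compute the percentage of human analysts the AI strictly outscored. The dimension names follow the post; the 1-10 rating scale, the analyst names and all scores are constructed sample data, and the 50% threshold used to flag weak dimensions is an assumption.

```python
# Added example: percentile-style scoring of an AI analyst against a pool of
# human analysts, per capability dimension, from an expert judge's ratings.

# Capability dimensions as listed in the post (names are ours).
DIMENSIONS = [
    "generate_playbook",
    "automate_playbook",
    "handle_novel_alert",
    "natural_language",
    "reasoning",
    "explain_actions",
    "learn_from_feedback",
]

SCALE_MIN, SCALE_MAX = 1, 10  # assumed 1-10 judge rating scale


def validate_scores(scores):
    """Reject rating sheets that miss a dimension or fall outside the scale."""
    missing = [d for d in DIMENSIONS if d not in scores]
    if missing:
        raise ValueError(f"missing dimensions: {missing}")
    for d in DIMENSIONS:
        if not SCALE_MIN <= scores[d] <= SCALE_MAX:
            raise ValueError(f"{d}={scores[d]} outside {SCALE_MIN}-{SCALE_MAX}")


def percent_outperformed(ai_score, human_scores):
    """Percentage of human analysts the AI strictly outscored.
    A tie is not an outperformance, so it does not count."""
    if not human_scores:
        raise ValueError("need at least one human analyst to compare against")
    beaten = sum(1 for h in human_scores if ai_score > h)
    return 100.0 * beaten / len(human_scores)


def evaluate(ai_scores, human_scores_by_analyst):
    """Per-dimension percentage of humans outperformed, plus the mean over dimensions."""
    validate_scores(ai_scores)
    for sheet in human_scores_by_analyst.values():
        validate_scores(sheet)
    results = {}
    for dim in DIMENSIONS:
        humans = [sheet[dim] for sheet in human_scores_by_analyst.values()]
        results[dim] = percent_outperformed(ai_scores[dim], humans)
    results["overall"] = sum(results[d] for d in DIMENSIONS) / len(DIMENSIONS)
    return results


def weakest_dimensions(results, threshold=50.0):
    """Dimensions where the AI outperforms fewer than `threshold` percent of humans
    (i.e. where a human reviewer should keep the AI on a short leash)."""
    return [d for d in DIMENSIONS if results[d] < threshold]


# Constructed sample ratings from a single expert judge (not real data).
AI_SCORES = {
    "generate_playbook": 8, "automate_playbook": 9, "handle_novel_alert": 5,
    "natural_language": 9, "reasoning": 7, "explain_actions": 6,
    "learn_from_feedback": 8,
}
HUMAN_SCORES = {
    "alice": {"generate_playbook": 9, "automate_playbook": 8, "handle_novel_alert": 7,
              "natural_language": 9, "reasoning": 8, "explain_actions": 9,
              "learn_from_feedback": 9},
    "bob":   {"generate_playbook": 6, "automate_playbook": 7, "handle_novel_alert": 5,
              "natural_language": 7, "reasoning": 6, "explain_actions": 5,
              "learn_from_feedback": 6},
    "carol": {"generate_playbook": 8, "automate_playbook": 6, "handle_novel_alert": 8,
              "natural_language": 8, "reasoning": 7, "explain_actions": 7,
              "learn_from_feedback": 8},
    "dave":  {"generate_playbook": 5, "automate_playbook": 5, "handle_novel_alert": 4,
              "natural_language": 6, "reasoning": 5, "explain_actions": 6,
              "learn_from_feedback": 5},
}


def run_sample():
    """Evaluate the constructed sample and return the result dictionary."""
    return evaluate(AI_SCORES, HUMAN_SCORES)


if __name__ == "__main__":
    res = run_sample()
    for dim in DIMENSIONS + ["overall"]:
        print(f"{dim:>20}: {res[dim]:5.1f}% of humans outperformed")
    print("weakest:", weakest_dimensions(res))
```

Ties are deliberately scored as not outperforming, which is the conservative reading of "outperform" and keeps the AI from being credited for matching a human. The per-dimension view matters more than the overall mean: on the sample data the AI beats every human at automating playbooks but only one in four at handling novel alerts and at explaining itself, which is exactly the kind of split the post argues a good evaluation must expose.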
PMA's Top 50 Product Marketing Influencers. GTM & PMM expertise that jumpstarts projects, getting them moving and obtaining the results you need. What could you achieve with PMM expertise and an extra set of hands?
6mo: Great read!
CISO, VP of IT Sisense (Former PayPal, Square, SVB, CDK Global, KPMG). CISSP, CISM, CDPSE, UCLA MBA.
6mo: Glad to see your vision coming to reality in such a short time. 👏👏👏
Co-Founder, Stealth AI | Founder, Save Groundwater Foundation | Enterprise AI, Autonomous Mobility, IoT, Security, Digital & Data Businesses, Non-Profit
6mo: #5 and #6 are crucial elements in this... Explanations will be the foundation on which agents and especially multi-agent workflows will be built. I think it is not enough to explain to a human analyst - an agent will have to explain to another agent as well, which will have to take independent decisions and actions based on the previous agent's output.
Strategic Leadership, $300M+ Deals | 11 Patents | AI & Innovation Catalyst | Keynote Speaker | Session Chair | Advisory Board | Author | Client Partner | Sales-Solutions Engineering | ex-IBM, Nextlabs, Arista
6mo: Kumar, this is a crucial distinction you're highlighting between AI Analysts and traditional automation or SOAR in the SOC environment. Your insights into the agentic future of SOC operations are spot-on. The capabilities you've outlined for AI Analysts - from contextual understanding to adaptive learning and explainable actions - truly set them apart from rule-based automation. This shift towards intelligent, autonomous agents in cybersecurity is not just an incremental improvement; it's a paradigm shift in how we approach threat detection and response. One additional capability I'd suggest considering is "Proactive Threat Hunting." An advanced AI Analyst should not only respond to alerts but also actively search for hidden threats using its understanding of evolving attack patterns and anomaly detection. Your work at AirMDR sounds fascinating, and I'm eager to see how these AI capabilities are being implemented in real-world SOC environments. This kind of innovation is exactly what's needed to stay ahead in the ever-evolving cybersecurity landscape.