AI-SOC Market
Actionable Summary & Key Insights
- Definition of AI SOC
- The ultimate framework for the report
- We partnered with 13 companies to analyze their solutions
- ‘Is this one of the rare moments when defenders might finally gain the upper hand over attackers? Or is the use of generative AI in cybersecurity just another overhyped trend? Read on to find out.’
Authors:
- Francis
- Rafal K is a SOC and Incident Response leader at ConnectWise with extensive experience working as a Security Analyst, Engineer, Architect, Incident Responder and, most recently, a Director during his time at Microsoft. He brings considerable experience in Security Operations and frequently shares his takes on his LinkedIn profile: https://www.linkedin.com/in/rafa%C5%82-k-b6881baa/

Actionable Summary & Key Insights
Introduction
- Security operations have reached a breaking point. The average enterprise now faces over 960 alerts per day, with large organizations seeing more than 3,000. Nearly half of those alerts go uninvestigated, and more than 60 percent of security teams admit to missing incidents that later turned critical. The reasons are familiar: too many tools, too few people, and no time to connect the dots. In this context, AI has moved from speculative promise to operational necessity.
- This report examines how AI is being applied inside the SOC, not as a theoretical capability but as a working system. We partnered with 13 vendors ranging from well-funded startups to established security platforms to understand how each is using AI to improve triage, accelerate investigations, and reduce manual load. The findings are grounded in real deployments, analyst interviews, and technical assessments across seven core benchmarks.
- Before diving into the vendors, it is important to understand what AI in the SOC actually means. We do not define it by whether a platform uses a large language model or neural network. We define it by outcomes: Does it handle the noise? Does it learn from feedback? Can it scale without adding headcount? And does it perform under pressure, both in terms of load and accuracy?
- There are four emerging design patterns. First, the overlay model, which sits on top of the existing stack and delivers fast results with limited disruption. Second, the integrated platform model, which stores and analyzes raw telemetry, enabling deeper behavioral analysis but at higher operational cost. Third, the co-pilot model, where AI assists analysts during investigation with contextual guidance. And fourth, a newer category based on workflow replication, where analyst behavior is recorded and replayed across future incidents.
- These architectures are not interchangeable. Overlays are ideal for teams that need speed but already have reliable upstream detections. Integrated platforms offer visibility and anomaly detection but raise questions around data control. Workflow emulation platforms are promising, especially for MSSPs and teams looking to scale institutional knowledge, but require upfront investment and strong analyst baselines to succeed.
- Market adoption is already underway. In our survey of more than 300 CISOs, 88 percent of organizations not currently running an AI SOC plan to evaluate one within the next 12 months. Over half of all enterprises are already experimenting with GenAI-based tooling, with common use cases including rule tuning, phishing detection, and compliance support. Security leaders believe AI will carry 60 percent of SOC workloads by 2028, with most focused on MTTR, MTTI, and 24/7 consistency as their key metrics.
- Still, the hype is high. And not every vendor is built to deliver under real-world conditions. That is why this report focuses less on feature checklists and more on operational maturity. We looked at how platforms explain their decisions, how they integrate with the tools analysts already use, whether they can operate in headless mode, ingest context from threat intel, or handle high alert volumes without dropping coverage.
- The vendor analysis is based on a structured evaluation across areas like scalability, context enrichment, verdict accuracy, and explainability. Each platform was assessed against real-world operational benchmarks, not ideal-case demos or speculative feature sets.
- This is not a ranked report. The market is too early and the needs too varied for simple scoring to be useful. Instead, we offer a map, organized by architecture, maturity, and deployment model, to help you find the best fit for your environment. If 2023 was the year of proving that AI belongs in the SOC, 2025 is the year of asking how to deploy it responsibly, scalably, and with measurable benefit. This report is a field guide for security teams navigating that decision.
There are plenty of articles out there that talk about the “evolving threat landscape,” mostly as a way to segue into pitching a security product or service meant to meet the modern needs of organizations. But anyone who has spent time in Incident Response at any meaningful scale knows that the techniques used by threat actors are rarely cutting-edge. We are not seeing a wave of AI-powered malware that dynamically adapts to its environment to slip past detections. If anything, the same old attack vectors and familiar tactics remain dominant.
Mandiant’s 2025 trend report confirms this: the most common attack vectors were exploits in network appliances (33%), stolen credentials (16%), and phishing (14%).
Even though the techniques are largely the same, what is evolving rapidly is how threat actors orchestrate their attacks. AI provides a dramatic uplift in capability and throughput for cyber-attacks. Research articles point out how generative AI simplifies social engineering, phishing, reconnaissance, and overall information gathering.
What we are likely to see in the coming years is not novel, AI-powered attacks. Rather, we are likely to see the attacks we already know well, orchestrated at a larger scale and often with more sophistication.
AI is increasingly being used to boost defense as well. A report from the Cloud Security Alliance found that 55 percent of organizations plan to implement GenAI-based security tools, targeting use cases like detection rule creation (21%), attack simulation (19%), and compliance violation detection (19%).
The AI Security Operations Center (AI SOC) market is growing fast as more companies look for better ways to protect themselves from rising cyber threats. Security teams are dealing with more alerts than ever before, while also struggling with a shortage of skilled staff. AI SOC platforms help by using artificial intelligence to monitor systems, investigate alerts, and respond to threats quickly and with less manual effort. These tools are helping teams cut down the time it takes to detect and respond to incidents, while also reducing alert fatigue.
To better understand this space, our team interviewed 13 well-known AI SOC vendors. We sent each of them a detailed questionnaire and asked them to explain how their platform works. We then used their answers to compare and map their capabilities using our own assessment framework. This report includes summaries of each vendor and highlights the differences in their approaches, features, and overall strengths.
The following AI SOC vendors participated in our research:

Radiant Security
2021
Radiant Security, founded in 2021 by former Exabeam executives, is a cybersecurity company focused on automating Security Operations Center (SOC) triage and response through artificial intelligence. Its core offering is an AI-driven SOC platform that seeks to address alert fatigue, reduce manual investigation workloads, and improve response time to security incidents. Radiant’s system is designed to integrate with existing enterprise environments and ingest telemetry from multiple sources, including alerts, endpoint logs, identity platforms, and any unstructured security telemetry and documentation.
The platform operates via a fleet of AI agents that perform automated triage and investigation across a wide array of security use cases. Its principal mechanism involves contextual enrichment of alerts, where extracted data artifacts are dynamically correlated with environmental signals such as user roles, behavioral baselines, and threat intelligence. Radiant employs just-in-time behavioral baselining rather than precomputed ML models, enabling investigations to adapt to context-specific activity patterns without continuous background processing. These baselines are generated from recent data, typically ranging from two weeks to 90 days, depending on the nature of the event.
Radiant distinguishes between known and unknown threats using a tiered model. For novel or previously unseen alerts, Radiant conducts ad hoc analysis and constructs new triage procedures, effectively augmenting the system’s capabilities over time. Once analyzed, alerts are categorized into one of four statuses: benign, recommended benign, recommended malicious, or malicious. Only alerts deemed malicious or confirmed by a user are escalated to case-level incidents, helping reduce operational noise.
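The just-in-time baselining and the four-status verdict model described above, as an added worked example (not Radiant's code): the baseline is computed on demand from a lookback window, deviations and threat-intel hits are counted, and only malicious or analyst-confirmed alerts are escalated. The thresholds, field names and sample sign-in events are constructed assumptions.

```python
"""Just-in-time behavioral baselining feeding a four-status verdict. Added
example illustrating the tiered triage model described above; it is not
Radiant's code. Thresholds, field names and sample events are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

VERDICTS = ("benign", "recommended benign", "recommended malicious", "malicious")
DEMO_NOW = datetime(2025, 5, 31, 12)  # "now" for the constructed demo


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    src_country: str
    device: str


def sample_history(user="alice"):
    """Constructed sign-in history: one user, 30 days of routine activity."""
    start = datetime(2025, 5, 1)
    events = []
    for day in range(30):
        events.append(Event(start + timedelta(days=day, hours=9), user, "203.0.113.10", "FR", "laptop-01"))
        if day % 3 == 0:  # occasional afternoon sign-in from the same device
            events.append(Event(start + timedelta(days=day, hours=14), user, "203.0.113.10", "FR", "laptop-01"))
    return events


def make_alert(hour, src_ip, country, device, user="alice"):
    """Constructed alert on the demo day, used by the demo and the tests."""
    return Event(datetime(2025, 5, 31, hour), user, src_ip, country, device)


def jit_baseline(history, user, now, window_days=30):
    """Build the baseline on demand from the user's events inside the lookback
    window (the text cites two weeks to 90 days); nothing is precomputed."""
    if not 14 <= window_days <= 90:
        raise ValueError("lookback window must be between 14 and 90 days")
    cutoff = now - timedelta(days=window_days)
    recent = [e for e in history if e.user == user and cutoff <= e.ts <= now]
    return {
        "count": len(recent),
        "countries": Counter(e.src_country for e in recent),
        "devices": Counter(e.device for e in recent),
        "hours": Counter(e.ts.hour for e in recent),
    }


def triage(alert, baseline, intel_bad_ips=frozenset()):
    """Correlate the alert with the baseline and threat intel, then map the
    number of deviations onto the four statuses. Returns (verdict, reasons)."""
    if alert.src_ip in intel_bad_ips:
        # A threat-intel hit is decisive on its own.
        return "malicious", [f"source {alert.src_ip} is a known-bad indicator"]
    if baseline["count"] == 0:
        # No baseline means no evidence either way: hand it to an analyst.
        return "recommended malicious", ["no recent activity for this user in the window"]
    reasons = []
    if alert.src_country not in baseline["countries"]:
        reasons.append(f"first sign-in from country {alert.src_country}")
    if alert.device not in baseline["devices"]:
        reasons.append(f"first use of device {alert.device}")
    if alert.ts.hour not in baseline["hours"]:
        reasons.append(f"sign-in at unusual hour {alert.ts.hour:02d}:00")
    return VERDICTS[min(len(reasons), 3)], reasons


def should_escalate(verdict, confirmed_malicious=False):
    """Only malicious or analyst-confirmed alerts become case-level incidents;
    the two 'recommended' tiers wait for a human decision."""
    return verdict == "malicious" or confirmed_malicious


if __name__ == "__main__":
    baseline = jit_baseline(sample_history(), "alice", DEMO_NOW)
    for alert in (make_alert(9, "203.0.113.10", "FR", "laptop-01"),
                  make_alert(3, "198.51.100.7", "BR", "unknown-pc")):
        verdict, why = triage(alert, baseline, intel_bad_ips={"198.51.100.7"})
        print(f"{alert.ts:%Y-%m-%d %H:%M} {verdict!r} escalate={should_escalate(verdict)} {why}")
```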
A significant focus is placed on automation. Radiant supports full-cycle automated remediation workflows, which can be configured to include or exclude human approval steps. This hybrid model allows organizations to gradually shift toward increased automation as trust in the system grows. Radiant’s internal benchmarks suggest that full triage can occur within minutes, though mean time to respond (MTTR) is often limited by user validation time. Customers reportedly reduce response cycles from industry-standard durations of several days to under eight hours, with automation-capable environments achieving turnaround as short as a few minutes.
Radiant’s deployment model supports customer-controlled log storage, typically through Amazon S3 buckets as well as query connectors that leverage existing SIEMs and APIs. This configuration allows for compliance-friendly, long-term retention without the cost burden of traditional SIEM licensing models. The platform includes a built-in log management interface with support for Lucene queries and Grafana integration. This approach enables visualization and correlation without proprietary query languages or infrastructure dependencies.
Licensing is decoupled from data volume and is instead based on the number of users or alert types under management. This model aims to provide predictable pricing while scaling with organizational complexity and coverage requirements. For managed security service providers (MSSPs), Radiant offers licensing aggregation across tenants, with multi-bucket support to preserve data isolation and ownership.
From a customization standpoint, Radiant offers three primary levers: static allow/deny lists, environment-specific unsupervised learning, and codified natural language policies. These options allow organizations to tailor alert disposition logic to their operational context and reduce false positives, particularly in environments where technical teams may generate anomalous but legitimate activity.
Radiant positions itself as a product-centric platform rather than a managed service. Customers are responsible for deployment and operation, with support limited to technical guidance. Initial implementation typically includes a four to six-week proof of concept, followed by a three-month “time to trust” period during which automation is incrementally enabled.
In summary, Radiant Security delivers an AI-based SOC automation platform focused on reducing alert volume, expediting investigation, and supporting scalable automation. Its emphasis on adaptive triage, just-in-time baselining, and customer-owned data infrastructure offers a distinct model within the AI SOC landscape.

Legion
2024
Legion is a cybersecurity platform that enables security teams to codify and automate investigative workflows by capturing how analysts work and transforming those behaviors into reusable agents. Rather than relying on predefined detection rules or generalized models, Legion focuses on recording real analyst decision-making processes and operationalizing them at scale.
At the core of Legion’s platform is a browser-based agent that records analyst sessions. As analysts investigate alerts, the system captures the full investigative process, including data reviewed, steps taken, and decisions made. This recording is not just for playback or training purposes. Instead, it becomes a living agent that can be reused in future investigations. This design allows teams to apply their best investigative logic to every new alert, effectively scaling the expertise of senior analysts across the entire SOC.
These recorded agents can be tested, refined, and re-executed. They are not static or one-time scripts but instead act as repeatable workflows that maintain context across investigations. Legion supports investigation reuse by allowing agents to automatically execute on new, relevant alerts—applying the same reasoning process that a human analyst previously followed. As a result, teams can gradually build a library of agents that reflect their institutional knowledge and investigative standards.
Legion integrates into security environments by operating as a system of record for investigations. It pulls in alerts from existing detection systems and provides a workspace where analysts can review, annotate, and act on these alerts. Over time, the system learns which investigation patterns lead to high-confidence outcomes and encourages reuse of those patterns.
Deployment flexibility is supported through cloud-hosted, customer-hosted, and hybrid options. This allows organizations with different infrastructure and compliance requirements to adopt the platform without sacrificing control or performance.
Customization is inherent to Legion’s design. Every agent begins as an analyst-driven investigation, meaning each workflow is tailored to the specific environment, threat landscape, and operational style of the customer. Rather than generalizing across organizations, Legion’s model emphasizes internal accuracy and context-specific decision-making.
In summary, Legion provides a framework for transforming analyst expertise into operational automation. By recording and replaying investigations through browser-based agents, it enables security teams to standardize, scale, and continuously improve how alerts are handled. The platform focuses on investigative quality, contextual fidelity, and repeatability, offering a unique approach to SOC automation rooted in real analyst behavior.
Command Zero
2022
Command Zero is a cybersecurity platform designed to accelerate and automate security investigations through natural language interaction and structured reasoning. The platform integrates a retrieval-augmented generation (RAG) architecture with security-specific reasoning tools, enabling analysts to perform end-to-end investigations using plain English prompts. Rather than focusing on alert triage or basic filtering, Command Zero is purpose-built for handling Tier 2 and above investigations. Its core use case is helping analysts understand the full scope, context, and impact of complex incidents that go beyond initial detection.
The platform operates as a reasoning layer that connects to existing security and IT infrastructure. It integrates with a wide range of enterprise systems, including SIEMs, EDRs, identity providers, ticketing tools, and asset inventories. Analysts initiate investigations by describing a question or incident in natural language. The system then retrieves and synthesizes relevant data from these connected tools. This enables investigation-level workflows such as tracing lateral movement, verifying persistence mechanisms, or confirming multi-stage compromise, without requiring manual queries across fragmented interfaces.
Command Zero’s investigation engine combines three core functions: retrieval, reasoning, and automation. It retrieves relevant information from underlying systems, applies structured logic to interpret that data in a security context, and automates investigative workflows. The system produces both natural language summaries and structured outputs that can be shared or escalated. This approach supports the depth and rigor required for high-fidelity investigations that would typically be performed by experienced analysts.
A key feature of the platform is its ability to generate complete investigation reports as a byproduct of the investigative process. These reports contain all relevant evidence, reasoning, and findings in a format suitable for documentation, collaboration, and escalation. By automating report generation, the platform reduces the time analysts spend compiling results and ensures consistency in investigative outputs across the team.
Command Zero does not serve as a detection or triage system. It is designed to activate once an alert has been generated or a security question has been raised. This distinction makes it suitable for Tier 2 and Tier 3 analysts who are tasked with answering what happened, how it happened, and what the potential impact is. The platform complements existing alerting systems by offering investigation depth rather than alert suppression or prioritization.
To support analysts across varying levels of experience, Command Zero abstracts away query languages and tool-specific logic. Analysts interact with the system using plain English, while the platform handles the complexity of retrieving and correlating data from diverse sources. This helps less experienced analysts operate at a higher level of sophistication while enabling senior analysts to scale their expertise across more cases.
Deployment options include customer-hosted and cloud-hosted configurations. Command Zero integrates via APIs with existing infrastructure, querying data in place rather than ingesting it. This minimizes duplication, reduces operational overhead, and ensures compatibility with existing security investments.
Customization is enabled through environment-specific connectors and structured action libraries. Organizations can define how the platform interacts with their systems and tailor its behavior to match internal workflows and terminology. This allows teams to align the platform with their investigation procedures and response protocols.
In summary, Command Zero provides a retrieval-augmented investigation platform purpose-built for Tier 2 and Tier 3 analysts. Its focus on natural language reasoning, automated report generation, and cross-system data retrieval enables security teams to accelerate complex investigations while maintaining consistency, depth, and operational efficiency.
Intezer
2017
Intezer is a cybersecurity platform that provides end-to-end support for threat detection, investigation, and response, positioning itself as a complete AI SOC system. While the platform includes broad capabilities for automated alert triage, threat enrichment, and case management, its standout strength lies in its advanced sandboxing and deep malware analysis engine. This foundation enables Intezer to offer high-confidence investigations, particularly in environments dealing with malware-heavy threats or nation-state level adversaries.
At the core of the platform is a dynamic sandbox integrated into the broader SOC workflow. This sandbox executes suspicious files and payloads in a controlled environment and captures detailed behavioral indicators, including process creation, memory injection, persistence techniques, and network communication. Rather than simply flagging based on signatures or basic heuristics, the sandbox enables high-fidelity behavioral analysis that directly informs automated decisions and escalations. The sandbox is tightly integrated with static analysis, code reuse detection, and memory forensics, allowing for a comprehensive understanding of threats at multiple levels.
Intezer’s investigative approach is informed by years of experience in reverse engineering and malware classification. The platform’s core engine dissects binaries into code fragments and compares them to a proprietary database of known code from legitimate software, malware families, and threat actor toolkits. This allows the system to identify reused components across malware campaigns, even in polymorphic or obfuscated variants. As a result, Intezer can make high-confidence verdicts on new and unknown threats by tracing their code origins and matching behavior against known profiles.
Intezer functions as a full SOC automation platform. It ingests alerts from existing tools, including EDRs, SIEMs, and email security platforms, and applies layered analysis to surface only high-fidelity incidents. The system automatically enriches alerts with sandbox results, memory scan indicators, MITRE ATT&CK techniques, and threat intelligence. Analysts receive structured investigation reports that combine behavioral summaries, classification context, and recommended actions, allowing them to understand and respond to incidents without pivoting across tools.
Case management is built into the platform, enabling teams to track investigations, assign tasks, and collaborate within the system. Analysts can submit files, memory dumps, or suspicious processes manually or through automated workflows. Each investigation benefits from the same deep analysis pipeline, whether triggered by an endpoint alert or an email attachment. Verdicts are recorded and shared across the team, improving consistency and organizational memory over time.
The platform offers broad integrations across Cloud, Email, Endpoint, SIEM, SOAR, Identity, Network and Ticketing environments, supporting both fully automated and analyst-in-the-loop workflows. Customization is supported through tagging policies, trusted software lists, suppression rules, and automation playbooks. Deployment options include cloud-hosted and private cloud configurations, enabling scalability for enterprise and MSSP use cases.
While Intezer provides broad SOC coverage, its sandbox and malware analysis engine remains a central differentiator. This capability allows the platform to deliver depth on threats that would otherwise evade lightweight analysis, including fileless malware, in-memory implants, and customized payloads. For organizations facing persistent or sophisticated threat actors, Intezer offers an AI SOC platform with a malware investigation core that maintains the fidelity and investigative rigor often missing from generalized detection tools.
In summary, Intezer is a full AI SOC platform that integrates alert ingestion, analysis, and response, with a particular strength in sandbox-driven threat understanding. Its combination of behavioral analysis, code origin tracing, and memory forensics delivers comprehensive coverage for complex attack scenarios, making it a strong option for security teams prioritizing depth and accuracy in malware investigations.
Crogl
2023
Crogl is a cybersecurity company that provides a software platform focused on automating alert triage and incident management within enterprise Security Operations Centers (SOCs). It positions itself as an alternative to both managed detection and response (MDR) services and traditional Security Information and Event Management (SIEM) platforms. The system is built to streamline detection engineering, investigation workflows, and analyst productivity through a fully integrated artificial intelligence (AI) and data stack.
The foundation of Crogl’s platform is a compound AI system that includes a knowledge engine that automatically learns the customer’s data environment, without requiring data normalization or movement. It connects to all security relevant data sets and learns their schemas, including security telemetry, cloud and identity logs, and human analyst input such as process documentation or ticket annotation. It includes threat intelligence from security advisories. Crogl does not rely on rule-based correlation or static detection signatures. Instead, it uses a series of AI agents that continuously process security events and classify activity in real time. These agents operate on normalized timelines that include events from multiple sources, providing context for accurate threat assessment and decision-making.
A key aspect of Crogl’s system is its learning-based approach to triage. When new alerts are received, the platform attempts to classify them based on prior data and learned patterns. It autogenerates response plans based on industry best practices and learnings from prior analyst processes, then executes them, surfacing evidence and documentation at each step. If confidence is high, the alert is suppressed or resolved automatically. If not, the system surfaces the alert to an analyst as an investigation. Analyst decisions, including annotations and feedback, are captured and used to refine future detection and response behavior. This forms a continuous learning loop where the system evolves based on local operational knowledge.
Crogl emphasizes the generation of structured case timelines that consolidate related events. These timelines integrate metadata such as user and asset context, behavioral indicators, and external threat signals. Analysts can interact with these timelines directly within the platform, conduct investigations, and document findings without switching tools. The interface is built for collaborative workflows, allowing for shared views and contextual notes among team members.
The platform is designed to integrate with existing SOC tooling and processes. It offers APIs for alert forwarding, case ticketing, and automated remediation. Out-of-the-box integrations with common platforms such as XSOAR, Splunk, Jira and CrowdStrike allow security teams to embed Crogl’s capabilities into their day-to-day operations without major changes in workflow.
Crogl is designed to reduce the volume of alerts requiring human attention. According to reported performance in customer environments, more than 95 percent of incoming alerts are either suppressed or resolved automatically. This reduction is achieved through AI-based contextual analysis rather than static filtering. The platform uses environmental understanding and behavioral context to decide which events need escalation, preserving fidelity while reducing noise.
From an infrastructure standpoint, Crogl supports flexible deployment options. Customers may choose to use their own cloud object storage, default to Crogl’s managed infrastructure, or deploy the platform fully on-premises in air-gapped environments with no Internet access. This flexibility allows organizations to meet specific compliance, sovereignty, or operational requirements. The pricing model is based on the number of monitored workspaces or log sources rather than data volume, making the platform scalable without variable cost penalties based on ingestion rates.
Customization is driven by analyst interaction and feedback. Unlike platforms that require manual tuning or rule creation, Crogl uses customer input and best practices as training data for its models. However, organizations can still apply custom business logic, exclusions, or policy constraints to guide alert disposition and suppression.
In summary, Crogl delivers an AI-based SOC automation platform that focuses on intelligent alert triage, integrated investigation support, and analyst-driven learning. Its emphasis on adaptive response, structured data correlation, and operational integration provides a framework for modernizing SOC functions without relying on external service providers or traditional rules-based systems.
Sekoia
2020
Sekoia.io is a European cybersecurity vendor that delivers a unified SOC platform integrating SIEM, SOAR, XDR, and Cyber Threat Intelligence (CTI) capabilities under a single architecture. Founded in France and now expanding globally, the company has raised over €60 million in funding to date, signaling strong investor confidence in its product vision and operational execution. The platform’s focus is on reducing the operational burden on SOC teams by combining structured data ingestion, automated detection, and AI-enhanced workflows, all with native threat intelligence at its core.
Sekoia’s primary offering is its AI-powered SOC platform, Sekoia Defend, which is tightly integrated with Sekoia Intelligence, a standalone threat intelligence module that can also be used independently. Together, these components provide flexible deployment options and align well with the needs of both enterprise SOCs and MSSPs. Sekoia’s MSSP strategy, in particular, is a major pillar of its go-to-market approach, supported by deployments across Europe.
A defining feature of the platform is its approach to AI integration. Rather than focusing on full automation or replacing analysts, Sekoia’s AI is designed to work alongside human operators. AI features assist with alert enrichment, contextual grouping, tuning recommendations, and providing intelligent summaries, aiming to reduce alert fatigue while retaining human oversight. One example of this is “Roy,” Sekoia’s AI chatbot, which enables natural language interactions across use cases ranging from threat intelligence lookups to alert triage and detection logic. Roy supports threat hunting, assists with query generation, and can explain threat actor campaigns, helping analysts work faster without needing deep familiarity with the underlying tooling.
Sekoia’s detection capabilities span multiple layers. These include:
- CTI-based detections, leveraging log matching against threat intel indicators
- Anomaly-based detections, which surface unusual behavior in network or user activity
- Sigma rule-based detections, offering flexibility and extensibility for custom use cases
All detection outputs are mapped to the MITRE ATT&CK framework, providing structured visibility into how threats manifest and enabling SOC teams to assess and prioritize coverage gaps.
The platform is designed to ingest telemetry from a wide range of sources, including cloud providers, endpoint tools, and network sensors. Its open-standards approach ensures compatibility with other tools in the security ecosystem: CTI is stored as STIX objects, and network telemetry follows the OCSF format. This data-first design simplifies integration and supports more precise correlation and enrichment during investigations.
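The CTI-based and Sigma rule-based detection layers described above, with every hit mapped to MITRE ATT&CK, as an added worked example (not Sekoia's code): the CTI layer matches events against minimal STIX-style indicator objects (skipping revoked ones), the rule layer evaluates a single-selection Sigma-style rule, and both return tagged hits. The indicators, the rule, the event schema and the log events are constructed.

```python
"""Layered detection over one log stream: a CTI layer matching events against
STIX-style indicator objects and a Sigma-style rule layer, with each hit tagged
with its MITRE ATT&CK tactic/technique. Added illustration of the layers
described above, not Sekoia's code; indicators, rule and events are constructed."""
import re

# Constructed, minimal STIX 2.1-style indicators (single-comparison patterns only).
STIX_INDICATORS = [
    {"type": "indicator", "id": "indicator--c2-domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.invalid']",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}]},
    {"type": "indicator", "id": "indicator--scanner-ip", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}]},
    # A revoked indicator must never fire, even though its value appears in the sample events.
    {"type": "indicator", "id": "indicator--stale", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '10.0.0.5']", "revoked": True},
]
# Assumed flat event schema: which event field each STIX observable path maps to.
OBSERVABLE_TO_FIELD = {"domain-name:value": "dest_domain", "ipv4-addr:value": "src_ip"}
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+:[a-z0-9_.-]+)\s*=\s*'([^']*)'\]$")

# Constructed Sigma-style rule: one selection, AND semantics, two value modifiers.
SIGMA_RULE = {
    "title": "Encoded PowerShell command line (constructed)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"},
                  "condition": "selection"},
    "tags": ["attack.execution", "attack.t1059.001"],
}


def parse_stix_pattern(pattern):
    """Return (observable path, literal value) for a single-comparison pattern."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    return m.group(1), m.group(2)


def cti_layer(event, indicators):
    """Layer 1: match event fields against every active STIX indicator."""
    hits = []
    for ind in indicators:
        if ind.get("revoked") or ind.get("pattern_type", "stix") != "stix":
            continue
        path, value = parse_stix_pattern(ind["pattern"])
        field = OBSERVABLE_TO_FIELD.get(path)
        if field and str(event.get(field, "")).lower() == value.lower():
            tactics = [p["phase_name"] for p in ind.get("kill_chain_phases", [])
                       if p.get("kill_chain_name") == "mitre-attack"]
            hits.append({"layer": "cti", "source": ind["id"],
                         "attack": {"tactic": tactics[0] if tactics else None, "technique": None}})
    return hits


def _field_matches(event, key, expected):
    """Sigma field selector with the endswith/contains modifiers (case-insensitive)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if modifier == "endswith":
        return value.endswith(expected.lower())
    if modifier == "contains":
        return expected.lower() in value
    if modifier == "":
        return value == str(expected).lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def sigma_layer(event, rule):
    """Layer 2: evaluate a single-selection Sigma rule and lift its ATT&CK tags."""
    if any(event.get(k) != v for k, v in rule["logsource"].items()):
        return []
    if rule["detection"]["condition"] != "selection":
        raise ValueError("only 'condition: selection' is supported")
    if not all(_field_matches(event, k, v) for k, v in rule["detection"]["selection"].items()):
        return []
    tags = rule.get("tags", [])
    tactic = next((t[7:] for t in tags if re.fullmatch(r"attack\.[a-z-]+", t)), None)
    technique = next((t[7:].upper() for t in tags if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t)), None)
    return [{"layer": "sigma", "source": rule["title"], "attack": {"tactic": tactic, "technique": technique}}]


def detect(events, indicators=STIX_INDICATORS, rule=SIGMA_RULE):
    """Run both layers over every event; each hit records which layer fired and why."""
    return [{"event": i, **h} for i, ev in enumerate(events)
            for h in cti_layer(ev, indicators) + sigma_layer(ev, rule)]


# Constructed log events, already normalized into the flat schema above.
SAMPLE_EVENTS = [
    {"product": "proxy", "category": "network", "src_ip": "10.0.0.5", "dest_domain": "c2.invalid"},
    {"product": "windows", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <base64 omitted>"},
    {"product": "windows", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"product": "firewall", "category": "network", "src_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```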
Sekoia also provides a query-based threat hunting interface, supporting syntax similar to Microsoft’s KQL. Analysts can craft complex searches or rely on Roy to assist with hunt logic and execution, allowing both junior and senior team members to contribute effectively to proactive threat identification.
On the response side, Sekoia currently supports playbooks and SOAR-style automation, with AI-driven remediation capabilities under development. While the current system avoids fully automated alert closure, upcoming releases will introduce customizable AI agents that support guided remediation actions, designed with varying degrees of autonomy to accommodate organizational risk tolerance.
From a commercial standpoint, Sekoia offers both per-asset and volume-based pricing models. The per-asset model is favored by customers for its predictability and affordability relative to traditional SIEM licensing. Additionally, Sekoia is optimizing its storage backend to reduce long-term retention costs, enabling customers to retain more searchable data beyond the default 90-day window.
In summary, Sekoia.io offers a full-spectrum AI SOC platform that combines detection, investigation, response, and threat intelligence into a tightly integrated system. Its analyst-centric AI design, native CTI engine, and strong support for open standards position it as a flexible and scalable solution for modern SOC environments, particularly those prioritizing speed, transparency, and contextual depth in security operations.
Prophet Security
2023
Prophet Security is a cybersecurity platform (Prophet AI) designed to automate alert triage, investigation, and incident response. It provides an AI-driven system that ingests alerts from existing detection tools and applies automated reasoning to determine their severity, relevance, and context. Built for modern Security Operations Centers (SOCs), Prophet Security aims to reduce the volume of alerts requiring manual analyst review by resolving or escalating them based on high-confidence analysis. The platform’s core focus is on investigation fidelity, combining structured workflows with machine learning models and large language model (LLM) capabilities.
Prophet AI ingests alerts from tools such as CrowdStrike, SentinelOne, Okta, and Microsoft Defender, as well as custom detections from SIEMs. Once alerts are received, the system conducts contextual enrichment using telemetry from endpoints, cloud infrastructure, identity systems, and threat intelligence. Rather than acting as a rule-based filter, Prophet AI applies automated investigation logic designed to replicate how experienced analysts would approach each case. The platform reviews user behavior, asset roles, recent activity patterns, and known threat indicators to determine whether an alert is benign or requires further investigation.
At the heart of Prophet’s approach is the concept of “resolving” alerts through agentic reasoning. The system generates structured, evidence-based reports for each alert, summarizing findings in natural language and citing the data sources used. These investigation reports are designed to be human-readable and ready for audit, documentation, or escalation. The reports include confidence levels, reasoning steps, and relevant context such as attack techniques mapped to the MITRE ATT&CK framework.
Prophet AI supports multiple modes of operation, including fully automated resolution, analyst-in-the-loop confirmation, and automatic escalation to case management systems. This flexibility allows organizations to phase in automation based on trust, maturity, or compliance requirements. Security teams can configure policies to automatically close low-risk alerts, forward medium-risk alerts for review, or escalate high-risk findings with full investigative context.
Additionally, Prophet AI offers copilot-style capabilities that let users ask their own investigative questions in free-form natural language, both in the context of individual investigations and in more open-ended threat hunts.
The platform is built to support the needs of Tier 1 through Tier 3 analysts. Junior analysts benefit from structured reports that provide visibility into investigative reasoning, while senior analysts can rely on automation to reduce the burden of repetitive triage. Prophet’s use of LLMs supports summarization, data correlation, and contextual reasoning, enabling faster understanding without compromising accuracy.
Integration with existing SOC tooling is a key part of the deployment model. Prophet AI connects with alerting systems, ticketing platforms, SIEMs, and SOAR tools via API. Alerts can be ingested in real time, with investigations triggered automatically or manually based on use case. Deployment options include cloud-hosted and private infrastructure models, allowing for flexibility across enterprise environments.
Customization is supported through tuning policies, alert handling logic, and feedback mechanisms. Analysts can tag misclassified alerts, adjust thresholds, or define business-specific logic for disposition. Prophet incorporates these inputs to refine its reasoning over time, improving performance in dynamic environments.
In summary, Prophet Security offers an AI-driven SOC platform focused on resolving alerts through automated investigation. Its strength lies in delivering structured, auditable findings for each alert while reducing the time and effort required from analysts. With support for real-time enrichment, LLM-powered reasoning, and flexible automation workflows, Prophet provides a scalable solution for organizations looking to improve SOC efficiency without sacrificing investigative quality.

Dropzone AI
2023
Dropzone is a cybersecurity company that provides an AI-powered platform focused on reducing alert fatigue and improving incident response efficiency within Security Operations Centers (SOCs). Its primary function is to automate the triage of alerts generated by existing security tools, while maintaining high fidelity through a structured quality assurance process. Dropzone positions itself as a complement to established detection infrastructure, offering integration with a wide range of alert sources such as EDR platforms, SIEMs, cloud logs, and identity providers.
The platform is built around an AI system trained to mimic and scale human analyst behavior. Each alert received by the system is enriched and investigated through a series of structured reasoning steps, with results summarized in a natural language format. These summaries provide evidence-based justifications for classification decisions, helping analysts quickly assess whether an alert requires escalation. Alert dispositions are categorized along a confidence spectrum, typically ranging from benign to confirmed malicious, with appropriate context included for each outcome.
A distinguishing feature of Dropzone’s approach is its emphasis on human-in-the-loop quality control. Unlike black-box AI systems or fully automated triage layers, Dropzone designs its user interface to make it easy for human analysts to review investigations and provide feedback, if needed. Dropzone incorporates a dedicated QA process that systematically samples and reviews the output of its AI models. This QA function is performed by a team of experienced analysts who validate alert decisions, assess correctness, and provide structured feedback.
Dropzone integrates directly into customer environments via APIs and does not require changes to existing detection rules or logging pipelines. It consumes alerts from platforms such as CrowdStrike, SentinelOne, Microsoft Defender, and Okta, among others. The system acts as a triage layer between raw alerts and case management platforms like Jira, Splunk, or ServiceNow. Customers retain control over how Dropzone’s decisions are operationalized, with options to automatically close low-confidence alerts or escalate high-confidence alerts directly into ticketing systems.
Deployment options include cloud-hosted and hybrid models. Customers can bring their own storage or use Dropzone’s managed infrastructure. The platform is designed to be lightweight to deploy, with initial onboarding often completed in under a week. Pricing is typically based on the volume of alerts triaged, rather than log ingestion or storage capacity.
Customization is available through environment-specific tuning and policy controls. Customers can define business logic for alert disposition, suppression, or routing. Additionally, the platform supports tagging and feedback mechanisms, which analysts can use to correct or reinforce model behavior. These inputs are incorporated into system updates via the QA loop.
The QA process operates on a near-daily cycle, with performance metrics such as false positive rates, investigation completeness, and reasoning quality tracked over time. Dropzone uses this data to tune both its prompts and the workflows that guide automated investigations.
Dropzone stores details about the customer’s environment and business that it learns during investigations and supplies them as retrieval-augmented generation (RAG) context to improve future investigations. Customers can also add details to this context memory database themselves, and they report that the feature improves accuracy.
In summary, Dropzone offers an AI-powered alert triage platform focused on high-quality, analyst-validated decisions. Its structured QA process, combined with real-time alert reasoning and transparent summarization, allows organizations to reduce manual workload without compromising accuracy. By prioritizing model oversight and operational trust, Dropzone provides a rigorous framework for integrating AI into SOC workflows with measurable performance assurance.
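The disposition policies described for Prophet AI (fully automated, analyst-in-the-loop, or escalate-only operation with close / review / escalate routing) and for Dropzone (a benign-to-malicious confidence spectrum plus sampled human QA of the AI's decisions) can be sketched as one small policy layer. The Python below is an added illustration, not code from either vendor; the field names, thresholds, the minimum-evidence check and the deterministic hash-based QA sampling are all assumptions.

```python
# Added illustration, not vendor code: a disposition policy for an AI triage
# layer. An Investigation is the AI's structured report (verdict, confidence,
# cited evidence, ATT&CK techniques, reasoning); a Policy maps it to
# close / review / escalate, gated by an operating mode, and samples a fixed
# fraction of auto-closes for human QA. Thresholds and names are assumptions.
from dataclasses import dataclass, field
from enum import Enum
import hashlib


class Verdict(Enum):
    BENIGN = "benign"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"


class Mode(Enum):
    FULLY_AUTOMATED = "fully_automated"  # AI may close and escalate on its own
    ANALYST_IN_LOOP = "analyst_in_loop"  # AI proposes closes, analyst confirms
    ESCALATE_ONLY = "escalate_only"      # AI only enriches and hands off


@dataclass
class Investigation:
    alert_id: str
    verdict: Verdict
    confidence: float                    # 0.0 .. 1.0, as reported by the AI
    evidence: list[str]                  # data sources the report cites
    attack_techniques: list[str] = field(default_factory=list)  # e.g. "T1078"
    reasoning: list[str] = field(default_factory=list)          # steps taken


@dataclass
class Policy:
    mode: Mode
    auto_close_min_confidence: float = 0.90  # benign and >= this -> close
    escalate_min_confidence: float = 0.70    # malicious and >= this -> escalate
    qa_sample_rate: float = 0.10             # share of auto-closes re-reviewed
    min_evidence_sources: int = 2            # never auto-close a thin report


def qa_sampled(alert_id: str, rate: float) -> bool:
    """Deterministic sampling: the same alert id always yields the same
    answer, so the QA selection can be reproduced from the audit trail."""
    digest = hashlib.sha256(alert_id.encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") / 2**32   # uniform in [0, 1)
    return bucket < rate


def dispose(inv: Investigation, policy: Policy) -> dict:
    """Decide the SOC action for one investigation and return it together
    with the report's own verdict, citations and reasoning for the audit log."""
    record = {
        "alert_id": inv.alert_id,
        "verdict": inv.verdict.value,
        "confidence": inv.confidence,
        "techniques": inv.attack_techniques,
        "evidence": inv.evidence,
        "reasoning": inv.reasoning,
    }
    # Escalate-only mode: every alert reaches a human, with full context.
    if policy.mode is Mode.ESCALATE_ONLY:
        return {**record, "action": "escalate", "reason": "mode=escalate_only"}

    if (inv.verdict is Verdict.MALICIOUS
            and inv.confidence >= policy.escalate_min_confidence):
        return {**record, "action": "escalate",
                "reason": "high-confidence malicious finding"}

    if (inv.verdict is Verdict.BENIGN
            and inv.confidence >= policy.auto_close_min_confidence
            and len(inv.evidence) >= policy.min_evidence_sources):
        if policy.mode is Mode.ANALYST_IN_LOOP:
            return {**record, "action": "propose_close",
                    "reason": "benign; awaiting analyst confirmation"}
        sampled = qa_sampled(inv.alert_id, policy.qa_sample_rate)
        return {**record, "action": "close", "qa_review": sampled,
                "reason": "auto-closed, sampled for QA" if sampled
                else "high-confidence benign"}

    # Suspicious verdicts, low confidence or thin evidence stay human work.
    return {**record, "action": "review", "reason": "needs analyst review"}
```

The returned record keeps the AI's citations and reasoning on every path, so the audit trail is the same whether a human or the policy closed the alert.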
D3 Security
2025
D3 Security is a cybersecurity automation vendor focused on enabling AI-driven operations within security teams. Its platform, Morpheus, is an Autonomous SOC solution that combines automation, adaptive logic, and cross-stack correlation. It is designed for both enterprise SOCs and managed security service providers.
The core functionality of Morpheus is its dynamic, AI-driven playbooks, which can adjust their behavior during investigations based on contextual changes. These playbooks incorporate both horizontal correlation across different tools, such as SIEM, EDR, IAM, and cloud platforms, and vertical analysis within time-series or source-specific patterns. This enables the platform to investigate and triage threats at machine speed with minimal human intervention, improving response consistency and reducing analyst workload.
Morpheus supports over 700 integrations across endpoint, cloud, identity, ticketing, and threat intelligence platforms. These integrations are maintained and versioned through a modular framework that ensures long-term stability and makes it easier to adapt to evolving tech stacks. This integration depth allows security teams to operationalize automation across diverse environments and rapidly onboard new tools without extensive engineering effort.
A key feature of Morpheus is its data normalization and correlation layer. Alerts from different systems are standardized into a common format, enabling unified analysis, de-duplication, and automated enrichment. This makes it easier to group related alerts, draw faster conclusions, and leverage asset data, vulnerability intelligence, and historical incident records.
Morpheus includes a built-in chatbot that allows users to query, orchestrate, and investigate across the stack using natural language. Analysts can interact with the platform in plain English, eliminating the need for coding or familiarity with query languages like KQL. This capability shortens investigation times and makes key functions accessible to junior analysts and non-technical users.
While Morpheus is designed for autonomous operation, it also incorporates functionality developed during D3’s history as a SOAR vendor. These include robust case management, role-based access control, SLA tracking, audit trails, and executive dashboards. Each case can be linked to the automation that triggered it, ensuring traceability from alert to resolution and supporting compliance and oversight requirements.
The platform offers flexibility in deployment, with support for cloud-hosted, hybrid, and on-premises models. Multi-tenant capabilities allow MSSPs to maintain customer separation while centrally managing playbooks and response logic. Customization is supported at multiple layers, including playbook logic, UI configuration, and data handling, allowing teams to align automation with internal policies and update workflows based on real-world experience.
Morpheus actively performs investigations and triage, and supports remediation, across the security stack. By correlating alerts, executing automated responses, and enriching context on the fly, it delivers faster and more accurate outcomes than manual processes. The platform significantly reduces analyst fatigue by resolving routine alerts automatically and also relieves engineering teams of scripting and maintenance overhead. This makes security operations more scalable, more consistent, and ultimately more effective in preventing and containing threats.

Exaforce
2023
Exaforce is an AI security automation platform built on a real-time, streaming architecture designed to support full lifecycle security management. Its core functionality centers on processing telemetry from detection systems as it is generated, enabling rapid triage, enrichment, and decision-making without the need for centralized storage or batch analysis. The platform is positioned to assist security operations teams in automating both low-level alert handling and more complex investigations through policy-driven logic and adaptive workflows.
A defining aspect of Exaforce’s approach is its ability to deliver full lifecycle security management automation, encompassing alert ingestion, contextual enrichment, triage, escalation, and case generation. This automation is enabled through modular pipelines that can be configured to meet the specific operational policies of each organization. These pipelines define how different types of telemetry are enriched, evaluated, grouped, and acted upon, allowing organizations to tailor decision logic to their environment without relying on static rules.
Unlike platforms that require extensive configuration or rule tuning to provide value, Exaforce is designed to deliver significant out-of-the-box effectiveness. Upon deployment, the system is capable of handling a wide range of alert types, applying baseline detection and enrichment logic to produce structured, actionable results. This allows organizations to accelerate time-to-value and begin reducing manual analyst workload early in the adoption process.
The platform includes an investigative graph, which maps relationships between entities such as users, hosts, alerts, and observed behaviors. This feature supports visual investigation and helps analysts understand the broader context of an alert or incident. However, Exaforce emphasizes that the investigative graph is an augmentation feature, not a central architectural pillar. Unlike other vendors that rely on graph-based detection logic as a primary input (such as Wiz), Exaforce uses the graph to enhance human understanding and navigation of incident data rather than to drive detections directly.
Analyst interaction with the platform is structured around a web-based interface that displays investigation timelines, alert summaries, and asset relationships. Analysts can take action, escalate, or annotate directly within the interface. Notably, user feedback on alert quality is automatically incorporated into the system’s decision-making logic. This adaptive feedback loop helps reduce false positives over time and ensures that the platform remains aligned with operational needs as environments evolve.
In addition to feedback, Exaforce allows for the integration of business context into its workflows. For example, user roles, behavioral baselines, or attributes such as frequent travel status can be included in decision-making to minimize noise from legitimate activity. This ability to incorporate contextual awareness into detection and triage processes helps improve accuracy and reduces unnecessary escalations.
Overall, Exaforce offers a real-time automation platform focused on delivering full lifecycle security operations support without the overhead of complex tuning or post-deployment configuration. Its combination of out-of-the-box value, user-driven adaptation, and context-aware enrichment makes it well suited for organizations seeking to scale SOC capabilities without sacrificing accuracy or visibility. The platform’s modularity and investigative tools provide flexibility for both automated workflows and analyst-led investigations, supporting a hybrid model of SOC operations that balances speed with control.
Qevlar AI
2023
Qevlar is an AI-driven security platform built to assist analysts in investigating alerts with greater speed, consistency, and accuracy. Rather than functioning as a full alert triage system or replacing detection tools, Qevlar is positioned as an investigation co-pilot that enhances the analyst workflow by automating the reasoning and documentation processes. The platform integrates into existing SOC environments and is designed to support analysts in making informed decisions while reducing the time and effort spent on repetitive tasks.
Qevlar operates by ingesting alerts from various sources such as EDR platforms and identity providers. Upon receiving an alert, the platform performs an automated investigation that mimics the type of reasoning and research an analyst would typically conduct. It produces a structured report for each alert, outlining whether it is benign or malicious, providing supporting evidence, and assigning a confidence level to the conclusion. This format is designed to be immediately usable by analysts, team leads, or case management systems and includes links to the data sources used in the decision process.
Unlike traditional automation platforms, Qevlar does not aim to suppress or prioritize alerts at the point of ingestion. Instead, it focuses on enriching and interpreting alerts after they have been generated, ensuring that analysts receive clear, context-rich findings for review or action. The system is built to preserve analyst oversight, making it well-suited for SOCs that require human-in-the-loop validation, high-confidence decisions, and audit-ready outputs.
A key design feature of Qevlar is its ability to automate the documentation process. Each investigation results in a report that includes a plain-language summary of findings, references to supporting data, and a justification for the final verdict. These reports are structured and consistent, helping teams reduce the manual burden of writing investigation notes or escalation summaries. This also supports faster peer review, incident handoff, and knowledge sharing across the SOC.
Qevlar integrates with a range of commonly used security tools. The platform supports ingestion of alerts from sources such as SentinelOne, CrowdStrike, Microsoft Defender, and Okta, and can export investigation results to case management and ticketing systems like Jira or TheHive. This allows organizations to embed Qevlar’s automated reasoning into their existing workflows without significant disruption.
Deployment options include cloud-hosted and fully on-premises models. The on-premises option allows Qevlar to operate in environments with strict data residency, sovereignty, or compliance requirements. Regardless of deployment model, investigation data remains within the customer’s infrastructure, and the system does not require log ingestion or large-scale data duplication.
Qevlar is designed to evolve with the environment it operates in. The platform supports feedback loops where analysts can correct outcomes, tune decisions, and provide input on edge cases. These corrections are incorporated into future investigations, improving the system’s ability to align with internal policies and expectations. This enables a continuous improvement cycle without needing complex rule writing or manual tuning.
In summary, Qevlar is an investigation-focused AI platform that acts as a co-pilot for SOC analysts, providing structured, explainable findings for each alert without removing human control. Its emphasis on automated reasoning, report generation, and easy integration into existing environments makes it a strong fit for teams looking to increase investigative capacity while maintaining accuracy, transparency, and adaptability. With support for on-prem deployment and analyst feedback, Qevlar offers a high-trust automation layer tailored to the needs of modern security operations.
Torq
2020
Torq is a security automation platform that enables organizations to build, manage, and scale workflows across the security operations lifecycle without writing code. Designed for SOC teams, incident responders, and security engineers, the platform provides an orchestration layer that connects tools, data sources, and decision logic into real-time automated processes. Its core value lies in accelerating detection-to-response cycles, reducing manual workload, and enabling consistent operational execution through a modular and extensible design.
The platform’s foundation is a no-code visual editor that allows users to build automation workflows by assembling actions, triggers, and decision points. These workflows, referred to as “hyperautomation pipelines,” can span across SIEMs, EDRs, identity providers, cloud platforms, ticketing systems, and threat intelligence feeds. Security teams use these pipelines to automate tasks such as alert triage, data enrichment, case assignment, threat containment, and remediation. The system supports real-time execution of workflows, enabling immediate response to new alerts or indicators.
Torq includes over 1,000 prebuilt integrations with widely used security and IT tools. These include platforms such as CrowdStrike, SentinelOne, Microsoft Defender, Okta, ServiceNow, Jira, and Slack. The integration framework is API-first and extensible, allowing teams to add new tools or custom connectors without disrupting existing workflows. This makes the platform adaptable across different environments, including enterprises with diverse tooling or MSSPs managing multiple tenants.
The platform is designed to support dynamic, event-driven automation. Triggers can be based on incoming alerts, scheduled tasks, analyst inputs, or external API calls. Workflows can incorporate conditional logic, parallel branches, and data transformations, allowing for complex decision trees and branching behavior. Torq’s architecture enables workflows to evolve over time, with version control and audit logging to track changes and maintain compliance.
One of Torq’s key design principles is usability for both technical and non-technical users. Security engineers can build and maintain workflows without needing to write scripts, while analysts can interact with them through forms, approvals, and notifications. This enables a collaborative operating model where different SOC roles can contribute to and benefit from automation without siloed ownership.
Torq also supports templated “use cases” that bundle workflows for common security tasks. Examples include phishing response, malware containment, privilege escalation review, and suspicious login analysis. These use cases can be deployed and customized quickly, accelerating time to value for teams seeking to operationalize automation without starting from scratch.
Deployment options include cloud-hosted and customer-hosted environments, with features for multi-tenant isolation and enterprise access controls. The platform is built to scale across large volumes of alerts, users, and integrations, with monitoring and performance dashboards to support operational management.
Customization is central to Torq’s value proposition. Every workflow can be adapted to match an organization’s environment, policies, and processes. Data inputs and outputs can be normalized, enriched, or transformed as needed, and analyst inputs can be integrated at any stage of execution. This flexibility allows organizations to maintain high trust in automation outcomes while preserving the ability to intervene or escalate when required.
In summary, Torq provides a scalable security automation platform that allows SOC teams to build and run real-time workflows across their tool ecosystem. Its no-code design, extensive integrations, and support for dynamic decision-making make it well suited for organizations looking to operationalize automation without the complexity of traditional scripting or orchestration tools.

Mate
2025
Mate is a security automation platform designed to scale and operationalize the investigative expertise of human analysts. While often described as a “record and replay” system, this characterization significantly understates its architectural depth. Browser-based observation is only one of multiple data sources Mate uses to learn from and emulate analyst decisions. The platform integrates backend systems such as ticketing and documentation tools, real-time business systems like HR and asset management, and external APIs, allowing it to build a rich, organization-specific model of investigative behavior and context.
The platform’s onboarding process is a key differentiator. From the outset, Mate ingests data across systems and observes analyst activity to understand not just what actions are taken, but why they are taken. Unlike behavior-learning tools that mimic workflows, including mistakes, Mate employs reason mining to infer the logic behind analyst choices. These insights are validated through a judgment engine, which filters learned behaviors against security best practices and organizational context. This ensures that only successful investigative strategies are encoded and operationalized as repeatable automation workflows.
While browser-based recording remains a valuable source of observational data, it is treated as one input among many. Recorded workflows include data lookups, cross-tool navigations, tagging logic, and response actions, all contextualized by correlated inputs from structured backend systems. These workflows are then reviewed, edited, and versioned before being deployed, ensuring traceability and oversight. As analysts work through new alerts, the platform continuously expands its automation library and adapts based on ongoing feedback.
Mate is capable of resolving routine alerts autonomously and accelerating more complex investigations by surfacing rich contextual data and proposing recommended actions. Because of its multi-source architecture, Mate is not limited by tool-specific integrations. It works across third-party platforms and organizational systems, even in environments where formal APIs are not present. This independence from integration constraints enables rapid onboarding and broad applicability across environments with heterogeneous tooling.
The platform also supports user feedback as a live input into its learning model. Analysts can accept, reject, or modify automated actions, and Mate incorporates this feedback automatically into its reasoning. Over time, this creates a feedback loop where human oversight drives continuous refinement without the need for manual rule tuning or retraining. Additionally, business context, such as frequent traveler status, role-specific activity, or privileged account usage, can be factored into decision-making, helping to reduce false positives and better reflect organizational norms.
Deployment can be cloud-hosted or hybrid, with all automation and data handling confined to the customer’s controlled environment. This ensures data sovereignty while maintaining the flexibility and speed of a modern security automation platform.
Mate’s approach delivers value from day one. Unlike conventional automation systems that require weeks of rule development or machine learning models that depend on large training datasets, Mate’s reasoning engine and contextual awareness allow it to begin providing meaningful assistance during the earliest phases of deployment.
In summary, Mate is a multi-source, context-aware automation platform that combines behavioral observation with backend integration, reason-based learning, and judgment-driven validation. By focusing on why analysts act, rather than just what they do, and by incorporating feedback and business context continuously, Mate delivers high-fidelity automation that aligns with real-world security operations needs from the outset. Its unique architecture allows organizations to scale analyst expertise without compromising accuracy, control, or adaptability.
To view the complete scoring, head over to this spreadsheet.