Arcanna: The Foundation for an Evolving SOC

SOCs worldwide are currently being bombarded with messaging around Agentic AI in every part of their cybersecurity stack, though we’ve noticed that at the high end of the spectrum, most are treading lightly in high-volume, critical problems like alert triage and prioritization. Many of these organizations have invested significantly in their SOAR capabilities, some with many hundreds of playbooks maintained by a small team of expert analysts. While SOAR itself is not solving all of their problems, it is providing significant value that can’t yet be met with Agentic Frameworks. Throwing out their playbooks isn’t a viable solution, but simplifying and enabling them to evolve is.

We also have encountered sophisticated organizations who are working on building their own AI Agents and Agentic Workflows rather than buying something from a vendor. When talking to those teams, we often learn that they’re able to take things to a certain level before they run into challenges with consistency, trust, volume, and cost.

Fortunately, both of those scenarios are well-served by our Decision Models. We believe that as more organizations realize that the future of the SOC involves a hybrid of fully-deterministic (SOAR-like) and highly-flexible (investigation, incident scoping) workflows, the critical infrastructure that binds them will be highly-reliable and consistent knowledgebases learned automatically from their teams.

Use Cases

In fact, some of our customers are working very closely with us to inform this reality as they undergo the exact transformation we’ve discussed. Below is a sampling of Use Cases we’ve seen or built that leverage Decision Models to simplify and strengthen consistency + trust in workflows:

Alert Routing

  1. What It Is

Every vendor has a different way of describing the same thing (think about how many different ways you’ve seen MITRE ATT&CK tactics reported across your security stack), and some might not include certain information you need at all. This can cause SOCs to incorrectly handle some alerts, potentially break existing automation workflows, and otherwise be tedious to maintain. Customers who build an Alert Routing Decision Model are able to pick the fields that might contain useful information across their security stack and correctly route each alert to the appropriate workflow (whether that’s a triage-based Use Case in Arcanna, a SOAR playbook, or an Agentic Framework).

  2. Why It’s Valuable
  • Automatically normalizes data across many vendors
  • Evolves with your tooling without needing to hand-build mapping schemas or constantly update code
  • MSSPs can onboard new customers with new tooling in minutes

  3. Key Metrics

One advanced customer deployment uses Alert Routing to triage each alert by both technology type (e.g. Firewall, Email, Network) and by ATT&CK tactic (Initial Access, C2, Exfiltration), which allows them to take the highest-confidence result and successfully triage more alerts without human handling.
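To make the routing problem concrete, here is an added example (not Arcanna code, and not a learned Decision Model) that does the same job with hand-written rules: it looks for the tactic and technology fields that different vendors use, normalizes their spellings onto canonical ATT&CK tactics and product categories, scores each normalization, and routes on the highest-confidence label. The field names, alias tables, workflow names and sample alerts are all constructed for the illustration; the point is that anything the rules cannot normalize with enough confidence falls back to a human queue rather than being routed blindly.

```python
"""Vendor-agnostic alert routing: a deterministic stand-in for a learned
Decision Model. All field names, aliases, routes and alerts are constructed."""
import re

# Canonical ATT&CK tactic -> spellings seen across vendors (constructed, not exhaustive).
TACTIC_ALIASES = {
    "initial-access": {"ta0001", "initial access", "initial-access"},
    "command-and-control": {"ta0011", "command and control", "command-and-control", "c2"},
    "exfiltration": {"ta0010", "exfiltration", "exfil"},
}
# Canonical technology type -> spellings seen across vendors (constructed).
TECH_ALIASES = {
    "firewall": {"firewall", "fw", "network_firewall"},
    "email": {"email", "mail", "email_security"},
    "network": {"network", "ids", "ndr"},
}
# Hypothetical field names different products use for the same information.
TACTIC_FIELDS = ("attack.tactic", "mitre_tactic", "tactic_name", "threat.tactic.id")
TECH_FIELDS = ("product_type", "source_category", "event.category")

# Routing table: (kind, canonical label) -> workflow. Names are placeholders.
ROUTES = {
    ("tactic", "command-and-control"): "soar:c2-containment",
    ("tactic", "exfiltration"): "soar:dlp-investigation",
    ("tactic", "initial-access"): "arcanna:phishing-triage",
    ("tech", "email"): "arcanna:phishing-triage",
    ("tech", "firewall"): "soar:firewall-enrichment",
    ("tech", "network"): "agent:network-investigation",
}
FALLBACK = "queue:manual-review"  # never route blindly on a weak match

SAMPLE_ALERTS = [  # constructed alerts in four different vendor shapes
    {"vendor": "fw-vendor", "attack": {"tactic": "TA0011"}, "product_type": "Network Firewall"},
    {"vendor": "mail-vendor", "source_category": "Email Security"},
    {"vendor": "edr-vendor", "threat": {"tactic": {"id": "TA0010"}}},
    {"vendor": "legacy", "raw": "no tactic or category reported"},
]


def _get(alert, dotted):
    """Fetch a possibly nested field ('a.b.c') from a dict; None if absent."""
    cur = alert
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _normalize(value, aliases):
    """Map a raw vendor value onto a canonical label with a confidence score:
    exact alias match 1.0, substring match 0.6, no match (None, 0.0)."""
    if value is None:
        return None, 0.0
    v = re.sub(r"\s+", " ", str(value)).strip().lower()
    for canon, names in aliases.items():
        if v in names:
            return canon, 1.0
    for canon, names in aliases.items():
        if any(n in v for n in names):
            return canon, 0.6
    return None, 0.0


def classify(alert):
    """Return the best (kind, label, confidence) across all candidate fields."""
    candidates = []
    for f in TACTIC_FIELDS:
        label, conf = _normalize(_get(alert, f), TACTIC_ALIASES)
        candidates.append(("tactic", label, conf))
    for f in TECH_FIELDS:
        label, conf = _normalize(_get(alert, f), TECH_ALIASES)
        candidates.append(("tech", label, conf))
    return max(candidates, key=lambda c: c[2])


def route(alert, min_confidence=0.6):
    """Pick the workflow for one alert; weak or unknown results go to humans."""
    kind, label, conf = classify(alert)
    if label is None or conf < min_confidence:
        return FALLBACK
    return ROUTES.get((kind, label), FALLBACK)


def route_all(alerts):
    return [route(a) for a in alerts]


if __name__ == "__main__":
    for alert, target in zip(SAMPLE_ALERTS, route_all(SAMPLE_ALERTS)):
        print(alert["vendor"], "->", target)
```

The fourth sample alert is the case the paragraph above warns about: a product that simply does not report the information you route on. A rules-based router can only send it to manual review; the mapping tables also have to be extended by hand every time a new product or spelling appears, which is the maintenance burden the text describes.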

Arcanna Advisor

  1. What It Is

One of the biggest personnel challenges that SOCs face is consistency in decision-making among members of the team. This is exacerbated as people move on, are promoted, or simply can’t keep up with alerts. By deploying Arcanna Decision Models into their existing workflows, we’ve seen customers leverage Arcanna as an A/B test with their analyst teams to help surface inconsistent alert handling at scale. When analysts review an alert and come to a different conclusion than their Decision Models, they have an opportunity to review Arcanna’s guidance to help determine whether they (or Arcanna) made the wrong decision. Either way, Arcanna will record the final disposition and update its model accordingly.

  2. Why It’s Valuable
  • Junior analysts learn from the team when they’ve made the wrong decision
  • Teams become more consistent in their handling of alerts
  • All alerts (whether or not a human had an opportunity to look at the result) are automatically triaged with the collective knowledge of the team

  3. Key Metrics

In one customer deployment, the analyst ultimately decides that Arcanna was right more than 70% of the time after initially coming to a different conclusion than Arcanna.
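The A/B measurement described above can be expressed as a small bookkeeping step. The following is an added example, not Arcanna code: for each reviewed alert it records the model's verdict, the analyst's initial verdict, and the verdict the analyst finally committed after seeing the guidance, then derives the disagreement rate, how often the analyst ended up siding with the model (the figure quoted above), a per-analyst breakdown that surfaces inconsistent handling, and the final labels that are fed back as training data. Analysts, verdict vocabulary and records are constructed sample data.

```python
"""Advisor-style comparison of analyst and model dispositions.
Added illustration with constructed data; not Arcanna's implementation."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Disposition:
    alert_id: str
    analyst: str
    model: str            # model's verdict, e.g. "escalate" or "close"
    analyst_initial: str  # analyst's verdict before seeing the model's
    analyst_final: str    # verdict committed after reviewing the guidance


SAMPLE = [  # constructed review records
    Disposition("a1", "alice", "escalate", "escalate", "escalate"),
    Disposition("a2", "alice", "close", "escalate", "close"),      # reverted to model
    Disposition("a3", "bob", "close", "escalate", "escalate"),     # overrode model
    Disposition("a4", "bob", "escalate", "close", "escalate"),     # reverted to model
    Disposition("a5", "carol", "close", "close", "close"),
    Disposition("a6", "carol", "escalate", "close", "escalate"),   # reverted to model
]


def advisor_report(records):
    """Summarize where analysts and the model disagreed and who was vindicated."""
    disagreements = [r for r in records if r.analyst_initial != r.model]
    vindicated = [r for r in disagreements if r.analyst_final == r.model]

    # Per-analyst disagreement rate: a high rate for one person relative to
    # the team is the "inconsistent handling" signal worth a closer look.
    counts = defaultdict(lambda: [0, 0])  # analyst -> [disagreed, reviewed]
    for r in records:
        counts[r.analyst][1] += 1
        if r.analyst_initial != r.model:
            counts[r.analyst][0] += 1

    return {
        "reviewed": len(records),
        "disagreements": len(disagreements),
        # Share of disagreements where the analyst ultimately sided with the model.
        "model_vindicated_rate": (len(vindicated) / len(disagreements)) if disagreements else None,
        "per_analyst_disagreement": {a: d / n for a, (d, n) in counts.items()},
        # Cases where the analyst kept their own verdict: candidate model errors.
        "needs_review": [r.alert_id for r in disagreements if r.analyst_final != r.model],
        # Final dispositions are what gets recorded and fed back as labels.
        "final_labels": {r.alert_id: r.analyst_final for r in records},
    }


if __name__ == "__main__":
    for k, v in advisor_report(SAMPLE).items():
        print(f"{k}: {v}")
```

Note that the vindication rate is computed only over disagreements, which is the denominator the quoted 70% figure implies; alerts where analyst and model agreed from the start say nothing about who corrects whom.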

Hunting for Anomalies

  1. What It Is

Threat Hunting is an important proactive step that SOCs can take to identify threats that may fall outside of their detection capabilities. However, threat hunts are often extremely noisy, and analyzing all of the results is generally too time-consuming. Moreover, reviewing many possibly interesting results and identifying that none were actually concerning can take a toll on morale and accuracy. Customers who leverage Decision Models for their hypothesis-driven threat hunts are able to quickly filter out uninteresting activity, giving them the time to closely analyze the remaining events.

  2. Why It’s Valuable
  • Enable threat hunts to run continuously
  • Easily filter out uninteresting/noisy results without needing to constantly tune queries
  • Enables teams to expand their threat hunting coverage without expanding time or effort
  • The events that remain can be fed to other Decision Models for deeper automation

  3. Key Metrics

In one example, the team was able to filter over 100,000 initial events down to 25 with just a few minutes of initial training.

Threat Report to Tuned Detection

  1. What It Is

New threats appear relatively frequently, and turning publicly available threat reports into detections is a challenge that usually spans multiple team members and types of expertise. This is often logistically complex and slow, which gives adversaries more opportunities to successfully compromise and cause impact to your organization. By leveraging Arcanna’s upcoming AI Assistant and pre-built capabilities, teams can ingest new threat reports, extract the key details, build a detection query, search retroactively in their SIEMs, and (if no real alerts are found) build simulated alerts to train their Decision Models.

  2. Why It’s Valuable
  • Turn a complex and time-consuming process into a fast and simple workflow
  • Avoid False Negatives (FNs) from newly-discovered attacks
  • Enable Decision Models to be highly confident of new attacks before you encounter them

  3. Key Points

Watch as our Lead Solution Architect, Darius, discusses how he created this use case here.
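The five steps of this use case (ingest the report, extract key details, build a query, search retroactively, and synthesize training alerts when nothing is found) can be sketched end to end in plain code. The following is an added example and is not Arcanna's AI Assistant: it refangs a report excerpt, pulls out indicators and the ATT&CK technique ID with regular expressions, renders a query in a made-up SIEM syntax, applies the same match logic to stored events, and only when there are no real hits emits labelled simulated alerts. The report text, field names, query syntax and events are constructed placeholders, and the indicator values are deliberately fake (documentation address ranges and a zero-filled hash).

```python
"""Threat report -> detection query -> retrospective search -> simulated alerts.
Added illustration with constructed inputs; not Arcanna's implementation."""
import re

FAKE_HASH = "0" * 63 + "1"  # obviously fake SHA-256 for the example

# Constructed, defanged threat-report excerpt with fake indicators.
REPORT = f"""
The loader is staged from updates[.]example-cdn[.]test and beacons to
203[.]0[.]113[.]42 over TCP/8443. Loader SHA-256: {FAKE_HASH}.
Technique observed: T1071.001 (Application Layer Protocol: Web Protocols).
"""

# Constructed SIEM events with hypothetical field names; none match the report.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-02T10:00:00Z", "dst_ip": "198.51.100.7",
     "dns_name": "intranet.corp.test", "file_sha256": None},
    {"@timestamp": "2024-01-02T10:05:00Z", "dst_ip": "192.0.2.10",
     "dns_name": None, "file_sha256": "a" * 64},
]


def refang(text):
    """Undo common defanging so indicators can be matched literally."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_iocs(report):
    """Step 2: pull hashes, IPs, hostnames and technique IDs out of the text."""
    t = refang(report)
    ipv4 = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", t))
    hosts = set(re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", t)) - ipv4
    return {
        "sha256": sorted(set(re.findall(r"\b[0-9a-f]{64}\b", t))),
        "ipv4": sorted(ipv4),
        "domain": sorted(hosts),
        "technique": sorted(set(re.findall(r"\bT\d{4}(?:\.\d{3})?\b", t))),
    }


def build_query(iocs):
    """Step 3: render a query in a hypothetical SIEM syntax (not a real product's)."""
    def in_list(field, values):
        return f"{field} IN ({', '.join(repr(v) for v in values)})" if values else None
    clauses = [c for c in (in_list("file_sha256", iocs["sha256"]),
                           in_list("dst_ip", iocs["ipv4"]),
                           in_list("dns_name", iocs["domain"])) if c]
    return " OR ".join(clauses)


def retro_search(events, iocs):
    """Step 4: apply the query's match logic to already-stored events."""
    return [e for e in events
            if e.get("file_sha256") in iocs["sha256"]
            or e.get("dst_ip") in iocs["ipv4"]
            or e.get("dns_name") in iocs["domain"]]


def simulate_alerts(iocs, source="threat-report"):
    """Step 5: synthesize labelled alerts so a model can learn the pattern
    before the first real occurrence. Each is tagged as simulated."""
    alerts = []
    for kind, field in (("sha256", "file_sha256"), ("ipv4", "dst_ip"), ("domain", "dns_name")):
        for value in iocs[kind]:
            alerts.append({field: value, "technique": iocs["technique"],
                           "label": "malicious", "simulated": True, "source": source})
    return alerts


def report_to_detection(report, events):
    """Run the whole workflow; simulated alerts are produced only when the
    retrospective search finds no real matches."""
    iocs = extract_iocs(report)
    hits = retro_search(events, iocs)
    return {"iocs": iocs, "query": build_query(iocs), "hits": hits,
            "simulated": [] if hits else simulate_alerts(iocs)}


if __name__ == "__main__":
    result = report_to_detection(REPORT, SAMPLE_EVENTS)
    print(result["query"])
    print(f"{len(result['hits'])} real hits, {len(result['simulated'])} simulated alerts")
```

Keeping the `simulated: True` tag on synthetic alerts matters: it lets the training set be audited later and lets a real hit on the same indicator be distinguished from the rehearsal data that taught the model to expect it.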

Continuing the Journey

This is the second post in a series where we’ll be discussing how Arcanna enables exceptional outcomes for our growing customer base. Our first post talked about the importance of Trust in AI for the SOC and introduced a video where we discussed how we see the market reacting to all of the GenAI buzz arriving at dizzying speed. This post went a bit deeper into use cases we’ve seen and built with customers as they deploy Arcanna into some of their most important workflows. Going forward, we’ll be announcing major new functionality coming to our platform, so be sure to follow along!

Get Started Today

If you’re looking to get started on your own, we’ve made Arcanna easy to use in your AWS ecosystem by releasing an AWS Marketplace offering. However, if you’d like to get a deeper demo, reach out to our founding team today!