Product
Company
Success stories
Resources
Try Arcanna
Book a Meeting

Trustworthy AI In the SOC

TL;DR: AI's time is now, but it's not just "AI Agent All the things“

Most SOCs are drowning in alerts. Every vendor has their own opinion of what's important, and security teams are stretched thin doing too many things at once. Even if headcount budgets magically expanded, there simply aren't enough professionals with the right training waiting to join your team. Meanwhile, the volume and creativity of attacks keeps increasing, and the need to respond in seconds—not minutes—becomes increasingly critical.

The Ideal vs. Reality

In an ideal world, your smart, capable teammates would have unlimited time to review every alert, enrich it properly, correlate it with other alerts, and determine the right disposition and priority. When knowledge gaps emerge, they'd ping colleagues through conversation or hand alerts off to reach the right conclusion based on available facts and collective knowledge.

But that's fantasy. In reality, alerts flood in while attackers move faster than ever, forcing you to accelerate as well. You need the precision and collaborative nature of manual analysis, but at a speed that NO SOC can (or should) manually handle.

Current SOAR tools work well when you have time to build playbooks, understand exactly what needs to be done, and have dedicated resources for maintenance. But keeping them updated with evolving knowledge is time-consuming and fickle. We clearly need more capable technology that adapts and evolves with you. What’s less clear is what that actually looks like.

"Agents to the Rescue?" - The Hype vs. Reality

For every complex problem there is an answer that is clear, simple, and wrong.

- H. L. Mencken

Nearly every vendor in this space is hyping AI Agents as the solution—autonomous swarms of "GenAI goodness" that supposedly ingest every alert and automatically handle 90%+ of them as effectively as humans or conventional automation. And if they make mistakes, analysts can supposedly provide natural language feedback to correct future behavior.

It's a compelling story with an attractive value proposition, but it glosses over several critical issues.

The Power of Local Knowledge

Let’s step away from cybersecurity for a moment. Imagine you’re in a self-driving car stuck in traffic at a railroad crossing between you and your destination. The only alternative route has a "No Outlet" sign, so the car won’t consider it. Without local knowledge, you and all the other cars would wait for upwards of 10 minutes until traffic cleared. But if you could tell the car that the "No Outlet" route actually does connect, you'd make the right decision and save valuable time (especially if there’s a bunch of cars stuck in the same situation).

The Consistency Problem

Now suppose you can tell your GenAI-enabled car about the shortcut. Great—you've bypassed the issue this time. But will it "remember" this trick next time? What about the fiftieth time? And what if it incorrectly applies this knowledge in another town where the "No Outlet" route truly is impassable?

Now imagine that each car was an alert, the "No Outlet" local knowledge is something like “an IT Engineer rm -rf ing a bunch of files and directories isn’t concerning”, and the 10+ minutes wasted per car is actually the time it takes for someone in your SOC to realize the alert’s a false positive that was incorrectly escalated. However, if the same behavior is coming from the CEO’s machine, that’s very interesting and should be escalated! Will the Agent catch that critical difference every time and make the right decisions?

A Need for Speed

While Generative AI can provide rapid answers for simple queries, its response time increases with greater complexity and flexibility. Deploying multiple Agents in a series only compounds that processing time. As attackers accelerate their operations, slower systems aren't the answer.

The Control Deficit

As a former practitioner with extensive experience in threat hunting and alert triage across numerous enterprise networks, I strongly advocate for understanding what your tools are doing and how to fix things when they go wrong.

While Agents can describe their actions and attempt to explain their reasoning, there's no reliable way to:

  • Revert what they've learned to a previous state
  • Understand their confidence levels (and why)
  • Know that your feedback will have the intended effect

Couple these limitations with risks of sensitive data leaks and inadequate data sanitization, and the proposition becomes concerning.

The Cost Factor

GPUs aren't cheap, and realistically, many alerts don't require GPU capabilities (or GenAI) to determine whether or not they're concerning. Running everything through that resource-intensive path is wasteful.

The Integration Challenge

Many Agent-based systems aim to “rip and replace” existing technology, forcing already overburdened teams to learn entirely new screens and workflows at a time when attackers are moving faster than ever.

Why Arcanna's Approach Is Different (and Why We Think It’s Right)

In our view, AI Agents are part of the solution, not the entire solution. They are great for ease of use, summarization, and workflows that benefit from flexibility and creativity. But their challenges are significant, which is why we believe our Decision Models are a necessary part of a fast, trustworthy, cost-effective solution.

Arcanna's Decision Models allow your SOC to easily build and train Deep Learning-based Convolutional Neural Network models that:

  • Encode your team's security and institutional knowledge
  • Provide AI flexibility without unpredictability
  • Return answers in less than 15 seconds
  • Deploy on-prem or in your cloud
  • Offer confidence metrics, auditability, guardrails, and rollback capabilities
  • Run entirely on CPUs
  • Embed directly into your existing workflows

Proven Results

Enterprises and major MSSPs worldwide are already using Arcanna to dramatically reduce triage efforts, expand attack coverage without generating false positives, respond to critical alerts faster, maintain consistency among analysts and shifts, and (for MSSPs) onboard new customers in record time without increasing headcount.

The Journey’s Only Just Begun

This is the first post in a series where we’ll be discussing how Arcanna enables exceptional outcomes for our growing customer base. As we go forward we’ll be digging much deeper into the intersection of Arcanna and GenAI, as we believe that GenAI is a critical enabler for SOC transformation–when operationalized with trust built in. In fact, this very topic came up recently while discussing AI in the SOC, and we think it’s a great sneak peek of what’s to come from Arcanna!

Get Started Today

If you’re looking to get started on your own, we’ve made Arcanna easy to use in your AWS ecosystem by releasing an AWS Marketplace offering. However, if you’d like to get a deeper demo, reach out to our founding team today!

David Pearson
June 12, 2025

Discover more

Read more blog posts

This Website uses cookies. See Details.

OK
Product
Company
Resources
Legal
© • Arcanna.ai • All rights reserved