What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
Agentic SecOps That Works
If your SOC is buried under alert noise, another flashy AI demo won’t save you. We go deeper into what actually works: starting with data strategy and detection quality so automation has real signal to work with, not chaos to summarize. Our guest CEO and Founder Karthik Kannan from Anvilogic explains what “agentic SecOps” looks like in practice, from data onboarding and normalization to detection engineering, hunting, triage, investigation, and the integrations that move outcomes into your ticketing or case management systems.
We talk through why many AI security operations tools jump straight to alert triage and why that can turn into a band-aid. The more durable path is end-to-end context: knowing exactly which data sources fed a detection, what logic fired, and how the alert was produced. That lineage supports higher accuracy, cleaner investigations, and consistent mapping to frameworks like MITRE ATT&CK. We also dig into "show your work" explainability, why black-box answers stall adoption, and how a decision trace helps teams build trust step by step.
On the architecture side, we explore federated security operations across the tools enterprises already run, including Splunk, Microsoft Sentinel, Snowflake, and Databricks. Instead of forcing every byte into a monolithic SIEM, federated queries and data lake strategies let teams correlate where the data lives while controlling cost and complexity. We close with a grounded take on whether AI replaces security analysts and why the real win is reducing burnout and up-leveling people into higher judgment work.
If this helped you rethink SOC automation, subscribe, share the episode with your team, and leave a review with the biggest bottleneck you want AI to tackle next.
More at https://linktr.ee/EvanKirstel
Welcome And Guest Introduction
SPEAKER_01: Hey everyone, really excited for this conversation today to dig into where AI security is actually delivering value in security operations, with a true innovator and expert in the field at Anvilogic.
SPEAKER_00: Good. Nice to meet you, Evan, and thanks for having me on the show.
SPEAKER_01: Really excited to chat. So much is happening in this area that I'm really excited to tap into your expertise.
Anvilogic And Agentic SecOps
SPEAKER_01: Before that, how would you describe Anvilogic and the journey and the mission you're on?
SPEAKER_00: Again, thank you for having me. Anvilogic is a seven-year-old company. We've been building an agentic SecOps platform. And that's exactly what we do: with AI, automate the core SOC functions that enterprise SOCs do, such as data onboarding, detection engineering, hunting, triage, investigation, and any sort of ecosystem integrations, such as sending all of this enrichment down to a ticketing system or a case management system, whatnot. So effectively, today what we sell to large enterprises is our agentic SecOps platform that automates key functions that they do daily.
Why AI SecOps Starts With Data
SPEAKER_01: You recently said that the AI SOC story should really start with detection quality, not the flashy demos of AI that we see so much. Why do so many vendors seem to skip that part?
SPEAKER_00: Yeah, that's a great question, and it is an important aspect of what we do. In terms of the completeness of a platform, the key functions start even further left of detections. They start with effective data management, such as identifying data sources where they may sit, which may be anywhere in the enterprise, and having an effective strategy to onboard such data for detections, which means having a framework for how the data is going to be standardized, normalized, stored, described, enriched, and whatnot. And then from there, you get into the detection engineering lifecycle, which is identifying what sort of detections that particular organization needs vis-a-vis the data sources that they have, and continuously validating and tuning such detections, and being able to allow the user to kind of interoperate in the changing dynamics of their landscape, the threat landscape, the data sources that are available to them, and whatnot.
The Trap Of LLM Alert Band Aids
SPEAKER_00: And then you get to the alert triage and investigation phase, and this is where you see a lot of organizations start to jump in, because it is the easiest place to get plugged into. Once all of the hard work is done and alerts are coming out, albeit alerts can get noisy, it is easy to plug in a shim layer at that point and say, give me all of your alerts, and I'll pass them on to an LLM to get me some enriched information back and then help you cull down the alerts. That's a band-aid approach. Sometimes band-aids are important, and some environments do require that, but that's the easy place to begin. You haven't solved the fundamental problem, which is an ineffective alert strategy, noisy alerts, and, you know, perhaps even gaps in data and detections you don't have. All of those problems are not solved by just inserting LLM-wrapping solutions at the alert triage phase. So, like I said, band-aids are to be used when you have to staunch some sort of bleeding, but you really need to solve the problem further ahead. So that's how we envision and deploy: start with a firm data strategy and then a detection strategy, and then the rest will follow much, much easier, which we do too, right? We have to close the loop, but just beginning here and starting here and only staying here isn't sufficient.
Reaching 98 Percent Triage Accuracy
SPEAKER_01: Well, given your medical analogy here, I like that. I think triage is kind of the word of the day, and certainly when it comes to alert noise, that is a problem. You actually claim a 98% accuracy and reduction in that alert noise. That's kind of amazing to hear. Tell me more about that and what your customers are seeing in action and in actuality.
SPEAKER_00: Yeah, yeah, sure. That is one of our more popular use cases for our AI workflow automation: the investigations phase. So typically what happens in an enterprise is you have alerts coming from various places, and those alerts need a lot of contextualization, they need a lot of enrichment, because the alert as a standalone entity isn't sufficient. This is where the human beings come in, the L1, L2 analysts. They spend a lot of time looking up that alert and trying to correlate it with the other identifying information and building a whole context around it. And then they figure out what to do if it truly were looking like a true positive incident. And there's a bunch of playbooks that they have to either write or use from institutional knowledge and practices, and that's what the process is all about, and that's why it's so heavily manual and it's impossible to triage and then investigate hundreds, if not thousands, of such alerts coming in daily. So this is where we kind of shift left and say the reason why we get to a 98% accuracy is because we are able to achieve the full context from the beginning to the end, not just start where someone else left off, which is the alert phase, but go all the way back to say the data was this, and the detections that ran on the data were like this. Therefore, I understand the alerts a lot better because I have the full context. So our enrichment begins right at the data phase. How we describe the data, how we normalize it, how we store it in an ETL'd, normalized form, and then the detections that play on top of it: every stage of it is enriched, every stage of it is labeled with the right MITRE ATT&CK technique or tactic. It is fully labeled. And therefore, by the time we come to the alert phase, we know what data corresponding to what detections ticked off that alert in the first place. So half the job is already done. So we have a greater accuracy because we don't have to go figure out where this alert came from. We already know the history of it. So that's why we are more successful and have a high rate of success in terms of accuracy.
SPEAKER_01: That's really interesting.
SPEAKER_01That's really interesting.
Explainability And Decision Trace
SPEAKER_01: I think you used the term explainability in your focus there. I found that interesting. Why is that "show your work" kind of becoming such a critical requirement?
SPEAKER_00: Yeah, if we listened to our teachers, we'd know that, right? Show your work at all times. That's exactly what we do. No one wants to trust a black box. It takes a long time. I mean, if you sit in a self-driving car, for instance, I have a self-driving car, and I've practically turned off everything except lane assist, which is lane drift detection. Because I don't quite trust it yet. But I slowly turn things on, right? And that's exactly the mode that we want to be in with our platform too. So I don't want a black-box answer saying this one's good and this one's bad. Every step of the way, we have paragraphs of text that explain what happened there. So the full context is explained. If there is a detection we ask that you deploy, we explain why. And we also explain what data sources get you what level of efficacy in this detection version versus this detection version. If you added one more data source, we could up-level you to this detection, which tells you a bit more. So every step of the way the human being feels like they understand why something is happening. And that is, you know, sometimes what we call a decision trace. It's essentially knowing the rationale behind an action is as important as the action itself. This is where we start to capture the institutional knowledge that exists in an enterprise, because the best of your enterprise SOC's work is done by the best of people who know the context, who know the environment, and who had the experience of being there. And that's what we need to capture in our systems. So when an action happens, we need to know why, as much as we need to know what the action was. So we encapsulate all of that. And that is the explainability that is really important. At one point, when the efficacy of the system has been proven, there will be more trust, and people will turn on more.
Human In The Loop Trust Building
SPEAKER_00: So even in our newer AI workflow automation capability that we've called blueprints, what we do is we have a step that you can insert anytime called the human-in-the-loop step, which is after n number of things that we do, you can insert that step right there, and it'll say, unless and until the human being has inspected and validated and verified and given you the green signal, you shall not proceed to the next set of steps. So that, you know, is important. And just plugging in a human in the loop without context isn't useful either. You've got to give them the explainability and the transparency behind actions, and then plug the human in. And over time, let people gain trust to say, I don't need so many human-in-the-loop steps. Maybe just here and here will do. That's where we want to get to.
SPEAKER_01: Fascinating.
Federated SecOps Across Data Silos
SPEAKER_01: And speaking of humans, I mean, security teams today are juggling so much. Maybe they have 40 browser tabs open. They've already got Splunk and Sentinel, Databricks and Snowflake tabs open. That's, you know, a lot of fragmentation problems. One of the top problems you're hearing from CISOs, that's one of them, but one of the others that you're trying to help with?
SPEAKER_00: Yep. Now you hit the nail on the head with those technologies, by the way; those are what dominate the environment today. We see a lot of Splunk, a lot of Sentinel, and a lot of Snowflake and Databricks. So the data lies everywhere. What we've said right from the beginning of our company was the vision was to have a federated approach to security operations. So we took this approach: the old legacy world was bring all your data into one place and then we can build on top of that. That's just an impossible thing. And it never happened. People thought it happened and they put a lot of data in, but there was still what we call a lot of dark data sitting out there that no one was working with. But today, what we are saying is, look, it's a federated approach. Leave the data where it is, and we can push our federated queries and therefore build detections and correlate there. You don't need to move a lot of expensive data against the laws of physics into some place just so you can run a query on it. We can be very federated about this approach. So we see a lot of enterprises, particularly large enterprises, move in the direction of leaving data where it is or implementing a data lake strategy, where it is much more cost-effective, much more elastic, much more open to running other workloads on. They're kind of divesting away from the legacy SIEM approaches to the more federated approaches, which suits our platform capabilities as well as our vision. And so that's how I imagine the world will continue to be.
SPEAKER_01: Amazing.
How The SOC Is Evolving
SPEAKER_01: So you've spent three decades or so in security analytics. That's quite a journey. How does your SOC today differ from that of two, three years ago? And maybe you can then talk about what it'll be in another two or three years. Things are moving at such speed, it's really incredible.
SPEAKER_00: Yeah, yeah. That's a great question. For the longest time, I think for about 15 years, the SOC core remained the SIEM, and it still does. But that SIEM was very, very monolithic in nature, right? And that meant you move all the data into one place, and then you have proprietary languages to query, you have proprietary formats of data that sit on top. And the whole thing is legacy, therefore, from today's perspective, and very, very proprietary and monolithic. In the first wave, a couple of years ago, we started to show the industry that you don't need to do that. You can, in fact, have a data lake strategy where some of your newer cloud data that you were not putting in your legacy systems could go, and someone like an Anvilogic can unify and correlate across both of these. So we started to create validation in the industry that your legacy can be augmented by a data lake, creating a hybrid strategy. That was the first wave of transformation. And now the second wave of transformation has begun, where large enterprises are, you know, subscribing to this and either hybridizing or completely leapfrogging to the new data lake world, which is great. Now that's happening in one dimension. The second dimension that has started to happen in the last couple of years is how you apply AI to the usability. Now, all of this is infrastructure, which is important, but then there is the usability dimension, which is where AI has come in, where it has helped human operations be automated, and at a rate at which humans will never be able to keep up, and that's how AI works, but it is going through its steps of gaining trust. And that's why all of this explainability and human in the loop and applying AI to a function at a time, rather than saying your whole SOC has been AI-fied. We're saying no, your data management has certain AI workflows, and here's, in our parlance, a blueprint to automate data onboarding. And here's everything it does, and that's use case number one. Use case number two, let's now get your detections automated. Here's how a blueprint for that could work. And it could be rolling out new detections or doing continuous detection validation, whatever it is. And then use case number three would be, how do you triage and investigate it now? Let's automate that workflow. And that's kind of the approach we've taken. So I see this as the third wave of disruption to that traditional SOC architecture. But it's happening in two dimensions. One dimension is the infrastructure dimension, which is transforming from that monolithic proprietary state to a more open data lake state. And the second dimension is the usability dimension, which is AI automating specific workflows. And to do that, you need to be an expert in the industry. Otherwise, you don't know what the workflow is and you cannot automate it.
SPEAKER_01: Oh, really well said.
Will AI Replace Security Analysts
SPEAKER_01: So there's a lot of media stories these days about AI replacing analysts or replacing lots of people. I think it's overblown. But what's your take on AI replacing people, on the human equation and really genuinely helping security teams?
SPEAKER_00: Yeah, I think there's partial truth to that, Evan. I think it's often overblown. And in a lot of industries, including in security, people kind of use that sort of, you know, analogy to automation, from the Industrial Revolution to other places to now, pretty loosely. I go back to knowing the domain and the workflows of that domain, the ontology of that domain, essentially knowing security entity relationships and the local environment, is fundamental before you can automate anything. And a product like ours that has been there and drawn a lot of data gravity to it, from which to learn and then augment with LLMs, is what it takes to automate. But having said that, there is some truth too: yes, we can automate, and we have shown automation of real human mundane tasks so that those L1-type analysts, sometimes even L2-type analysts, can move up to L3 and L4 and do better work. So it is essentially making organizations more efficient and hiring people at greater and higher levels, where personally their job satisfaction is a lot better. If you look at the average industry, the churn at L1, L2 and the burnout is so high that they're losing productivity anyway. By the time they train an L1 analyst, or even an L2 sometimes, it's 12 months, and then in 18 months they burn out and move on elsewhere, and then you get the new wave of people. It's just impossible. That's the sort of thing that shouldn't happen. That's where AI and automation can really play a good role: to keep the institutional memory and practices and the learnings and continue to grow. It's never going to go away. It's never gonna get burnt out. Move your people up the stack so they get more intelligent work done rather than mundane data wrangling and, you know, detection building and tuning and learning new proprietary languages of new data lakes and whatnot. Leave all that to the machine. So I think there is some truth that some human analyst positions are going to be up-leveled and therefore will not be done by humans anymore. It's like, you know, spray painting cars on an industrial assembly line in the car manufacturing industry. I mean, who wants to do that anyway, right? That's the sort of thing we are considering here in security analytics as well, is happening. So an element of truth is certainly there, but is it also being overblown to "all jobs are being taken by AI"? Honestly, no.
SPEAKER_01: Yeah, really great insight.
Product Roadmap And Blueprint Automation
SPEAKER_01: And, you know, talk about, to the degree you can, your roadmap. Where are you investing, innovating? Anything you could share over the next year or so?
SPEAKER_00: Absolutely. Again, I think I will draw the focus back to those two axes. I think it is important for us to continue to stay on course with the federated approach as well as the AI usability and workflow automation approach. So our roadmap involves both: more platforms to support, more AI workflows to automate. And the AI workflow automation we've trademarked as what we call blueprints, and that's what we announced recently, you know, and we're gonna do some more announcements on that coming up very soon. So we're putting all of our investments into AI workflow automation. And that is the future of agentic SecOps: to be able to automate core SOC functions with extreme knowledge of that domain and data pertinent to that domain in the local environment, and that's our future. That's what we continue to do. Agentic SecOps, everything.
SPEAKER_01: Brilliant.
Events And Final Takeaways
SPEAKER_01: And where can folks meet you or the team? Got some industry events still happening despite the summer and the like coming up in a couple of months. Where will you and the team be?
SPEAKER_00: Yeah, we are at the Gartner IT and risk and security symposium, or risk and security conference summit, I think it's called, in Maryland, coming up in a week, first week of June. We will also be at the Snowflake Summit and the Databricks Summits, all happening in June. And then at Black Hat, of course, early August. And we've got some announcements to make all through this time in the summer. So the summer is a heavy work period for us.
SPEAKER_01: No rest for the weary. Well, congratulations on all the work. It's much needed, incredibly important work for all of us. So we're rooting for you, onwards and upwards.
SPEAKER_00: Thank you so much, Evan. Really a pleasure here.
SPEAKER_01: Thanks, Karthik. And thanks everyone for listening, watching. Also check out the TV show, techimpact.tv on Bloomberg Television and Fox Business. Thanks, everyone. Thanks, Karthik.
SPEAKER_00: Thank you, Evan.