Our Mission: Eliminate the Role of SOC Analyst
I had the pleasure of going through some brand and positioning workshops in a prior role at another company with Andy Cunningham, marketing leader under Steve Jobs at Apple during the “Think Different” campaign and author of Get to Aha!
Andy says all companies are primarily one of the following company genotypes:
- Mother (focused on caring for their customers)
- Mechanic (focused on having the best features)
- Missionary (focused on changing the world)
It’s still too early to tell exactly which genotype Wirespeed is. We definitely see elements of all three:
- We care deeply about our customers. We want them to be safe. This is how we are “mother.”
- We also have very strong opinions about the technically-superior way to accomplish detection & response at scale. We iterate on features and have big plans to keep iterating and add more. This is how we are “mechanic.”
- We definitely want to change some specific behaviors throughout the entire cybersecurity industry, which is our “missionary” side peeking through.
The focus of this post is our “missionary” genotype characteristics. We may not want to change the world the way Steve Jobs did with the iPod or iPhone, but we do want to radically change our little corner of the world in cyber. This has always been Wirespeed’s goal, but now that we’re actually doing it for customers (and they love it), we have the confidence to say it out loud: our mission is to eliminate the role of SOC Analyst.
I admit, I was hesitant to say it boldly. I’d say it to friends, advisors, prospects, and customers, but not to the world at large. I knew how I would perceive such a statement if I wasn’t actively doing it myself: it would feel like yet another shill for AI (which is the opposite of what Wirespeed is), or some sort of half-baked alert-factory pass-through, “PagerDuty as a Service” fake approach, or it would just flat out sound impossible. As we began the journey of building and launching Wirespeed, I consulted many, many smart people and asked them if it was crazy to want to completely automate Managed Detection & Response (MDR), doing the work traditionally performed only by humans. Not one person told me it was a crazy idea. That was long before the half dozen (probably dozen-plus by the time you read this) AI startups, most of whose founders have no SOC experience whatsoever and are just trying to use foundation LLMs with a little RAG augmentation to capture a piece of the AI gold rush, with lackluster, slow, expensive, and unreliable results; worse, they’re not even close to removing the human from the process.
What we’re not going to eliminate
We’re not out to eliminate the great people who do SOC work today. We love SOC Analysts, especially SOC Analysts at MSSPs. Most of the smartest people in cybersecurity spent time in SOC roles! We just want to see this talent transition into more strategic roles, like threat hunting, incident response, and security engineering. We even have plans to help them with that. (Stay tuned!) We envision a world without people doing SOC Analyst work, and we want to make that a reality. And no, this doesn’t mean we’re just “automating level 1 SOC.” We do both Level 1 and Level 2, from triage to response, only escalating in situations that require true incident response expertise.
Six Reasons Why We Want to Eliminate the Role of SOC Analyst
1. Because Humans Can’t Keep Up with Both Adversaries and the Scale of Telemetry
The data shows that adversaries are faster than ever, and alert telemetry volumes everywhere are growing exponentially as more and more systems are instrumented and cloud/SaaS adoption skyrockets, resulting in “alert fatigue” (dock me one buzzword demerit for that). If you’ve been in cyber more than five minutes, you’ve heard of the “millions of unfilled cyber roles” (okay, dock me two demerits now). Whether that number is true or not, we can certainly help solve the staffing problem by re-allocating people into roles where their talent is most impactful: moving detection engineering talent from enterprises and service providers into product companies, where more organizations benefit per engineer, and fully automating the SOC so people working analyst roles can take on other cyber jobs.
2. Because in Many Cases, the Humans Aren’t Doing Much
Many outsourced and managed SOCs, sadly, have become notorious for simply forwarding alerts to their customers with little to no context and calling that “response.” In those cases, the humans can easily be replaced, because they’re hardly doing anything at all! But those outsourced SOCs are not the standard we want Wirespeed to be measured by. We will exceed them in every way, especially user experience.
For many types of alerts there is a real reason for that: the only way to reach a verdict is to ask other people in your organization what happened. So many people in cyber, and in tech more generally, are introverted. They don’t want to pick up a phone and call an end user to ask if they just logged in from some random location. And this problem works both ways: neither the SOC analyst wants to reach out to the victim user, nor does the MDR customer who receives the escalation! If they have 17 things to do that day, and one of them is to confirm with Jane Doe that she just logged in from a place 1,000 miles away from her routine, odds are high the other 16 things will happen first, even if Jane Doe is an accountant and simple BEC (business email compromise) damages cost 50x more than ransomware!
At Wirespeed, we take a totally different approach: we do as much of that work as we can ourselves. For example, we break the fourth wall of cybersecurity and talk to your users, so we can learn what really happened in a case. Because we do it in an automated way over Slack, Teams, or email, neither the “SOC Analyst” side nor the security contact at your organization has to get past their introversion before a good response decision can be made quickly.
For many of these MSSPs, the problem is that they, too, are swamped with alerts, and they feel intense pressure to compete against other MSSPs by lowering prices. When they drop prices, they can’t spend as much on labor, so the most common business strategy these MSSPs adopt is to hire very junior, under-skilled talent locally, or to hire more senior personnel offshore at favorable cost-of-living exchange rates. Wirespeed is already quickly becoming “the MDR’s MDR” by drastically lowering the price of SOC triage and response through automation, so the MSSP can focus its payroll on higher-order tasks, like:
- executing proper incident response when a confirmed incident happens
- guiding the complete remediation of security engineering problems that are discovered after alerts are triaged
- proactive threat hunting (MSSPs often tell their customers they’ll do this, but struggle to find the time)
- and bespoke detection engineering — which should be done sparingly, but for unique line-of-business applications and assets, this can be super valuable
3. Because One Solution Solves Many Instances of the Same Problem
One-to-many is the ultimate goal for many types of problems. In Security Operations, having one human look at one alert and create one verdict for it doesn’t scale when an organization generates thousands of alerts monthly. Instead, treating a set of problems as a class of problems allows for a more effective response. Despite what many cybersecurity vendors tell you, cybersecurity isn’t actually all that complex, and you shouldn’t want to invent new ways or processes to address every alert that happens.
This is our goal: to convert security operations from an analyst problem into an engineering problem. We used decades of expertise to build a taxonomy, a data model (not an AI model), and a decision tree that encapsulate the best knowledge for how to handle detections. We solve each class of detection once, in the abstract, as a reusable algorithm. Once built, the algorithm can serve millions of alerts, and the little upkeep and tuning it needs is mostly on its inputs rather than its outputs. This is how we (the “cyber we”) win, and how we get ahead of BEC and ransomware.
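To make the paragraph above concrete, and the user-confirmation step described under reason #2, here is an added example written for this edit. It is not Wirespeed’s code, taxonomy, or data model: it is a toy decision tree for one alert class (a successful sign-in from an unusual location) in which the user’s own answer, gathered automatically over chat or email, is just one more input, and a confirmed trip tunes the inputs (the user’s known locations) rather than the tree. Every field name, threshold (a 100 km “usual” radius, a 900 km/h impossible-travel speed), verdict label, coordinate, and sample alert is an assumption constructed for the illustration.

```python
"""Toy deterministic decision tree for one alert class: a successful sign-in from an
unusual location. Same inputs always give the same verdict; the user's answer is one
more input. Field names, thresholds and sample alerts are assumptions for this example."""
import math
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

KNOWN_LOCATION_RADIUS_KM = 100.0  # assumption: this close to a known spot is "usual"
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: faster than an airliner is impossible

class Verdict(Enum):
    NON_ACTIONABLE = "non-actionable"  # dismissed automatically, nobody paged
    ASK_USER = "ask-user"              # tree needs the user's answer first
    CONTAINED = "contained"            # automatic containment, e.g. revoke sessions
    ESCALATE = "escalate"              # contain and hand to incident response

@dataclass
class SignInAlert:
    user: str
    coords: tuple           # (lat, lon) of this sign-in
    at: datetime
    succeeded: bool
    mfa_passed: bool
    inbox_rule_created: bool = False        # mailbox rule right after sign-in, a BEC tell
    user_confirmed: Optional[bool] = None   # None until the user has been asked

@dataclass
class UserProfile:
    known_coords: list      # places this user normally signs in from
    last_coords: tuple
    last_seen: datetime

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def is_usual_location(alert, profile):
    return any(km_between(alert.coords, k) <= KNOWN_LOCATION_RADIUS_KM
               for k in profile.known_coords)

def is_impossible_travel(alert, profile):
    hours = (alert.at - profile.last_seen).total_seconds() / 3600.0
    return hours <= 0 or km_between(alert.coords, profile.last_coords) / hours > MAX_PLAUSIBLE_SPEED_KMH

def triage_unusual_signin(alert, profile):
    if not alert.succeeded:
        return Verdict.NON_ACTIONABLE   # the adversary got nothing
    if is_usual_location(alert, profile):
        return Verdict.NON_ACTIONABLE   # not unusual for this user
    if alert.inbox_rule_created:
        return Verdict.CONTAINED        # new place plus mailbox rule: act, don't ask
    if not is_impossible_travel(alert, profile) and alert.mfa_passed:
        return Verdict.NON_ACTIONABLE   # plausible trip and second factor passed
    if alert.user_confirmed is None:
        return Verdict.ASK_USER         # impossible travel or no MFA: ask the user
    if alert.user_confirmed:
        return Verdict.NON_ACTIONABLE   # it really was her
    if alert.mfa_passed:
        return Verdict.ESCALATE         # she says no yet MFA passed: likely token theft
    return Verdict.CONTAINED

def learn_from_answer(alert, profile):
    """Tune the inputs, not the tree: a confirmed trip becomes a known location."""
    if alert.user_confirmed and not is_usual_location(alert, profile):
        profile.known_coords.append(alert.coords)
    return profile

def triage_batch(alerts, profiles):
    """One algorithm over many alerts; returns a count per verdict."""
    counts = {v.value: 0 for v in Verdict}
    for a in alerts:
        counts[triage_unusual_signin(a, profiles[a.user]).value] += 1
    return counts

# Constructed sample data: Jane normally signs in from New York.
NYC, NEWARK, LONDON = (40.71, -74.01), (40.74, -74.17), (51.51, -0.13)
T0 = datetime(2024, 5, 1, 9, 0)
JANE = UserProfile(known_coords=[NYC], last_coords=NYC, last_seen=T0)
H1, H48 = T0 + timedelta(hours=1), T0 + timedelta(hours=48)
SAMPLE_ALERTS = [
    SignInAlert("jane", LONDON, H1, succeeded=False, mfa_passed=False),
    SignInAlert("jane", NEWARK, H1, succeeded=True, mfa_passed=True),
    SignInAlert("jane", LONDON, H1, succeeded=True, mfa_passed=True),
    SignInAlert("jane", LONDON, H1, succeeded=True, mfa_passed=True, user_confirmed=False),
    SignInAlert("jane", LONDON, H1, succeeded=True, mfa_passed=False, user_confirmed=False),
    SignInAlert("jane", LONDON, H48, succeeded=True, mfa_passed=True),
    SignInAlert("jane", LONDON, H48, succeeded=True, mfa_passed=True, inbox_rule_created=True),
]

def demo_learning():
    """The same unanswered alert before and after Jane's 'yes' has been learned."""
    profile = UserProfile(known_coords=[NYC], last_coords=NYC, last_seen=T0)
    unasked = SAMPLE_ALERTS[2]
    before = triage_unusual_signin(unasked, profile).value
    learn_from_answer(replace(unasked, user_confirmed=True), profile)
    return before, triage_unusual_signin(unasked, profile).value
```

Over the seven constructed alerts, `triage_batch` returns three non-actionable, one ask-user, two contained and one escalate, and `demo_learning` shows the same London sign-in going from “ask the user” to “non-actionable” once Jane’s answer has been recorded as a known location. Note that the tree itself never changes per case, and the same alert always produces the same verdict, which is the repeatability reason #5 below contrasts with LLM-based triage.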
Similarly, we would like to see fewer detection engineers in enterprises and MSSPs, with more detection problems solved one-to-many via purpose-built detection products. We’re helping our customers do that by cutting their MDR costs so low that they can redirect budget toward better detection products, better detection coverage, and an even better overall outcome.
4. Because Human-led MDR Doesn’t Scale Downmarket to SMBs Well
Economies need the smallest of businesses just as much as they need the super-large enterprises (and I’ve worked at both). At the super-large scale, internal SOCs are justifiable. At the medium scale, internal SOCs really aren’t (although some organizations try); outsourcing is the only way to go. Human-led MDR farther down-market is a relatively new concept, only a few years old. Early indicators show that the most successful providers in that category aren’t profitable, which means that someday (perhaps post-IPO) they will either have to do less work for the same money or raise their prices on an SMB customer base that often struggles to justify the expense.
To put it bluntly: to properly protect the smaller businesses critical for the economy, there has to be a scale of automated delivery well beyond what anyone has delivered to date. The cool part is: an automated MDR solution can scale the entire market segment, from small to large. Really, this is just reason #3 above (solving SecOps problems one-to-many), but in market terms.
5. Because Other Tools (ahem, AI) Aren’t Helping Enough
If you say you are going to automate the SOC in 2024, the most common response is to assume that means generative AI. Gen AI is not predictable, repeatable, or transparent, yet there are at least 7 AI SecOps startups in our space, racing to the AI gold rush that got big in 2023. Companies are adopting, and will certainly continue to adopt, Security Operations solutions that involve LLMs triaging detections, but it’s a GIANT MISTAKE. Mark our words: there will be companies that get ransomware because an LLM triaged an alert during a hallucination, dismissing the signal that an adversary was inside the company, escalating privileges and staging for the lockout. It’s going to happen. Don’t let it happen to you.
The other problem with AI SecOps tools is that they don’t claim to replace the human. Instead, they only “augment” or “reduce the impact on the humans by up to 90%.” Some of them just say “you can finally triage all of your alerts,” implying that alerts under your historical radar can now be reviewed by the AI agent on your behalf.
(Side note: why is it always 90%? That’s an awfully specific and yet whole number. Very suspect! Also, in a past role at a large MSSP with hundreds of enterprise customers, my team and I reduced the workload on the human SOC Analysts by roughly that same 90% with commercial SOAR products … which Gartner says is now a dead category … so to all the AI SecOps companies out there: your pitch isn’t compelling enough!)
My LinkedIn feed is full of developers complaining about how AI dev tools bury defects deep in the details of AI-generated code, while executives tout statistics on AI-generated code that developers say is “really just fancy auto-complete.” The same is true of SOC Analysts using AI tools that have a stochastic moment and fail subtly and catastrophically. It’s always in the back of your mind: what are you missing? The trust simply isn’t there. It may be nice to ask the LLM to generate a query for a SIEM, but if you don’t trust it, you’ll end up spending just as much time double-checking the query syntax to make sure it really did get the negative result it claims.
If these AI SecOps tools are so effective, where are the mass layoffs of SOC Analysts at large MSSPs, some of which have built their own complex models? Has their hiring rate even gone flat while their revenue continues to climb? The answer is: there is no evidence that supports this whatsoever.
6. Because We Are Doing It Already!
The last and most important reason is simple: we are ALREADY DOING IT. That’s right. This isn’t theoretical. It’s working right now while you read this! We have paying customers, some of whom switched from big MSSP/MDR providers, dissatisfied that those providers never learned their organization, escalated poorly, and described alerts confusingly, with disorganized titles and categories. We don’t have any SOC Analysts on staff today, nor will we ever. We’ll always have software and security engineers, along with the most robust quality assurance methodology among all MDR providers (see our post on being the first to introduce AQL Quality Management to cyber), but we will never let ourselves solve a triage, response, or workflow problem by having a human perform a one-off manual touch on a case, because that breaks the one-to-many principle. We solve classes of problems once, at scale.
As I often say to Wirespeed customers: “we wrote an algorithm that works cases just like I would work the case.”
- We dismiss non-actionable alerts in milliseconds.
- We escalate with very clear verdicts and directions.
- We have granular, automatic containment options that protect you fast while leaving you in control.
- And our human random-sampling QA process validates everything end-to-end.
Want to see for yourself? Start a FREE TRIAL in 5 minutes and put us head-to-head against whatever you use for detection & response.