Calling in AI reinforcements for security teams - Our investment in Dropzone AI


There’s no space where reinforcements are as desperately needed as in security operations centers (SOCs). These teams are perpetually understaffed and face a barrage of alerts, each requiring a cumbersome manual investigation even though most will be false positives.

Dropzone AI is a team of AI and security experts building AI analysts that reinforce and expand the capabilities of SOC teams. We are thrilled to partner with them and lead their $16.85 million Series A round with support from Decibel Ventures, Pioneer Square Ventures, In-Q-Tel, and numerous security experts.

The pains of running a security operations center

Growing companies face increasing cybersecurity risk, customer scrutiny, and regulatory compliance burden. To deal with these, they procure detection tools to cover their attack surface: email, network, endpoints, cloud infrastructure, and so on. Each tool generates alerts; some reflect real attacks, but many are false positives. Companies then stand up their own security operations center (SOC) or contract with an outsourced one: a team of on-call analysts who triage and investigate alerts as they come in.

Any CISO will tell you it’s not easy to staff and manage a SOC. 

It’s expensive: running a 24/7 SOC requires at least five analysts, which is more than most companies under 5,000 employees can afford. Even with a sufficient budget, there are only ~5.5M security analysts today and an estimated shortage of ~4M. 67% of security organizations reported talent shortages, the top reason being “can’t find enough qualified talent.” Typical security analyst churn is north of 20%, and new hires face a steep learning curve as they learn an organization and all of its tools. Take all these factors together and imagine trying to staff a 24/7/365 global operation.

It’s clear why there are staffing challenges: it’s a hard and tedious job. Analysts work long shifts in which they look at dozens of near-identical alerts to determine which are real. They have to deal with fragmented tools and data, each with its own query language and product nuances. Nearly every analyst mentions alert fatigue and false-positive overload. The result is slow response times and true attacks that slip through the cracks, either because an alert was ignored or because an analyst wasn’t able to connect the dots.

This situation is only getting worse. Generative AI makes it much easier for anyone to launch attacks (e.g. sending personalized spear-phishing emails at scale). More attacks also mean more security tools, each generating a new set of alerts. The volume of alerts a SOC receives already grows every year, and that growth will only accelerate.

SOC automation, past and future

The first attempts to tackle these problems were Security Orchestration, Automation, and Response (SOAR) platforms, which emerged in the 2010s. Their rules-based automation playbooks are fundamentally limited. They can reliably automate simple, predetermined workflows, like “if there is an endpoint compromise alert from an executive’s device, isolate their account.” But they can’t automate the analysts’ actual investigatory work: each investigation requires a slightly different sequence of queries, a different evaluation of the evidence, and different manipulation of the data.

In recent years, “hyperautomation” platforms have promised to make SOAR more useful. They provide more integrations and low/no-code interfaces for building playbooks. They are indeed much more capable and user-friendly. But at their core they still rely on rules-based automation, and even with dozens of playbooks you can’t replicate the work of a human investigation.

But recent innovations in AI, particularly LLM agent systems, provide new capabilities that dramatically change what’s possible in security automation:

  1. Data extraction and manipulation: LLMs can learn each platform’s query language and data structures, operating like a subject-matter expert to query dozens of tools and parse their results.

  2. Interpretation and planning: LLMs can be trained to interpret results with common-sense security analysis. They can plan each step of an investigation and then make a final determination of whether a set of evidence is most likely malicious or benign.

Dropzone AI is the first truly AI-native SOC automation platform. Security teams don’t need to configure more rules-based playbooks. Instead, Dropzone AI analysts are integrated just like another member of the SOC team. They perform Tier 1 investigations on their own, escalating real issues for human review and closing benign ones. These virtual analysts can respond to threats in minutes, 24/7. They never get tired, and they don’t forget the context of previous alerts. And with feedback from human analysts, they continuously learn more about the organization, its systems, and investigation best practices.

Building autonomous AI systems is not easy, especially in security, where reliability is critical. It requires deep knowledge of AI, security operations, data, and UX. The Dropzone team brings expertise in all these areas from their time building AI products at ExtraHop. Their agents are deployed today, investigating alerts at multiple enterprises and MSSPs.

The impact of AI analysts

AI analysts will transform SOCs, for the first time allowing these teams to be proactive instead of reactive. They will address alerts faster and more accurately. The same team can cover a growing number of issues, 24/7, without staffing challenges. Human analysts can focus on more advanced analysis or proactive work instead of rote triage tasks.

Software systems are becoming increasingly sophisticated and interconnected. These systems have more capabilities, but also more noise, more data, more surface area, and more issues. Technical teams are already strained and will only get more so.

Fortunately, advances in LLMs mean that AI agents can work the way a human would. Traditional rules-based automation quickly hits its limits. But LLM-based automation can operate flexibly and learn, effectively becoming another member of the team.

Dropzone AI is one of the first companies to tackle this issue head-on. Instead of silencing the wave of new data, they look at all of it, using AI to handle the cognitive workload and freeing humans to focus on what matters most. It’s amazing to watch Dropzone’s agents in action, and we can’t wait to support Edward and the team as they transform security operations forever.

Chris Tillett

Product Management/Research and Development

1w

Congratulations!! I love what you are building.

Farhan Ahtisham

Exponential Technology | Reimann Studio

3w

I like the marketing behind this: calling in AI reinforcement for security teams. Looking forward to seeing how AI plays out in physical and cybersecurity in years to come.

Edward Wu

Founder/CEO at Dropzone AI

3w

Let's go.

Robbie Foley

Founding Engineer at Dropzone AI

3w

Woohoo!! Excited for the journey ahead 😊

Alex Burner

Founding Engineer at Dropzone AI

3w

Yeehaw, excited to be along for the ride!
