Risky Bulletin Podcast Summary
Episode: Dropzone AI on AI's Impact and Role for SOC Teams
Host: risky.biz
Guest: Edward Wu, Founder and CEO of DropZone AI
Release Date: April 27, 2025
Introduction
In this episode of Risky Bulletin, host Campano engages in an insightful conversation with Edward Wu, the founder and CEO of DropZone AI, a Seattle-based cybersecurity startup. DropZone AI is pioneering the use of large language models to enhance Security Operations Center (SOC) teams by automating alert triage and investigation processes. This discussion delves into how AI can transform cybersecurity operations, the functionalities of DropZone AI’s platform, future applications of AI in the infosec landscape, and the implications of AI on cybersecurity jobs.
DropZone AI: Revolutionizing SOC Operations
Edward Wu introduces DropZone AI as a venture aimed at alleviating the overwhelming volume of security alerts that SOC teams face daily. He explains:
“DropZone AI... leverages advancements in large language models to build essentially AI security analysts... our vision is to offload the initial triage and investigation of alerts from the security teams so the human defenders can focus on only the real threats as well as other critical projects." (00:19)
Edward’s motivation stems from his eight years at ExtraHop Networks, where he saw firsthand how excessive alert volume causes important signals to be overlooked. This led him to build a solution that both manages alert volume and improves the efficiency of the analysts who handle it.
Core Functionality: From Alerts to Actionable Insights
The core functionality of DropZone AI revolves around automating the triage and investigation of security alerts. Edward elaborates on the system’s capabilities:
“We build a system that can ingest security alerts as input. It will autonomously pivot across different security tools and data sources to gather relevant metadata and then ultimately within a couple minutes generate a decision-ready investigation report on whether each alert is a true positive or a false positive." (00:19)
DropZone AI operates by mimicking the investigative intuition of a human analyst. When an alert arrives, the AI forms hypotheses about its likely cause, works out which metadata would confirm or refute each hypothesis, and queries the relevant security tools to collect it. The loop repeats until the evidence supports a definite conclusion, which is then written up as an investigation report.
For example, on an abnormal-login alert the system might assess the source IP, evaluate its geolocation, check the authentication method used, and consult threat intelligence feeds before deciding whether the login is legitimate. Because only alerts with supporting evidence are escalated, the load on human analysts drops substantially.
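To make the hypothesis-driven loop above concrete, here is a small triage routine written for this summary (it is illustrative code, not Dropzone AI's product). It runs a constructed abnormal-login alert through a sequence of checks, with the geolocation, threat-intel and identity-provider lookups replaced by constructed in-memory tables, and stops as soon as the accumulated evidence is conclusive either way.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the tools an analyst (or the AI) pivots across:
# IP geolocation, a threat-intel feed, and the identity provider's user profile.
GEO = {"203.0.113.7": "RO", "198.51.100.9": "US"}
THREAT_INTEL = {"203.0.113.7": "known Tor exit node"}
USERS = {"alice": {"home_country": "US", "known_devices": {"alice-laptop"}}}
UNKNOWN_USER = {"home_country": "unknown", "known_devices": set()}

@dataclass
class Investigation:
    alert: dict
    evidence: list = field(default_factory=list)
    score: int = 0  # positive = looks malicious, negative = looks benign

    def note(self, weight, text):
        self.score += weight
        self.evidence.append(text)

    def profile(self):
        return USERS.get(self.alert["user"], UNKNOWN_USER)

def check_threat_intel(inv):
    hit = THREAT_INTEL.get(inv.alert["src_ip"])
    if hit:
        inv.note(2, f"source IP is a {hit}")
    else:
        inv.note(0, "source IP not present in threat intel")

def check_geo(inv):
    country = GEO.get(inv.alert["src_ip"], "unknown")
    home = inv.profile()["home_country"]
    inv.note(1 if country != home else -1, f"login from {country}; home country is {home}")

def check_auth_method(inv):
    # Phishing-resistant MFA is strong exonerating evidence; a bare password is weak.
    strong = inv.alert["auth_method"] in {"fido2", "passkey"}
    inv.note(-2 if strong else 1, f"authenticated with {inv.alert['auth_method']}")

def check_device(inv):
    known = inv.alert["device"] in inv.profile()["known_devices"]
    inv.note(-1 if known else 1, f"device {inv.alert['device']} is {'known' if known else 'new'}")

CHECKS = [check_threat_intel, check_geo, check_auth_method, check_device]

def triage(alert, escalate_at=3, exonerate_at=-3):
    """Gather evidence until it is conclusive, then return a decision-ready report."""
    inv = Investigation(alert)
    for check in CHECKS:
        check(inv)
        if inv.score >= escalate_at or inv.score <= exonerate_at:
            break  # definitive conclusion reached; no need to pivot further
    if inv.score >= escalate_at:
        verdict = "true_positive"
    elif inv.score <= exonerate_at:
        verdict = "false_positive"
    else:
        verdict = "inconclusive"  # hand to a human rather than auto-close
    return {"alert_id": alert["id"], "verdict": verdict, "score": inv.score, "evidence": inv.evidence}
```

The third verdict matters in practice: an alert the evidence cannot settle should be routed to an analyst, not silently closed.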
Expanding Beyond Triage: Additional Functionalities
While the primary focus is automating alert triage, DropZone AI offers supplementary features:
- Automated Containment: DropZone AI can initiate containment actions to "stop the bleeding" when a threat is detected, providing an immediate response that limits the damage.
- Chatbot for Threat Hunting: the platform includes a chatbot that supports ad hoc threat hunting, letting analysts run exploratory investigations more efficiently.
Edward emphasizes the depth of DropZone AI’s capabilities compared to other AI-based security products:
“Our technology does far more than just summarizing the alert JSON into natural language... mimicking the detective intuition and thought process of a human security analyst and automating the entire investigation workflow end to end." (03:03)
The Future of AI in Cybersecurity: Opportunities and Challenges
When discussing the broader landscape, Edward identifies several areas where AI can further revolutionize cybersecurity:
- Red Teaming and Penetration Testing: AI can simulate sophisticated attack scenarios, helping organisations test and strengthen their defenses.
- Software Code Review: automating the identification of vulnerabilities within codebases so that findings reach developers earlier in the development process.
- Threat Modeling and Attack Simulations: creating dynamic, realistic tabletop exercises tailored to an organization’s specific context.
- Vulnerability Management: streamlining the identification and remediation of IT and software vulnerabilities.
- Threat Intelligence and Hunting: using AI to continuously monitor and analyze large volumes of data from blogs, social media, and other sources to identify emerging threats.
Edward posits that these applications are still in their nascent stages, with significant potential for growth and innovation:
“There are still a lot of opportunities at this moment. The most popular use cases... but beyond that, I do think there are tons of other opportunities to apply gen AI." (08:16)
Real-World Applications and Customer Insights
When asked about unexpected uses of DropZone AI’s platform, Edward notes that while the primary use case aligns with their initial vision, customers have leveraged the technology in diverse and impactful ways:
- 24/7 Alert Triage Without Additional Staffing: organizations with limited staffing have used DropZone AI to achieve round-the-clock alert handling without hiring additional personnel across multiple continents.
- Reduced Mean Time to Response (MTTR): large organizations have been particularly impressed by the AI’s ability to start and complete investigations quickly, often determining the nature of an alert within minutes and so significantly lowering MTTR.
“They are really able to drastically reduce their MTTR with our technology because... we are able to immediately start investigation within a couple of seconds and then within 10 minutes reach a definitive conclusion." (11:50)
These real-world applications underscore the platform’s effectiveness in enhancing operational efficiency and security posture.
Seamless Deployment and Integration
DropZone AI prides itself on ease of deployment, ensuring that organizations can integrate the platform with minimal disruption:
“Our technology sits on top of customers' existing security systems and all it needs are API access... end to end within five minutes." (14:07)
This rapid deployment is complemented by compatibility with major security ecosystems, including Microsoft Defender and Sentinel, Exchange, and on-premise Splunk instances. Because the platform consumes existing tools through their APIs, organizations can start benefiting from automated alert handling without extensive configuration or downtime.
AI’s Role in Cybersecurity Employment
A pertinent topic is the impact of AI on cybersecurity jobs. Edward asserts that AI is designed to augment rather than replace human analysts:
“We do believe the future of security does not involve AI replacing existing security engineers and analysts, but it's more about AI substituting, taking over the lower-level tasks and up-leveling existing engineers and analysts to focus on more challenging projects." (15:55)
He likens AI to a "force multiplier" that lets security teams handle a higher volume of work and concentrate on strategic initiatives. DropZone AI has also released Coach, a free Chrome extension that surfaces investigation guidance and supporting metadata to analysts in real time, acting as a second opinion during an investigation.
This perspective highlights a symbiotic relationship between AI technologies and human expertise, where AI handles repetitive tasks, freeing up analysts to engage in more complex and impactful work.
Conclusion
The episode with Edward Wu offers a comprehensive look into how AI, specifically through platforms like DropZone AI, is transforming cybersecurity operations. By automating alert triage and investigation, AI not only enhances the efficiency of SOC teams but also elevates the role of human analysts, allowing them to focus on more critical and strategic tasks. As AI continues to evolve, its applications in cybersecurity are poised to expand, offering innovative solutions to long-standing challenges in the infosec landscape.
Notable Quotes:
- “DropZone AI... leverages advancements in large language models to build essentially AI security analysts... our vision is to offload the initial triage and investigation of alerts from the security teams so the human defenders can focus on only the real threats as well as other critical projects." (00:19)
- “Our technology is really mimicking the detective intuition and thought process of a human security analyst and automating the entire investigation workflow end to end." (03:03)
- “There are still a lot of opportunities at this moment... there are tons of other opportunities to apply gen AI." (08:16)
- “They are really able to drastically reduce their MTTR with our technology because... we are able to immediately start investigation within a couple of seconds and then within 10 minutes reach a definitive conclusion." (11:50)
- “We do believe the future of security does not involve AI replacing existing security engineers and analysts, but it's more about AI substituting, taking over the lower-level tasks and up-leveling existing engineers and analysts to focus on more challenging projects." (15:55)
This summary encapsulates the key discussions from the episode, providing a comprehensive overview for those who haven't had the chance to listen. Edward Wu's insights into the integration of AI in cybersecurity operations highlight both the current benefits and future potential of such technologies in enhancing SOC team effectiveness.
