Dropzone AI on AI's impact and role for SOC teams - Risky Bulletin

Summary6 min read

Risky Bulletin Podcast Summary

Episode: Dropzone AI on AI's Impact and Role for SOC Teams
Host: risky.biz
Guest: Edward Wu, Founder and CEO of DropZone AI
Release Date: April 27, 2025

Introduction

In this episode of Risky Bulletin, host Campano engages in an insightful conversation with Edward Wu, the founder and CEO of DropZone AI, a Seattle-based cybersecurity startup. DropZone AI is pioneering the use of large language models to enhance Security Operations Center (SOC) teams by automating alert triage and investigation processes. This discussion delves into how AI can transform cybersecurity operations, the functionalities of DropZone AI’s platform, future applications of AI in the infosec landscape, and the implications of AI on cybersecurity jobs.

DropZone AI: Revolutionizing SOC Operations

Edward Wu introduces DropZone AI as a venture aimed at alleviating the overwhelming volume of security alerts that SOC teams face daily. He explains:

“DropZone AI... leverages advancements in large language models to build essentially AI security analysts... our vision is to offload the initial triage and investigation of alerts from the security teams so the human defenders can focus on only the real threats as well as other critical projects."
(00:19)

Edward’s motivation stems from his eight-year experience at Actual Hub Networks, where he witnessed firsthand how excessive alerts could lead to important signals being overlooked. This inspired him to create a solution that not only manages alert volume but also enhances the efficiency of cybersecurity professionals.

Core Functionality: From Alerts to Actionable Insights

The core functionality of DropZone AI revolves around automating the triage and investigation of security alerts. Edward elaborates on the system’s capabilities:

“We build a system that can ingest security alerts as input. It will autonomously pivot across different security tools and data sources to gather relevant metadata and then ultimately within a couple minutes generate a decision-ready investigation report on whether each alert is a true positive or a false positive."
(00:19)

DropZone AI operates by mimicking the investigative intuition of human analysts. When an alert is generated, the AI formulates hypotheses about the potential cause, identifies necessary metadata, and interacts with various security tools to gather relevant information. This iterative process continues until a definitive conclusion is reached, culminating in a comprehensive investigation report.

For example, upon receiving an abnormal login alert, the system might assess the source IP, evaluate geolocation data, check authentication methods, and consult threat intelligence feeds to determine the legitimacy of the alert. This thorough approach ensures that only genuine threats are escalated, significantly reducing the workload on human analysts.

Expanding Beyond Triage: Additional Functionalities

While the primary focus is automating alert triage, DropZone AI offers supplementary features:

Automated Containment:
DropZone AI can initiate containment actions to "stop the bleeding" when a threat is detected, providing immediate responses to mitigate risks.
Chatbot for Threat Hunting:
The platform includes a chatbot that supports ad hoc threat hunting, allowing analysts to perform exploratory investigations more efficiently.

Edward emphasizes the depth of DropZone AI’s capabilities compared to other AI-based security products:

“Our technology does far more than just summarizing the alert JSON into natural language... mimicking the detective intuition and thought process of a human security analyst and automating the entire investigation workflow end to end."
(03:03)

The Future of AI in Cybersecurity: Opportunities and Challenges

When discussing the broader landscape, Edward identifies several areas where AI can further revolutionize cybersecurity:

Red Teaming and Penetration Testing:
AI can simulate sophisticated attack scenarios, enhancing the robustness of security defenses.
Software Code Review:
Automating the identification of vulnerabilities within codebases to streamline the development process.
Threat Modeling and Attack Simulations:
Creating dynamic and realistic tabletop exercises tailored to an organization’s specific context.
Vulnerability Management:
Streamlining the identification and remediation of IT and software vulnerabilities.
Threat Intelligence and Hunting:
Using AI to continuously monitor and analyze vast amounts of data from blogs, social media, and other sources to identify emerging threats.

Edward posits that these applications are still in their nascent stages, with significant potential for growth and innovation:

“There are still a lot of opportunities at this moment. The most popular use cases... but beyond that, I do think there are tons of other opportunities to apply gen AI."
(08:16)

Real-World Applications and Customer Insights

When asked about unexpected uses of DropZone AI’s platform, Edward notes that while the primary use case aligns with their initial vision, customers have leveraged the technology in diverse and impactful ways:

24/7 Alert Triage Without Additional Staffing:
Organizations with limited staffing have utilized DropZone AI to achieve round-the-clock alert management without the need to hire additional personnel across multiple continents.
Reduced Mean Time to Response (MTTR):
Large organizations have been particularly impressed by the AI’s ability to swiftly conduct investigations, often determining the nature of alerts within minutes, thereby significantly lowering MTTR.

“They are really able to drastically reduce their MTTR with our technology because... we are able to immediately start investigation within a couple of seconds and then within 10 minutes reach a definitive conclusion."
(11:50)

These real-world applications underscore the platform’s effectiveness in enhancing operational efficiency and security posture.

Seamless Deployment and Integration

DropZone AI prides itself on ease of deployment, ensuring that organizations can integrate the platform with minimal disruption:

“Our technology sits on top of customers' existing security systems and all it needs are API access... end to end within five minutes."
(14:07)

This rapid deployment capability is complemented by compatibility with major security ecosystems, including Microsoft Defender and Sentinel, Exchange, and on-premise Splunk instances. The quick setup allows organizations to immediately benefit from enhanced alert management without extensive configuration or downtime.

AI’s Role in Cybersecurity Employment

A pertinent topic is the impact of AI on cybersecurity jobs. Edward asserts that AI is designed to augment rather than replace human analysts:

“We do believe the future of security does not involve AI replacing existing security engineers and analysts, but it's more about AI substituting, taking over the lower-level tasks and up-leveling existing engineers and analysts to focus on more challenging projects."
(15:55)

He likens the role of AI to a "force multiplier," enabling security teams to handle a higher volume of tasks and concentrate on strategic initiatives. Furthermore, DropZone AI has introduced Coach, a free Chrome extension that provides investigation guidance and metadata to analysts in real-time, acting as a second opinion and enhancing decision-making processes.

This perspective highlights a symbiotic relationship between AI technologies and human expertise, where AI handles repetitive tasks, freeing up analysts to engage in more complex and impactful work.

Conclusion

The episode with Edward Wu offers a comprehensive look into how AI, specifically through platforms like DropZone AI, is transforming cybersecurity operations. By automating alert triage and investigation, AI not only enhances the efficiency of SOC teams but also elevates the role of human analysts, allowing them to focus on more critical and strategic tasks. As AI continues to evolve, its applications in cybersecurity are poised to expand, offering innovative solutions to long-standing challenges in the infosec landscape.

Notable Quotes:

“DropZone AI... leverages advancements in large language models to build essentially AI security analysts... our vision is to offload the initial triage and investigation of alerts from the security teams so the human defenders can focus on only the real threats as well as other critical projects."
(00:19)
“Our technology is really mimicking the detective intuition and thought process of a human security analyst and automating the entire investigation workflow end to end."
(03:03)
“There are still a lot of opportunities at this moment... there are tons of other opportunities to apply gen AI."
(08:16)
“They are really able to drastically reduce their MTTR with our technology because... we are able to immediately start investigation within a couple of seconds and then within 10 minutes reach a definitive conclusion."
(11:50)
“We do believe the future of security does not involve AI replacing existing security engineers and analysts, but it's more about AI substituting, taking over the lower-level tasks and up-leveling existing engineers and analysts to focus on more challenging projects."
(15:55)

This summary encapsulates the key discussions from the episode, providing a comprehensive overview for those who haven't had the chance to listen. Edward Wu's insights into the integration of AI in cybersecurity operations highlight both the current benefits and future potential of such technologies in enhancing SOC team effectiveness.

Loading summary

Transcript25 lines

[00:00]
A
Foreign.
[00:07]
B
Campano and this is a risky business sponsor interview with Edward wu, founder and CEO of DropZone AI. Welcome Edward.
[00:14]
A
Glad to be here.
[00:15]
B
Edward, you're a first time sponsor on the show. Do you mind explaining what's dropzone AI?
[00:19]
A
Dropzone AI we are a Seattle based cybersecurity startup that's leveraging advancements in large language models to build essentially AI security analysts. So we build a system that can ingest security alerts as input. It will autonomously pivot across different security tools and data sources to gather relevant metadata and then ultimately within a couple minutes generate a decision ready investigation report on whether each alert is a true positive or a false positive. And our vision is is with our technology we can offload the initial triage and investigation of alerts from the security teams so the human defenders can focus on only the real threats as well as other critical projects as if they have an additional army of analysts augmenting them with extra pairs of hands, eyes and brains. My personal background before founding DropZone is I was at Actual Hub Networks for eight years where I built its AI ML and detection product from scratch. So during that time generated millions of alerts, overwhelmed a good number of security teams and ultimately also got my heart broken a number of times when I heard customers were not paying attention to the alerts that we put a lot of effort into. So after being on the alert generation side for eight years, I decided to switch sides and partially redeem myself and start dropzone that is specialized in the automation of alert investigations.
[01:56]
B
Well, yeah. Well, you're going to redeem yourself then. You seem to describe a product that's useful for SOCA triage operations. I see on your website you're taking data from a long list of products and places. Does it have any other applications besides basic triage?
[02:16]
A
Yeah, at this moment our primary focus is in the automation of alert triage and investigation. But there are a couple like auxiliary functionalities. For example, our technology if configured, can also perform automated containment so stops the bleeding actions. In addition to that we also have a chatbot where it could be utilized to facilitate ad hoc threat hunts.
[02:44]
B
Edward, I'm going to go a little bit deeper into the guts of your project. You run your own AI agent, but the low level tools you're tapping from are also adding AI features as well. Aren't you afraid people are will get tired of AI summaries the same way they're tired of soccer alerts?
[03:03]
A
Good question. We have seen a lot of use cases of security products adding AI summaries where they essentially take like a JSON representation of the alert, put it into a large language model and then summarizes it in natural language. But for our technology, it does far more than just summarizing the alert JSON into natural language. Our technology is really mimicking the detective intuition and thought process of a human security analyst and automating the entire investigation workflow end to end. For example, when we see a abnormal logging alert, we will feed that alert into our system and the first thing that happens is our system will understand the alert and then come up with multiple hypothesis on why or what kind of activity might have triggered this abnormal logging alert in the first place. And then after that our system will figure out what kind of information it need to gather. For example, is the source IP address a vpn? Like what is the home or geolocation of this particular employee? Was the authentication attempt performed after some sort of multi factor authentication? So our system will identify a sequence or list of metadata that it needs to figure out which hypothesis was actually real. And then it will intelligently go through different security tools in the environment. For example, it might reach out to okta to get the employee metadata. It might reach out to entra ID to looking at the logging history to see is this the first time or is this the 50th time that this particular user has logged in from the IP address or geolocation. It might also reach out to additional IP enrichment data sources or threat intelligence feeds to see if do we know anything about the client IP or for example the user agent. So the technology will perform all of these kind of investigative steps and then gather different metadata that will help it to either validate or invalidate hypothesis. And then it will actually update this hypothesis and repeat this process until there is one final hypothesis left with a lot of supporting evidence. And that's where our technology will compile all of these information, including all the evidences into an decision ready investigation report. So the report generation part is kind of a sliver of the overall systems capability. The bulk of the work it is doing is automating the multitab pivoting and query generation and log scrolling that a typical analyst needs to perform manually.
[06:03]
B
So basically the closer the AI agent is to the person, the human, and farther away from the raw low level streams, it's better right?
[06:11]
A
Correct. In some of our early customers and adopters, they actually plug in our technology into their existing case management system and then every piece of analysis our system is generating on each alert gets published back to the case management system as additional Comments on the tickets and we have heard a couple times where people ask like who is this drop zone? Saying why are they commenting on quickly commenting and performing analysis on every single ticket in the alert queue.
[06:44]
B
My boss Patrick seems to think that as these AI agents will get smarter, will eventually reach a point in the future where agents will just pass security events between them. Like you were saying, putting back in into case management tools, are you seeing this future as well where human intervention is, let's not say removed, just deferred until an actionable decision needs to be taken? Or do you think that having systems with multiple agents interact with each other just thins out the raw intel, just loses its usefulness?
[07:24]
A
Yeah, from our perspective, we do see with our technology as well as other AI agents, the amount of manual repetitive work that security analysts need to perform day to day will drastically decrease. One analogy we use is it's kind of like up. Leveling existing tier one security analysts from foot soldiers to generals and special forces generals means they are transitioning from doing the work themselves to more like a supervisory role. They are reviewing the challenging alerts and then special forces means they are primarily focused on tackling only the true positives and the tricky ones that require comprehensive as well as contextual corrective actions.
[08:17]
B
You obviously have more insight into the proper use of AI for security operations. Where's the most fertile ground for expansion right now? Is there a place in the infosec landscape that AI can grow further and help analysts? Because I personally think it's email. Not necessarily they're looking in the email content, but the flow of email from inside a company and who exactly sends and receives emails. But what do you think? Is there such a place where AI has not yet been expanded and used to its full potential?
[08:54]
A
Yeah, in terms of commercial products, I do think we're still at the early stages. If you look at security operation or cybersecurity overall, like if you look at the responsibilities of CISOs and security teams and the different type of manual repetitive tasks that they need to do. I do think there are still a lot of opportunities at this moment. The most popular, you can say use cases or startup ideas for applied gen AI for cybersecurity has been AI based alert investigations, AI based like red teaming or pen testing as well as AI based like software code review. But beyond that I do think there are tons of other opportunities to apply gen AI. This is where I know there are stealth startups working on those as well as some of them are like open source projects, for example grc, like Threat modeling and attack simulations. That is a very interesting space where imagine the future where the tabletop exercises are a lot more realistic and there are a lot dynamically created based on the contextual information in the organization. In addition to that, obviously every single security teams has too many security alerts. But beyond security alerts, I think every security org also has way more vulnerabilities whether it's IT software vulnerability or software vulnerabilities in their code base that they know what to do with. So that could be another great application of Genai. Beyond that, even adjacent to alert investigations like threat intelligence, threat hunting could also be very interesting use cases. At the end of the day, nobody enjoys, you know, watching Twitter feeds and reading blogs 24,7 but software doesn't mind doing that. It can go through a hundred blogs every minute. And that kind of ability to ingest net new threats, net new TTPs can can further accelerate the remediation and compensating controls from the security teams.
[11:21]
B
I always ask this question to almost all my sponsors, but is there something that your customers are doing with your product that you didn't initially anticipate or you're surprised now how they're using it?
[11:35]
A
From our side, not as much because we built a product for this specific use case like automating the initial alerts, triage and investigation. So overall how we are used, we haven't been really surprised.
[11:51]
B
But in terms of it's not really that creative. They're already on guardrails, right?
[11:55]
A
Yeah. But I do think in terms of use cases like how customers find our technology useful, I do think there are a couple interesting bits I could share. We have noticed for different customers and organizations see value of AI SoC analysts could differ. For example, we have run into organizations who have an internal SOC right now, but frankly they are not 247 at this moment. And we have a number of early adopters who used our technology to get to 24.7alert triage without hiring, you know, three additional people across two continents, which is kind of traditionally one way you get to 24. Seven is you hire five people across a couple of different continents and then you create this essentially on call rotation and. Yeah, and then for the larger organizations it's interesting where a lot of them were very surprised by how quickly our technology was able to complete the investigations and, and how they are really able to drastically reduce their MTTR with our technology because I think similar to all of us, like we don't read every single email the second they land in our inbox for most Security teams, they do not start investigating alerts immediately after alerts show up in the alert queue. Most of the time alerts are stuck in the alert queue for hours to the end. And with our technology given software, we are able to immediately start investigation within a couple of seconds and then within 10 minutes reach a definitive conclusion and either escalated the alert, dismissed it or automatically triggered some initial stop the bleeding containment actions. So for larger organizations we have, they have found that to be very appealing because no amount of hiring you could do can get you this kind of capability.
[14:03]
B
Out of curiosity, from onboarding to actually using your agent, how much does it take?
[14:07]
A
Great question. I'm glad you asked it. We actually recorded a speed to rent video showcasing how our technology can be deployed connected with the Microsoft ecosystem. So Defender, Sentinel, Exchange, as well as an on premise splunk instance actually end to end within five minutes because at the end of day our technology sits on top of customers existing security systems and all it needs are API access, whether it's API keys or read only service account credentials to existing security products.
[14:42]
B
Edward, from what you're describing and from other interviews I had, Dropzone doesn't look like the product that's gonna take jobs away. It's more like easing people as normal work routine. Like there's still a need for human interaction. But overall, do you see the market evolving towards something where agents could actually replace some of these cybersecurity jobs or you don't see that as something possible in the foreseeable future? What's your thoughts on this?
[15:14]
A
We definitely get asked a lot about this question. I do think the goal of the AI ultimately is to force multiply existing teams. And if we were to zoom out and put aside cybersecurity for a little bit, in the grand scheme of things, AI is going to substitute a lot of the, you can say entry level white collar jobs. But I do think cybersecurity is kind of a unique and interesting space where because frankly as defenders there are still a lot of room for improvement. And you can see that by just looking at how many years of free credit monitoring we are all receiving from all these big compromises and hacks and breaches. I do think cybersecurity is one of the unique verticals or industries where there is a win win proposition between the existing, you know, AI tech, between the AI technology as well as the human workforce. Because at the end of the day there are so much we all want to do and all of us like every single security team we run into, we always ask a question like, what would you do if you have 10 additional security engineers on your team? And we have never heard anybody say, I don't know what to do with them. I don't need 10 additional security engineers on the team. I think every single team will have a far longer project list that they currently has the budget and capacity for. And this is ultimately where we see Genai helping security is increasing the capacity and up leveling the existing engineers and analysts. And in fact, as part of this, and we're not just, you know, doing lip service to put people at ease, we recently actually announced and launched a free Chrome extension where security analysts can install on a browser. And the Chrome extension is called Coach, where it generates investigation guidance as well as other helpful metadata for the analysts as they are looking at security alerts. So it's kind of like Wasan or Sidekick, where as the analysts are looking at different security alerts in different security products, they can pop open Coach and have Coach provide a second opinion. What might have triggered this alert in the first place? What are some of the investigative pivots or steps that the analysts should be thinking about? And the reason we launched it as a free extension is we do believe the future of security does not involve AI replacing existing security engineers and analysts, but it's more about AI substituting, taking over the lower level tasks and up leveling see existing engineers and analysts to focus on more challenging projects as well as other initiatives.
[18:31]
B
Edward, that's a perfect way to end it. Thank you for your time today.
[18:35]
A
Awesome. Thank you.