Can you just use Claude Code or another LLM to "vibe code" your way into building an AI SOC? In this episode, Ariful Huq, Co-Founder and Head of Product at Exaforce, explains that the reality is far more complex than the hype suggests and why a simple "bolt-on" approach to AI in the SOC is insufficient if you're looking for real security outcomes.
We speak about the foundational elements required to build a true AI SOC, starting with the data. It's "well more than just logs and event data," requiring the integration of config, code, and business context to remove guesswork and provide LLMs with the necessary information to function accurately. The discussion covers the evolution beyond traditional SIEM capabilities, the challenges of data lake architectures for real-time security processing, and the critical need for domain-specific knowledge to build effective detections, especially for SaaS platforms like GitHub that lack native threat detection.
This is for SOC leaders and CISOs feeling the pressure to integrate AI. Learn what it really takes to build an AI SOC, the unspoken complexities, and how the role of the security professional is evolving towards the "full-stack security engineer".
Questions asked:
00:00 Introduction
02:30 Who is Ariful Huq?
03:40 Can You Just Use Claude Code to Build an AI SOC?
06:50 Why a "Bolt-On" AI Approach is Tough for SOCs
08:15 The Importance of Data: Beyond Logs to Config, Code & Context
09:10 Building AI Native Capabilities for Every SOC Task (Detection, Triage, Investigation, Response)
12:40 The Impact of Cloud & SaaS Data Volume on Traditional SIEMs
14:15 Building AI Capabilities on AWS Bedrock: Best Practices & Challenges
17:20 Why SIEM Might Not Be Good Enough Anymore
19:10 The Critical Role of Diverse Data (Config, Code, Context) for AI Accuracy
22:15 Data Lake Challenges (e.g., Snowflake) for Real-Time Security Processing
26:50 Detection Coverage Blind Spots, Especially for SaaS (e.g., GitHub)
31:40 Building Trust & Transparency in AI SOCs
35:40 Rethinking the SOC Team Structure: The Rise of the Full-Stack Security Engineer
42:15 Final Questions: Running, Family, and Turkish Food
Ashish Rajan: [00:00:00] Can I just use Claude Code to build an AI SOC today?
Ariful Huq: I think the bolt-on approach is tough. Like if you're really looking for good outcomes, you really need to think about an approach starting from first principles with the data. And it's, well more than just logs and event data, it's config code context, it's bringing it all together.
I think it's going well beyond what SIEMs are capable of.
Ashish Rajan: If the future is like more AI coming into more parts of security, should people start rethinking how they build SOC teams?
Ariful Huq: I really think the future is where security engineers become full stack. You're not an analyst. Like, look, your best analyst doesn't want to be the guy that's just doing investigations.
Ashish Rajan: Every time someone tells me the statement that I can just use Claude Code and build my own AI SOC, these days I just laugh because I think there's a lot more involved in doing this. Look at all the vibe coding examples that are out there. So for this particular conversation I have Ariful, who is from Exaforce. We spoke about what does it actually take to build an AI SOC and can I truly just use any AI, [00:01:00] it doesn't really matter, Claude Code or any other favorite model of yours, to build my own AI SOC.
We spoke about some of the unspoken parts, which are not usually covered in a lot of marketing that Sam Altman may be doing about how easy it is with AI. What are some of the complexities around building this part? Now, if you're someone who's running a SOC team and probably feeling the pressure like everyone else around the world on, Hey, I want you to use more AI, this conversation will be one way to understand what parts of SOC are possible with AI and what parts are more probably a bit more complex in the kind of workforce you require to support that. And the reality is a lot more complex answers than slapping Claude Code and calling it AI SOC. So I hope you enjoy this conversation. And if you know someone who is in the SOC team, or probably building a SOC team working around them, I would definitely share this episode with them because we went into the details of what's under the hood for building an AI SOC.
What are some of the challenges? Things you have to consider when you build this yourself and what kind of a team would you be building as we all move forward in this AI future. As always, if you're here for a second or third [00:02:00] time and have been finding the episodes valuable, I would really appreciate if you can take one second to just drop that follow or subscribe button on whichever platform, Apple's, Spotify, LinkedIn, YouTube, that you're listening or watching this.
It means that we get discovered by a lot more people and get to help a lot more people as well. So I appreciate you taking that quick second to do that. I hope you enjoy this conversation with Ariful and I'll talk to you soon. Peace. Hello, and welcome to another episode of Cloud Security podcast. I've got Ariful with me.
Hey man, thanks for coming on the show.
Ariful Huq: Of course. Uh, it's a pleasure. Long time. It's been
Ashish Rajan: a, I know, well, well, we've hung out quite a bit together and uh, I know a bit about you as well, so maybe to introduce yourself to the audience, your professional background, where are you these days?
Ariful Huq: Yeah. I, uh, started a company called Exaforce, uh, about a couple years ago. Uh, prior to that I was at, uh, Palo Alto Networks, uh, in the Prisma Cloud team. And I ended up there because of an acquisition of my last startup Aporeto. We were one of the many acquisitions that Palo Alto Networks made. So as part of the Prisma Cloud business, um, you know, kind of saw that grow quite [00:03:00] significantly. Um, prior to that, I, I did a, actually another startup and you know, I started my career at Juniper Networks in network, uh, switching routing and, and, and security. But yeah, uh, my latest, uh, sort of endeavor is Exaforce. And we're building AI SOC, so essentially agentic SOC
Ashish Rajan: platform.
Ariful Huq: Yeah.
Ashish Rajan: Awesome. I think AI SOC is definitely the top of mind, at least the topic that I had in mind for this as well. So in the advisory work that I do with Fortune 500 and FTSE 100 companies, a lot of times when I talk about AI SOC, common things that come up, and maybe it's saw Sam Altman talking through these people, but can I just use Claude Code, which is supposed to be super awesome advanced version of AI, to build an AI SOC today, considering you've done this yourself.
Ariful Huq: Yeah. Look, I think, um, you know, if you're, I, if the goal is to kind of vibe code, uh, your way into building a a, a SOC platform look, I think, I wanna start saying, start by saying that. I [00:04:00] think this, this technology is incredibly powerful.
Whether you think about Claude Code or just Claude in general, right? Yeah. Um, I think, uh, these technologies are really, really powerful. I just mean, me as a product person, um, I think it's given me superpowers. Things that I would've never imagined myself as a product person do. You know, for instance, just over the weekend, um, I'm coming up with some demo scenarios for a customer.
Um, you know, I would. I'm doing things like session hijacking so I can actually potentially demonstrate how we could detect it. Or even things like, you know, building integrations, like exploring APIs and that kind of stuff. Like these are things that, you know, typically me as a product manager, I wouldn't be doing, five, six years ago because we just didn't have the skill sets, right?
I mean, we come we don't have, all of us don't have a coding background, so, I wanna start by saying that, but I think to the heart of your question, which is. You know, can you really use this technology to build a SOC platform to build tooling? I think you can do some things, but at the end of the day, I think it boils down to, from a builder perspective, [00:05:00] I think it boils down to how much do you wanna manage yourself as well.
Like, if you're starting from scratch, starting from, like, if you think about a SOC. You gotta start from, you know, building a data platform and then you have to build a lot of things on top of it. If you're really starting from scratch, I would say you know, that's from a management perspective and resourcing perspective, that might not be worthwhile.
I think the second part of this is. How can we leverage LLMs to perform tasks in the SOC? That I think is interesting as well. That is sort of like, Hey, can we give SOC analysts superpowers to perform their tasks in, in the SOC? I think there's a lot of things to be done there.
So yeah, that's my, you know, kind of perspective. '
Ashish Rajan: cause I guess to your point, there is a whole AI for security and security for AI conversation here as well. Where, to your point, if the SOC team wanted to bolt on AI into an existing workflow for, uh, security operation, then yes, you can go far. I don't know what that far would be, but at, but on the other side, if you're using AI for security to, from [00:06:00] a scaling perspective to, Hey, I only have, I don't know, I'm a head of SOC or a director here.
I only get budget for five people. I wonder what, what would've happened if I had just enough budget for 10 more, 20 more, 30 more, whatever that number may be. I think that's kind of where the, the amplification of AI is a great sales pitch at that point in time from Sam Altman, like, oh, you guys can do anything.
He's been pitching the whole one person billion dollar company. Or that maybe to kind of bring it to ground level, considering you've done this. What is involved in, you kind of mentioned a few words that you mentioned, the data lake you mentioned, 'cause a lot of people who are probably in the thick of it, like especially if you work as a SOC analyst, all you see is a SIEM.
You get some threat intel feed and I'm like, I can bolt some AI on top of this and should be enough. Is that like a, I don't know, to your, I mean to your point, is that vibe coding still or am I getting closer?
Ariful Huq: Yeah, look, I think there are aspects that you can certainly bolt on. Uh, you can certainly build tooling.
You can [00:07:00] certainly do some level of scripting, right? Yep. Yeah. I think the way I think about this as a, I was actually drawing some analogies 'cause I was explaining this to somebody. With the autonomous vehicle market, if you kind of think about Tesla, Waymo, these companies, uh, they're not building bolt-on autonomous vehicles.
They have taken the journey of actually building an autonomous vehicle. Now granted, like for instance, if you look at Waymo, they've got a Jaguar car, but they've, built the infrastructure into the car. Yeah. Tesla obviously has taken a much more kind of vertically integrated approach. But all that to say, they're spending r and d in kind of building the, the underlying infrastructure the cameras and everything.
And then they're doing the data collection, they're doing the training, and then they're building the autonomous. Now you can see that, that, they're probably the ones that are making the most progress. And these are incredibly difficult problems to solve, right? So they, I think there, you can draw some analogies there because.
You know, when you take a bolt on approach, you don't own a lot of things. You have to rely on things that are, you know, [00:08:00] given to you. So, I really think if you are, if you're trying to think about solving this problem, you gotta think about first principles. And you, you, you mentioned this during the conversation, so like, you gotta start with the data, right?
So how do I bring all of this data together? Yeah. And I think, you know, in our industry specifically, when it comes to operations. We've thought about data primarily from events logs, but I really think that, the, to kind of solve this problem of whether you think about alert fatigue, building better detections, better triage, you really need to give context and it's, well, more than just logs and event data, it's config.
Code context is bringing it all together, right? So I think that's critical to solve and it's, I think it's going well beyond what SIEMs are capable of. Actually. You still need the SIEM capability, but it's actually, you need to go a step beyond, right? 'cause SIEMs have legacy SIEMs have typically just been based on logs and events.
Um, so you start with the data and then obviously you've [00:09:00] got a lot of the tasks that you perform in, in the, in the SOC. And I think to build an AI-native kind of SOC you need to think about what is, how do you think about tasks. Every task that you have in the SOC, how do you build it in an AI-native way?
So let me give you a few examples. Start with detections, right? Because hey, you know, you need to have detection coverage within the SOC. So, uh, if you start with detections you know, you still need statistical modeling, those sorts of things to do anomaly based detections. And they've been, historically they've been noisy, right?
Yeah. But. I think what's happening is with AI capability today, where, you know, if you think about AI SOC and AI analysts, this notion of being able to triage every alert becomes a possibility. So you can leverage things like anomaly detection, where you can be liberal in terms of the number of signals you look at and you can throw, machine at the problem to triage all of these alerts and only surface [00:10:00] what really requires human attention. And that can be based on context that you have context, that you feed it like, you know, potentially how your business operates, right? So that's one example From a detection perspective, you think about triage investigations, response.
I think every single one of these layers. Has an AI native way to operate. You know, if you think about triage, it's being able to automatically triage alerts and only escalate what you need. And, but again, you have to give the agent context, right? Yeah. Because you wanna remove the guesswork, right?
So you can give your predictable outcomes, right? Investigations you need to co-pilot experience because let's, it, let's face it, right? Like if you are doing an investigation. You really need, uh, a way to get started. And you know, today, like if you if you're trying to query for something, it's incredibly difficult, right?
You have to go build these queries. So you need a copilot experience there. And then from a response perspective, it's not just about building playbooks, but how do you think about agent ways to solve multi-step kind of response [00:11:00] workflows, right? These are not. Static steps 1, 2, 3, 4.
They can be very dynamic in nature. Long answer, but I think it's, I think the bolt-on approach is tough. Like if you're really looking for good outcomes, you really need to think about an approach starting from first principles with the data and how do you build AI native capabilities into every single task that you perform.
Ashish Rajan: I, I think a few points over there, which you called out, which is really interesting. I love the analogy for traditionally, we have always relied on whatever your SIEM provider is. Most organization with SOC, even with managed SOC, they all have some form of SIEM provider that integrates into some parts or all parts of your, at least crown jewel.
So there is that notion that, oh, okay, if there's an event, uh, and probably surrounding joke in the industry as well, send me all the logs. And that usually just means I send me all the events, debug logs, everything log, and it gets into this costly affair. Cost is just a big thing in SOC in general, but to what you said about the detection piece as well, which usually takes a long [00:12:00] time.
So that's where the co-pilot piece comes in as well. I'm a new threat hunter. I want to be able to find out, I don't know, not just cloud, like I've never, I've always worked at AWS, I have no idea how Azure works or GCP works. Now I'm gonna, now the organization has decided, hey, SOC is gonna take care of all the alerts coming out of Azure and GCP and all of that.
Yeah. What, and to your point, it's almost like each stage as you refer to it, I'm like, yeah, I guess it's like to quote unquote AI SOC is a lot more than just, Hey, I can look, I can triage. Right. Because I feel like there's a lot of, what people may be thinking about when they think about bolting on Claude Code or whatever it do.
And that's my quote unquote agentic SOC. It's not technically, it's not the full picture. It's just like, oh, you're just doing one part. There's like so much more to this than like, hey, to your point about does this team have the right information, do you have all the data and the context required from all the integration point?
I mean what's SaaS we like? I don't know. Is that, 'cause I mean we have only spoken about like [00:13:00] traditional infrastructure. There's like these days nothing is traditional with ai. There's so much more SaaS and everything else as well, right?
Ariful Huq: Yeah. I mean I think in. With most enterprises today.
Um, actually this is a fact. So in our organization, uh, if we look at, we, obviously we use our own technology. We're building AI platform, we're using it to protect ourselves. Yeah. So it gives us some interesting data points that, you know, I'm learning over time. One of them is our IaaS and SaaS logs.
Actually our IaaS logs, specifically public cloud, right? Yeah. A hundred x the volume of everything else. And it is, it's astronomical. It really is. Because just so much data exists, right? Yeah. And so we know, to your point, when you say, evolution of IaaS, how this is impacting the SOC, I think if you think about just from a data perspective, it is putting tremendous pressure on, architectures choices that you have made in the past to evolving, to leveraging.
The same technology and tooling for cloud and, and, and SaaS. Yeah,
Ashish Rajan: [00:14:00] I, I think I was gonna, because I mean, obviously, uh, you guys got, uh, awarded that AWS award for part startup as well and one of the more popular services on Amazon. First of all, congratulations on it and thank you. Good on you for you guys for winning that.
I was gonna say from a AWS building an AI capability in AWS usually lands on the whole Amazon Bedrock thing. And I think, um, before all of this, we were talking about the whole, how you guys have been talking about Bedrock and what are some of the best practices around, uh, especially now that Amazon is also recognizing that, hey, you're doing more AI on AWS, what, what has your, your experience been on building and what some of the best practices probably you can share on building AI capability on Amazon Bedrock.
Ariful Huq: Yeah, look, I, I think it's Bedrock is incredibly beneficial for when you start building in AWS because, A, it's a service that exists in AWS, so a native service, you can leverage it. So it, it, and actually from a customer perspective, uh, because the service is hosted within AWS infrastructure, all your data stays within AWS infrastructure as [00:15:00] well, which is quite beneficial.
Right. You know, especially when you're starting to build you know, AI technology, data, data, residency, sovereignty, all that sort of, question comes into play. And I think there's some advantages there in terms of Bedrock being hosted in AWS, so I think there's, those are the, I would say, you know, easy decisions. Like, okay, great, like we're building, let's start with the service that's already available. Uh, but it's not just about Bedrock, right? Yeah. If you're trying to build a robust agentic system it goes well beyond the capabilities of what Bedrock offers. Like some simple examples, right?
So if you're, if you're building an agentic system, um, you have a number of agents you are trying to handle things like, okay, uh, if these agents, uh, have retry mechanisms, say for instance tasks that these agents perform are to reach out to third party systems or to individuals, uh, whatever it may be you know, building retries, that's a very, very simple example.
But some things that you have to think about. So, you know, most people have started with things like agentic frameworks, like LangChain [00:16:00] and others that they've used on top of, you know, technologies like Bedrock. We've looked at these technologies. We actually had to, at the end of the day, our engineering team, this is more of an engineering conversation.
Uh, they have decided that some of it is open source, some of it is built in-house because yeah, uh, just kind of building this enterprise technology required us to do that. So yes, I talked about retries, like even things like, you know, asynchronous processing. Like say for instance, you perform a set of task you know, your, your agent is reaching out.
Do you want to do it sequentially or do you want to do it in an asynchronous way so you can perform these tasks in a, in a, in a short time span? Perhaps one of the tasks is taking longer than the other, right? Yeah. So there's a lot of sort of things that we have to take into account. Upgrades, you're upgrading software, your agents are off doing something.
Are they all gonna, you know, retry? Are they all going to, you know, restart? Like you have to handle all these scenarios. So I think there's quite a bit of work that we have to do. Just, we obviously Bedrock allowed us to get started really quickly. Yeah. Which is the benefit of cloud, right? Uh, but then there's all this other infrastructure that you have to build.[00:17:00]
Ashish Rajan: Is, is there something, 'cause because I, I, you know, I think obviously building in Bedrock and you're obviously you guys are building an agentic AI SOC capability on Amazon. Obviously there's a lot more moving parts than just building on a Bedrock. And, you know, I wanna use the same analogy as what we're talking about.
Claude Code is just like bolt on Claude Code to Bedrock and you have AI capability. In terms of people who are skeptical on the whole, Hey, I could do that with SIEM. 'cause, uh, I think. I I, is this wrong to kind of imagine that, hey, that a SIEM provider that I have been using for a while, 'cause you mentioned the part earlier about events and the different kinds of logging.
So in an agentic SOC kind of world that people are trying to build that capability on their own. What kind of data people should be looking for. So should they be looking still, looking at event, or not looking at events at all? 'cause I guess I imagine as you guys are building this capability, building this yourself, you would've had some learning about what works, what doesn't work.
'cause you kind of, it's a big claim to kind of say that, hey, SIEM's not good enough anymore.
Ariful Huq: Yeah. [00:18:00] Yeah, it is. Uh, you know, and it's, it's not, not to say that we are, you know, it's a ding against any of the SIEM providers. I think, you know, I was just thinking about this even last night, like, it's an evolution of technology.
How did SIEMs evolve? How did SIEMs even get started? They started, uh, it, you know, Splunk got started as a log analytics platform, and then they built an, a security application on top of that because the logs were there. Right. But I think to, let's come back to your question. Yes, there's incredible learning that we've had.
And you know, I'll start with the simple stuff. Like when you're thinking about, like even in our journey, right, in our first year of building Exaforce, uh, we actually started with like, we started the company at in 2023, so, you know, height of inflated expectations as far as what these technologies could do, right?
Uh, so we're like, okay, let's get detections from third party sources and let's leverage LLMs to go triage them. And the results that we're getting, unpredictable, not, you know, precise and not to what we were, we were thinking we would get. Yeah, and it's, it, it really boiled down to again, what you just said, the data.
Right. [00:19:00] So let's unpeel that a little bit. What does it really mean? So we, when you think about, you know. I'll give you a simple example. Uh, let's say you are trying to troubleshoot something. Um, let's start with the detection, right? Uh, if you have a detection, say you're trying to do insider threat, right?
Um, and one of the behaviors, insider threat, is somebody potentially without edit permissions to a file copying those files and then, uh, making them public. Uh, now imagine yourself trying to build a detection for that. You just have to think about, okay, there's an event. Yeah, potentially making it public, but I need config information on the resource and I need permission information to figure out does this person have edit permissions?
And then, you know, does he make it one example, right? You think about many other examples in terms of cloud infrastructure. Um, you're trying to troubleshoot something. Uh, somebody made you know, say somebody called your S3 bucket and it was anomalous, right? Yeah. Okay, who is this [00:20:00] somebody? Uh, what, what, what who spun up this S3 bucket?
What was in this S3 bucket? Yeah. What bucket, what specific keys were accessed? So, um, I think the sum of it is we feel in order to really solve these problems it's a combination of, again, logs, events, yeah. Config data code, context. And you have to kind of bring it all together so you can really, what you can do is you can give LLMs the right context.
You can remove the guesswork. Like even if you think about me and you, right? If I asked, if you asked me a question, it's really vague and you are like, directionally, I want I'm thinking he's gonna give me this answer, but my thought process is just gonna go, like, it's gonna, there's many different ways it could go, right?
So the answer I'm gonna, I'm gonna give you and potentially between two different people, we're very different. But if you remove the guesswork and you gave me, you know, some level of preciseness and you gave me some reasoning, freedom. You'd probably get a decent answer even between two people, right?
Yeah. Yeah. And that's exactly what [00:21:00] we're trying to do with these LLMs. We try to remove the guesswork by giving it the context, which again, includes all of this data. Hopefully that that gives you an appreciation of sort. It does.
Ashish Rajan: But what about like, obviously there's a lot of people who have.
Uh, we, we were at a panel. We, so I was part of a panel yesterday called for AI security and how to build AI security in an enterprise and regulated a regulated environment. One of the questions we came, came across was, uh, we, I think the moderator ask the crowd, who here is not using AI today?
Instead of asking who's using AI for 'cause imagine like four or five years ago. That answer, I was like, no one would've Like, what? Who uses ai? Like what are you Crazy. But every, and the response as expect no one raised a hand that no one's using, not using ai. And I find kind of feel the same here in a way where a lot of people have gone down the path of AI in some way, shape, or form.
So when we say data lake, they're probably already thinking that. Oh, I mean, yeah. Yeah. Our said, um. You don't need to have like a SIEM. But [00:22:00] I have that data platform thing that gives me, uh, security, orchestration, everything all built, all I need to have some threat detection. Now I know that I need the four kinds of logs.
As long as I have that information, I should be able to do that. Now, uh, was there any learning there in that data lake world as well that you kind of, 'cause I imagine you guys would've to, to, as you said, for lack of a better word, you're drinking your own champagne, so you are also building your own data lake as well.
What, what was like, what was that like? Yeah.
Ariful Huq: Look, I think, yeah, there's, there's tremendous monitoring. And actually, to be honest, like some of it came after because there were some decisions that the engineering team made and we were like, oh, I don't know why they made that decision, but we were like, oh yeah, it's because they actually wanted to solve this problem in a very, very scalable way.
So, yeah. I can peel the onion a little bit. Like I think. If you think about most people today, if you're thinking about building a data lake, maybe you're considering something like Snowflake or something like that. Like, okay, let's put all this data in Snowflake. Let's run a bunch of queries, right? Yeah.
Um, I think there's a little bit of an order rotation there, to be quite honest, and I'll tell you why. It's because. Vendors like Snowflake, they'll charge you [00:23:00] based on processing. Storage. Cost in Snowflake is actually not something that you should really worry about too much. They actually charge, which is a great business model for them, right?
Because you're doing work, so you're gonna get charged for it. Yeah. Now, imagine you're building a SIEM on top of Snowflake. So every time you run a query, every time you do a detection, anything you do. You're gonna get charged for it. So there, there are some very interesting dynamics here, right?
So, so for us when we thought about kind of solving this problem, we had to think about, okay, how can we decouple ourselves where we can leverage this technology? Snowflake is incredibly valuable for us. It plays a really critical part. But at the same time, when I'm trying to solve this problem in a scalable way, where.
I need hot and cold storage. I need to think about hot very differently. I don't have to go back to Snowflake, right? So we had to come up with a, a kind of a, a different database architecture where hot data stays in memory really fast, in querying, uh, in, in memory querying for for this data.
Then cold storage, we leverage a combination of, uh, Snowflake plus [00:24:00] Iceberg, which can work on top of S3 for historical data. Right? Yeah. So that, those are some choices we made. And, but again, even if I step back a little bit, why did we even make these choices? Because at the end of the day, like there's trade-offs you end up making in terms of cost.
Versus, you know, how much data, and I think these are choices people have to make today. Right? Yeah. You know, to your, to your earlier point, SIEMs have existed for some time. Um, why should we even rethink some of these things? The things that we are hearing from some of our customers you know, a lot of our customers they start with the, they have an existing SIEM.
They leverage us as a technology alongside of SIEM. Yeah. But one of the things that we're learning from some of these customers, I'll give you two examples. One is. An existing customer has a SIEM. They start to send all of their cloud data into their SIEM, and they realize that the SIEM bill is just growing astronomically, and then they're like, you know what?
This architecture isn't working for us. I need an augmentation technology because at least for the foreseeable future, I can save. A significant amount of money by just removing that those [00:25:00] cloud logs away from my existing SIEM and they've leveraged our technology. Just, do some of those things.
That's one example. Another example is, it is a flip side. A customer who, who was scared, they didn't want to put their cloud logs, in their SIEM they put it all in S3 and they were using Athena 50 to one hour, 50 minutes to one hour to run queries in Athena. Wow. Right. That's the pain that they're running into because they wanna save money.
They wanna put all these logs in their, uh, in their sip, right? So then obviously they actually, in this case, they actually, this customer had a EG agreed to issue, which we helped them with. We onboarded all their logs into, um, our system did a lot of the work for them. It helped 'em through this problem, but.
All that to say, these are some of the choices that people have to make. These are the choices we had to make, right? Like cost versus performance and some, innovation that we've done here. Like being able to think about in-memory data for hot querying of data as well as cold storage for historical purposes.
Ashish Rajan: I think one thing I'm taking away from this is that SIEM, or sorry, security [00:26:00] operation as a field is constantly processing. It's a, it's almost like, I mean, we talk about real time so much in, uh, SOC so to your point about if you have a data lake, like, I'm just gonna use a Snowflake example. The places where people say, oh, having a data lake is quite expensive.
And because I'm hearing a lot of security will say that Snowflake expensive is because, to your point, I, I didn't realize this, but because the constant processing.
Ariful Huq: Correct.
Ashish Rajan: It's not the data, it's like live feed is coming in. I want runtime data right now. Exactly. That's being processed every second.
So no wonder it's costing so much to do that, whereas on the,
Ariful Huq: The real time data processing is the critical thing here. Yeah.
Ashish Rajan: Yeah. 'cause I mean, security operation as a, as a team field, whatever you call it. It relies on the whole runtime security. It wants it to be more real time. As real time. If it happens right now, that very second, I want to find out and I'm like, oh yeah, I didn't even think I guess to your point on the flip, when [00:27:00] engineering and other people use it, they're not using it for constant processing.
They're like, applications running fine. I'm like, oh, there's very different approach. And I think maybe. This is where the, maybe the data lake is a, is a very different conversation. I wonder if it expands onto some of the other, uh, like the detection and stuff as well, where I'm trying to build some detection.
'Cause I, I also find detection coverage as a whole. And obviously you need to be a certain stage of an organization to be getting new detection, but detection, coverage as a whole, uh, as as a whole seems to have some blindside as well. A lot of SIEMs may not have integrations to everything. And I, I, I wonder if you had some thoughts there as well as you guys were building all those capabilities.
Ariful Huq: Yeah, and I, you know, it's, it's again, incredible learnings, right? And I would say in detections, what we are seeing most organizations is specifically, you know, you brought up the whole point of SaaS, right? How is SaaS impacting the SOC? I think like, you know, think about GitHub, think about OpenAI, Snowflake,
Google Workspace. These are [00:28:00] incredibly important data sources, critical data, you know, is sitting in these data sources, but actually none of them that I mentioned, if I'm, if I am correct, none of them have native detection capabilities. GitHub has no native threat detection capabilities, right?
So you, if you have a personal access token, SSH key you know, somebody takes it, it's compromised. You know, you, you got, you gotta have your own detections to go figure those sorts of things out, right? So what we realized is there's an opportunity for us to help these organizations with detection coverage specifically when it comes to these sources.
Like, so for like endpoint email, it's a solved problem, right? For that we actually don't go try to build detections for endpoint email because hey, CrowdStrike, SentinelOne, they're doing a really good job. Let's go ahead and use that, right? Email, we got a dozen solutions, so we focused on SaaS. But I think to come to your point.
Let's think, think about the example of SIEM and, you know, how could you have used a SIEM, uh, versus some of the things that we're doing. I think it really boils down to domain specific [00:29:00] understanding of data, because if you're trying to build detections, you really need to understand these data platforms, right?
You almost, you can think about, you know, GWS has, it has its own intricacies. GitHub has its own intricacies. You need to understand the events. The resources are in every single one of these data sources. And by building that domain specific knowledge, which, you know, I, I, the way I categorize this is you build domain specific knowledge by not looking at just the audit log data, but the config, the resources and everything, right?
And in GitHub it's actually code context as well. By building this knowledge, you can build very good detections, right? Yeah. And it's still very difficult, right? You have to understand, these. In the case of GitHub, you have to understand personal access tokens and all these things. And then you have to figure out how could we detect potential anomalies.
So now you have to build statistical models on top of these things, right? And then you have to figure out what is potential anomalous. So we have actually invested a great amount of time doing this work 'cause we think it's valuable and we have the data to do [00:30:00] that for you, right? If you try to go do this in a SIEM.
I think you would need a very strong, big data detection engineering team to just go to this. And not all teams will even give you the capabilities to go build anomaly detection. The way I'm thinking about this, right? Like, 'cause it's hard for you to just build rule-based detections for some of these things, right?
Because none of these things are just like, okay, step one, this happens, step two, this happens. Okay, fire. Like no, it's, it's much more complex, right?
Ashish Rajan: Yeah. And I guess the, the important. The key point over there is that having that understanding of, like, I'm thinking even with, from a GitHub perspective as well, people who may have have the fortune of having an enterprise license or GitHub advanced security, even then.
That, assuming that's still limited capability in terms of what it offers and where, how far it can go. 'cause detection is not just about to what you said, uh, maybe a key was compromised, but it has gone ahead and gone into a cloud environment. Something has happened there. You're trying to pull these four or five different strings together to make [00:31:00] some sense of what is happening here or where did this originate to, to even get to the point that there was a secret left in GitHub that caused it.
Yes. It, it's, it's a long key, long kill chain you're trying to follow to get to that point. And I think it, it's worthwhile calling out. 'cause I'm unlike the, the more I am trying to kind of unravel or unwrap this thing for people about the idea of I can just slap a Claude Code and make, build, I talk before or least spoke about so many capabilities that you have to build across.
And I'm thinking more for people who are obviously leading these team, building these teams who have been. Who have a lot of pressure from their higher ups to go, Hey, I use ai. Don't tell, don't talk to me if you're not using ai. Find a way to figure out a AI into this kind of a thing as well. One of the things, and as you kind of touched on this, is the whole hallucinating with the whole answers.
Like, and you kind of said, Hey, use your context. That kind of is a great part. The other part is, and being such a critical part of the organization where we were talking about runtime, you know, realtime [00:32:00] alerts coming in. It's quite important to be able to identify the true positive really quickly and be able to jump on it straight away, which brings up the question of trust and transparency as well.
And in an AI world where we all, I mean, it's like a running joke. It's like the whole. Amazon S3 bucket public joke is the same joke with AI that's like, oh, it's gonna gimme a different answer. Like, you don't want a different answer for the same problem three times. 'cause I'm like, is this a false positive?
Yes. And you ask five minutes later, maybe it is like, what do you think? I'm like, I don't know. You tell me. You have the context. I have this argument with ai how do you find people solve that trust and transparency thing in this?
Ariful Huq: Yeah, look, I think there's no easy answer, right? There's no like magic pixie dust and great you have like, trust in the system.
I think trust comes in a number of ways. And we've learned that obviously it comes with transparency. So you provide every aspect of the decision that you make. So the agent, the decisions, make the [00:33:00] data that it relies on, um, and being able to provide all of that. In your not having to say, Hey, if you wanna know the answer to this, go back to some other data platform, run a bunch of queries, get that data, and then try to correlate.
Yeah, that's really tough, right? That's when you're asking people to do work, do context switching and that kind of stuff. So you have to provide all of the data, all of the relevant questions you've answered to Green, to get that transparency right. That's, I think, transparency is an aspect. I think more than that, it is also the question of like this false positive versus true positive.
How do you measure this? How do you how do you make it better? Right. Yeah. How do you make it better over time? Uh, you know, to start with, we as an organization, we had a dedicated team. We started as a small team, but their entire goal was to look through these detections and figure out as a human, uh, see, hey, is this really a true positive versus this false positive?
And we started labeling. We start figuring, okay, we could make these improvements, we could do that. We could answer these additional questions. That's how we started this, [00:34:00] and what we realized over time is. For some time, like, and again, going back to the example of autonomous vehicles, you didn't see Waymo vehicles drive autonomously for quite some time.
You saw them with somebody inside the vehicle. Yes, that's right. Yeah. That's, so that's the phase that we are in, in the SOC. I, in my opinion, where you still need some, you know, you need people to be driving. Right. We started with that. So we, when we went to customers, we would have a team of people review these things and, and they would be able to figure out, okay, what is potentially mislabeled or something of that nature.
Uh, and what we decided was we were gonna grow that as an MDR team. Okay? So it's a managed detection and response team that helps customers with better outcomes, but it's also helping us build a better product, right? So we invest. So that's one way we help people gain trust, and also for us to build better technology, right?
The second aspect of this is how do you keep continuously learning to get better results? And so that is historical data that you have, like so detections that you [00:35:00] fired in the past. If you ca classify these detections as something that is, you know, false positive, how do you maintain that information and how do you use that information for future outcomes?
So you have to solve that problem. And lastly, it's about context of your environment. We call it business context. So if I go into an organization, can you give me information about your organization that really helps the system understand your business? It can be knowledge bases, it can be what we, you know, you can define it as a prompt in the system, right?
And it really helps the system sort of every time it goes through and troubleshoots it, leverage this, leverages these answers. It's a long-winded answer, but I, I really wanted to, 'cause I, I get this question from customers as well and I like the answer is there's no easy answer, right? Like, it's, it's a combination of all these things that we end up doing that helps us, get better results over time.
Ashish Rajan: If the future is like more AI coming into more parts of security, uh, should people start rethinking [00:36:00] how they build SOC teams and architect this thing as well?
Ariful Huq: Yeah, it's a, it's a good question and I think this is where, it's been, it is really good learning for us when. Kind of taking what we built going into the market.
Right. Uh, I really think, you know, having heard this from a few customers that we're working with now, that I would, would consider, you know, these growth stage companies that, just like what you just said, it's like, Hey, if I, if I were rethinking this how should I think about it? Right? Yeah. And I was kind of asking them the same question, and I think the, the answer is like, Hey, you know, I built a SOC in the past where I bought a SIEM.
I hired detection engineers, a hired analyst. And I know what it takes to go do that, right? Huge upfront investment in terms of capital headcount and potential value may not come for a little bit of time because yeah, when you're thinking about staffing and building tooling and operationalizing, it may take you more than more than a year, right?
So they're like, they're rethinking this process. They're like, how do I think about [00:37:00] this in the age of ai, right? How do I think about an AI native platform that can augment my small team and my small team is not a team of analysts. My small team is a team of what I I'm starting to realize is full stack security engineers.
These are engineers that perform all of the other security engineering tasks, but they are, they, they're leveraging technology to help them on the operation side, remove all of the mundane work, remove the things that you typically have to end up doing, but you're actually doing the real high quality work in terms of actual threats and things that you want to go look at.
Right? So I really think the, the future is. Security engineers become full stack. You're not an analyst. Like, look, your best analyst doesn't want to be the guy that's just looking at investigation, doing investigations. Your best analyst is probably somebody who's incredibly valuable for the organization in many other ways, right?
So how do you use that person to do other things within the organization? Obviously you can leverage technology like this. And I, I think the other thing that I thought [00:38:00] about is specifically like even for myself, right? Like you wanna be a builder. So if you're in the SOC, leverage AI to be a builder and a better defender, right?
Not do the mundane tasks. So I think these are things that I see, security leaders think about, right? When they hire individuals, at least the, the organizations we're working with, they're where they're rethinking this. They're not hiring analysts. They're hiring individuals that, that can perform all these tasks, right?
Because they're gonna leverage a combination of human talent and ai.
Ashish Rajan: Do you, so do you think that, uh. Place where SOC is going in 2026 is a lot more engineers, like secure engineers who are a lot more full stack or maybe a bit more experienced in. It's not I guess to your point, after a certain point, the, I wouldn't wanna say level 100, level one, but more like the initial bits of true positive, false positive, that that.
Thing that people used to hate about security operation, analyst job and find, trying to [00:39:00] identify a true positive or a false positive in the middle of the night is probably even worse 'cause you're like 24 7 on as well. Correct. Um, and especially when you have an AI agent which can do that, I almost feel like, uh, I can see why there is this excitement for a lot of security operations teams to feel that, hey, maybe I can AI agent this thing and I don't have to be awake at 3:00 AM.
And a lot of that kind of, this conversation kind of came out of that thing where I want people to love their job, but at the same time I also realize there's a reason why the SOC analyst tenure is so small, because no one wants to be a night shift person for the yesterday life. Like as exciting as it may sound.
So for people who are kind of reimagining this to what you said about looking at engineers. Who are, I guess I, I guess I'm, what I'm going with this is that what kind of people should they be hiring? Is it a full stack engineer as well? Because obviously you have, obviously you have bigger goals 'cause you're building the product yourself.
But on the other, on the flip side, a lot of people, that's just a function in their organization. [00:40:00] So should they be still considering a full secure engineer who kind of is like cross? I don't know. I obviously cannot be an AppSec person. Well, I don't know. It'll be really amazing if like a SOC person, AppSec person, everything combines into one.
But what kind of people should they be hiring for in that new world?
Ariful Huq: Yeah. Look, I think, uh. The, I think it is going to be my, the way I see this is it's a com, it's a talent that is cross-functional in nature, at least in these small organizations. The way I'm seeing it, um, I don't see in a lot of these small organizations, you have dedicated analysts.
And I'm, and we're working with a number of them right now. Yeah. Right. Uh, so these are organizations with, I would say a head of security, maybe two to three people or even a bit more, maybe even three to four. Uh, yeah, but not a dedicated. Operations person, right? A person that, uh, and this is an individual.
They have engineering tasks and they have the operations tasks they're leveraging. So I think it's a, it's if, if you think about it, if you're a CISO, like you're start getting this off the ground you you're gonna get questioned on how much headcount you're gonna go [00:41:00] have to hire, right?
Mm-hmm. Uh, and so it boils down to how can I be much more efficient? Right? So, so, yeah. So my, my answer is yes. I think it is gonna be someone who has a combination of talent, and I think it gives the analysts. People that have been analysts in the past, the freedom to think about, I don't have to be just an analyst anymore.
I can be much more than that, right? So I don't, I'm not saying that, you know, just because you're an analyst, no. Your, your job is at, at stake. I, I think it's, and it's opportunity for you to actually do many of the things to leverage the talent that you have. Uh, in performing many other tasks that you typically weren't given the ability to perform?
Ashish Rajan: That's right. I think, uh, in all the conversations that I've had with multiple companies across Fortune 500 as well, it's the junior staff that have had the most, or not junior, but the people who have a bit of experience, like two to three years experience. They're the ones who are. Getting the most value from all these AI tools because they kind of know something.
They have the drive that I want, that senior role, but I've been in the industry for a couple of years and I wanna be able to go to that next level. [00:42:00] And to your point, maybe it's from a analyst role to a senior analyst or a principal analyst role. And I think you know, the questions to ask, you don't wanna bother your senior person.
So these, that's definitely a great opportunity for them to go down the path of, I can obviously talk about, uh, this whole agentic world for a long time. But I also wanted to ask you, that's the tech questions I had. I've got some fun questions for you as well. I've got three fun questions, which is the first one being, what do you spend most time on when you're not trying to solve agent AI problems in the world?
Ariful Huq: Oh, man, that's a, that's a tough one because when you're building a company, it's 24 by seven. But yeah, look, I do have other passions. I love running. It's my way of sort of like. Just zoning out a little bit. So, I. I, I'm kind of religious about running five to six days a week and so I do spend on the Saturday mornings, you know, going out for a long run and enjoying nature.
And I've got kids, so I've got a, I've got kids and a family, so I got spend, I have to spend some time with them. So, honestly, like that's really my life. Like, it's, it's building the company. It's [00:43:00] pursuing some passion that I have, which, you know, at this moment it's, it's been running. And obviously spending time with my family.
That's really fair. I mean to say, I'm not trying to dissuade any founders, but you know, that that is the reality.
Ashish Rajan: The balance is quite hard. Yeah. Fair. I mean, the second question is, what is something that you are proud of that is not on your social media? Yeah, I think it could be anything because like some people say family, some people say, I mean, obviously everyone has different kind of experience in their life, but whatever comes to top of mind.
Ariful Huq: I can't, it's a tough one for me to just think about off the top. Honestly, I'm not a big social media person, so I mean, my, my biggest thing is on LinkedIn so I'm not on Instagram. I'm not on Facebook. Actually. I'm not on Facebook.
Ashish Rajan: Well, you're already, you're already Gen Z, man, but so far moved on.
Sorry. I've moved on. You've moved on. I think you've moved on way before the, I mean, all the, uh, the boomers and the millennials are still hanging out or holding onto to Facebook as it's like that's a place to hang out. I mean, but I mean, it's, uh, [00:44:00] yeah. I mean, it's different for different people.
So I, I appreciate you that the final question I have for you is, what's your favorite restaurant or cuisine that you can share with us?
Ariful Huq: Yeah, I think, you know, I've traveled, I've had the fortune of traveling quite a bit. I really love Mediterranean cuisine. Oh, so I think, uh, one of my favorite food destinations in the world is actually Turkey.
So yeah, I, I really think the flavors and how it all comes together is amazing. So, yeah, I, I'm a big foodie by the way, so. We should definitely talk about food more.
Ashish Rajan: Yeah. We should hold dedicated episode on, I mean, I, I, at this point in time, I was being told after six years of getting everyone's food choices, I should just write a blog of like the, the favorite cybersecurity, the, the, the favorite food choices for most cybersecurity people.
Like I can run LLM over right now and figure out what the patterns are, the favorite restaurants as well. Um, but I, I think I agree on the whole, uh, Turkish food as well, because they had this, I remember. That was the only place that we were catching a flight from our, my wife and I were catching a flight from, I think [00:45:00] Portugal to um, oh, geez, Istanbul.
And people were having milk, like grownup adults for having milk. And I was trying to figure out why are they, oh, they're not having milk. Yeah. And I'm like, what's this? They're having ku, right. Adults are having, I'm like, I understand kids having milk. But then, I mean, and for people who kind of are from that region have gone there, they probably would know this.
It's like this. Because as a country, Turkey doesn't have a lot of vegetables and stuff, so that's, this is like their fiber, for lack of better word. It's like, not ka they call it, they call it something. It's like basically it's like a made drink that you have with food because you're eating so much meat and everything else, you need some fiber.
Uh, oh.
Ariful Huq: There's, they, they also have this alcohol, which is, is very milk. It's this, it's got a murky color. I don't know if you've had that. Yeah, I,
Ashish Rajan: I know I just can't remember the name of it. But essentially, for people obviously who listen in or tune in into food, I'll definitely recommend checking out this milk drink that adults have in, in Turkey.
I've had it. Yeah, yeah, yeah. Oh, yeah. I, I can't remember. Like, remember, it's a yogurt. It's a yogurt. It's actually, it's yogurt based. [00:46:00] Yeah. Yeah. It's not a smoothie. It's not, it's like a literal, it's hard to explain.
Ariful Huq: It's like, it's like lassi, but it's not sweet. It's uh, it's the salty version.
Ashish Rajan: Yeah, yeah, that's right.
I just can't remember the name of it. But essentially it's like that you just see adults having like grownup adults, like really older people and like, and I'm like, I just got so curious. I was asking the a, what is this thing that these people hang? Like, oh, you mean, oh, I clearly, I can't remember the name of it, but essentially Oh, like, oh yeah, that I'll have that.
And I'm like, to what you said, it's like, oh my God. Like it's de like it was definitely. It's gonna bother me for a while. But anyway, people who, uh, go get to this part of the episode and find out and they remember the thing, please leave it as comment. I'll remember it by then. But dude, uh, where can people find out a lot more about what you're doing and just to connect with you.
Ariful Huq: Yeah, uh, look, I'm on LinkedIn, so obviously you can look me up there. Company I'm building is exaforce.com. So, you know, feel free to visit us. Uh, we have product tours. We'd love to tell you more of what we're doing here.
Ashish Rajan: Yeah. Awesome man. And I'll put those links in the short. But thank you so much for joining in and thank you everyone for tuning in as well this [00:47:00] next time.
Thanks guys. Peace. Listening are watching this episode of Cloud Security Podcast. This was brought to you by Tech riot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security Podcast tv, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify.
In case you are interested in learning about AI security as well. To check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk. To other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.
You can check that out on cloud security newsletter.com. I'll see you in the next episode,
please.