The 4 Pillars of AI SOC: From Threat Hunting to Vibe Hunting


Threat hunting has officially evolved into "vibe hunting". However, if your AI security tools lack the right semantic context, they might be doing more harm than good. In this episode, Ashish sits down with Aqsa Taylor, Chief Security Evangelist at Exaforce, to discuss the rapidly changing landscape of Security Operations Centers. Aqsa explains how her team coined the term "vibe hunting" after autonomously tracking IOCs and exposure windows during the nationwide attack. We also explore the limitations of upstream detections, highlighting complex threats like the HackerBot Claw pull-request manipulation, TeamPCP NPM supply chain attacks, and APTs posing as fake employees on Google Workspace. If you are navigating the noise of the 54+ new AI SOC startups, Aqsa breaks down the 4 Pillars of an AI SOC (Triage, Detection, Investigation, and Response) and speaks to the "Build vs. Buy" debate regarding internal security tooling.

Questions asked:
00:00 Introduction to AI SOC and Vibe Hunting
02:40 Aqsa Taylor’s Background at Twistlock, SACR, and Exaforce
03:40 The Origin of "Vibe Hunting" and the Iran Striker Attack
09:30 Why AI Hurts Without Context: The HackerBot Claw Attack
12:30 Hunting North Korean Fake Employees on Google Workspace
14:20 SaaS Detections and the TeamPCP NPM Supply Chain Attack
18:40 Navigating the Noise of 54+ AI SOC Startups
20:30 The 4 Pillars of an AI SOC: Triage, Detection, Investigation, Response
28:40 Automating Response: Containing Credential Stuffing Attacks
33:00 The Build vs. Buy Debate for Internal AI SOC Tooling
39:30 Building Confidence in AI with Semantic Knowledge Graphs
44:20 Fun Questions: Content Creation, Family, and Korean BBQ

Aqsa Taylor: [00:00:00] AI can help, but it can also hurt without the right context.

Ashish Rajan: And people realize, "Oh, if I shut down a production machine, it's a bad thing for security, so I should not do that." I don't have the context.

Aqsa Taylor: We saw a credential stuffing attempt where there were, like, 309 authentication attempts across 14 accounts, where people joined as employees and they were not really legit employees, threat actors.

Aqsa Taylor: They could copy the contents and then share the copied file with external, and you would not see that as a shared event because you're seeing the main file. There's over 54 in the startup world, and then I'm not even counting all the traditional platforms who have pivoted to AI SOC. The messaging-

Ashish Rajan: I am actually employing people to build a product in my own company.

Ashish Rajan: Is that what I'm going towards?

Aqsa Taylor: That's the level of, uh, attacks that we're seeing with AI in the mix. You need to make sure that you're equipping your defenders, your team, with the same advantage that the attackers have.

Ashish Rajan: Vibe hunting. Yes, you heard that right. [00:01:00] Threat hunting has now evolved to vibe hunting, and a lot of people who have been addressing the AI SOC problem, at least how you can augment the SOC world with AI, whether it's cloud challenges or your email challenges or everything day-to-day that a SOC team deals with.

Ashish Rajan: I had a conversation with Aqsa Taylor from Exaforce, and we spoke about vibe hunting and how much detection and threat hunting has changed, the four pillars that people think about when they think about adding AI to their SOC and what that would look like, and how far you can actually go with an AI SOC today, and what are some of the questions you should be thinking about as you build the AI SOC capability in your organization, whether in your team.

Ashish Rajan: All that and a lot more in this podcast episode. As always, if you have been tuning into the podcast platform for a second and third time and have been finding it valuable, I would really appreciate if you take a quick second to drop a follow, subscribe whichever podcast platform you're listening or watching this on.

Ashish Rajan: We're on Apple, Spotify, YouTube, LinkedIn. I really appreciate the time you're taking to hit the subscribe button. [00:02:00] Means a lot because we're almost close to 200K subscribers across all our platforms, so really wanting to hit that number and really appreciate your support in helping us get that. I hope you enjoy this conversation with Aqsa, and a huge shout-out to Exaforce for sponsoring this particular episode of the podcast.

Ashish Rajan: Talk to you soon. Peace. Hello and welcome to another episode. I've got Aqsa with me. Hey, Aqsa, thank you for coming on the show.

Aqsa Taylor: Thank you very much for having me, Ashish.

Ashish Rajan: I am... Well, I was gonna start with, uh, with a question straight away, but maybe a great place to start would be if you can just share a bit about yourself, your pr- professional background.

Aqsa Taylor: Sure. I'm, uh, Aqsa Taylor, chief security evangelist at Exaforce. Prior to this, I was chief research officer at an analytics firm called SACR with Francis Odum, and I wrote a lot about cloud security research and security operations research, operating SecOps platforms like SDPPs and SIEMs and AI SOC categories.

Aqsa Taylor: And before that, I spent a considerable amount of time in product management leading Twistlock, which was acquired by Palo [00:03:00] Alto Networks, Prisma Cloud, agentless scanning, and all of those workloads. So excited to be here today.

Ashish Rajan: And, uh, well, glad to have you. Uh, I was gonna say, how did you end up on the whole vibe hunting world then?

Ashish Rajan: What was the, what's the vibe hunting so we can describe to the audience first?

Aqsa Taylor: Yes. So vibe hunting did not come from marketing. Actually, it came from our SOC team. So I cannot take credit for that term because it wasn't me. But what happened was the, uh, Iran Striker attack happened, and we have our own SOC team. We have our MDR team, and we run our own platform for our SOC as well. So then I was looking at the channels and the MDR team, they were actively threat hunting, uh, and seeing if anyone's impacted from our customers, from our own environment and all of that.

Aqsa Taylor: And they did it so fast, and then they had these reports, and then they were like, "Okay, here's, here's the entire, like, end-to-end report of what we did, what we are and all, [00:04:00] and here's all the IOCs, and we're like, automatically, uh, using automation agents to threat hunt as new IOCs are updated." And I said, "I wanna learn more about this.

Aqsa Taylor: How'd you guys do it?" 'Cause I know that in our organization, this would take you hours and multiple team members and maybe even days to produce these in-depth reports. And so that's when I got introduced to how they were using Exaforce, the AI SOC platform, and Claude to finish this end-to-end flow. So that's what inspired me, and that's when they said, "Oh yeah, we're vibe hunting, like vibe coding."

Aqsa Taylor: And so it became... I was like, "Ah, vibe hunting. I like that."

Aqsa Taylor: Yes. So that's, that's essentially it. If you're using AI for code development, it's vibe coding. If you're using AI for threat hunting in SOC, vibe hunting.

Ashish Rajan: Uh, and so for context for people, what was the Iran striker thing? Like, w- and just to... It doesn't have to be a deep analysis of it. It's a high level.

Aqsa Taylor: Yeah. They they were looking... There was an, a [00:05:00] nationwide actor that was targeting certain health institutions, and when it first came out, there were some news articles that covered it, and there were particular endpoints and IoCs- Yeah

Aqsa Taylor: that they put together, and we had to... But the news was coming in waves, so there were newer endpoints that were being added and to the list of IoCs and stuff. So the difficult part was you, if you, in a traditional world, you would have to follow these articles, follow these research repo- uh, blogs or, you know, Substack or whatever to update these IoCs, update with these new endpoints and see if you have any any ins or check your logs and query your SIEM platform.

Aqsa Taylor: But in a tradition- in a vibe hunting world with platform like Exaforce, you were able to create automation agents that will do that for you automatically. So you would just point it to like, "Hey, these are some trusted sources," and as soon as there is new information on those trusted sources, you automatically add that to your detection logic, and you're now [00:06:00] looking for those IoCs continuously without a person having to dedicate his time.

Aqsa Taylor: But at the same time, while you're doing that, also checking your entire exposure window across your environment to see, like, if there is any resources that are at higher risk. So that kind of information doesn't come from just events. That kind of information comes from configuration and posture and context.

Aqsa Taylor: So we were mixing these two things. One is the events flowing in, if there are any access points or any requests coming in. But on the other side, there was also this posture information coming in the mix. So we were, we were adding both of these contexts to show that, "Hey, this is what your environment looks like.

Aqsa Taylor: You may not have events, but here are some exposure windows that you need to take care of." So that's what having AI in the mix helps you helps you finish. So you may have a hypothesis on your own, but to do the actual threat hunting and to validate that is, is difficult if [00:07:00] you're just doing it manually and in a traditional way.

Ashish Rajan: I appreciate you sharing that the insight because when you mentioned the vibe hunting part and, uh, I thought of it more like how is that different to, say, threat hunting or detection engineering?

Ashish Rajan: It's not the-- like, as in, is it a combination of AI SOC and a Claude that's making this vibe hunting different from threat hunting and... Well, I'm saying a lot of hunting now. Threat hunting, detection, how is this different? Let's just say that.

Aqsa Taylor: It's just a fun word at the end of it, right?

Aqsa Taylor: Like you- Yeah ... you wanna differentiate how much the extent of AI that you're using in your, in your traditional process. So when you say vibe coding you know, your, your skill levels are, are still there, but you're using AI to make it faster and easier, so you can maybe push commits from your phone and such.

Aqsa Taylor: So- Yeah ... threat hunting, it's a similar concept with vibe hunting. It's not that we're taking away from your traditional knowledge of threat hunting, but we're [00:08:00] equipping you now with tools that make your, um, traditional journey faster and efficient and something that you can rely on with higher confidence as well.

Aqsa Taylor: So not just using an open source tool that may hallucinate, but using something that has your business context already and can make those explanations for you.

Ashish Rajan: Sure. And I guess your point is the combination of having the right kind of data and using the AI capability with it to be able to respond quicker as well.

Ashish Rajan: That, I mean, 'cause I guess to your point the way I th- looked at threat hunting or detection engineering, it had this laborious process of me having a hypothesis that, uh, just take the the Striker example you were sharing earlier. I have a hypothesis, this is how it's working. I have to go down multiple rabbit holes to figure out what that is and to what you said earlier, it takes a army of people to even get to an understanding and then get to the technical detail of it, and then to make a report from it.

Ashish Rajan: But AI just kinda helps you speed up [00:09:00] a lot of that process, uh, especially if you have the context and the right kind of information. Whereas something like detection engineering or threat hunting just builds on the hypothesis. Without AI, it's basically like what we have known and loved as traditional threat hunting before.

Aqsa Taylor: Yeah. And I think we should be careful here because AI can help, but it can also hurt without the right context.

Ashish Rajan: Ooh.

Aqsa Taylor: So if you are using AI for like, like a lap- wrapper around your events and you're just like, "Hey, tell me what's like pri- high priority," as an example, it may go off of severities or scores from your existing tooling.

Aqsa Taylor: But if it doesn't have the right context, and I keep going back to context, and I can give an example, Sure ... from a recent attack as well. But before that, if it doesn't have the right data to make that decision, then you're, you could miss an important alert in between false positives, right? Because it's just going off of event prioritization and not taking that semantic [00:10:00] knowledge layer into account.

Aqsa Taylor: Now, a recent example is also the HackerBot Claw attack campaign, right? Mm-hmm. In that we saw that it wasn't a code vulnerability that was exploited, it was pull requests, which is not typically something that you would be alerted on. You would see like repo vulnerabilities through a scanner or such, but tracking, hey, this version change request that came in is it malicious?

Aqsa Taylor: Is there a malicious payload that is a part of it? That's the level of detection that we need in today's world. That's the level of attacks that we're seeing with AI in the mix with HackerBot Claw attack campaign. And in that particular example, there was one instance where whoever is using Claude to auto merge these requests, uh, the payload was able to manipulate Claude instructions, and so the README file was updated and such.

Aqsa Taylor: Like what it really means is that if you're using AI in the mix to make- Mm-hmm ... your process easier, there is still a risk that you have to be aware [00:11:00] of. It's not just making things faster, but accuracy and the explanation behind things, all of that matters. So even before we move into AI, I think the data model on which the AI runs is so important to be able to then trust the AI agents.

Ashish Rajan: Interesting.

Ashish Rajan: Wait, so 'cause I was gonna go ahead and go make an assumption there that, or if I am a SOC analyst with an, a Claude subscription, let's just say a max plan. I don't even know, enterprise plan, just say that. Well, that would've been good enough for me to kind of recreate and like I don't even know how far can we go?

Ashish Rajan: 'Cause I think you m- raised a good point about the context piece, where I may assume that I have access to Jira or I have access to a, I don't know, a Splunk SIEM provider, all of that or Databricks or whatever you wanna call it. Like some kind of data source. I'll just say that. And I, I, I believe the information is kind of accurate, but I think what you said is interesting that, hey, you may have access to [00:12:00] the SIEM, you may have access to Jira, but the way I may use, say, something like GitHub is just not what I would assume is a misuse until you kind of know the deeper context of it.

Ashish Rajan: L- am I getting that right?

Aqsa Taylor: Yes. And in fact, we have a Substack where people like practitioners can share their stories. And I have an article from an MDR person who says, "Hey, how I hunted TeamPCP using Claude."

Aqsa Taylor: But it's not a full solution. Yeah. If you're looking for just smaller scripts, automation, something that you could do on your own if you had that context, but you do it, you just wanted to do it faster, you could use Claude. But remember that Claude only working based on of data that you are feeding it.

Aqsa Taylor: So if there is new information coming in they are based on the data that you give. Yeah. And then they are performing, uh, whatever scripts and stuff that you're doing. In a proactive model, the data is like a living [00:13:00] graph. So I'll give a small example, like North Korean APT, right? Where people joined as employees and they were not really legit employees, threat actors.

Aqsa Taylor: And they're doing things that may seem normal, but they... But it's suspicious, like maybe, you know, copying files in Google Workspaces, downloading and all. But how do you catch that activity? Like, who's copying your sensitive files in Google Drive? If they have access to that folder, that's what you would see in a normal, like, event.

Aqsa Taylor: Like, okay, they have access, they have these permissions. Yeah. But what are they doing with those permissions? They could copy the contents and then share the copied file with external, and you would not see that as a shared event because you're seeing the main file. So information like that is so critical in making these making these decisions, but oftentimes this information is not available in a traditional platform.

Aqsa Taylor: So that's where you face these issues where [00:14:00] you're relying on your upstream providers to give you some events that you can then triage. But in a proactive model, you're not waiting for those events to pop up. You're actively, proactively looking for things like this that could end up being a risk to your organization.

Ashish Rajan: And I'm curious, what was the TeamPCP thing as well? 'Cause I think we obviously mentioned the HackerBot Claw was more driven from a GitHub Claude, uh, merge. What was the TeamPCP one? 'Cause they seem to have done a few.

Aqsa Taylor: That one, right. All right. Uh, that was a supply chain attack. Again, GitHub in the mix, uh, NPM package, and this is a very, uh, well-used package with a lot of downloads and such.

Aqsa Taylor: So this again goes back to how are your SaaS detections in a traditional platform? You are getting events from your EDRs and all of those, but now we're looking at attack types that may look very normal looking activity or, or, you know, so you need that visibility even from your code [00:15:00] repositories, from your GitHub applications, and you need all of that.

Aqsa Taylor: Typically, this would live in your CNAPP platform, in- Yeah ... your CDL platform or so. But bringing that more towards the right where you have your AI SOC platform or SIEM platform or whatever you call AI SOC, I think it's such a broad term now. SIEM is also probably AI SOC. SOAR is probably also AI SOC. But we'll get to that later.

Aqsa Taylor: But bringing those to the place where your SOC analysts are threat hunting and looking for these looking for these signs is so important because then, only then you can have full visibility. And a lot of times this kind of stuff is not visible in a traditional platform.

Ashish Rajan: And do you find that the-- So to your point, 'cause we kind of have touched on quite a few things now.

Ashish Rajan: We've touched on the supply chain with, uh, the NPM packages you spoke about. We also touched on the GitHub actions. We also touched on the, the North Korean, uh, employee, fake employees who look like real employees but not really fake employees. Sorry, are really fake employees. W- I feel like [00:16:00] it's funny, uh, g- uh, the, the-- Before I walked into this conversation, I wanted to kind of look at as based on the newer models that are coming up, like we have now, I don't know, it feels like every few months we are releasing a-- We are hearing a newer model come out, the more powerful they get.

Ashish Rajan: Mythos even isn't even out yet. So having access to a powerful frontier model does not change any of this talking about the fact that the supply chain is a problem, uh, which I may not see normally as myself as a human or GitHub actions as a thing I may not see as a human, um, or the, the North Korean fake employee that I-- that is there as well,

Ashish Rajan: which looks like normal to me, but it's clearly not d- normal because their behavior is different. Would having access to a more advanced model change make that easier? Or that doesn't change the fact that we still require all the context around it?

Aqsa Taylor: As a defender, having access to advanced models, definitely a pro because then your agents are helping you [00:17:00] see things that you may not see, like you mentioned earlier.

Ashish Rajan: Yeah.

Aqsa Taylor: But at the same time I think we're not saying let's replace all your team with agents. All we're saying is let's amplify, so you're focusing on approving the response actions, as an example. Or you're focusing on hey, there is, there's this news that came out about this new vulnerability or attack- Mm-hmm

Aqsa Taylor: and I wanna know if I'm liable to it, if I'm susceptible to it, and you're not waiting for stitching that information across different platforms. You're not waiting for writing those queries and making sure those queries are covering everything. So those are the parts where something that's novel, something that has that context, something that's faster can help you.

Aqsa Taylor: But at the same time, if you have no clue at all, and if you can't judge if the output from this model is correct or not, then there's a problem. So I think there is still a level of skill that's required so that you can make the call [00:18:00] and judge whether the AI platform you're using is capable of giving you that high confidence results.

Ashish Rajan: And I think to your point, high confidence result can only come in when you have the right context.

Aqsa Taylor: Yes. So I go back to this because it's... So many people talk about AI and LLMs and, and everyone is AI SOC. And it's, it's fine. Maybe we all are AI SOC, but let me ask you, Ashish, what are the three big things you hear when you hear AI SOC?

Aqsa Taylor: What are the words that come to your mind?

Ashish Rajan: Oh, uh, I would say one of them is level one SOC is uplifted in the sense that the triage activity of that is pretty much done. The other thing that I hear quite often is that now your level one can elevate to level two. I'm still yet to see a proof of it, but apparently that's what being said.

Ashish Rajan: And the third one that I keep hearing is that there are 50 plus vendors in this particular space, which one do I take? So, uh, those are the [00:19:00] three things that I keep hearing. Uh, in terms of no one's talking about confidence score, so this is a good thing to actually talk about confidence score.

Aqsa Taylor: Yes. So that is right, and that is what the practitioners are hearing as well, that every traditional platform that has AI is now AI SOC, and there are more than 50, I think there's over 54 in the startup world- Wow

Aqsa Taylor: in AI SOC. And then I'm not even counting all the traditional platforms who have pivoted to AI SOC messaging more recently. But the idea that AI can be used for false positive reduction and triaging is fine, but that's limitation. I think we should look beyond that. If we're just looking for triaging and all, like yes, there's a lot of platforms that will do it, and they will use the AI as an LLM orchestrator to get you those, uh, priorities.

Aqsa Taylor: But where defenders really need help with AI and where AI can give a lot more is level two threat [00:20:00] investigation. I know you're- you want to see it. Maybe you should take this Impossible challenge. Yeah. But what's important is how do you get that level two knowledge? How do you get that experience that a, a level two analyst would have to make those calls?

Aqsa Taylor: And that's where we tie back to what kind of data is this AI model depending on to make those prioritizations. So if we look across the four pillars: detection, investigation, triaging, response. Let's start with triage, right? Easy. Yeah. Most platforms can do it. You've heard this too, because they're just looking at events that are coming from upstream providers and then adding some layer of enrichment to it, some normalization, and then showing you, like, what's important.

Ashish Rajan: Yep.

Aqsa Taylor: Done. Detections. We just talked about examples like HackerBot Claw and TeamPCP NPM supply chain attacks and things like that where, where a client file was modified by TeamPCP. Now, these kinds of things require additional level of detection layer than [00:21:00] like a traditional platform can probably provide you.

Aqsa Taylor: That means you're not just depending on your upstream providers for those detections, but you immediately have a model that can look up and actively provide these detections in addition to the upstream provider events. So that's where I think AI platforms, if y- with the right context, can look beyond what is available to you.

Aqsa Taylor: And then like SaaS applications, GitHub, Okta, Google Workspace, Slack, these platforms or, or even your HR, HRIS system. These platform dr- platforms are typically like considered a completely different category. But for attackers, it doesn't matter, it's a way in. So your SOC analyst should need visibility like, "Hey, what are..."

Aqsa Taylor: An employee that was just hired, it's not just the baseline behavior of this employee that he's matching, but also the baseline behavior of his peers within the same team. Is he doing something different from what his peers would do? Even though that may not be an anomaly for his ano- his particular [00:22:00] baseline, but it's, it's an anomaly for the team, so you still need to investigate it further.

Aqsa Taylor: So things like that, that identity mapping, those relationships need to be a part of those detections that you see. Investigation, right? So again, threat hunting and not just querying. So looking proactively at creating automation agents or things like that, that are acting like your threat hunters, your mini...

Aqsa Taylor: maybe your threat hunter minions or so, that are dividing these actions between them to look, proactively look for threats instead of waiting for the events, uh, or when there is a new attack, waiting for some other platform to provide information or events to then prioritize and triage. And then the response, right?

Aqsa Taylor: This is such a conflicting concept or pillar because people are like, "No, there is no autonomous SOC. There's no autonomy. No, we can't have response at all." But I actually have customer testimonials, and, and these were recorded in during [00:23:00] RSA panel, where people said like, "This is how we use the response agents, and it's made our life easier."

Aqsa Taylor: And yes you have... You get that confidence only if the other three layers have built up your trust. And so that's where I believe that 2026 is heading, is that we're going to see people move beyond the level one, level two triaging, and people adapt more and more of the layer later levels. And yeah, that's what I believe we're heading towards.

Ashish Rajan: What, what does that look like for... 'Cause I know obviously there are vendors who are dedicated on the whole detection engineering as a space. There'll be people who are just doing the, "Hey, we are, we are the runtime people," for lack of a better word as well. 'Cause I al- when I, when you say that, I'm like what's the point of having them when you have a, an AI SOC that covers all the four pillars?

Ashish Rajan: Or i- is there a space for them as well?

Aqsa Taylor: Yeah. You're asking me... You wanna create trouble for [00:24:00] me actually.

Ashish Rajan: No, I'm just curious 'cause you know, obviously we have... Obviously people who are lis- listening or watching are, you know, they, they obviously are w- in an enterprise, large company. They probably already have like a CSPM provider.

Ashish Rajan: They probably already have like a, a... What's the word for... So someone already doing detection as a role in the organization, right? Or, and obviously now there are the AI dete- detection engineering using AI players as well in the market. There's the SOAR platforms in the market as well, which is a SOAR topic that no one wants to talk about.

Ashish Rajan: 'Cause the, the response thing is an interesting one, because people tried doing that in the cloud space long time ago, and it f- it lasted for a hot second, and people realized, "Oh, if I shut down a production machine, it's a bad thing for security, so I should not do that because I don't have the context."

Ashish Rajan: Now, obviously, I don't know how much of that has changed now. It sounds like it has changed quite a bit. I'm curious as to where do you see people who probably are listening or watching this going, [00:25:00] "Okay maybe SOAR was a dream. Is that a reality today? And does my detection engineering has more capability with AI than they had before?"

Ashish Rajan: Like, I think where are we going with this? 'Cause ob- the reason I ask is because people are obviously have a AI remit that they're looking at, and they're trying to f- see which one should I be aiming my budget at. Uh, but I already have a team of detection engineers. I already have a team of SOC people.

Ashish Rajan: I already... So this probably would help them clarify what among the four pillars, like how far people can get with AI especially if they have the right context, and how should they look at this in this AI world?

Aqsa Taylor: Yes. So for SMBs, small to mid enterprises, you're probably dealing with lean teams and you have, and your data keeps increasing. So for them it's easy. You know that you have a platform and plus MDR service. Um, a lot of... I think the winning model is AI SOC plus AI SOC MDR or AI MDR and AI SOC, because then you have, you get the best of both worlds. [00:26:00] So you have that. For larger enterprises who say, "We have dedicated teams, and they do this, this," the larger enterprises also have this problem of silos.

Aqsa Taylor: So you have, like you said, your CNAPP or your cloud team, your DevSecOps teams, they have the breadth of context on your attack chains analysis in the cloud world, and then there is a translation layer. And I was just talking to a pr- um, someone, a CISO of a large enterprise recently, and this is what he was saying as well, that we need more convergence between the left and right.

Aqsa Taylor: We need more convergence. Mm-hmm. We have, like, this huge SOC team, but they don't have the cloud context as much as my cloud engineers and the cloud DevSecOps peoples do. So we're trying to bridge that ourselves. We're trying to, like, bring that context of configuration or risk or exposure, whatever that is.

Aqsa Taylor: And I think that's where a platform that can automatically bridge it for you can help your SOC teams provide, uh... Get the same level of expertise that, uh, they would they would see from [00:27:00] other roles. So your detection engineers, when they're creating these detections, now they have a context of like, hey, GitHub or Posture or vulnerabilities and things like that, that typically they may not they may not be considering in their logic.

Aqsa Taylor: So it emphasizes on the upleveling of their existing skills, so they're not wasting their time in trying to figure things out, going blind, but they are actually working on solving bigger problems. Like, okay if there is a new, new attack that is discovered and I need to write a detection for it, they come up with a hypothesis and then they're able to do it with natural language, but get enough context across all layers and not just some events coming from SIEM, but across all layers, configuration, identity, location, all of that together to say, "Hey here's what needs to happen."

Aqsa Taylor: And then they need to make the calls because they have that expertise to make the calls. So I think that's where wherever people are in their journey, whether they don't have a SIEM, they can [00:28:00] still use a platform like this with the four pillars 'cause they may not to invest in something in multiple tools and multiple platforms 'cause they're a smaller linear team.

Aqsa Taylor: Mm-hmm. But people who are on the other side where they have a large team and many roles and many different silos and people dealing with different parts of the data now have a place where all of that comes in together. Their work is not between like trying to understand from other teams where things are and exceptions and ticket handling, and they're upleveling their work.

Ashish Rajan: And i- is SOAR easier now than what it used to be in terms of the response pillar?

Aqsa Taylor: Uh, SOAR and the whole like, hey, automation playbooks versus like AI, like what is different and all that. Mm-hmm. I think it's like a SOAR subject, like you said. Yeah. But it's why... I mean, if you look at the end user goal here, which is like responding to whatever attack is happening I think that capability in itself [00:29:00] can be brought in, into- Mm-hmm

Aqsa Taylor: something that already has the other pillars. Because the other pillars provide the foundation for the response, and so you're kind of tracking the entire chain in one platform and not depending on multiple places or hops between multiple tools. Plus, I'll give an example. Recently, we saw a credential stuffing attempt where there were like 390 authentication attempts across 14 accounts.

Aqsa Taylor: So it was like a spray and pray approach, where an attacker is trying to alert fatigue you with authentication attempts. So you will hit yes on one MFA, and then they try to do a lateral movement from there. So the response in that sense is like revoking your session tokens, revoking your authentication, and then containing the blast radius, right?

Aqsa Taylor: Yeah. But how do you see that if you don't have good identity mapping in the platform where you are working? So ITDR, ISPM, all those platforms have [00:30:00] that piece of information. But if you're relying on hopping between your threat hunting platform to your ITDR to your I... You're kind of hopping again, and then you're coming to put your response in SOAR.

Aqsa Taylor: So but if you have one place where like, "Hey, this was a credential stuffing attack. This was a detection rule. This is how it happened. These are high-risk users based on them clicking on phishing emails in the past."

Ashish Rajan: Yeah.

Aqsa Taylor: "So, so here's what the impact radius looks like if they get compromised and the sensitive files that they have access to.

Aqsa Taylor: And in the past 24 hours, these are the people they've shared the sensitive files fro- with." So now you know that, hey, high-risk users, credential stuffing attempt. If they clicked on MFA, that would show up as well, like successful login, and then the lateral movement from there, plus the SaaS, uh, visibility on what they're doing with sensitive files.

Aqsa Taylor: So just this end-to-end flow would probably require you multiple tools or multiple users in the mix. Mm-hmm. But if you have one platform that went from [00:31:00] detection all the way to revoking those sessions it's your entire chain, entire kill chain.

Ashish Rajan: I think that's actually, that's a good point because I almost wonder for people who are now uplifting their SOC team, especially now that we are in almost in the middle of the year now.

Ashish Rajan: A lot of people have been kind of working towards it. Some people may have ma-made some bad decisions on, uh, AI SOC or may, uh, maybe even had a look at doing it themselves. I'm curious for people who, who are leaders of these SecOps teams or CISOs who are thinking about uplifting their SOC team, right? Um, what's the right way to approach this?

Ashish Rajan: To, to what you said, maybe starting off with four pillars sounds great as a goal. What are some of the easy wins that they can start off with? And perhaps should they be experimenting with something like a Claude or a OpenAI themselves first to get a hang of it? 'Cause is there some part that even if they had an AI SOC, they would need to be doing themselves with the AI piece?

Ashish Rajan: Like, Aqsa, where do you see are some of the quick wins they can have today, and what should [00:32:00] they think about from like a, like a staged progress perspective to get to that, "Hey, now I can start." Maybe the goal becomes the four pillars are covered by AI, where my team is now more uplifted rather than replaced by AI agents.

Aqsa Taylor: So for people who have access to platforms like Claude or, they're not going with proper AI SOC platforms and they wanna do this yourself, you have to make sure you have the right visibility into what you're introducing to your team. Do you even know, like, what data is flowing? Who has what identities?

Aqsa Taylor: Like, there's a whole level of a whole layer of visibility that you need to deal with. So I don't know if it's easier for you to maybe use a platform where you have full visibility and audits for it, like an AI SOC platform or do it yourself. So that's one decision that you would have to make. But the second one- Yeah

Aqsa Taylor: would be, I'd say there is a level of explainability that comes from using [00:33:00] a platform that is dedicated to doing this versus trying to use a general purpose platform for these operations. And so if you want to at least see the benefits of it, you should start with your level one triaging, uh, on top of your existing SIEM platform with a proper AI SOC platform.

Aqsa Taylor: And I will recommend that over, like, trying to do this yourself because then if you're trying to do this yourself, you are still spending time in providing that context across various tools and doing it yourself, and you're stitching things together, and then you're making sure it's not hallucinating, and you're spending all that time.

Aqsa Taylor: So instead, why not use a-

Ashish Rajan: But, but Aqsa, I have all these smart engineers, like, they, they know what they're doing. Like, and I'm obviously, I'm-- By the way, I'm, I'm fully supportive of what you're saying 'cause I've seen scenarios where people have gone down that path, spent six months doing it and come back.

Ashish Rajan: But I, I joke about this because I'm pretty sure someone in the audience, as you said that, like- Yeah ... [00:34:00] "Aqsa, I've got smart engineers. I mean, they would know this." So, so I-I'll, I'll be curious as to, uh- Yeah ... to what you said before.

Aqsa Taylor: Wasn't there an instance where the agent deleted the entire database?

Ashish Rajan: I mean- But sure ...

Aqsa Taylor: that,

Ashish Rajan: that they don't have the smart engineers as I do, Aqsa. That's the, the reality of it. No, um, I mean, I, I joke about this, but I, I'm, the point I w- I wanted to make compar- bring across and I think as you've hit this on the nail as well I, I think my hypothesis so far has just been the fact that initially a-as much as the models have progressed quite a bit and it gives the peop- it gives people the feeling that, "Hey, I could do this myself."

Ashish Rajan: I think it's like the reality is way far ahead. Like, I mean, w- I-- it's almost like if I'm... Just to put into perspective, I had a conversation with a CISO which was the CISO for a financial organization, and their argument was: Am I going to show that I am building this AI SOC platform? I'll just say whatever, AI insert category, security category platform inside the organization, [00:35:00] and we are maintaining it.

Ashish Rajan: I am actually employing people to build a product in my own company. Is that what I'm going towards? So that, that's to plant that idea in the minds of people who may be thinking that, "Okay, I can still do this." I just wanna put that like-- I don't know if you agree with me on this, but if you don't agree, that's totally fine as well.

Ashish Rajan: But I thought I, it's worthwhile calling that out before people had that in their mind. So I'll, I'll let you continue, and you can totally disagree with what I, my hypothesis is. My hypothesis so far in all the conversations we've had on Cloud Security Podcast or AI Security Podcast has been the fact that people who are trying to build a- AI for security X in their own organization by themselves, they themselves have the challenge of it's like having an open source software library that you provide to the internet, and then you have to maintain it, lifecycle it, decommission it, add more integration, do the whole lifecycle of it, which is not something that most organizations want to do.

Ashish Rajan: [00:36:00] I think it's a great side project- Yeah ... but it's not a project that you just push into production, if that makes sense, because that's where you land on someone else. And I was saying that you could totally disagree with my hypothesis there, Aqsa, but, um, I-

Aqsa Taylor: Yeah, I agree.

Ashish Rajan: So

Aqsa Taylor: That's in... That's right.

Aqsa Taylor: Like you're... Now bring that concept to SOC, and it's the same thing. Yeah. Like can you use Claude for some of those actions? Sure, and you can check out our substack. There's examples of how to do it and in some ways it can make your life easier, yes. But in the broader picture, in the longer term, uh, how much effort you spend in doing, trying to build it all yourself and trying to build these things yourself, yes, you can argue that, "Hey, I'll have my projects.

Aqsa Taylor: I'll create my own agents and I'll help, you know, I'll provide them context over time." But it still takes time, and it still takes effort, and it still takes a lot more scrutiny on the [00:37:00] accuracy part that we talked about before- Yeah ... in order to increase those confidence scores. So it's almost like you're changing the effort, but you're still putting effort.

Aqsa Taylor: So if you're trying to up level or reduce the effort, then you should go with something that is dedicated for this cause, and they have dedicated engineers building it to make your life easier so that you don't have to build it yourself.

Ashish Rajan: Yep. And to going back to what you were saying earlier, start with the triage, level one triage first-

Aqsa Taylor: Yes

Ashish Rajan: As the area you wanna tackle. You don't wanna tackle the other pillars, but start there. And why the level one triage as the first I guess, stepping stone to go into that journey of AI-ifying their SOC?

Aqsa Taylor: It... I would say actually a little bit differently, not just that start from level one, but start from data.

Aqsa Taylor: Ask the right questions to your AI SOC platform. If the platform is just meant for taking the events from existing... Maybe that's the stage you are in. Maybe [00:38:00] you already have all the tools in place, you have a SIEM platform, and you're looking for just some triaging, then that's great. You can... A lot of AI SOC platforms do that.

Aqsa Taylor: But when they do that, what data s- what data points are they taking into account to give you that confidence that, hey, these, this platform will give me the right reduction in false positives because it not just looks at my events, but it looks at config, it looks at identity, it looks at code, it looks at everything else while making that decision.

Aqsa Taylor: So I think that's an important part and question to ask whether... whenever you're going to select a platform for your, of your choice. And then the second thing is, is it a proactive platform that if something happens it's not waiting on the upstream providers to provide the detections and the events, but it also has its own detections to immediately trigger and help you proactively protect your environment?

Aqsa Taylor: 'Cause at the end of the day, it doesn't matter what category you put in, SIEM, AI SOCs, or [00:39:00] you have a need, you want to keep up with the AI enabled attacks, not AI attacks, attacks that are much faster, scaling faster, and they're happening at large scales, then you need to make sure that you have, you're equipping your defenders, your team, with the same advantage that the attackers have.

Aqsa Taylor: And that's what everything else flows down from. That means you have the visibility, you have the context, and you have a plan, and you can respond in time.

Ashish Rajan: I, I'm gonna ask the question that the skeptics may be also asking as well. We're talking about confidence. How do I trust the confidence that a AI SOC provider gives me on, say...

Ashish Rajan: You know how the whole life of a SOC analyst or a SOC person is spent going through hundreds of alerts, and sometimes they just spend the entire day. And I've had teams where someone I know who basically went through almost 50 or 60 false positives and then landed on one kind of positive, I wanna say, [00:40:00] not even f- like a true fa- uh, true positive went down the rabbit hole, figured out it was still a false positive.

Ashish Rajan: And in a scenario like that the reason why people go through all of that in their mind is because I don't know which one could be a real vulnerability, right? It could be a SEV 1. How does one get the same level of confidence that, hey, if a, say, if an AI SOC has gone through my level one triage of all these hundreds of logs that came in, and I'm sure the volume is a lot more larger in larger companies, how do you kinda give the confidence to the end user for this is how, this is why we believe that these are false positive and you should focus on these five?

Aqsa Taylor: Yes. So how open the platform is in explaining, uh, the explainability and transparency, and how easily you can also put your own business context input to it. So an example is, let's say I have an email from a well-known provider that's not [00:41:00] spam, but I'm tired of seeing it come because it's spammy to me, so I report it.

Aqsa Taylor: Okay, that's not technically a true positive because it's a well-known domain. It passed all the checks. It's not really a threat or a phishing attempt. So in a normal sense, the platform would say like, "Hey, this, this looks like a false positive. This is not a threat at all." I might just say, "Look for me I wanna make an exception.

Aqsa Taylor: Like wherever it is, I don't wanna see this again." And then the platform should be able to just change this entire logic from that one statement that you give. That's making your life easy versus you know, you having to open an MDR ticket and going back and forth on business context. And I'm not... I'm giving a very like silly example with email, but it could be any exception that you want to make- Mm-hmm

Aqsa Taylor: that's across against the industry standard or whatever. But imagine like if I have to do this every two months for every similar ticket, that's losing context. Now [00:42:00] you take it in a higher, in a larger sense, a knowledge graph, a semantic knowledge graph would take this data into its future and would make sure that you're not dealing with the similar issues or similar patterns to have to say the same thing over and over again, or to have to make those adjustments again.

Aqsa Taylor: So that's how having that semantic knowledge level, knowledge graph or real-time knowledge graph helps with increasing your confidence that, hey, I have a mixed responsibility here, where if I give an exception or con- uh, or if I give that additional business context in addition to what is already pulling across my entire environment, I'm able to see the reasoning, then, it increases how I want to do later on, what I want to do later on in investigation response and all.

Aqsa Taylor: The other part of it is what factors it's taking into account. So a user may travel a lot more than another user in the same team. So for him, traveling [00:43:00] and logging in from multiple locations within a month may be normal looking activity versus another user who's always at home and suddenly you see a spike in like logging in from UK and Japan or whatever else.

Ashish Rajan: Mm-hmm.

Aqsa Taylor: So also taking into account like peer-to-peer activity and that kind of behavior analytics in addition to that in addition to normal event or hey, logging, suspicious login, impossible travel, and those kind of alerts, that's additional context. Like this person's whole mapping versus this person's mapping, that identity graph, plus these events, plus this location analysis, plus the domai- the VPNs or whatever are in the mix in addition to it.

Aqsa Taylor: Taking all of that context and showing you in clear visibility that these are the reasons why these particular alerts were downgraded or upgraded into escalation is what would improve the confidence of these leaders. And which is why I go back to saying that don't just get an AI SOC platform for the sake of getting it because you're [00:44:00] alert fatigued, but what's more important is what factors it's taking into account, because otherwise it's like dealing with a traditional MDR where you're still going back and forth and giving it extra context, extra context every time.

Ashish Rajan: Yeah, a great answer, 'cause I think, uh, transparency is definitely the key, at least finding out how the AI came up with the conclusion that this is a false positive and seeing the, the entire workflow of it is definitely will build confidence over time as well. That's, that's all most of the questions that I had from a technical perspective.

Ashish Rajan: I've got three fun questions for you as well. Uh, first one being, what do you spend most time on when you're not trying to battle the, uh, all the AI SOC problems of the world, I guess?

Aqsa Taylor: I think I spend most time traveling and creating content right now.

Ashish Rajan: Yeah. Living the content life.

Aqsa Taylor: That's been my life, Gartner, content, posting, yeah.

Ashish Rajan: Oh, fair. And second question for you, what is something that you're proud of that is not on your social media?

Aqsa Taylor: Ooh, my family.

Ashish Rajan: Awesome. And [00:45:00] I mean, obviously, uh, you can, you can share the episode with them later on just to let them know that, "Hey," "I spoke about you folks." The final question I have is, what is your favorite cuisine or restaurant that you can share with us?

Aqsa Taylor: I wasn't prepared for this. I like Korean food, so-

Ashish Rajan: Korean barbecue, fried chicken ...

Aqsa Taylor: Korean barbecue.

Ashish Rajan: Oh, everything, like, uh, everything Korean.

Aqsa Taylor: I used to watch a lot of K-drama and I got-

Ashish Rajan: Oh, fair. Then, then life happened, I guess.

Aqsa Taylor: Yeah.

Ashish Rajan: Fair. No, I mean, uh, Korean food is obviously awesome as well, so thank you for sharing that.

Ashish Rajan: Where can people learn more about Exaforce and connect with you and learn more about the work you guys are doing?

Aqsa Taylor: There's three ways you can learn more about and keep in loop with, uh, ke-keep in touch with us. One is you can follow me on LinkedIn or connect with me, follow Li- Exaforce on LinkedIn follow our YouTube channel.

Aqsa Taylor: Uh, we also do a lot of, like, threat campaign breakdowns in our YouTube channel. It's soc... We have our It's SOC Easy podcast. And then if you wanna be a part of the community of practitioners, we have a [00:46:00] Substack where it's completely not Exaforce. It's just anybody who has learned something, who has detections that they wanna share.

Aqsa Taylor: If there's an attack campaign breakdown they wanna do, they are welcome to participate and share that knowledge with other practitioners.

Ashish Rajan: Awesome. I'll put those in the show notes as well, but thank you so much for joining on the show. Thank you for listening or watching this episode of Cloud Security Podcast.

Ashish Rajan: This was brought to you by techriot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on cloudsecuritypodcast.tv, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify. In case you are interested in learning about AI security as well, do check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security.

Ashish Rajan: Finally, if you are after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast. You can check that out on cloudsecuritynewsletter.com. I'll see you next episode. Peace.
