Everyone's racing to build "AI-first" SecOps. We deliberately didn't. We’ll get to the details, but for now let’s start with a couple of questions:
Should a SOC analyst build their own disposable checklist every time they investigate an alert, or would you build playbooks for consistent, thorough investigation across the whole SOC?
You'd build the playbooks.
Following those playbooks, should that analyst perform every investigation step manually, or would you use automation to collect and present the evidence they need to reach a verdict as quickly as possible?
You'd automate the repetitive, manual steps.
If using human reasoning to build and manually execute a plan every time is inconsistent, slow, and expensive, then using an AI agent's reasoning for the same task is inconsistent, slow, and expensive.
A lot of companies are shortcutting the basics because an AI agent, like a capable human, can improvise around the gaps. It will reason through missing deterministic logic the same way a smart analyst works around a missing playbook. It looks great in a demo, but it breaks down at scale in production. That shortcut buys them time to market, but it isn't sustainable. “AI-first” leaves you with the same challenges as “human-first.” They're just hidden behind subsidized tokens and a faceless SaaS delivery model.
We're aggressively AI-forward at Critical Start. We're just deliberate about where AI sits in the stack. We already built a deterministic-first platform with Cyber Operations Risk & Response (CORR). The goal has always been to accelerate and amplify our SOC analysts by codifying their knowledge into playbooks and automation. But deterministic systems still have spillover (the edge cases and novel alerts no existing rule covers). They also need to be fed new rules, and they need continuous validation.
SOC AI is intentionally not a shift to AI-first, because the right layer for AI is rarely first. Instead of spending human effort to handle spillover, write new rules, or validate the rules we already have, we use AI with targeted human validation. It's a force multiplier for rapidly enriching the deterministic systems that belong in the first layer.
We do all of this without a jarring separation between conversational AI and deterministic automation. Whether you're working with an LLM or with output derived from automation, you're doing it in one modern, conversational interface, talking to an agent. It will feel like AI even when it's something better.
We didn't build it this way to be different. We built it this way because it's the only sustainable model. Many of the “AI-first” SecOps platforms are an integrations framework and a set of prompts. As the cost of tokens rises and customers notice the inconsistencies and the plan drift, those platforms will need to shoehorn in a deterministic layer. That won't be easy, and it won't be seamless.
SOC AI is more than a set of agents. It's a template for how agentic SecOps platforms have to be built. I'm looking forward to seeing others adopt the model, even if they get there a little late.
