Who it's for

Who this is for

  • Security teams evaluating AI in the SOC before committing.
  • Leaders who want a working demo, not a slide deck.
  • Teams that need a safe sandbox to measure agent quality.
Problems

Problems solved

  • No safe way to evaluate AI triage on realistic telemetry.
  • Unclear where humans must stay in the loop.
  • No baseline for agent accuracy and false-positive risk.
  • Hard to demonstrate value without a working prototype.
Scope

What I review / build

  • Stand up a sandbox with synthetic or sanitized telemetry.
  • Wire alert triage, IOC extraction, enrichment, and risk scoring.
  • Add human-approval gates and SOAR action recommendations.
  • Instrument audit logging end-to-end.
  • Provide a replay harness to measure quality per revision.
Deliverables

Deliverables

  • Working AI-SOC prototype in a sandbox.
  • Alert-to-audit workflow (triage → enrich → score → approve → recommend → log).
  • Replayable eval harness with accuracy metrics.
  • Architecture diagram and handover notes.
Process

Sample workflow

01

Sandbox setup

Stand up an isolated environment with synthetic or sanitized data.

02

Workflow build

Implement triage, enrichment, scoring, approval, and recommendation.

03

Instrumentation

Add audit logging and a replay harness for measuring quality.

04

Demo & readout

Walk the team through the prototype and the metrics it produces.

Controls

Security controls included

Scoped, sandboxed tool surfaceHuman approval on consequential stepsReplayable evals per revisionEnd-to-end audit logging
Typical effort
2–4 weeksfocused effort
Scoped around availability. Async-friendly.
How to start
Get in touchno sales call
This is work I do and write about in the open — reach out to compare notes or ask a question.
FAQ

Frequently asked questions.

Will this run on our production data?
No. The prototype runs on synthetic or sanitized telemetry in a sandbox. Production data and access require separate, written approval.
Is the goal a fully autonomous SOC?
No. The prototype keeps humans in the loop on consequential actions. The aim is measured assistance, not replacement.
How do we measure if it works?
The replay harness produces accuracy and false-positive metrics per agent revision so you can decide with data.
Let's talk

Want to talk it through?

Building or securing something similar? Tell me about your agent, stack, or SOC workflow — I'm happy to compare notes.