Adversaries achieved 51-second breakout times in 2024—faster than most SOCs can triage an alert. While top-performing teams reach Mean Time to Detect of 30 minutes to 4 hours, typical investigations take 90+ minutes before response coordination begins. By then, attackers have already moved laterally and established persistence. The bottleneck isn't analyst speed—it's investigation architecture. Analysts spend 60-70% of investigation time on mechanical tasks: translating questions into queries, context-switching between tools, manually correlating findings across systems, and maintaining investigation state. No amount of training can compress human-paced investigation processes to match machine-speed attacks. The solution requires eliminating mechanical work through investigation patterns that execute at machine speed, allowing analysts to focus on judgment and decision-making. Organizations achieving investigation velocity improvements aren't just deploying better technology—they're consolidating workflows, capturing expert methodologies in executable patterns, and redesigning SOC architecture for the threat landscape they actually face.
Brute force attacks remain a critical threat in 2025, with 80 billion credentials compromised from stealer logs in a single year. Despite modern security controls, credential stuffing attacks succeed because users reuse passwords across services—and threat actors have unprecedented access to breach databases. Security teams struggle to detect these attacks because failed login attempts blend into normal activity, lacking the context to distinguish legitimate user errors from active reconnaissance. In this post, we explore how credential-based attacks exploit password reuse at scale, why traditional security stacks miss these patterns, and what security operations teams can do to investigate and respond effectively. Learn how to correlate authentication logs with breach exposure data, identify high-risk accounts under attack, and implement structured investigation workflows that transform credential threat hunting from manual, time-intensive analysis into standardized, repeatable processes accessible to tier-2+ analysts across your security team.
When Chinese state-sponsored group GTG-1002 weaponized AI to attack thirty organizations simultaneously—with AI handling 80-90% of tactical operations—it exposed a critical gap in cybersecurity: offensive automation has scaled dramatically while defensive investigation remains human-paced. This blog examines how AI-augmented security investigations address the fundamental mismatch between AI-driven attack scale and traditional incident response capabilities. Command Zero's approach leverages LLM advancements to transform security investigations through question-driven frameworks that execute across multiple data sources simultaneously. Rather than replacing analysts, AI augmentation eliminates mechanical query work, enabling security teams to investigate thirty incidents with the same thoroughness as one. As threat actors increasingly weaponize AI for cyberattacks, defenders need investigation tools that match offensive automation's scale and speed. Learn how AI-augmented investigation helps SOC teams respond to sophisticated threats at machine speed while maintaining human expertise where it matters most—strategic analysis and decision-making.
A recent Reddit thread from a drowning L1 SOC analyst exposes the systemic crisis breaking modern security operations. Facing thousands of daily alerts with 90%+ false positives, the analyst's plea ("Is this normal?") reveals five critical failures plaguing SOCs: process vacuums without structured detection engineering, knowledge capture crises where expert insights remain trapped in individual analysts' heads, immature tool implementations requiring years of tuning investment, broken tier structures failing to transfer expertise, and chaotic customer relationship management. This isn't just one analyst's struggle—it's an industry-wide pattern where organizations drown junior talent in alert fatigue while real threats slip through undetected. The root cause isn't technical—it's a knowledge problem. Mature SOCs solve this through captured investigative methodologies, formal tuning processes, and scalable expertise transfer. Without addressing knowledge capture and structured workflows, organizations will continue churning through analysts while their security posture deteriorates. The solution requires acknowledging that SIEM deployments need continuous engineering investment and that senior analysts' expertise must be systematically captured and scaled.
During my twenty-plus years defending networks—from the Air Force to government contractor work to my current role in security research—I've watched exceptional analysts burn out from a systemic problem we refuse to address. Security Operations Centers face a fundamental challenge: analysts trapped downstream processing endless alert queues while upstream systemic issues multiply unchecked. This post examines the operational reality I've witnessed across countless customer engagements: talented security professionals drowning not from lack of skill, but from structural inefficiencies in our detection systems. What we find in practice is that elite SOC teams differentiate themselves through continuous tuning discipline and strategic pattern analysis. Key operational insights include: implementing systematic feedback loops that reduced alert volumes by 40% while improving detection rates, creating protected time for upstream analysis work, and recognizing that strategic thinking requires cognitive space—not perpetual crisis mode. For security leaders seeking sustainable, high-performance operations beyond reactive firefighting.
After three decades building security software and leading multiple successful exits, I can tell you with certainty: AI in Security Operations Centers isn't a future consideration—it's an urgent present-day requirement. As Command Zero's CPO, I'm witnessing threat actors already wielding AI-powered capabilities to breach defenses faster than human analysts can respond. In my recent conversation with analyst Shelly Kramer, we explored the perfect storm facing modern SOCs—overwhelming alert volumes, critical skills shortages, and expanding attack surfaces—and why AI represents the only viable path forward. Organizations implementing AI are achieving 70% faster time-to-triage, transforming investigations from hours to minutes while elevating junior analysts to productive contributors within weeks. Through a practical crawl-walk-run framework, I outline how security leaders can integrate AI capabilities while preserving existing SIEM investments and empowering their teams. The choice isn't between human analysts and AI—it's achieving harmony between them to create security operations that are faster, more consistent, and more effective than either could achieve alone.
Microsoft 365 Exchange Online's Direct Send feature has become a critical vulnerability exploited by threat actors for phishing and business email compromise campaigns. This legitimate operational feature bypasses standard email authentication protocols (DKIM, SPF, DMARC), enabling adversaries to send spoofed messages that appear to originate from trusted internal sources. The primary challenge isn't detection—it's investigation complexity. Security operations teams face extensive context switching across Office 365, identity providers, EDR systems, and network infrastructure, often requiring 90+ minutes per incident. Traditional SIEM platforms struggle with these cross-system investigations, particularly for analysts lacking specialized Exchange Online expertise. Command Zero's Custom Questions feature transforms Direct Send investigations from hours to minutes by codifying expert investigative knowledge into automated workflows. This approach enables tier-2 analysts to conduct comprehensive investigations spanning email routing, identity context, and endpoint telemetry without manual correlation—turning investigation bottlenecks into organizational strengths while building institutional knowledge for long-term security resilience.
Business Email Compromise (BEC) attacks in 2025 have evolved into sophisticated campaigns that exploit Microsoft 365 collaboration tools and organizational trust relationships. Modern attackers use OAuth application abuse, mail flow manipulation, and SharePoint phishing to bypass MFA and establish persistent access. Traditional SOC investigations struggle with fragmented data sources across Microsoft Entra ID, Exchange Online, and SharePoint—requiring complex KQL queries and Graph API expertise that delays incident response. Command Zero's investigation framework solves this by providing pre-built questions that automatically query relevant data sources and map to BEC attack patterns. This approach enables tier-2 analysts to investigate at specialist level without memorizing API endpoints or query languages. Combined with defensive controls like disabling user OAuth consent, implementing phishing-resistant MFA, and monitoring suspicious mail flow patterns, organizations can transform their BEC response from reactive firefighting to proactive threat hunting.
Shadow identities represent a critical security blind spot, with 80% of enterprise SaaS logins invisible to IT and security teams. Unlike shadow IT, which focuses on unauthorized applications, shadow identities are unmanaged user accounts, service principals, OAuth tokens, and API keys that exist outside your identity provider. These hidden credentials create three major risks: security blind spots from unmonitored authentication, compliance violations from untracked data access, and forensic black holes during incident investigations. Security teams need systematic discovery of application registrations, service principals, personal access tokens, and third-party integrations across their infrastructure. Command Zero provides the visibility and investigation capabilities to identify shadow identities across Microsoft Entra, Okta, GitHub, AWS, and other systems, enabling rapid correlation of identity activity during security incidents when response time is critical.
The promise of AI agents in security operations hinges on a deceptively simple question: Can AI SOC agents reliably make the same judgment calls as your most experienced analysts? Surprisingly, the answer depends more on business context and less on the model sophistication or training data of these agents. AI agents in security operations require more than sophisticated algorithms—they need business context to make informed decisions. In this post, we explore how business context transforms SOC efficiency by enabling agents to understand VPN topology, user roles, asset attributes, and historical patterns within your specific environment. Command Zero's early deployments of business context support show significant alert reduction from endpoint, Microsoft Entra, and Okta systems. Discover why current, accurate business context is the foundation that separates autonomous security operations from sophisticated technology making uninformed decisions.
Attackers exploit Microsoft Teams through sophisticated vishing campaigns that traditional security tools fail to detect. Command Zero addresses this critical gap with a comprehensive investigation playbook featuring 20+ specialized queries designed to expose attack patterns across email, communications, and endpoint telemetry simultaneously. Security teams face compressed investigation windows—typically hours between initial email bombing and ransomware deployment. Our systematic four-stage approach enables rapid threat identification: detecting email bombing campaigns within 30 minutes, exposing external Teams calls and social engineering attempts within 2 hours, assessing system compromise through remote access tool analysis within 4 hours, and completing full campaign correlation within 24 hours. This intelligence-driven methodology transforms reactive incident response into proactive threat hunting, delivering actionable insights that enable immediate containment while building long-term defensive capabilities. Organizations gain comprehensive visibility into coordinated attacks that blur technical exploitation with psychological manipulation—empowering security operations to detect, analyze, and neutralize threats before catastrophic impact.
Microsoft Teams has recently emerged as a critical attack vector for sophisticated ransomware campaigns, with threat actors weaponizing enterprise communication platforms through coordinated vishing operations. This strategic analysis examines the three-stage attack methodology—email flooding, social engineering via Teams calls, and remote access tool deployment—that has enabled groups like Black Basta, Storm-1811, and Midnight Blizzard to achieve unprecedented operational success. Recent intelligence reveals over 15 documented incidents in three months, with attack frequency accelerating significantly. The exploitation centers on default Microsoft Teams configurations that permit external communications, creating opportunities for attackers to impersonate IT support during manufactured crises. Command Zero's post-Black Hat platform enhancements deliver comprehensive investigative capabilities across Microsoft Teams, Entra, and Graph environments, providing security teams with advanced detection and response tools. Organizations must implement systematic defense frameworks combining technical infrastructure controls with human-centric security operations to address this paradigmatic shift in adversarial methodology that blurs traditional boundaries between technical exploitation and social engineering mastery.
After three years of AI implementations in security operations, the evidence is clear: artificial intelligence transforms SOC analysts into "super analysts" rather than replacing them. While AI excels at pattern recognition and data correlation, human analysts provide irreplaceable context, creative problem-solving, and ethical decision-making that automated systems cannot match. Command Zero's research across 352 cybersecurity professionals reveals that 88% of organizations face operational challenges from staff shortages—yet the solution lies in amplification, not replacement. Human analysts understand business context behind security alerts, conduct complex investigations requiring detective work, and manage stakeholder communications with emotional intelligence. The most sophisticated threats leverage human creativity through social engineering and novel attack vectors, demanding equally creative defensive strategies. By 2027-2028, AI-augmented security operations will become standard practice, but organizations recognizing AI as augmentation rather than replacement will emerge significantly stronger. The future belongs to human analysts empowered with AI superpowers, defining the next generation of cybersecurity excellence.
During my two decades defending networks and investigating threats, I've never witnessed transformation this profound. AI is revolutionizing security operations unlike any tectonic shift before it. Here's why: Traditional SOCs are drowning—analysts face hundreds to thousands of daily alerts, investigating just 4%. The cognitive capacity crisis has reached a breaking point. But AI isn't just better tooling; it's the emergence of truly intelligent defense systems that think, learn, and adapt at machine speed. While humans burn out correlating thousands of data points, investigating repetitive alert types and doing the same thing day in, day out, AI can process more workload and never tires. The organizations embracing AI SOC today will dominate tomorrow's threat landscape. Those waiting for "perfect" solutions will defend against advanced threats with yesterday's capabilities. This isn't evolution—it's revolution.
Scattered Spider is back in 2025, targeting UK retailers, US aerospace, and airlines with smarter, more convincing social engineering. What sets them apart? Native English fluency, deep cloud skills (AWS, Azure, Google Cloud), and precise targeting—they research each sector’s IT and help desk operations to blend in and avoid detection. Their playbook has moved from SIM swapping to enterprise ransomware and selling access, using AI-powered phishing and voice cloning to bypass MFA and trick support staff. Traditional security tools often miss them because their techniques generate low-priority alerts and look like normal admin activity. Security teams need to step up human verification, monitor for subtle cloud activity changes, and use behavior analytics to spot unusual patterns. Command Zero’s platform automates these checks, helping SOCs catch threats like Scattered Spider early—before attackers can do real damage.
Security Operations Centers are evolving from traditional three-tier analyst structures to more flexible, outcome-driven models. This comprehensive guide explores the benefits and challenges of tiered vs. tierless SOC approaches, examining how MDRs and MSPs are reshaping traditional hierarchies. Learn why tier one erosion is accelerating, how tierless models enable end-to-end case ownership, and the trade-offs between specialist expertise and operational flexibility. Discover how AI is transforming SOC operations by automating repetitive tasks and democratizing knowledge across analyst teams. Whether you're considering restructuring your SOC, evaluating outsourcing options, or implementing AI-powered investigations, this analysis provides actionable insights for security leaders. Expert perspective from 24+ years of industry experience covers practical considerations for organizations of all sizes, from compliance requirements to budget constraints.
Security operations centers face a critical crisis: alert fatigue is overwhelming analysts and creating dangerous investigation gaps. Traditional SOC metrics like MTTR and MTTI incentivize speed over thoroughness, forcing analysts into narrow investigation scopes that miss connected threats across enterprise environments. The fundamental challenge lies in systemic operational constraints. Analysts validate alerts, implement basic containment measures, and close cases without investigating broader attack scope—leaving lateral movement and data exfiltration undetected. This assembly-line approach creates a backlog of unresolved threats that eventually culminate in headline-grabbing breaches. Modern AI technology offers a transformative solution by correlating disparate data sources across endpoint logs, identity systems, cloud platforms, and network traffic in minutes rather than hours. Command Zero's platform automatically establishes comprehensive investigation scope, checking for related activity across AWS, Azure, identity providers, and SaaS applications when alerts trigger. The strategic approach acknowledges organizational reality: rather than eliminating established performance metrics, advanced technology empowers analysts to investigate comprehensively within existing time constraints, delivering higher-quality outcomes while maintaining operational efficiency in today's complex threat landscape.
The AI revolution in security operations is here, but marketing promises far exceed current reality. After three decades building security software, the ground truth is clear: AI's value lies in augmentation, not replacement of SOC analysts. Real success comes from proven use cases. Large language models excel at unplaybooked investigations—where tier-2+ analysts struggle most without existing playbooks. AI removes investigative drudgery like log correlation and data extrapolation, keeping analysts cognitively focused instead of context-switching between mundane tasks. The most problematic messaging focuses on "time to resolve" and "replacing tier-1 analysts." Optimizing purely for speed creates dangerous tunnel vision. Risk reduction through thoroughness should be the primary goal—making the same mistake faster benefits no one. Successful adoption requires slotting AI into existing workflows, not overnight transformations. SOCs won't abandon tens of millions in infrastructure for new automation platforms. By the end of 2025, adoption becomes mainstream. By 2027-2028, AI for SOC will be standard practice. Organizations understanding AI as augmentation—not replacement—will emerge significantly stronger in cybersecurity's biggest transformation since firewalls.
The integration between Command Zero and Okta Identity Threat Protection (ITP) delivers a transformative solution for security operations teams facing evolving identity-based threats. This powerful partnership connects Okta's real-time identity risk signals with Command Zero's comprehensive investigation capabilities, creating a unified workflow that dramatically enhances threat response. Security teams gain the ability to instantly launch investigations from Okta alerts, correlate identity events across their security stack, leverage automated investigation workflows, and access comprehensive user risk profiles. The integration transforms how organizations respond to identity threats—including phishing, credential stuffing, and session hijacking—which the 2025 Verizon DBIR identifies as central to 22% of breaches. By operationalizing Okta ITP within Command Zero's platform, security teams accelerate response times, investigate complete user journeys, and implement targeted remediation based on comprehensive intelligence. This integration serves as a force multiplier for SecOps teams, reducing mean time to respond while providing the contextual insights needed to counter modern identity-based attacks efficiently.
AI agents are becoming increasingly specialized and numerous, creating an urgent need for standardized methods of discovery and collaboration. Without a standardized protocol that enables secure discovery, communication and collaboration, every agent integration remains a custom project, preventing the seamless ecosystem of AI assistants that could efficiently combine their unique capabilities to solve complex problems. Agent Communication & Discovery Protocol (ACDP) is a proposed standard protocol that allows AI agents to discover and collaborate with each other. While Anthropic's Model Context Protocol (MCP) has become the standard for application context, ACDP addresses how agents can autonomously find each other and work together across different providers. The protocol leverages existing technologies: DNS for discovery (using SRV and TXT records), HTTPS for secure communication, and a hybrid approach combining central registries with peer-to-peer awareness. This creates a resilient network where agents can advertise capabilities, find peers with complementary skills, and collaborate securely. ACDP supports both public ecosystems and private deployments (for enterprises, healthcare, and government), with appropriate security measures including authentication, authorization, and network isolation. It also integrates with MCP for tool discovery, as demonstrated through security and healthcare use cases.
Command Zero has been named one of the Top 10 Finalists for the prestigious RSAC 2025 Innovation Sandbox contest. This recognition represents a significant milestone in our journey to revolutionize Security Operations. Command Zero addresses the critical bottleneck in security operations: Tier-2+ investigations. The platform combines encoded expert knowledge, advanced LLMs, and intuitive UX to empower tier-2 and tier-3 analysts. Already deployed across dozens of enterprises, Command Zero delivers measurable benefits: reducing investigation time from days to minutes, ensuring consistent outcomes, enabling collaborative investigations, and building institutional knowledge. The platform's federated data model constructs clear threat narratives, significantly reducing response times and allowing security teams to overcome administrative drag while confidently investigating complex environments.
Centralized data systems like SIEMs and data lakes excel at detection, reporting and compliance, but fall short for complex security investigations. These tools weren’t designed for dynamic workflows, forcing analysts to write complex queries and manually retrieve data, wasting critical time during incidents. Command Zero redefines investigative workflows by combining automation with expert-driven AI capabilities. The platform automates routine tasks, summarizes complex artifacts, and proactively suggests next steps, enabling analysts to focus on high-impact activities like root cause analysis and risk mitigation. For example, a Tier 1 analyst investigating phishing campaigns can bypass hours of manual log retrieval and cross-referencing thanks to automated processes that deliver actionable insights. Unlike generic chatbots or tier-1 focused agentic AI, Command Zero’s LLM implementation supplements analysts by bridging knowledge gaps and enhancing decision-making across all experience levels. This pragmatic approach empowers security teams to work smarter, reducing noise and inefficiencies while delivering faster, clearer results for both analysts and executives.
Entra risky sign-ins are suspicious login activities that can often indicate account compromise. We examine the sophisticated detection mechanisms that identify authentication anomalies, from impossible travel scenarios to password spray attacks, and reveal the critical investigation challenges security analysts face. The post showcases how Command Zero's integrated platform transforms these investigations through cross-product visibility, facet-based investigation frameworks, and identity correlation capabilities. By combining an encoded knowledge base with expert language models and strategic automation, security teams can dramatically accelerate threat response times, standardize investigation quality, and gain comprehensive visibility across fragmented technology stacks—ultimately transforming how organizations detect and respond to potential identity compromises.
Control validation addresses a critical vulnerability in modern security operations—the gap between deployed security measures and their actual effectiveness. This post explores how tactical drift occurs when security controls appear compliant but fail in practice due to system updates, infrastructure changes, and oversight. Security teams face overwhelming volume, knowledge barriers, and process complexity that prevent effective validation. Command Zero transforms this landscape by democratizing expertise, connecting cross-system data, and accelerating investigations through AI-powered tools. Organizations without robust control validation operate with a false sense of security, leaving critical vulnerabilities exposed. The most dangerous security gaps aren't those you're monitoring—they're the control failures hiding in plain sight that you haven't validated.
Locked accounts, often overlooked in security operations, can be crucial indicators of larger security threats. This blog post explores why these common occurrences matter and how they serve as early warning signs for potential issues like brute force attempts, credential stuffing, insider threats, and misconfigured systems. The post also covers how Command Zero streamlines investigations by offering visual analysis, unified data sources, and automated timeline generation. By centralizing the process and leveraging advanced tools, security teams can more efficiently identify and respond to potential threats. The future of threat hunting lies in automation and autonomous investigations, pushing the boundaries of what's possible in cybersecurity.
As software development accelerates through DevOps processes, GitHub repositories have become both invaluable intellectual property stores and potential attack vectors. Threat actors increasingly exploit these environments through sophisticated techniques—from hijacking GitHub Actions for cryptocurrency mining to poisoning open-source libraries with backdoors. Security analysts face significant challenges when investigating GitHub activities: logs designed for developers rather than security teams, uncertainty about effective investigation approaches, and overwhelming noise from normal development activities. Command Zero addresses these challenges through an innovative platform that transforms complex investigations into accessible questions, enables seamless pivoting between data sources, and accelerates investigations through AI-powered analysis. By democratizing GitHub security expertise, Command Zero empowers every analyst to conduct sophisticated investigations without specialized knowledge—closing critical security gaps in the DevOps pipeline and establishing comprehensive visibility across interconnected systems.
Email remains at the heart of most security investigations, from phishing alerts and insider threats to business email compromise (BEC) incidents involving both internal and third-party emails. While many teams focus solely on whether a malicious link was clicked, the real challenge lies in understanding email activities and other user behaviors in the big picture - what users do after an incident occurs. This post explores how email credentials represent full user identities and why this makes them prime targets for attackers. Using real examples, like the case of an Acme Corp administrator with extensive system access, we demonstrate how attackers can easily identify and target high-value accounts through LinkedIn and other public sources. Traditional email investigations face significant challenges: time-consuming manual correlation, complex access requirements across multiple systems, and difficulty in assessing the full blast radius of compromised accounts. Command Zero addresses these challenges through unified data analysis, AI-guided investigations, automated timeline analysis, and intelligent narrative building. The post concludes by emphasizing that email investigations can't be treated as checkbox exercises - they require sophisticated tools that can handle complex data correlation while guiding investigators toward meaningful conclusions. This approach transforms email investigations from time-consuming manual processes into rapid, comprehensive analyses that any investigator can conduct effectively.
Generative AI is revolutionizing software development, but it also brings unique security challenges for enterprises. This blog post explores the Cloud Security Alliance's guidance on securing LLM-backed systems and how Command Zero implements these controls. Key principles include controlling authorization, validating outputs, and staying aware of evolving threats. Essential system components like orchestration layers and vectorized databases require specialized security measures. The post emphasizes the importance of comprehensive security approaches for LLM-backed systems, focusing on authentication, input/output control, and careful management of system interactions to mitigate risks and ensure safe AI integration in software development.
Operationalizing threat intelligence is critical for security operations teams, but comes with challenges like consistency, volume, and actionability. Command Zero simplifies this process by enabling teams to quickly act on atomic and behavioral threat indicators, automate investigations, and centralize workflows. Real-world examples of operationalizing threat intel include investigating exposed S3 buckets, assessing credential compromises, and validating keylogger alerts—all in minutes. By reducing console switching and streamlining collaboration, Command Zero helps SOC analysts work faster and more efficiently. This post covers the importance of operationalizing threat intelligence and how Command Zero transforms threat intelligence operationalization, making it easier to prove or disprove threats and stay ahead of attackers.
Password spray attacks remain a persistent threat to enterprise environments, serving as a crucial barometer of an organization's security health. These attacks, while common, offer valuable insights into an organization's authentication posture and prompt important questions about targeted identities, potential unnoticed breaches, and possible data leaks from previous breaches. Traditional investigation methods pose challenges when it comes to analyzing password spray attacks: time constraints, navigating multiple systems, and potentially superficial investigations. Command Zero transforms password spray investigations by increasing efficiency and automation, ensuring comprehensive analysis, and providing transparent reporting.
Command Zero is transforming cybersecurity investigations with an AI-powered, question-based approach. By emulating expert analysts' thought processes, it guides users through complex cases, leveraging diverse data sources and embedded knowledge. This novel approach enhances collaboration, streamlines investigations, and adapts to evolving threats, offering a more efficient and effective alternative to traditional query-based methods and AI chatbots. In this post, we’re covering why we’re taking a question-based approach to build the platform, the benefits and how it compares with alternative methods.
Disclaimer: This is not yet another 2025 predictions post where the author states the obvious (or the outrageous). Instead, we cover three frequently asked questions about Command Zero, what these questions taught us about 2024 and how they shaped our predictions for 2025. In this post, we will cover three frequently asked questions and our responses: Who is Command Zero for? How does Command Zero complement existing security operations investments? How is Command Zero similar to or different from AI-powered SOC analysts and AI-powered chatbots? We will also share our three predictions for 2025 based on these questions and observations. Happy holidays and we hope you enjoy this format!
How analysts work during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes. Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because analysts of any skill level can build them as needed without coding or scripting.
This post wraps up our blog series for Command Zero's recent research report. The report exposed critical cybersecurity investigation challenges across 15 industries. Key findings from 352 professional interviews reveal three major issues: a talent gap (88% report operational challenges from staff shortages), tool limitations (current security technologies like EDR/XDR, SIEM, and SOAR have significant drawbacks), and process inconsistencies (investigations remain mostly manual and unstructured). Command Zero's recommendations for SecOps leaders include implementing unified investigation platforms, expanding investigation scopes beyond traditional alerts, leveraging automation, investing in skills training, and improving team collaboration. The research highlighted the value of transforming cyber investigations by keeping analysts central. This can be achieved by reducing manual work through strategic use of AI and automation. Command Zero offers an autonomous and AI-assisted platform to address these challenges.
The lack of standardization, documentation, and auditability in investigations (one of the three key findings in our latest research report) leads to inefficiencies, miscommunications, and loss of data. In this post, we provide recommendations to build detailed processes and communicate lessons learned to improve cyber investigations.
Despite the early and sincere focus on search/investigations, modern SIEM and SOAR capabilities have evolved to satisfy compliance/regulatory requirements. Today, these technologies do not provide dedicated investigation tools and the right user experience for an effective flow. In this post, we dive into findings from our research, discover sample use cases and recommend solutions to common issues for investigations.
In this interview, we dive deep into the world of cybersecurity investigations with Eric Hulse, Head of Research at Command Zero. Eric shares invaluable insights from some of the recent customer engagements, explaining how Command Zero is revolutionizing the way security teams operate, from drastically reducing investigation times to empowering analysts at all levels. He reveals how the platform can integrate with common tools like Microsoft Entra ID, Okta, Office 365, CrowdStrike, Proofpoint and other data sources in as little as 15 minutes. He also covers how it's helping teams tackle the overwhelming volume of alerts and incidents. Eric talks about Command Zero's unique approach to AI implementation, moving beyond simple chatbots to provide context-rich, actionable insights. From streamlining HR-led investigations to providing comprehensive identity visibility across multiple platforms, Eric illustrates how the platform is addressing the industry-wide challenge of doing more with less in cybersecurity.
Security Operations Centers (SOCs) struggle with uncertain security alerts, which create inefficiencies and analyst fatigue. The main challenge is the high volume of non-conclusive alerts that only indicate "interesting patterns" rather than definitive threats. Analysts must investigate numerous alerts daily, requiring extensive context-gathering about users and their behaviors. While playbooks can help with known attack patterns, they're difficult to maintain and can't keep pace with constantly evolving security threats. In this article, I’d like to highlight some of the common practical hurdles we observe with uncertain (aka non-conclusive, non-definitive) security alerts, and our recommendations to overcome them. The key is facilitating better decision-making through improved data collection, context building, and flexible investigation tools.
It is no surprise that a significant challenge for cyber teams is a pronounced skills shortage in the industry. The gap between the demand for experienced cybersecurity professionals and the available talent pool is widening for all cyber disciplines. This research indicates that this gap is even more acute for incident response and cyber investigations.
Command Zero published its first research report: “Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders” on September 10, 2024. The report is based on 352 interviews with cyber leaders including CISOs, security VPs and incident responders. It sheds light on the primary challenges encountered in cyber investigations including those stemming from alerts, insider threats, incident response, and threat hunting activities. This blog post is the first post of a blog series covering the key findings, takeaways and recommendations from this report.
The integration of RAG-based question selection has significantly improved our cybersecurity investigation capabilities. By leveraging AI to intelligently select and prioritize investigative questions, we can initiate investigations and provide outcomes more swiftly and effectively. As we continue to refine this approach, we're excited about its potential to shape the future of AI-driven cybersecurity investigations. The synergy between human expertise and AI-powered guidance is proving to be a formidable tool in cyber investigations.
Most conversations at Black Hat USA 2024 surfaced that we’re at an exciting juncture for cyber. Some of the incoming changes include expansion of cyber giants into adjacent segments, additional movement in SIEM and SOC automation segments and continued industry consolidation.
Black Hat USA 2024 provided a clear picture of where we stand as an industry and where we need to go. As we navigate these challenges, collaboration, innovation, and a renewed focus on resilience will be key to our collective success. Some key takeaways from this event include the CrowdStrike incident and its impact on cyber, the use of AI in cyber, election security, the privacy vs. security dilemma and the increasing personal legal risks for CISOs.
Okta is one of the most used identity providers with various identity and access management solutions. Like other IDAM providers, Okta is a valuable resource for starting identity investigations. Impactful identity and authorization patterns including user password changes, password policies, multi-factor authentication (MFA) alerts and application consent grants can be reviewed on Okta during investigations. In this post, we’ll follow a potential account takeover flow starting from Okta alerts ingested by Command Zero. While we can expand any investigation to other data sources, I'll keep the focus on Okta to simplify this example flow.
Identity-based investigations are one of the most common analyses for security operations. These leads get under the spotlight because of an HR event (various watchlists or a user's last day), a potential compromise (as a result of business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, their historical context and their recent behavior is key to conducting effective investigations. In this blog post, I'll walk you through a sample watchlist investigation on Microsoft Entra ID.
Our general philosophy towards AI is simple. We use LLMs to augment the capabilities of our platform. We structure our content (Questions, Facets, Metadata, Prompts, Answers, Relationships) to improve the quality of the models' responses. As with developing any production-ready application, LLMs bring their own set of unique implementation challenges. For us, these challenges can be categorized as accuracy, latency, scalability and cost, all of which have an impact on the user experience.
To identify Midnight Blizzard or any other password spraying attack in your environment, there are multiple paths you can take with Command Zero: 1) tracking unusual application consents, 2) tracking password spraying attempts, 3) tracking MFA failures, and 4) tracking new or re-activated user accounts. As with all investigation flows, these flows can be saved as facets to drive speed and consistency across individual analysts or analyst teams.
The universal talent gap is a challenge we must operate with in cyber. To combat this, we need to shift from platforms for advanced users only to intrinsically skilled platforms that augment all users. Command Zero delivers the expert platform for cyber investigations. Expert investigative questions and investigative flows (facets in our terminology) are the investigative fuel of the Command Zero platform. By leveraging this expert content, all tier-2+ users (tier-2, tier-3, incident responders and threat hunters) can deliver expert outcomes every time.
Command Zero set out to solve the most significant bottleneck for security operations: investigations. There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.
What if we could create a team of investigators with the ability to collect and harvest the right information, to determine the scope and track investigations in real-time? Command Zero’s question-based investigative approach, combined with automation, ensures no detail is overlooked. This method makes expert knowledge accessible to all analysts. Discover how this empowers Tier-2+ analysts with expert system capabilities in our latest blog. It’s not enough to just provide the query. We need to ask those questions for them, driving deeper investigations and educating analysts continuously. This ensures they understand the process, reasoning, and outcomes, leading to better, repeatable techniques.
Today, Command Zero is coming out of stealth, ready to revolutionize security operations. Command Zero is the industry's first autonomous and user-led cyber investigations platform. It is built to tackle the most significant bottleneck in security operations: investigations. Supercharging tier-2 and tier-3 analysts (the scarcest talent in security operations) is the most impactful project a CISO can take on. Command Zero is built to deliver this transformative project at scale.
Dov Yoran • Jul 9, 2024 • 6 min read