Home
Blog
Investigations
January 7, 2026
5
min read

2026 SOC Resolution: Stop Machine Speak. Level up Investigations with Natural Language

SOC analysts waste critical time translating investigations into complex query languages like SPL, KQL, and SQL instead of hunting threats. Natural language investigation platforms eliminate this cognitive burden, enabling analysts at all skill levels to conduct sophisticated investigations by simply asking questions. Pre-built investigative sequences should operationalize expert methodology across common use cases like impossible travel and suspicious activity analysis, standardizing excellence while breaking down data silos across endpoints, identity providers, and cloud environments. Question-based approaches create reinforcement learning feedback loops, continuously improving investigation quality through analyst validation. By removing syntax barriers, junior analysts gain advanced capabilities while senior investigators accelerate case closure. As alert volumes surpass human capacity in 2026, natural language interfaces become essential for SOC scalability. Modern security operations teams should expect tools that close complex cases in minutes through AI-assisted analysis and autonomous investigative flows, fundamentally transforming how they handle evolving threats.

AI
identity investigations
Security Operations
SOC of the future
James Therrien
Lead Content Strategist
In this article
H2 Title
H3 Title

Why Natural Language is the only interface that scales the human mind—and AI models

The clock has ticked over to a new year. The ball dropped, and the year 2026 is upon us.  While we were spending time with family and making resolutions, threats were evolving. Without a doubt, the threat landscape of 2026 is fast, AI-augmented, automated, and more fragmented than ever before.

For the last decade, we have asked our SOC analysts to fight this war with one hand tied behind their backs. We forced them to be machine linguists first and investigators second. We demanded they memorize SPL, KQL, SQL, and a dozen other proprietary syntaxes just to ask a simple question:

"Is this bad?"

Let’s make 2026 the year, when we put a stop to that. The most powerful interface for the modern SOC isn't a new dashboard or a code block. It is the question mark!?

Questions: The Human Way to Inquire

There is a reason the Socratic method has survived for 2,400 years: The human brain is wired for inquiry, not query.

Research into cognitive learning modalities consistently shows that Question Generation produces deeper cognitive engagement than passive consumption or rote translation. When an analyst must translate their suspicion into complex code—figuring out the correct JOIN query or timestamp format—their cognitive load shifts from intellectual analysis (investigation strategy) to implementation (syntax). They stop hunting the threat and start debugging the query.

Decades of educational psychology research, such as studies on the "Doer Effect" and active recall, demonstrate that humans retain information and solve problems faster when they ask questions rather than just passively reading logs or translating commands. By shifting the interface to Natural Language Query (NLQ), we remove that friction. We allow all SOC analysts to operate with the speed of thought.

"It's not enough to just provide the query. We need to ask those questions for them, driving deeper investigations... This significantly reduces the 'grunt work,' allowing human analysts to focus on higher-level analysis."
— Dov Yoran, Co-Founder & CEO, Command Zero

This notion of asking human questions lies at the heart of the Command Zero platform. The platform comes with a pre-built set of investigative questions that can be used by human analysts and AI agents to deliver the best analysis in a predictable, auditable and repeatable way. SOC teams can build their own custom questions and add custom data sources to fine tune the platform to their environment’s context and needs. Questions serve as building blocks for threat hunting and analysis. Chaining questions in desired sequences help operationalize expertise and ensure repeatability.

Operationalizing Expertise: Introducing Facets

To bridge the gap between simply "asking a question" and conducting a rigorous investigation, Command Zero provides Facets.

Facets are pre-engineered question sets for specific use cases that Command Zero makes available to your team. They solve the "blank page" problem that often paralyzes inexperienced analysts during a crisis. Instead of guessing where to start, an analyst can activate a specific Facet—such as "Suspicious PowerPoint Analysis" or "Impossible Travel Investigation"—and the system instantly populates the investigation with the critical questions a veteran hunter would ask. Facets ensure that expert methodology is baked into the tool, standardizing excellence across the SOC and ensuring no angle is overlooked.

Facets are useful for all analysts as no single analyst can be an expert in all data sources. Being able to level the playing field for everyone can lower the barrier of entry and deliver quality outcomes at every analysis.  

Sample Facet showing multiple questions asked to Microsoft Entra

Breaking the Silos: The Universal Translator

The modern enterprise IT and security can be best described as a Tower of Babel. Your endpoint data speaks one language; your Identity provider speaks another; your cloud logs speak a third. Historically, investigating a single thread across these silos required a Rosetta Stone of technical knowledge that took years to acquire.

This is why Tier 1 analysts escalate so often—they might simply not know the syntax to check the cloud logs.

Natural Language is the universal solvent for these silos.

When an analyst asks, "Did this user login from an unusual location?" they shouldn't need to know if the answer lies in Okta, Azure AD, or a firewall log. The Autonomous SOC architecture handles the translation, fetching the data from disparate sources and presenting the answer, not the raw logs. This allows a junior analyst to traverse the entire infrastructure with the confidence of a veteran architect.

The Feedback Loop: How Your Questions Improve Future Analysis

Here is the hidden advantage of the Natural Language approach that few are talking about: It is the most efficient way to capture institutional knowledge.

In a traditional SOC, when a senior analyst runs a brilliant, complex SQL query to catch a threat, that knowledge dies in the terminal history. It is rarely captured or reused. In a Question-Based environment, every interaction feeds the model.

  1. The Analyst asks a question: "Check for lateral movement via SMB."
  1. The platform executes the investigation: It retrieves the data and presents a verdict.
  1. The Analyst validates the result: They accept or reject the finding.
  1. Past investigations guide best practices: The platform learns from the investigation paths, questions asked and the analyst feedback about the verdict.  

This interaction creates a Reinforcement Learning from Human Feedback (RLHF) loop. The system learns which questions yield results in your specific environment. It learns that lateral movement in your network usually involves specific subnets or service accounts.

"We don't want to assume that a large language model is more intelligent than [analysts] are, because it isn't... We need to marry up autonomous decision making and user-led investigations to achieve outcomes you couldn't get before."
— Alfred Huger, Co-Founder & CPO, Command Zero

The 2026 Standard for AI SOC

We are entering a year where the volume of alerts will finally surpass the human capacity to query them manually. The legacy Tier 1 analyst of 2025—who spent their day triaging alerts and writing basic queries—is functionally extinct.

The Tier 1 Investigators of 2026 and beyond is different. Armed with natural language and guided by Facets, they can pivot across data silos, audit AI decisions, and close complex cases that previously required a Tier 3 escalation.

This year, let’s make a resolution to get the peak performance out of every analyst, junior or senior. Stop forcing them to speak machine. Let them ask questions. The truth is waiting to be uncovered in the answers.

Ready to Ask Better Questions?

Give your SOC team the power of controlled autonomous flows and AI-assisted analysis. Book a demo to see how Command Zero empowers your team to close complex cases in minutes—not days—by turning natural language into autonomous action.

James Therrien
Lead Content Strategist

Continue reading

Investigations
Highlight

Beyond the APT Chase: Why You May Be Hunting the Wrong Things (And How to Fix It)

There is a critical visibility gap where operational anomalies go unnoticed because teams cannot distinguish signal from noise. The piece positions Command Zero’s "Business Context" and "Table Filters" as the essential solution, enabling the encoding of institutional knowledge directly into investigations. By transforming manual noise reduction into persistent baseline enforcement, the platform facilitates a practical progression to innovative hunting maturity (HMM3).
Eric Hulse
Feb 13, 2026
7
min read
Investigations
Highlight

The "Tierless" SOC: What Happens When Junior Analysts Disappear?

The cybersecurity industry faces a paradox: AI is successfully automating "tier-1" grunt work, but in doing so, it is destroying the foundational apprenticeship that trains senior analysts. Historically, junior analysts built vital pattern recognition by triaging thousands of routine alerts. Without this "manual" phase, a "missing middle" has emerged—juniors are now expected to handle complex investigations without the environmental context or investigative intuition usually gained through repetition. To bridge this gap, SOCs must shift to an "Apprentice-in-the-Loop" model. By using expert-built, executable Questions, Command Zero codifies senior-level methodology into a guided framework. This allows juniors to "sit shotgun" with expert thinking on real cases from day one. Instead of grinding through false positives, the next generation of analysts will develop through structured, AI-augmented exposure, democratizing high-level expertise and accelerating career growth in a tierless environment.
Eric Hulse
Jan 13, 2026
6
min read
Investigations
Highlight

Investigating Service Principal Attacks with Graph API Activity Logs

Service principal attacks are escalating, with threat actors like Midnight Blizzard and Storm-0501 exploiting non-human identities to compromise enterprise environments. These attacks historically succeeded because reconnaissance activity—enumeration of users, groups, and roles—remained invisible to defenders through traditional directory audit logs. Microsoft's new GraphAPIAuditEvents table in Defender XDR Advanced Hunting changes this by capturing all Graph API requests, including reads, writes, and failures. This preview feature provides unprecedented visibility into service principal activity, enabling security teams to detect enumeration attempts, privilege escalation, and OAuth abuse before attackers execute their primary objectives. Leveraging Microsoft’s new GraphAPIAuditEvents, Command Zero automates the detection of previously invisible reconnaissance—such as permission enumeration—that legacy logs miss. By embedding expert knowledge into AI-assisted investigation frameworks, the platform correlates disparate data points (IPs, tokens, API calls) to expose complex attack chains. This transforms raw logs into finished investigations in minutes, enabling SOC teams to close the visibility gap and maximize productivity without sacrificing control or transparency.
Kiki Preteau
Dec 23, 2025
4
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All