October 24, 2024
7 min read

An interview with Eric Hulse: Insights from recent Command Zero engagements

In this interview, we dive deep into the world of cybersecurity investigations with Eric Hulse, Head of Research at Command Zero. Eric shares invaluable insights from some of the recent customer engagements, explaining how Command Zero is revolutionizing the way security teams operate, from drastically reducing investigation times to empowering analysts at all levels. He reveals how the platform can integrate with common tools like Microsoft Entra ID, Okta, Office 365, CrowdStrike, Proofpoint and other data sources in as little as 15 minutes. He also covers how it's helping teams tackle the overwhelming volume of alerts and incidents. Eric talks about Command Zero's unique approach to AI implementation, moving beyond simple chatbots to provide context-rich, actionable insights. From streamlining HR-led investigations to providing comprehensive identity visibility across multiple platforms, Eric illustrates how the platform is addressing the industry-wide challenge of doing more with less in cybersecurity.

Eric Hulse
Director of Security Research

Q: As you engage with customers, what is the main driver for their interest in a platform like Command Zero? What problems are they trying to solve?

Eric: Each customer has different problems they're trying to resolve, but there are some common themes:

  1. Dealing with the deluge of alerts and incidents: The sheer volume of data is overwhelming for many SOC teams.
  2. Handling nuanced investigations: These go beyond what can be easily automated or applied to a simple playbook.
  3. Lack of knowledge about newer data sources: Teams often struggle with how to investigate unfamiliar systems like AWS deployments or GitHub.
  4. Doing more with less: This is a universal goal across all our customers.

Q: What should customers expect as they set up Command Zero in their environments?

Eric: Each customer environment is exceptionally different in terms of tech stacks, architecture and configuration, but there are commonalities with vendors and technologies they all have, like email.  

One of the biggest advantages of our platform is its ease of use and quick setup. We've designed our integrations to require minimal configuration steps. For most integrations, you only need an API token or perform an application consent. We've eliminated the need for complex setups like deploying virtual machines or extensive log parsing. It's as simple as inputting your credentials, consenting to read-only permissions, and you're ready to go.

Q: Let's go with a hypothetical customer environment with Entra ID, Office 365, CrowdStrike, and Proofpoint. How long does it take to integrate Command Zero and start the first investigations?

Eric: Assuming all the necessary permissions are in place, you could be up and running in probably less than 30 minutes, realistically closer to 15 minutes. In fact, it will probably take you longer to gather your credentials and grab your MFA token to log into those individual products than it will to actually configure the integrations in Command Zero.

Q: Any interesting anecdotal feedback from customers after they've seen Command Zero in action?

Eric: One of the biggest issues we address, which is common across all clients regardless of their size or industry, is the constant context switching between different consoles. This leads to errors in copying and pasting, missing key leads, or going down the wrong investigation path.

We had a particularly striking example with a customer investigating a departing user. They told us it had taken them about 50 minutes the previous night to gather the necessary information across four different products about this user. We then walked them through the same investigation using Command Zero. By entering the user's name, executing one of our pre-built facets, and adding two questions, we completed the entire investigation in just 2 minutes, with another 2-3 minutes for data analysis and report generation. In total, we accomplished in 4-5 minutes what had previously taken them 50 minutes, and we uncovered 90% of what they had found manually plus additional insights.

Q: What value do reporting and timeline generation features deliver for customers?

Eric: The timeline feature saves an enormous amount of time by eliminating the need to constantly refer back to notes. It provides a graphical presentation of the investigation's progress and subsequent actions.

Our summarization capabilities, available in three forms - artifact summary, facet summarization, and overall report summarization - make a significant difference. In recent releases, we've fine-tuned our verdicting capability, which now very accurately portrays whether an incident is a false positive or if the severity should be adjusted based on the added context.

We've received a lot of positive feedback on how the reporting lays out observations in a different format, presenting it in bullet form with correlated pieces. This effectively reduces complex data (like dozens of JSON artifacts with hundreds of lines each) down to four bullet points, emphasizing the critical elements that analysts should focus on.

Q: How does Command Zero help junior and senior analysts with everyday tasks?

Eric: For senior analysts, the platform saves a significant amount of time. They no longer need to constantly oversee or guide less experienced analysts. It also empowers junior team members to gather information independently, making it readily available for senior team members to review.

Senior analysts particularly appreciate the artifact summarization feature, especially when dealing with unfamiliar data sources like AWS. This enables them to rapidly understand and contextualize information without needing deep background knowledge on that particular data source.

Junior analysts often express excitement at the types of questions they can ask and the capabilities they can access. Command Zero empowers them to facilitate Tier 1, Tier 2, and sometimes even Tier 3 level questions and capabilities. This not only acts as a force multiplier but also as a force enabler, facilitating progression, learning, and skill advancement in a way that's often challenging to achieve in traditional organizational structures.

Q: How does Command Zero's approach to implementing AI differ from other approaches in the industry?

Eric: Unlike many in the industry who are implementing AI as a bolt-on chatbot, we're taking a different approach. We're utilizing AI to empower analysts to continue their investigations by providing options and supporting data. We've recently added context to explain why specific answers, reports, synopses, or verdicts were generated, essentially "showing our homework."

We recognize that chatbots, while useful, require a certain level of knowledge and experience to interact effectively. This can be a problem, especially for less experienced team members. Our approach focuses on using AI for reporting, question summarization, question suggestions, and even content production on the back end, which then goes through a human-in-the-middle approach before it's implemented.

Q: What are the core use cases or investigation types for customers?

Eric: We excel in several common use cases:

  1. HR-driven investigations: This includes data loss prevention cases or instances of users inappropriately accessing or removing files. These investigations also include watch lists (high risk users, flight risk, suspected compromised accounts) and are highly impactful.
  2. Identity visibility: We provide comprehensive visibility into identity across multiple integrations. We can map identities across various platforms (SharePoint, GitHub, AWS, email, etc.) and tie activities back to specific identities.
  3. Device-identity association: We can look up the identity associated with a device, or vice versa. Combining these associations with MFA and user activity yields valuable information.
  4. Phishing and BEC investigations: We help facilitate investigations into various types of phishing alerts, such as malicious URLs detected in emails or URLs removed after delivery. Our facets and curated question sets make it easy to verify incidents, determine their scope, and assess their impact. Business email compromise (BEC) continues to be a driver for many investigations.

Call to action

Eric’s recent observations during customer engagements demonstrate the power of Command Zero in streamlining investigations, providing comprehensive visibility, and enabling more efficient and effective security operations.  

We highly encourage Security Operations teams to book a demo with our team to see how Command Zero can help transform threat hunting and investigations.  

--

Editor’s note: We’re experimenting with a new format for this post. We’ve combined a Microsoft Teams interview between Eric and me (Erdem), genAI capabilities and good old editing by humans to create it. Overall, the ideas in the conversation are still organic (human ideas). GenAI helped us generate the transcript for this interview, convert the raw transcript to a clean-ish draft and we took over from there. As a result, we’ve saved hours on building this post.
