January 15, 2025
7 min read

Revolutionizing cybersecurity investigations with expert questions and AI

Command Zero is transforming cybersecurity investigations with an AI-powered, question-based approach. By emulating expert analysts' thought processes, it guides users through complex cases, leveraging diverse data sources and embedded knowledge. This approach enhances collaboration, streamlines investigations, and adapts to evolving threats, offering a more efficient and effective alternative to traditional query-based methods and AI chatbots. In this post we cover why we took a question-based approach to building the platform, the benefits it brings, and how it compares with alternative methods.

Dean De Beer
Cofounder & CTO

Introduction

Command Zero is pioneering a new approach to investigations. By combining AI with expert knowledge, we've created a platform that investigates like a seasoned security responder. Our question-based system doesn't just provide answers; it guides analysts through complex investigations with the precision and insight of an expert. This approach is changing how security professionals tackle the most challenging enterprise cases and incidents.

Why investigate with questions?

Our original vision for Command Zero was to emulate the thought process of a seasoned security responder. We quickly realized that, once they have access to data, experienced analysts approach a problem by asking a series of expert questions. Each answer often leads to further questions, mirroring how security professionals think through and tackle complex issues.

Evolving tech stacks, threats and investigation scopes

Modern tech stacks, threat vectors and threat volume have all grown sharply in the cloud and AI era. Consequently, investigations no longer focus solely on the security stack. During a complex investigation, analysts often need to pivot from security logs to a range of other data sources, including:

  • SharePoint for insider threat investigations
  • GitHub for developer activity analysis
  • AWS access logs for cloud security
  • Okta and other identity providers for authentication insights

This diversity of data sources presents a challenge for analysts: staying abreast of new platforms and understanding the nuances within each.

Embedding expert knowledge

By creating a question-based system, we've embedded years of accumulated investigative and technical knowledge from our research and content development teams. This approach allows us to:

  • Make expert insights easily accessible to all users
  • Help analysts quickly gain understanding of unfamiliar data sources or log types
  • Package questions together to give analysts a significant advantage without extensive ramp-up time

Guiding the investigation with expert content and AI

Command Zero doesn't just provide questions; it guides the user through the investigative process. Each question in our platform goes through a rigorous creation and validation process, generating critical metadata:

  1. Intent: The purpose behind asking the question in a security context
  2. Context: The security-related background for presenting the question

This metadata allows our system to propose next steps, suggest areas to investigate, and offer relevant questions based on the user's needs and available data.

The AI implementation delivers AI-assisted investigations and autonomous investigation flows. LLMs are used for the selection of relevant questions and pre-built investigation flows (facets) within investigations, natural language-based investigation guidance, interpretation of data, summarization, reporting and delivering verdicts.  

Advantages of leading with questions

Our question-based approach offers several key benefits:

Key benefits

  1. Guided Investigations: Users are led through a "guided tour" rather than having to work out and navigate the path themselves. The knowledge encoded in the platform, combined with automation and AI, carries the analyst through the investigation.
  2. Controlled Inputs and Outputs: LLMs are invoked in structured patterns and their outputs are validated continuously. This reduces, though cannot fully remove, the risk of hallucinated findings or incorrect verdicts.
  3. Cost and Speed Optimization: By controlling the investigation flow and balancing traditional techniques with LLM calls, both investigation duration and compute cost are kept down.
  4. Pre-Enriched Data: Data is enriched before it is presented to the language model, reducing round trips and improving efficiency.

Adaptability and continuous improvement

The Command Zero platform is designed to evolve based on user interactions:

  • The investigation path adapts based on newly produced data.
  • User inputs, such as annotations, comments, labels, and tags, influence the system's guidance.
  • Our approach allows for dynamic adjustments to inputs and outputs, optimizing for the most effective investigation outcomes.
  • The Command Zero Security Research team publishes new questions every Wednesday for all of our users. Most questions are built based on customer requests and use cases. When a question is built, it is made available to all Command Zero users, benefiting the entire community of analysts on the platform.  

For example, a new investigation about Jack Black starts with:

  • Jack's credentials, permissions, devices and high-level access information across systems. This is especially helpful in complex environments with thousands of users, multiple identity providers and isolated systems.
  • Previous notes and tags about Jack.
  • Previous investigations in which Jack was involved.

So, analysts get a head start with all historical and current context about the user. The platform suggests which questions or facets (pre-built investigation templates) to run and then suggests follow-up questions based on the responses to these questions. Based on the learnings from this investigation, analysts can save their investigation flow as a facet and re-use it in similar investigations to save time and improve consistency.  
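The flow just described (question metadata deciding what is suggested next, an answer from one source becoming the input to a question against another, and the executed path saved as a facet) can be sketched in a few dozen lines. The following is an added illustration written for this post, not Command Zero's code or data model; the two sample logs, their field names, the artifact types and the three questions are all assumptions.

```python
"""A question-driven investigation step, as a small self-contained model.

Added illustration, not Command Zero's code. Each question carries metadata
(intent, context, source, the artifact types it needs and produces), and the
next questions are derived from that metadata plus the artifacts the case
already holds. Sample logs, field names and artifact types are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed sample records standing in for two federated sources
# (identity provider and cloud audit log); not real data.
OKTA_EVENTS = [
    {"user": "jack.black", "event": "user.session.start", "ip": "203.0.113.7", "mfa": False},
    {"user": "jack.black", "event": "user.session.start", "ip": "198.51.100.4", "mfa": True},
    {"user": "jane.doe", "event": "user.session.start", "ip": "203.0.113.7", "mfa": True},
]
AWS_EVENTS = [
    {"principal": "jack.black", "event": "CreateAccessKey", "ip": "203.0.113.7"},
    {"principal": "jack.black", "event": "ListBuckets", "ip": "203.0.113.7"},
    {"principal": "ops-bot", "event": "PutObject", "ip": "10.0.0.5"},
]

Artifacts = Dict[str, Set[str]]  # artifact type -> values, e.g. "ip" -> {"203.0.113.7"}

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    intent: str          # why an analyst asks this
    context: str         # when it is worth asking
    source: str          # data source the question runs against
    needs: frozenset     # artifact types it consumes
    produces: frozenset  # artifact types its answer yields
    run: Callable[[Artifacts], Artifacts]

def okta_logins(art: Artifacts) -> Artifacts:
    rows = [e for e in OKTA_EVENTS
            if e["user"] in art["user"] and e["event"] == "user.session.start"]
    return {"ip": {r["ip"] for r in rows},
            "no_mfa_ip": {r["ip"] for r in rows if not r["mfa"]}}

def aws_from_ip(art: Artifacts) -> Artifacts:
    rows = [e for e in AWS_EVENTS if e["ip"] in art["ip"]]
    return {"aws_event": {r["event"] for r in rows},
            "aws_principal": {r["principal"] for r in rows}}

def other_users_from_ip(art: Artifacts) -> Artifacts:
    rows = [e for e in OKTA_EVENTS
            if e["ip"] in art["ip"] and e["user"] not in art["user"]]
    return {"user": {r["user"] for r in rows}}

CATALOG: List[Question] = [
    Question("okta.logins", "Where has this user signed in from, and with MFA?",
             "Establish the user's source IPs and MFA state", "First pivot in any user-centric case",
             "okta", frozenset({"user"}), frozenset({"ip", "no_mfa_ip"}), okta_logins),
    Question("aws.from_ip", "What did those IPs do in AWS?",
             "Find cloud actions taken from the same source addresses", "Once source IPs are known",
             "aws", frozenset({"ip"}), frozenset({"aws_event", "aws_principal"}), aws_from_ip),
    Question("okta.other_users", "Which other users signed in from those IPs?",
             "Widen scope to accounts sharing the suspicious source", "Once source IPs are known",
             "okta", frozenset({"ip"}), frozenset({"user"}), other_users_from_ip),
]

def suggest(catalog: List[Question], art: Artifacts, asked: Set[str]) -> List[Question]:
    """Questions not yet asked whose inputs are all present in the case."""
    have = {kind for kind, values in art.items() if values}
    return [q for q in catalog if q.qid not in asked and q.needs <= have]

def investigate(catalog: List[Question], seed: Artifacts,
                facet: Optional[List[str]] = None, max_steps: int = 10):
    """Run the guided flow from a seed, or replay a saved facet (ordered question IDs).

    Returns the trail of questions asked (what a facet stores) and the artifacts."""
    by_id = {q.qid: q for q in catalog}
    art: Artifacts = {k: set(v) for k, v in seed.items()}
    trail: List[str] = []
    while len(trail) < max_steps:
        if facet is not None:  # replay: follow the saved order, fail loudly on a missing input
            if len(trail) == len(facet):
                break
            q = by_id[facet[len(trail)]]
            missing = q.needs - {k for k, v in art.items() if v}
            if missing:
                raise ValueError(f"{q.qid} needs {sorted(missing)}, which this case lacks")
        else:  # guided: offer what the metadata allows, take the first deterministically
            candidates = suggest(catalog, art, set(trail))
            if not candidates:
                break
            q = candidates[0]
        for kind, values in q.run(art).items():
            art.setdefault(kind, set()).update(values)
        trail.append(q.qid)
    return trail, art

if __name__ == "__main__":
    trail, art = investigate(CATALOG, {"user": {"jack.black"}})
    print(trail, "| no-MFA IPs:", sorted(art["no_mfa_ip"]), "| users in scope:", sorted(art["user"]))
```

The point of the needs/produces metadata is that guidance is computed from what the case already holds, so two analysts starting from the same seed get the same path, and a saved trail fails loudly on replay when a case lacks an input instead of silently skipping a step. Run as a script it prints the three-question trail, the one source IP that logged in without MFA, and the second account pulled into scope from that IP.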

Consistency and repeatability

Every analyst has a different background and way of thinking, resulting in different investigation flows for similar cases. This makes it difficult to standardize investigation flows and make sure all necessary questions are being asked for each investigation.  

Command Zero helps standardize the investigation sequence for similar cases, so all analysts go through predictable flows that reflect the best practices. On top of these flows, every analyst can easily go deeper into branches of the investigation that they are interested in. This approach offers a good combination of consistency and repeatability, while encouraging individual curiosity and strengths for each analyst.

Collaboration and knowledge sharing

The Command Zero platform is designed with collaboration in mind:

  • Multiple analysts can work on a single investigation.
  • The sequence of questions and events is readily available to all analysts.
  • Case handoffs and escalations are streamlined, as the entire investigative history is preserved.
  • Steps and findings can be easily shared among team members. This creates opportunities for peer reviews, coaching and learning from past investigations.  

How a question-based investigation compares with alternative methods

There are significant benefits to a question-based investigation model. Here is how Command Zero's approach compares with alternative approaches to investigations:

Command Zero vs. AI Chatbots

While AI-powered SecOps chatbots are making waves in the industry, our approach differs significantly:

  • User Knowledge: Chatbots require users to know what they need and how to phrase it so that the chatbot and its underlying LLM understand. The input varies with each analyst's background, so the output varies too, causing drift between investigations; a BEC investigation, for example, can be handled in completely different ways by two analysts with different backgrounds. Command Zero minimizes this dependency with an encoded knowledge base available out of the box.
  • Structured Input: Chatbots accept arbitrary user input and try to make sense of it, producing inconsistent, non-deterministic results. Command Zero phrases questions in a form the model consumes reliably, with context, intent and the associated investigation data attached.
  • Cross-Data Source Relationships: Chatbots require multiple prompts to switch between data sources, potentially drifting with each step. Command Zero provides a more structured approach where questions can be chained together, allowing for powerful investigations across multiple data sources in a predictable way.

For example, an analyst with a networking background will prompt an AI chatbot very differently compared to an analyst with an endpoint background. Their experiences and verdicts will vary significantly based on how they prompt the chatbot.  

Command Zero vs. Query-Based Approaches

Our question-based approach offers several advantages over traditional query-based methods:

  1. No Query Language Expertise Required: Users don't need to understand the query language or data structures of each data source. This also means an analyst can build an investigation sequence during the investigation itself, rather than waiting for a security content or engineering team to build it for later use.
  2. Broader Data Access: Users can reach data sources through a federated data model, gaining coverage that a centralized security store such as Splunk may not hold. For example, an investigation may be triggered by a SIEM/SOAR alert, but not everything the analyst needs to reach a verdict is necessarily collected centrally, so data may have to be pulled directly from EDR, multiple SaaS applications and file-sharing services.
  3. Immediate Scope/Impact Identification: During an investigation, analysts can pull a broader set of logs or context from the data sources themselves, beyond what is typically forwarded to a central store. This helps define the blast radius and severity of a case in seconds rather than hours.

For example, an analyst may be proficient in KQL and gather data from systems that way, but unable to dig into resources that require Lucene or SPL. Similarly, analysts may limit collection to centralized repositories if they lack the technical expertise or the access to pull data from individual resources directly.

Command Zero vs. AI SOC analysts

Command Zero's focus is on tier-2 and tier-3 case investigations (escalated cases), so its purpose is fundamentally different from that of AI SOC analysts, which primarily target alert triage and tier-1 tasks. That said, we frequently get questions on how we compare with these solutions:

  1. AI SOC analysts are designed for triage and simple tier-1 cases. They handle those well, but break down on complex cases that require deep reasoning.
  2. They do not provide a transparent, auditable flow for their decision-making. Hallucinations are unpredictable and, by design, not under the operator's control; keeping a human in the loop to catch them is expensive.
  3. Agentic approaches are often serial: an agent calls a tool, parses the output, incorporates it, and repeats, which is slow by design. These solutions demo well in controlled environments but face performance challenges in real-world conditions.
  4. Agentic approaches can become expensive to run, depending on how much interaction there is between agents, data and tools.

Command Zero uses LLMs selectively, inside structured decision points, which avoids most of the issues that come with open-ended agentic loops. The platform's technical and investigative expertise is embedded as questions and facets; as described above, LLMs select the relevant ones, guide the investigation in natural language, interpret and summarize data, and produce reports and verdicts. Structured controls on inputs and outputs keep hallucinations and non-deterministic results in check, though no such control removes them entirely.
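What "structured controls" on LLM inputs and outputs can look like in practice, for this paragraph and for the "Controlled Inputs and Outputs" benefit above: the following is an added illustration, not Command Zero's implementation. It assumes a fixed JSON contract for the model's reply, pre-enriched evidence records with short IDs, and a scripted stand-in for the model call; the evidence records and the sample replies are constructed.

```python
"""Constrain and validate an LLM's structured output before it becomes a verdict.

Added illustration, not Command Zero's implementation. The model is asked for a
fixed JSON shape over pre-enriched evidence; its reply is parsed, checked against
an allow-list of verdicts, and every evidence ID it cites must be one it was
actually given. A failing reply is rejected and the model is re-asked with the
validation error; when the retry budget is spent the case goes to a human rather
than a verdict being trusted. Evidence records, replies and the model stand-in
are constructed.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

ALLOWED_VERDICTS = {"benign", "suspicious", "malicious", "inconclusive"}
REQUIRED_KEYS = {"verdict", "confidence", "evidence", "rationale"}

# Constructed, pre-enriched evidence: context such as "IP not in corporate
# egress list" is attached before the model sees the record, so it reasons
# over facts instead of guessing them. These IDs are all the model may cite.
EVIDENCE: Dict[str, dict] = {
    "E1": {"source": "okta", "summary": "session.start from 203.0.113.7 without MFA",
           "enrichment": "IP not in corporate egress list"},
    "E2": {"source": "aws", "summary": "CreateAccessKey by jack.black from 203.0.113.7",
           "enrichment": "principal holds AdministratorAccess"},
    "E3": {"source": "okta", "summary": "session.start from 198.51.100.4 with MFA",
           "enrichment": "IP in corporate egress list"},
}

class VerdictError(ValueError):
    """The model's reply does not satisfy the output contract."""

def build_prompt(evidence: Dict[str, dict]) -> str:
    """Structured prompt: the schema is stated and only the listed IDs may be cited."""
    lines = [f"{eid}: [{e['source']}] {e['summary']} ({e['enrichment']})"
             for eid, e in evidence.items()]
    return ("Reply with exactly one JSON object with keys: verdict (one of "
            f"{sorted(ALLOWED_VERDICTS)}), confidence (number 0..1), evidence (list of "
            "the IDs below that you rely on), rationale (short string).\nEvidence:\n"
            + "\n".join(lines))

def validate_verdict(raw: str, evidence: Dict[str, dict]) -> dict:
    """Parse and check one reply; raise VerdictError with a reason the model can act on."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise VerdictError(f"not JSON: {exc.msg}")
    if not isinstance(obj, dict) or set(obj) != REQUIRED_KEYS:
        raise VerdictError(f"keys must be exactly {sorted(REQUIRED_KEYS)}")
    if not isinstance(obj["verdict"], str) or obj["verdict"] not in ALLOWED_VERDICTS:
        raise VerdictError(f"verdict {obj['verdict']!r} is not in the allow-list")
    conf = obj["confidence"]
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0 <= conf <= 1:
        raise VerdictError("confidence must be a number in [0, 1]")
    cited = obj["evidence"]
    if not isinstance(cited, list) or not cited:
        raise VerdictError("a verdict must cite at least one evidence ID")
    unknown = [e for e in cited if not isinstance(e, str) or e not in evidence]
    if unknown:  # the grounding check: citing unseen evidence is a fabricated finding
        raise VerdictError(f"cites evidence that was never provided: {unknown}")
    if not isinstance(obj["rationale"], str) or not 0 < len(obj["rationale"]) <= 500:
        raise VerdictError("rationale must be a non-empty string of at most 500 characters")
    return obj

def decide(model: Callable[[str], str], evidence: Dict[str, dict],
           max_attempts: int = 3) -> Tuple[Optional[dict], List[str]]:
    """Ask, validate, re-ask with the error; None means escalate to a human."""
    prompt = build_prompt(evidence)
    errors: List[str] = []
    for _ in range(max_attempts):
        feedback = f"\nYour previous reply was rejected: {errors[-1]}" if errors else ""
        try:
            return validate_verdict(model(prompt + feedback), evidence), errors
        except VerdictError as exc:
            errors.append(str(exc))
    return None, errors

def scripted_model(replies: List[str]) -> Callable[[str], str]:
    """Stand-in for a real LLM call; returns the canned replies in order."""
    it = iter(replies)
    return lambda _prompt: next(it)

# Constructed replies: the first cites E9, which was never provided, and is rejected.
SAMPLE_REPLIES = [
    '{"verdict": "malicious", "confidence": 0.9, "evidence": ["E2", "E9"], '
    '"rationale": "Access key created from a non-corporate IP after a no-MFA login"}',
    '{"verdict": "malicious", "confidence": 0.85, "evidence": ["E1", "E2"], '
    '"rationale": "Access key created from a non-corporate IP after a no-MFA login"}',
]

if __name__ == "__main__":
    verdict, errors = decide(scripted_model(SAMPLE_REPLIES), EVIDENCE)
    print("rejected:", errors)
    print("accepted:", verdict)
```

The check that matters most is the grounding check in validate_verdict: a verdict that cites an evidence ID the model was never given is the signature of a fabricated finding, and it is caught mechanically rather than by a reviewer reading the rationale. The fallback is None, not a low-confidence verdict, so a model that never produces a valid reply escalates instead of quietly closing the case.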

Conclusion

By leveraging questions as the foundation of our platform, Command Zero is changing the way security investigations are conducted. Analysts benefit from a guided, collaborative and efficient approach that adapts to their needs and lets them run complex cases to ground. Thanks to the question-based approach, analysts can complete investigations in minutes instead of hours, collaborate and learn from each other, and build institutional knowledge with each investigation.

Check out our platform page to learn more about Command Zero’s question-based approach to investigations.  
