April 2, 2025 | 4 min read

Why SIEMs and data lakes do not deliver the optimal experience for security investigations

Centralized data systems like SIEMs and data lakes excel at detection, reporting and compliance, but fall short for complex security investigations. These tools weren't designed for dynamic, pivot-heavy workflows, so analysts end up writing complex queries and manually retrieving data, wasting critical time during incidents. Command Zero redefines investigative workflows by combining automation with expert-driven AI capabilities. The platform automates routine tasks, summarizes complex artifacts, and proactively suggests next steps, enabling analysts to focus on high-impact activities like root cause analysis and risk mitigation. For example, a Tier 1 analyst investigating a phishing campaign can bypass hours of manual log retrieval and cross-referencing because automated processes deliver actionable insights. Unlike generic chatbots or Tier 1-focused agentic AI, Command Zero's LLM implementation supplements analysts by bridging knowledge gaps and enhancing decision-making across all experience levels. This pragmatic approach empowers security teams to work smarter, reducing noise and inefficiencies while delivering faster, clearer results for both analysts and executives.

Eric Hulse
Director of Security Research

Introduction

Centralized data stores, like SIEMs and data lakes, are excellent at aggregating information for detection, but they fall short when it comes to investigations. These tools weren’t designed with investigative workflows in mind, and trying to use them for this purpose often leads to inefficiencies that slow analysts down when time is critical.

Security analysts face a fundamental daily challenge: they're oversubscribed, constantly distracted by incoming alerts, messages, and cases, yet expected to focus on high-priority incidents that require deep investigation. The traditional approach forces them to become part-time security engineers, spending valuable time crafting complex queries instead of analyzing security threats.

Why centralized data stores struggle with investigations

SIEMs, security data lakes and similar platforms are optimized for alert generation, not dynamic exploration. Investigations require analysts to pivot quickly between data sources, uncover patterns, and drill down into specific areas—all tasks that centralized systems make unnecessarily complex.

Take SIEMs as an example. Analysts often need to write intricate queries in vendor-specific languages such as KQL (Kusto Query Language) to retrieve relevant data, and each platform has its own. This process is cumbersome and error-prone, especially during live incidents where speed and accuracy are paramount. If an investigation turns out to be a false positive or narrows in scope early on, the analyst may already have spent hours navigating a system that wasn't built for the task.

Consider this common scenario: A Tier 1 analyst whose experience is in Azure receives an alert about suspicious activity in AWS. Retrieving even basic data points now means hours of research followed by extensive consultations with system administrators. This creates a bottleneck where knowledge of each platform's query language and data layout becomes a prerequisite for effective security analysis.

When investigating a potential incident, analysts often need to:

  • Learn specialized query languages for each data source
  • Craft complex queries across multiple systems
  • Manually retrieve and correlate data from disparate sources
  • Communicate findings using inconsistent formats

These operational inefficiencies prevent analysts from focusing on their primary responsibility: determining whether security risks exist and what actions to take.

Another challenge is access to diverse data sources. For instance, investigating a GitHub Enterprise-related incident might require pulling audit logs from GitHub's API, a task that can involve several steps (obtaining a suitably scoped token, paging through results, reformatting the output) and coordination with administrators. Centralized systems rarely streamline these workflows, leaving analysts stuck performing manual tasks that should be automated.

Analysts are overwhelmed by noise every day

Security operations centers (SOCs) are inundated with alerts, cases, and requests from leadership. Analysts often spend more time managing tools than solving problems. This fragmentation of attention leads to inefficiencies and missed opportunities to address high-impact threats.

For example, a Tier 1 analyst investigating a phishing campaign might spend hours piecing together email logs manually, cross-referencing them with identity data, and crafting reports for leadership, all while juggling other cases and incoming alerts. The result is time spent on repetitive tasks instead of on identifying root causes or assessing risk.
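To make the manual cross-referencing described above (and the "learn each query language, craft queries, correlate by hand" list earlier in the article) concrete, here is an added example that is not part of the original post and not Command Zero's code. It takes two constructed logs whose formats are assumptions, a JSON-lines email gateway log and a CSV identity-provider sign-in log, normalizes their differing field names, timestamp formats and identity casing, and then flags recipients of a delivered phish who signed in successfully within a window after delivery from a country absent from their earlier sign-ins. Every line of it is the mechanical work the paragraph says an analyst otherwise does by hand, before any judgment is applied.

```python
"""Cross-source correlation for a phishing case.

Constructed example: EMAIL_LOG and SIGNIN_LOG below are made up, and their
formats are assumptions. They deliberately disagree on field names, timestamp
formats and identity casing, which is exactly the normalisation an analyst
otherwise does by hand before any correlation can start.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed email-gateway log (JSON lines, ISO 8601 timestamps, mixed-case recipients).
EMAIL_LOG = """\
{"ts": "2025-04-01T08:55:10Z", "rcpt": "Alice.Smith@example.com", "from": "it-support@examp1e.com", "subject": "Password expiry", "action": "delivered"}
{"ts": "2025-04-01T08:55:12Z", "rcpt": "Bob.Jones@example.com", "from": "it-support@examp1e.com", "subject": "Password expiry", "action": "delivered"}
{"ts": "2025-04-01T08:55:15Z", "rcpt": "carol.lee@example.com", "from": "it-support@examp1e.com", "subject": "Password expiry", "action": "quarantined"}
"""

# Constructed identity-provider sign-in log (CSV, space-separated UTC timestamps).
SIGNIN_LOG = """\
time,userPrincipalName,ipAddress,country,status
2025-03-31 14:02:11,alice.smith@example.com,198.51.100.7,US,Success
2025-03-31 10:00:00,bob.jones@example.com,198.51.100.9,US,Success
2025-04-01 09:14:03,alice.smith@example.com,203.0.113.45,NL,Success
2025-04-01 09:20:30,bob.jones@example.com,198.51.100.9,US,Success
2025-04-01 09:31:00,carol.lee@example.com,203.0.113.90,NL,Failure
"""


def parse_email_log(text):
    """Normalise gateway records to {ts, user, sender, subject, delivered}."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            "user": rec["rcpt"].lower(),       # identity casing differs between sources
            "sender": rec["from"],
            "subject": rec["subject"],
            "delivered": rec["action"] == "delivered",
        })
    return events


def parse_signin_log(text):
    """Normalise IdP records to {ts, user, ip, country, success}."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "user": row["userPrincipalName"].lower(),
            "ip": row["ipAddress"],
            "country": row["country"],
            "success": row["status"] == "Success",
        })
    return events


def correlate(emails, signins, window=timedelta(hours=2)):
    """For each delivered phish, flag successful sign-ins by the recipient within
    `window` of delivery from a country not seen in that user's earlier sign-ins.
    Quarantined mail and failed sign-ins are ignored; with no prior history every
    country counts as new, which is the conservative choice for triage."""
    by_user = {}
    for s in signins:
        by_user.setdefault(s["user"], []).append(s)

    findings = []
    for e in emails:
        if not e["delivered"]:
            continue
        history = by_user.get(e["user"], [])
        baseline = {s["country"] for s in history if s["success"] and s["ts"] < e["ts"]}
        for s in history:
            if not s["success"] or not (e["ts"] < s["ts"] <= e["ts"] + window):
                continue
            if s["country"] in baseline:
                continue
            findings.append({
                "user": e["user"],
                "phish_sender": e["sender"],
                "phish_subject": e["subject"],
                "delivered_at": e["ts"].isoformat(),
                "signin_at": s["ts"].isoformat(),
                "ip": s["ip"],
                "country": s["country"],
                "seconds_after": int((s["ts"] - e["ts"]).total_seconds()),
            })
    return sorted(findings, key=lambda f: f["signin_at"])


def investigate(email_text=EMAIL_LOG, signin_text=SIGNIN_LOG):
    """End-to-end: parse both sources, then correlate."""
    return correlate(parse_email_log(email_text), parse_signin_log(signin_text))


if __name__ == "__main__":
    for f in investigate():
        print(f"{f['user']}: sign-in from {f['ip']} ({f['country']}) "
              f"{f['seconds_after']}s after '{f['phish_subject']}' from {f['phish_sender']}")
```

On the constructed data only alice.smith is flagged: bob.jones signs in from a country already in his baseline, and carol.lee's copy of the mail was quarantined. The two parsers exist solely to reconcile formats, and the window, the "new country" heuristic and the success-only filter are all judgment calls an analyst would tune per case; that is the split between mechanical work and expertise the article is describing.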

Using AI as an enabler: Supplementing analysts instead of replacing them

AI in security operations often comes with unrealistic expectations—promises of fully autonomous investigations or “magic” solutions that replace human expertise. The reality is far more practical: AI should supplement analysts by automating routine tasks and providing actionable insights that enhance decision-making.

At Command Zero, we’ve taken a pragmatic approach to AI implementation:

  • Automation: Routine tasks like retrieving logs or scoping alerts are automated to save analysts time and reduce friction during investigations.
  • Summarization: Large language models (LLMs) distill complex artifacts into concise summaries tailored to the analyst’s experience level—whether they’re Tier 1 or Tier 3 experts.
  • Proactive Suggestions: The platform highlights overlooked areas or recommends next steps based on expert-driven best practices, ensuring investigations stay thorough without relying on analysts to ask the “perfect” questions upfront.

This implementation philosophy centers on supplementation rather than replacement. The goal isn't to remove analysts from the equation but to enhance their capabilities and efficiency.

Real-world applications: Faster insights and better communication

The impact of this approach is clear in real-world scenarios. Imagine an analyst investigating suspicious activity in AWS who isn’t familiar with its intricacies because they’ve primarily worked in Azure environments. Instead of spending hours learning AWS-specific nuances or crafting queries manually, Command Zero automates these processes and provides summarized findings tailored to their needs.

Even executives benefit from this streamlined workflow. Reports generated by the platform avoid technical jargon, making it easier for leadership to understand key findings without endless clarification cycles.

Moving beyond centralized data repositories

Centralized data repositories will always play a role in detection workflows, but they aren’t the answer for investigations. By combining automation with expert-driven AI capabilities, we can eliminate inefficiencies and empower analysts to focus on what matters most—mitigating risk and protecting the organization.

The future of security operations isn't about replacing human expertise with artificial intelligence. It's about creating symbiotic relationships where technology handles repetitive tasks while augmenting human decision-making capabilities.

As we continue developing these capabilities, our focus remains firmly on delivering practical value today rather than promising hypothetical benefits tomorrow. By anchoring our approach in pragmatic solutions to real-world challenges, we're helping security teams maximize their impact with existing resources.

The most effective AI implementations in security aren't those that attempt to replace analysts, but those that make analysts better at what they already do.

Book a demo with our team to see how Command Zero can complement your SIEM and data lake, supercharging Tier 2+ analysis for your organization.

