Introduction
As enterprises, mid-market, and SMB organizations alike turn to AI-based cybersecurity solutions to address the longstanding challenges of hiring, training, and retaining a security team, many overlook one crucial issue as they begin replacing human-powered SOCs and legacy MDR providers with agentic cybersecurity:
their security architecture and traditional security tooling aren’t built to scale with just any AI SOC solution.
Today’s InfoSec teams rely on ingesting data and telemetry from point security solutions (e.g., the tools protecting endpoints, cloud workloads, and employee identities) into a security information and event management (SIEM) platform, which collects the raw logs and alerts, normalizes and analyzes them, and forwards the results to your AI SOC to inform its investigations, detections, and autonomous responses.
When you use a SIEM as your AI SOC’s unified source of truth for analysis and alerting, you may get more value out of the box at first: most SIEMs have a library of first-party integrations with established security vendors, and some even have safeguards against data duplication that save some money. But that value doesn’t last much past the first 90 days of free or discounted ingestion and retention, and the costs only grow as teams ingest more data to train their AI agents or to preserve for future auditability.
Economic Concerns Emerge for Security Team Leaders
Over the course of an annual or multi-year contract, organizations face ongoing ingestion costs for all of the third-party data a SIEM must collect across every attack surface it is expected to cover.
They also face rising data retention prices, which force security teams either to shorten retention periods or to limit how much data they keep for future investigations and for informing their AI-powered security, ultimately weakening long-term threat hunting and forensic investigation. In the worst cases, security teams in heavily regulated sectors have no choice but to absorb the ingestion and retention costs in order to meet compliance requirements.
SIEM-Centric Architectures Also Create Pain Points for Practitioners
Cost concerns aside, security teams using the legacy SIEM approach also face tactical pain points that make it difficult to scale an AI SOC solution across all their use cases and alerting. A major one in a SIEM-based security operations architecture is the rate limit imposed on queries. These limits restrict the frequency and volume of data retrieval, hindering the team’s ability to perform real-time or near-real-time analysis during critical incidents. When an AI SOC solution cannot query data rapidly or extensively, response slows and threats may escalate unnoticed; alternatively, investigation depth and quality are sacrificed to stay under the limits. The constraints bite hardest in environments with high event volumes, or when complex queries are needed for a deep investigation.
Scalability is also hard to achieve if the SIEM does not store raw data. Without access to raw event data, security teams must rely on pre-processed, normalized, or summarized information, which limits flexibility and detail during investigations. Scaling the architecture to more data or more diverse sources becomes difficult because enriching and correlating events at scale requires granular raw data. The lack of raw data hampers advanced analytics, machine learning applications, and custom threat detection rules, reducing the overall effectiveness of the security operations center as threats grow in complexity.
Moreover, legacy SIEMs often don’t give human and AI analysts the data they need to properly investigate suspicious or malicious alerts. For example, a SIEM might not ingest a user’s MFA enrollment status or SSO group and application assignments, so an analyst has to fetch and contextualize that data manually.
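To make the last two paragraphs concrete, here is an added Python example (not Kenzo’s code and not any SIEM vendor’s schema): constructed identity-provider sign-in events are projected onto a generic authentication schema, and a detection that depends on identity context (group membership, MFA factor, client string) fires over the raw events but finds nothing over the normalized ones, because the fields it needs were dropped in normalization. Field names, group names, and event contents are all illustrative assumptions.

```python
# Added example, not Kenzo's or any SIEM vendor's code. Shows what a
# detection loses when it can only see normalized events: the constructed
# sign-in records below carry identity context (MFA factor, group
# membership, client) that a generic auth schema drops. Field names are
# illustrative assumptions, not a real product schema.

# Constructed raw identity-provider sign-in events (assumed shape).
RAW_EVENTS = [
    {"ts": "2024-05-01T09:12:03Z", "user": "alice", "result": "SUCCESS",
     "src_ip": "203.0.113.10", "app": "aws-console",
     "mfa_factor": "push", "client": "Chrome/124 macOS",
     "groups": ["engineering"]},
    {"ts": "2024-05-01T22:47:51Z", "user": "bob", "result": "SUCCESS",
     "src_ip": "198.51.100.77", "app": "idp-admin-console",
     "mfa_factor": None, "client": "python-requests/2.31",
     "groups": ["idp-admins"]},
    {"ts": "2024-05-01T23:01:10Z", "user": "carol", "result": "FAILURE",
     "src_ip": "198.51.100.77", "app": "idp-admin-console",
     "mfa_factor": None, "client": "python-requests/2.31",
     "groups": ["helpdesk"]},
]

# Group names that mark a privileged user (assumption for the example).
ADMIN_GROUPS = {"idp-admins"}

# Raw fields the detection below needs in order to reach a verdict.
REQUIRED_FIELDS = {"result", "groups", "mfa_factor", "client"}


def normalize(event):
    """SIEM-style projection onto a generic authentication schema.

    Fields with no slot in the common schema (MFA factor, client, group
    membership) are silently discarded, and 'result' is renamed.
    """
    return {
        "timestamp": event["ts"],
        "user": event["user"],
        "outcome": event["result"],
        "src_ip": event["src_ip"],
        "target": event["app"],
    }


def missing_fields(events):
    """Return the required raw fields absent from any event in the set."""
    missing = set()
    for e in events:
        missing |= REQUIRED_FIELDS - set(e)
    return missing


def unverified_admin_logins(events):
    """Flag successful sign-ins by privileged users that completed without
    an MFA factor; the client string is carried along as investigation
    context. Over normalized events this returns nothing, silently."""
    hits = []
    for e in events:
        if e.get("result") != "SUCCESS":
            continue
        privileged = bool(ADMIN_GROUPS & set(e.get("groups", [])))
        if privileged and e.get("mfa_factor") is None:
            hits.append({"user": e["user"], "src_ip": e["src_ip"],
                         "app": e["app"], "client": e.get("client")})
    return hits


if __name__ == "__main__":
    normalized = [normalize(e) for e in RAW_EVENTS]
    print("raw hits:", unverified_admin_logins(RAW_EVENTS))
    print("normalized hits:", unverified_admin_logins(normalized))
    print("fields lost in normalization:", sorted(missing_fields(normalized)))
```

The practical check this illustrates: before pointing an automated investigator at a normalized feed, enumerate the fields each detection or enrichment step actually reads and confirm they survive the pipeline; a detection that returns an empty result over stripped events looks identical to a clean environment.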
And while it’s an age-old concern, it bears repeating: ultimately, an AI SOC solution supports human stakeholders, and a SIEM-centric design still risks generating more false positives and alert fatigue, lengthening mean time to detection and response and degrading capabilities.
Direct Integrations Are Ready for Primetime
Thankfully for practitioners and CISOs alike, there’s a better way. By integrating your attack surfaces and data sources directly with your agentic security platform, you can feed unfiltered logs and telemetry to your autonomous solution without the significant costs legacy solutions impose. It also lets security practitioners ingest exactly the data that’s relevant to them (such as a user’s Okta permissions).
Ultimately, an AI SOC solution enables security teams to scale without compromising their MTTR or the depth and quality of their investigations. The right agentic solution gives human analysts time back for more strategic projects or new work by autonomously investigating alerts and documenting how it reached its conclusions and responses.
While this architecture may extend onboarding by less than an hour in the short term, it gives an agentic solution the opportunity to learn directly from your data and surface actionable insights you can use to tune the agents to your team’s specific needs.
Integrating data and alerting sources directly with a security operations platform offers a streamlined architecture in which telemetry and stateful data flow in real time, without arbitrary query rate limits or restrictions on the type of data or telemetry you can ingest. Raw telemetry, events, alerts, and context are all fair game. The main advantage is the removal of artificial limits and fees tied to data volume and query frequency, letting security teams operate more flexibly and thoroughly.
Best of all? Integrating your data sources directly with your agentic security solution doesn’t have to eliminate the valuable context a SIEM brings to the table. Direct integrations let you choose strategically which data is best suited for normalization and retention via your AI SOC and which sources still benefit from the first-party SIEM integration, minimizing the legacy costs your team must pay.
This approach does come with trade-offs. Onboarding a new data source takes longer, because the platform must be configured to process raw inputs natively, which means more initial setup and customization. And some teams will be uncomfortable with duplicating data across both a SIEM and an AI SOC solution.
The Kenzo Security Difference
At Kenzo Security, our customers trust us to provide instant time to value, offer deeper investigations at scale, and start preventing, detecting, and responding to threats immediately, for every single alert.
The days of “90-day onboardings” being an industry standard or point of pride are officially over. Unlike legacy SIEM or XDR solutions, Kenzo offers full value from hour one and ensures you can configure integrations in 30 minutes or less.
Early AI security solutions claim to replace Tier 1 analysts; we care about providing real outcomes for your team. Kenzo’s Tier 2 SOC analyst agent autonomously contextualizes and recursively investigates reports, and makes intelligent decisions based on risk levels.
Ready to embrace the future of security operations? Schedule a demo with Kenzo Security today.