"I don't write queries anymore. I just ask Exabot," says Mike Shannon, Guardant Health's Director of Security Engineering.
What an AI SOC platform does and how it differs from bolt-on AI
The report defines an AI SOC platform as one where "AI agents carry out the core work of the SOC (detection, triage, investigation, and response) by reasoning over correlated security data, under human oversight." That contrasts with bolt-on AI, which "summarizes alerts inside an existing SIEM while the underlying work stays manual." The key technical distinction is whether agents are agentic — performing the SOC lifecycle themselves — or merely annotating alerts produced by legacy tooling.
Predictability and the real-time knowledge graph
Predictability, the authors argue, is a data property more than a model property. An agent trusted to close alerts or take response actions needs contextual information — identity, resource, device configuration drift, and behavioral baselines — available before an alert fires. Platforms built for that level of trust maintain "a real-time knowledge graph, a continuously updated map of the identities, resources, configurations, and behavioral baselines in an environment and the relationships between them." By contrast, bolt-on AI "queries raw logs after an alert lands," which the report warns is why such conclusions "often fail to hold up under scrutiny."
The six capabilities to test during a proof of concept
The source lays out six specific capabilities buyers should validate in their environment or in a vendor demo. Each can be checked in a proof of concept:
- A real-time, correlated data foundation. Confirm identity, configuration, resource, and baseline data are correlated continuously (the knowledge-graph approach) rather than assembled from raw logs at query time. The report suggests picking an identity at random and verifying permissions, configuration drift, and behavioral baseline.
- Full-lifecycle agents. Ask the vendor to walk one incident end-to-end and watch whether context carries across detection, triage, investigation, and response — or whether it is re-gathered at each step.
- Evidence-backed, auditable verdicts. "Ask to see the evidence trail behind a verdict — every log line, correlation, and inference that produced it — and confirm your analysts can reproduce the finding from the same data." The authors state plainly: "A verdict you cannot audit is an opinion."
- Detection coverage beyond the SIEM. List the sources your stack leaves dark (high-volume cloud audit logs, GitHub, Google Workspace) and have the vendor show a detection and investigation that uses those sources.
- Staged autonomy with human oversight. The report cautions: "Full autonomy on day one is a warning sign, and so is a platform that never earns more than read-only access." Probe which actions start as recommendations, how evidence unlocks automatic execution, and whether thresholds are tunable per action type.
- Measurable outcomes. Define metrics before the POC — false-positive rate, mean time to investigate and respond — and measure results against your baseline. If you may later use the vendor's managed service, confirm that the managed service "uses the same product your team would operate."
Spotlight: Exaforce's Exabots and customer outcomes
The piece highlights Exaforce as an example of an agentic AI SOC platform built around the six capabilities. Exaforce's four Exabots are named and scoped: Exabot Detect for detection, Exabot Triage for Tier-3 depth triage, Exabot Investigate for threat hunting, and Exabot Respond to coordinate actions across the kill chain with human approval for irreversible steps. All four reason over "a unified real-time data platform that ingests and enriches logs and configuration across cloud, SaaS, identity, endpoint, and code."
The report cites measured customer outcomes: an "Invisible cut means time to investigate by 95%, taking investigations from hours or days to minutes." It also reports that Forcepoint replaced an MSSP with Exaforce MDR and "now holds a 14-minute mean time to respond on P0 incidents." The platform can be operated in-house or as Exaforce's MDR; "The architecture and the Exabots are identical either way; only who operates them changes." Guardant Health made Exaforce its primary SIEM and MDR.
What this means for technologists and procurement leaders
Technologists and security teams should test whether a candidate platform provides continuously correlated context and an auditable evidence trail before trusting automated responses. Procurement leaders should insist on measurable baselines for false positives and mean times to investigate and respond, and verify whether the managed service offering uses the same product the buyer would deploy.
Conclusion: the battle will be won on data, not frontier models
The report warns that "no platform, Exaforce included, makes the modern SOC a solved problem." It frames the coming phase as "AI against AI" and argues success will depend less on frontier models than on the completeness and timeliness of the data agents reason over. Buyers are advised to put the six capabilities in front of every vendor on a shortlist and to see, in a demo or POC, how vendors answer them; Exaforce's primer "What is an AI SOC?" is recommended as a grounding read by the piece.




