Security and Trust

Many organizations have legitimate questions about AI-driven solutions. At SOCFirst, we believe these concerns are not just valid—they’re essential. We built our solution with accuracy, explainability, and data privacy in mind, so you can feel confident in integrating our AI SOC analyst into your security operations.

Architecture

The SOCFirst AI solution is an autonomous AI system that is pre-trained to replicate the work of a Tier 1 SOC analyst. The main components are:

  • A dedicated cloud tenant hosted in Google Cloud
  • An optional connector that allows the tenant to reach your own Google Cloud environment

Security

Network Security

Each SOCFirst AI SaaS tenant runs in its own isolated Google Cloud subnet. Security groups and network controls restrict which access is allowed; anything not explicitly specified is denied by default. Currently all API calls initiated from the SOCFirst AI solution, either directly from the Google Cloud


Platform Authentication and User Roles

Securely manage user access via Google SSO, or SAML IDP integration.

User permissions align to three user roles available in the SOCFirst AI solution:

  • Administrator: Capable of all activities, including user management
  • Member: Capable of all activities, excluding user management
  • Restricted Read Only: Read-only access with no ad-hoc capabilities

Data Privacy

SOCFirst AI implements a number of measures to ensure the confidentiality of customer data.

Single-tenant architecture

The SOCFirst AI platform is built on a single-tenant architecture in Google Cloud. This ensures physical segmentation between all customers, so there is no chance of data commingling.

No training on your data

Your data is not used to train our models, either at SOCFirst or at our sub-processors. In addition, SOCFirst AI has zero-data-retention agreements in place with our LLM providers so that customer data is not stored.

To perform investigations, SOCFirst AI uses the same security tools and IT systems that human analysts use to retrieve alerts, scan content, and query data.

Alert and data source categories used by SOCFirst AI include:

  • Cloud service providers
  • Email systems
  • Endpoint detection and response
  • Identity 
  • Network security products
  • Productivity 
  • SIEM 
  • Ticketing systems
  • Vulnerability management

You have control over what types of access you provide to the SOCFirst AI solution. We default to read-only access. In some cases you may want to add write access, such as when writing to ticketing systems. 

We operate with least privilege regarding customer environments and data, supported by strict internal policies for data access, handling, and usage. SOCFirst AI fully supports EU data residency to meet GDPR data transfer requirements.

Accuracy and Explainability

The SOCFirst AI solution is engineered with a specific focus on:

  • Explainability so that humans can easily verify decisions and the criteria on which they were made
  • Data lineage to provide an audit trail, giving users confidence in SOCFirst AI’s evidence-based analysis
  • Guardrails to protect against hallucinations
  • Continuous internal sandbox/lab testing and validation

Avoiding Hallucinations

SOCFirst AI uses multiple independent agents (expert modules), each of which limits the scope of what is asked of an individual agent in order to avoid hallucinations. Users will commonly add facts to context memory such as:

  • Expert knowledge: Each expert module combines LLM reasoning capability with expertise, derived from authoritative sources such as product documentation.
  • Up-to-date information: Expert modules have access to up-to-date information by accessing internal systems, security tools, threat intelligence, and public tools such as the WHOIS and NVD databases.
  • Specificity: When an alert is received, SOCFirst AI will strategize and plan the investigation, assigning specific tasks to expert modules pre-trained to complete that type of task.