security-trust
Security and Trust
Many organizations have legitimate questions about AI-driven solutions. At SOCFirst, we believe these concerns are not just valid—they’re essential. We built our solution with accuracy, explainability, and data privacy in mind, so you can feel confident in integrating our AI SOC analyst into your security operations.
Architecture
The SOCFirst AI solution is an autonomous AI system that is pre-trained to replicate the work of a Tier 1 SOC analyst. The main components are:
- A dedicated cloud tenant hosted in Google Cloud
- An optional connector for the purpose of reaching your Google Cloud
Security
Platform Authentication and User Roles
Securely manage user access via Google SSO, or SAML IDP integration.
User permissions align to three user roles available in the SOCFirst AI solution:
- Administrator: Capable of all activities, including user management
- Member: Capable of all activities, excluding user management
- Restricted Read Only: Read-only access with no ad-hoc capabilities
Data Privacy
implements a number of measures to ensure the confidentiality of customer data.
SOCFirst AI uses the same security tools and IT systems to perform investigations as human analysts do to retrieve alerts, scan content, and query data.
Alert and data source categories used by SOCFirst AI include:
- Cloud service providers
- Email systems
- Endpoint detection and response
- Identity
- Network security products
- Productivity
- SIEM
- Ticketing systems
- Vulnerability management
You have control over what types of access you provide to the SOCFirst AI solution. We default to read-only access. In some cases you may want to add write access, such as when writing to ticketing systems.
We operate with least privilege regarding customer environments and data, supported by strict internal policies for data access, handling, and usage. SOCFirst AI fully supports EU data residency to meet GDPR data transfer requirements.
Accuracy and Explainability
The SOCFirst AI solution is engineered with a specific focus on:
- Explainability so that humans can easily verify decisions and the criteria on which they were made
- Data lineage to provide an audit trail, giving users confidence in SOCFirst AI’s evidence-based analysis
- Guardrails to protect against hallucinations
- Continuous internal sandbox/lab testing and validation
SOCFirst AI uses multiple independent agents (expert modules) that limit the scope of what is being asked of each individual agent and avoid hallucinations. Users will commonly add facts to context memory such as:
- Expert knowledge: Each expert module combines LLM reasoning capability with expertise, derived from authoritative sources such as product documentation.
- Up-to-date information: Expert modules have access to up-to-date information by accessing internal systems, security tools, threat intelligence, and public tools such as the WHOIS and NVD databases.
- Specificity: When an alert is received, SOCFirst AI will strategize and plan the investigation, assigning specific tasks to expert modules pre-trained to complete that type of task.
