TalksAWS re:Invent 2025 - From collecting tools to an autonomous SOC (SEC206)

AWS re:Invent 2025 - From collecting tools to an autonomous SOC (SEC206)

Autonomous Security Operations Center (SOC): From Tool Collection to AI-Driven Efficiency

Current Challenges in Security Operations

  • Security analysts face an unsustainable workload, having to triage and investigate endless alerts manually
  • Organizations struggle to keep up with the pace of attacks, as adversaries leverage AI and automation to scale their efforts

The AI-Powered Autonomous SOC

Leveraging AI and Automation

  • Sentinel One's "Purple AI" provides human-level reasoning and automation capabilities within the Singularity platform
  • Integrates with Sentinel One's automation platform to orchestrate actions on the analyst's behalf
  • Utilizes proprietary machine learning models (e.g., "Ultraviolet") for malware detection and broad threat intelligence

Maturity Model for Autonomous Security

  • Level 0: Manual rule-based detections and investigations
  • Level 1: Automated playbooks and AI-assisted automation
  • Level 2 (current): Partial autonomy with AI-driven triage, investigation, and response
  • Level 3 (future): High autonomy, with analysts as "mission commanders" overseeing AI agents

Key Autonomous SOC Capabilities

  1. Data Ingestion and Enrichment:

    • Observo AI helps pull in the right data at the right time, with 80% noise reduction and 100x faster than legacy SIMs
    • Sentinel One's high-performance query engine enables real-time analysis and response

  2. Automated Triage and Investigation:

    • Purple AI performs dynamic, agent-based reasoning to surface and investigate potential threats
    • Leverages hyperautomation workflows to enrich incidents and recommend actions

  3. Proactive Risk Management:

    • Purple AI can create detection rules and recommend actions to address identified risks
    • Enables a more proactive security posture, moving beyond just reactive incident response

Business Impact and Efficiency Gains

  • 60% increase in detection efficiency
  • 40% faster triage and investigation
  • 55% improvement in response and remediation capabilities

Empowering Developers and Security Teams

  • Sentinel One's Purple AI MCP server is open-source, allowing users to build their own autonomous agents and workflows
  • Demonstrations like "Mortal vs. Machine" and AWS Game Day showcase the power of AI-driven security operations

Key Takeaways

  • Adversaries are increasingly leveraging AI and automation to scale their attacks, outpacing traditional security approaches
  • Sentinel One's autonomous SOC model aims to empower security teams by automating repetitive tasks and enabling more strategic, proactive security
  • The combination of AI-driven triage, investigation, and response can significantly improve security operations efficiency and effectiveness
  • Sentinel One provides open-source tools and platforms to enable security teams and developers to build their own autonomous security solutions

Your Digital Journey deserves a great story.

Build one with us.

Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.