Investigation & Kill Chain

AI in cyber investigation: Copilot or blind automation?

5 min read · Akuity SOC · Delphisoft Deutschland

Will AI replace SOC analysts? Find out why the Copilot approach (decision support) is safer and more effective than a 100% autonomous SOAR.

The integration of Generative Artificial Intelligence into cybersecurity processes raises both enthusiasm and concerns. On the one hand, vendors promise 100% autonomous security operations centers (SOCs) capable of countering attacks without human intervention. On the other hand, information systems directors (ISDs) fear losing control of their infrastructure.

The central question is both ethical and operational: should we let an AI isolate a production server or block an administrative account on its own? At Akuity, we believe in a radically different approach: AI should not be a blind autopilot, but an ultra-powerful Copilot in the service of human discernment.

The Danger of Blind Automation (Autonomous SOAR)

The idea of letting an algorithm fully manage incident response (Autonomous SOAR) is attractive on paper, because it reduces MTTR to zero. However, in the reality of business environments (IT and OT), this approach is extremely dangerous.

Let's imagine that the AI detects unusual behavior (an algorithmic anomaly) on the workstation of the Chief Executive Officer (CEO) just before a fundraising event, or on a server hosting the accounting software at the end of the month. If the SOAR is configured in 100% autonomous mode, it will order the network isolation of the machine without hesitation, paralyzing a critical operation of the company.

If the anomaly turns out to be a false positive (for example, a new legitimate update deployed by IT that modifies registry keys), the AI will have caused more business damage (an internal denial of service) than the phantom threat it was intended to block. The risk of business disruption is too high.

The Akuity approach: Humans at the center, powered by AI

The Akuity SOC philosophy is based on a strict balance: the speed of the machine to understand, the wisdom of the human to decide. In our orchestrator, the Google Gemini AI has no access to remediation buttons. It acts as a virtual level 3 (L3) analyst that pre-digests the work for the level 1 (L1) operator, allowing them to make an informed decision in seconds.

1. Synthesis and Qualification (AI explains)

As soon as a complex alert comes back from Microsoft Defender, the AI translates the raw JSON payload into natural language. It applies a "Double Discourse": a detailed technical report and a clear summary for the executive committee (Comex). If it considers that the alert closely resembles an internal maintenance script, it attaches the badge "Probable false positive", but it does not close the ticket on its own. It is up to the analyst to read the recommendation and validate it.

2. Contextual Chat (AI advises)

Interactive investigation is the heart of the Copilot approach. The "Discussion" tab (TicketChat.tsx) allows the analyst to converse with Gemini. The analyst can ask for details about network behavior or ask the AI to analyze the reputation of an IP address. The AI provides OSINT and technical expertise in real time, saving the analyst from searching for answers on Google or VirusTotal.

3. Strict validation of the action (Human executes)

Once the doubt is lifted, it is the human who keeps their hand on the trigger. To trigger a critical remediation (such as isolating a machine via Intune or purging emails on the tenant), the system requires not only a deliberate action from the analyst, but also a security elevation.

The order only goes through if the operator enters their second-factor authentication code (MFA), validating an AAL2-level session. This step certifies (and traces in the JSON audit logs for the SOC 2 standard) that the human intervention was conscious, measured and sovereign.
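The three steps above describe one policy: the AI may explain and advise, but only a human holding a fresh MFA step-up (AAL2) session may close a ticket or execute a remediation, and every decision is written to an audit trail. The following is an added illustration of that gate, not Akuity's own code; the type names, the 15-minute step-up freshness window, the two remediation actions and the reason codes are assumptions chosen for the example.

```typescript
// Added example (not Akuity's code): a human-in-the-loop remediation gate.
// The "ai" actor can only annotate a ticket; closing or remediating requires a
// human actor whose session is bound to them, at AAL2, with recent MFA.
// Every decision, allowed or denied, is appended to a JSON-lines audit trail.

type ActorKind = "human" | "ai";
interface Actor { id: string; kind: ActorKind; }
interface Session { actorId: string; aal: 1 | 2 | 3; mfaVerifiedAt?: number; }
interface Ticket { id: string; status: "open" | "closed"; badges: string[]; notes: string[]; }
interface Remediation { action: "isolate_host" | "purge_mailbox"; target: string; } // assumed action list
interface AuditEntry {
  ts: number; actorId: string; actorKind: ActorKind; ticketId: string;
  event: string; allowed: boolean; reason: string;
}
interface Decision { ok: boolean; reason: string; }

const MFA_FRESHNESS_MS = 15 * 60 * 1000; // assumed: the step-up must be recent, not just "once at login"

class CopilotGate {
  readonly audit: AuditEntry[] = [];
  constructor(private readonly now: () => number = () => Date.now()) {}

  // AI path: adds a badge and an explanation. The status field is deliberately
  // untouched, so "Probable false positive" never closes the ticket by itself.
  annotate(actor: Actor, ticket: Ticket, badge: string, note: string): Ticket {
    const updated: Ticket = { ...ticket, badges: [...ticket.badges, badge], notes: [...ticket.notes, note] };
    this.record(actor, ticket.id, "annotate:" + badge, true, "annotation only; status unchanged");
    return updated;
  }

  // Human path: closing a ticket goes through the same authorisation as a remediation.
  close(actor: Actor, session: Session, ticket: Ticket): { decision: Decision; ticket: Ticket } {
    const decision = this.authorize(actor, session);
    this.record(actor, ticket.id, "close", decision.ok, decision.reason);
    return { decision, ticket: decision.ok ? { ...ticket, status: "closed" } : ticket };
  }

  // Human path: a critical action is only dispatched when the decision is ok.
  remediate(actor: Actor, session: Session, ticket: Ticket, rem: Remediation): Decision {
    const decision = this.authorize(actor, session);
    this.record(actor, ticket.id, rem.action + ":" + rem.target, decision.ok, decision.reason);
    // A real system would call the EDR/MDM API here, strictly inside `if (decision.ok)`.
    return decision;
  }

  // The policy itself: human actor, session bound to that actor, AAL2 with fresh MFA.
  private authorize(actor: Actor, session: Session): Decision {
    if (actor.kind !== "human") return { ok: false, reason: "ai_actor_not_permitted" };
    if (session.actorId !== actor.id) return { ok: false, reason: "session_actor_mismatch" };
    if (session.aal < 2 || session.mfaVerifiedAt === undefined) return { ok: false, reason: "aal2_required" };
    if (this.now() - session.mfaVerifiedAt > MFA_FRESHNESS_MS) return { ok: false, reason: "mfa_stale" };
    return { ok: true, reason: "human_aal2_fresh" };
  }

  private record(actor: Actor, ticketId: string, event: string, allowed: boolean, reason: string): void {
    this.audit.push({ ts: this.now(), actorId: actor.id, actorKind: actor.kind, ticketId, event, allowed, reason });
  }

  // One JSON object per line: an append-only trail that a reviewer can replay later.
  auditJsonLines(): string {
    return this.audit.map((e) => JSON.stringify(e)).join("\n");
  }
}

// Walk-through on constructed data: the AI badges a ticket, then several
// remediation attempts are made; only the human with a fresh AAL2 session succeeds.
function demo(): { aiBlocked: boolean; noMfaBlocked: boolean; staleBlocked: boolean; freshAllowed: boolean; auditCount: number } {
  const clock = 1000000; // fixed clock for a deterministic walk-through
  const gate = new CopilotGate(() => clock);
  const ai: Actor = { id: "gemini", kind: "ai" };
  const analyst: Actor = { id: "alice", kind: "human" };
  let ticket: Ticket = { id: "T-0001", status: "open", badges: [], notes: [] };
  ticket = gate.annotate(ai, ticket, "Probable false positive", "Pattern matches the monthly maintenance script.");
  const rem: Remediation = { action: "isolate_host", target: "ws-ceo-01" };
  const aiBlocked = !gate.remediate(ai, { actorId: "gemini", aal: 2, mfaVerifiedAt: clock }, ticket, rem).ok;
  const noMfaBlocked = !gate.remediate(analyst, { actorId: "alice", aal: 1 }, ticket, rem).ok;
  const staleBlocked = !gate.remediate(analyst, { actorId: "alice", aal: 2, mfaVerifiedAt: clock - 16 * 60 * 1000 }, ticket, rem).ok;
  const freshAllowed = gate.remediate(analyst, { actorId: "alice", aal: 2, mfaVerifiedAt: clock - 60 * 1000 }, ticket, rem).ok;
  return { aiBlocked, noMfaBlocked, staleBlocked, freshAllowed, auditCount: gate.audit.length };
}
```

The point of the structure is that the AI role and the human role share a ticket but not a code path: `annotate` cannot change `status`, and `authorize` rejects the AI actor before it even looks at the session, so a compromised or hallucinating assistant cannot reach the remediation branch. The freshness check reflects the page's requirement that the MFA code be entered at the moment of the action, not merely at login.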

Conclusion: Augmented rather than Artificial Intelligence

Replacing cyber analysts with autonomous algorithms is a dangerous utopia. The real innovation is removing the drudgery from their work (reading JSON, collecting data, reporting) so they can focus on cognitive investigation and response strategy. This is the era of AI-assisted SOC.

Maintain control while increasing your efficiency. Discover how the Akuity SOC Investigation and Kill Chain module integrates AI as a real decision-making Copilot.

Related solution page

Incident Investigation and Visual Kill Chain

Visualize the spread of attacks with our interactive Kill Chain. Algorithmic temporal analysis, search debounce and MITRE ATT&CK integration.

Discover the complete solution