EXPEL BLOG

Expel’s guiding principles: Building AI and automation into the foundation of our MDR


3 MIN READ · JAKE GODGART · JUL 21, 2025 · TAGS: AI & automation

TL;DR

  • Expel has three guiding principles that have shaped, and will continue to shape, how AI & automation function within our MDR solution
  • These principles are the foundation of our security operations platform, Expel Workbench
  • For more on our AI practices, check out this overview


It’s impossible to ignore the conversation around AI right now. It’s reshaping industries and promising to solve some of the biggest challenges in security. For us, this moment is an opportunity to talk about the principles that have guided our approach to AI and automation from the very beginning.

Eight years ago, when we began offering MDR services, we built the Expel Workbench™ security operations platform to empower our team to deliver fast, accurate, and transparent services. We built it on one foundational belief: to do security well at scale, technology must supplement human expertise, not try to replace it. From there, we developed three core principles for Expel’s approach to AI and automation. They’re as relevant today as they were on day one.


Principle 1: Outcomes, not hype

The single biggest problem in security operations is noise. Adversaries thrive in the chaos of countless alerts from disconnected tools. Our first job is to eliminate that noise. We use AI and automation in Workbench for a clear purpose: to perform brute-force data processing, allowing our analysts to focus on the real attack.

We apply machine learning models trained on billions of data points from real-world incidents to correlate data across your EDR, cloud, and identity systems and find the handful of threats that truly matter.

Talk is cheap. For one Fortune 50 company, the AI and automation we developed turned 15 billion raw events (over five weeks) into just 35 investigations. For Venable, we filtered two million alerts down to 114 actionable findings. That’s noise reduction in practice. That’s the outcome.


Principle 2: Design for the human moments

AI excels at repetitive, high-volume tasks. Humans excel at judgment, critical thinking, and making tough calls. Our entire philosophy for Workbench is built around optimizing that partnership. We automate the grunt work to elevate the human moments for our SOC team.

When an alert comes into Workbench, our automation engine is already working. It’s enriching the alert with context: Have we seen this before? What does this user normally do? Our bot, Ruxie, can automatically decode a suspicious PowerShell script and cross-reference it with the MITRE ATT&CK® matrix.
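As an added example (not Expel's code, and not a description of how Ruxie actually works), here is what the enrichment questions above look like in Python: it answers "have we seen this before?" with a fingerprint lookup, "what does this user normally do?" with a per-user process baseline, decodes a PowerShell -EncodedCommand payload (base64 over UTF-16LE, which is the real encoding PowerShell expects), and tags the command line with MITRE ATT&CK technique IDs. The alert, the seen-before set, the user baseline and the tagging rules are all constructed for this illustration; the technique IDs themselves are the real ATT&CK identifiers.

```python
import base64
import hashlib
import re
from typing import Optional

# ---- constructed sample data (not real telemetry) -------------------------
# A benign script, encoded the way PowerShell's -EncodedCommand expects
# (UTF-16LE, then base64), so the decode path exercises the real format.
SAMPLE_SCRIPT = "Get-Process | Out-File C:\\temp\\procs.txt"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

SAMPLE_ALERT = {
    "host": "ws-042",
    "user": "jdoe",
    "process": "powershell.exe",
    "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {SAMPLE_ENCODED}",
}

# Command lines from prior alerts we have already investigated, keyed by SHA-256.
SEEN_COMMAND_LINES = {
    hashlib.sha256(b"powershell.exe -Command Get-Date").hexdigest(),
}

# What each user normally runs (constructed baseline from past activity).
USER_BASELINE = {
    "jdoe": {"outlook.exe", "excel.exe", "chrome.exe"},
    "svc-backup": {"powershell.exe", "robocopy.exe"},
}

# PowerShell accepts abbreviated parameter names, hence the alternatives.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-(?:windowstyle|w)\s+hidden", re.I)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Malformed base64 or not UTF-16LE: leave it for the analyst rather than guess.
        return None


def map_to_attack(command_line: str, decoded: Optional[str]):
    """Tag the command line with ATT&CK technique IDs (real IDs; the rules are illustrative)."""
    techniques = []
    if "powershell" in command_line.lower():
        techniques.append(("T1059.001", "Command and Scripting Interpreter: PowerShell"))
    if decoded is not None:
        techniques.append(("T1027", "Obfuscated Files or Information"))
    if HIDDEN_FLAG.search(command_line):
        techniques.append(("T1564.003", "Hide Artifacts: Hidden Window"))
    return techniques


def enrich(alert: dict) -> dict:
    """Answer the enrichment questions an analyst would otherwise chase by hand."""
    cmd = alert["command_line"]
    decoded = decode_encoded_command(cmd)
    fingerprint = hashlib.sha256(cmd.encode()).hexdigest()
    return {
        "seen_before": fingerprint in SEEN_COMMAND_LINES,
        "typical_for_user": alert["process"] in USER_BASELINE.get(alert["user"], set()),
        "decoded_script": decoded,
        "attack_techniques": map_to_attack(cmd, decoded),
    }


if __name__ == "__main__":
    for key, value in enrich(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The point of the decoded script and the technique tags is that they land in front of the analyst already answered; the judgment call (is a hidden, encoded PowerShell run by a user who never runs PowerShell a threat?) stays with the human.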

This frees up our analysts from the soul-crushing, manual data gathering that leads to burnout. It allows them to apply their expertise to the critical decision: Is this a threat, and what do we do about it? It’s why our analyst retention is 91% over two years, and it’s why Dayton Children’s Hospital saw their response time drop from hours to just 15 minutes.


Principle 3: AI responsibly

In an industry built on skepticism, trust is everything. You can’t earn it with a black box. It’s why we committed to building and deploying AI you can actually trust from the start, and have embedded this principle directly into how Workbench operates.

We take data privacy seriously and only use vendors that meet Expel’s strict security requirements. Your data is used only with securely deployed large language models (LLMs), ensuring confidentiality. When we use generative AI to help draft investigation summaries or incident reports, the output is always reviewed and approved by a human expert before it goes to you. Our cross-functional AI governance committee rigorously reviews every model to ensure it’s effective, secure, and fully monitored and supported in production.

We provide transparency directly in Workbench, with AI-tagged elements explaining what was done and why. For instance, you can see the confidence score our auto-marketing email (AME) model assigns to a phishing email, along with links to our documentation explaining the model and how it works. No secrets.


Human experts + AI & automation = MDR success

These principles aren’t a reaction to the current market. This has been our approach since inception, and following these guiding principles has defined how we deliver tangible outcomes today.

Our confidence comes from a strategy that was never about chasing hype. It has always been about building a better, more sustainable way to do security—and we’ve been proving it works, deliberately and effectively, from day one.