Product · 4 MIN READ · JAKE GODGART, LIZ MCLAUGHLIN, BRIAN BADORREK, IAN COOPER, TYLER BEAUREGARD AND CLAIRE HOGAN · NOV 13, 2025 · TAGS: AI & automation
TL;DR
- We released a new Expel AI-powered capability—Identity Classification—to let Ruxie, our AI and automation engine, perform initial triage and prioritization of identity alerts. This lets our analysts spot identity-based threats faster.
- This AI capability was trained using a full year’s worth of data from past analyst decisions—all the good, the bad, and the benign—to teach Ruxie how to think like our best analysts when evaluating identity alerts from your tools.
- This capability is available now, and is already protecting your identity attack surface.
The network perimeter is dead. Your critical data lives everywhere—scattered across your on-prem network, as well as thousands of SaaS apps and cloud servers. The new, critical perimeter is identity. (After all, Troy’s massive walls meant nothing once misplaced trust brought the horse inside.)
The data proves this is where adversaries are focusing. The Verizon 2025 Data Breach Investigations Report linked credential abuse to 22% of all breaches. In our own Expel Q3 2025 Quarterly Threat Report, we found that identity-based attacks accounted for a staggering 73.9% of all incidents we investigated. That’s an increase from the previous two quarters, which were relatively consistent (67.7% and 66.2%).
But knowing where the battle is doesn’t make it easy to win. The reality of investigating identity threats is an operational nightmare. A study by Enterprise Strategy Group (ESG) found that workforce identity teams use an average of 11 different tools, and that a single identity incident can take most organizations more than four hours to investigate and remediate.
We see this same friction every day in our own SOC; we pulled the numbers and identity alerts take our analysts 58% longer to work through. So we set out with a simple question: “How do we make this valuable signal even more valuable, and how do we get that value to customers faster?”
Applying a force multiplier where it matters most
When facing a high-volume threat buried in operational complexity, the answer can’t be to just throw more people at the problem. It requires a smarter approach. And one that measurably improves our customers’ security.
We took a full year of our own past analyst decisions—all the good, the bad, and the benign—and used it to teach Ruxie, our AI and automation engine, how to think like our best analysts when evaluating identity alerts from your tools.
Today, we’re excited to roll out this new Expel AI power-up for Ruxie. We call it Identity Classification.

With Identity Classification powered by Expel AI, Ruxie can perform the initial triage of alerts from your identity tools (like Office 365, Okta, and Duo) to spot high-risk scenarios like impersonation attempts, sketchy logins from new countries, or an MFA bypass.
These are then escalated or silenced using prevalence, authentication, and behavioral indicators based on the learnings from millions of alerts and thousands of investigations.
With Identity Classification, Ruxie can reduce our analysts’ mean time to decision, so we don’t have to bother you with annoying identity-related questions we couldn’t answer ourselves, like verifying that it was your VP of Sales logging in from an airport lounge (again), and not someone trying to steal their credentials.
How Identity Classification works
When an alert hits Workbench, Ruxie uses the Identity Classification power-up to analyze prevalence, behavioral, and authentication indicators across the source, IP, and username to find signs of credential abuse. Each alert is scored and classified along the spectrum:
This immediately gives our team more focused investigations and better response. Identity Classification helps our team deliver outcomes to customers faster by:
- Finding evil, faster. If the alert looks suspicious or malicious, it’s escalated to the top of the queue for immediate human review. If the analyst confirms an attacker is present, they can kick off auto-remediations to disable the user’s account and reset credentials to stop the attack. By automating this work, our SOC experts can deliver you value, faster (after all, that’s what you pay us for).
- Silencing the noise. If Expel AI is sure an alert is harmless (at least 97% confident it is benign), the alert is auto-closed by Ruxie with an explanation of the analysis. This gets it out of our analysts’ queue and ensures we’re not bothering you with false alarms. We’ve also engineered the necessary safety measures—including continuous QA and rules that prevent auto-closure on certain high-risk alerts—to make sure things aren’t missed.

- Accelerating every investigation. For everything else, Identity Classification provides detailed evidence. Our analysts see Ruxie’s classification and explanation of why it was made using the key decision drivers and all relevant indicators found in the alert, giving them the context to make the right decision, faster.
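To make the three routing outcomes above concrete, here is an added example (not Expel’s or Ruxie’s code) of a minimal triage router: it scores an alert on prevalence, authentication, and behavioral indicators, escalates above a threshold, auto-closes only when benign confidence reaches 97% and the alert type is not on a never-auto-close list, and otherwise hands the alert and its decision drivers to an analyst. The indicator names, weights, alert fields, and the escalation threshold are assumptions constructed for illustration.

```python
# Added example (not Expel's code): a simplified identity-alert triage router.
from dataclasses import dataclass, field

# Guardrail: alert types the router never auto-closes, however benign the
# score looks. The specific list here is an assumption for illustration.
NEVER_AUTO_CLOSE = {"mfa_bypass", "impersonation"}

# Assumed weights for prevalence, authentication and behavioral indicators.
INDICATOR_WEIGHTS = {
    "ip_rare_for_org": 0.20,       # prevalence: source IP seldom seen org-wide
    "ip_new_for_user": 0.15,       # prevalence: first time this user used the IP
    "mfa_not_satisfied": 0.30,     # authentication: login succeeded without MFA
    "legacy_auth_protocol": 0.15,  # authentication: basic/legacy auth was used
    "new_country": 0.25,           # behavioral: country never seen for this user
    "impossible_travel": 0.45,     # behavioral: two logins too far apart in time
}

@dataclass
class IdentityAlert:
    alert_id: str
    username: str
    source_ip: str
    alert_type: str                 # e.g. "suspicious_login", "mfa_bypass"
    indicators: set = field(default_factory=set)

def score_alert(alert):
    """Sum the weights of the indicators present, capped at 1.0."""
    return min(1.0, sum(INDICATOR_WEIGHTS[i] for i in alert.indicators))

def triage(alert, escalate_at=0.50, benign_confidence=0.97):
    """Return (decision, drivers). decision is 'escalate', 'auto_close' or
    'analyst_review'; drivers lists the indicators behind it, strongest first."""
    score = score_alert(alert)
    drivers = sorted(alert.indicators, key=lambda i: -INDICATOR_WEIGHTS[i])
    if score >= escalate_at:
        return "escalate", drivers
    if 1.0 - score >= benign_confidence and alert.alert_type not in NEVER_AUTO_CLOSE:
        return "auto_close", drivers or ["no risk indicators present"]
    return "analyst_review", drivers or [f"{alert.alert_type} is never auto-closed"]
```

A quiet-looking "mfa_bypass" alert still lands in front of an analyst here, which is the behaviour the auto-closure guardrail described above is meant to guarantee.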
The bottom line
When you partner with an MDR, you’re not paying for analysts to be professional alert-closers. You pay for their expertise, their intuition, and their ability to stop an attack before it becomes a disaster. That one critical alert is the modern-day Trojan horse, and it’s buried under a mountain of noise.
We built Identity Classification to clear away that mountain of noise for our analysts. Ruxie can now handle the monotonous work of checking the passports—not to make our lives easier, but to ensure that when a real Trojan horse shows up, a human expert is there to see it for what it is.
With Identity Classification, we are doubling down on our commitment to securing your identity attack surface. With this new feature, our analysts spend less time getting to the answer and more time digging into the weeds to find attackers.
In the coming months you’ll see Ruxie gain even more AI innovation power-ups to create a better, faster, and more decisive defense for you. While other security vendors are adding AI to make themselves more efficient and improve their bottom line, we’re focused on finding ways to add AI that create measurably better outcomes for you. With Identity Classification, we’re starting one identity alert at a time.