Product · 4 MIN READ · JAKE GODGART · NOV 10, 2025 · TAGS: AI & automation
TL;DR
- Responding to identity alerts can be time-consuming because security analysts must spend critical minutes digging for user context (like role, team, and normal behavior) before they can understand and investigate the threat.
- We’re launching “user context summary,” a new Expel AI power-up that automatically queries identity tools (like Okta and Google Suite) to gather user details so an LLM can instantly give analysts a human-readable summary of the user’s role, department, and technical privileges.
- This new summary allows our analysts to quickly orient on identity alerts so they can move from alert to decision much faster—confidently separating real threats from false alarms—letting our human experts focus on high-stakes decisions, not manual research.
When an identity alert fires, the clock starts ticking. The difference between a company-ending breach and a harmless false alarm might be understanding: “Who is this user?”
Answering that question can turn into a race against time, and analysts often lose critical minutes just piecing together what that user’s normal profile looks like.
Could it be your VP of Sales logging in from an airport lounge (again), or an attacker who just bought their credentials on the dark web? Are they traveling? What’s their role? Are they supposed to have access to production cloud servers? Are they a ‘technical_admin’ with the keys to the kingdom?
Answering those questions requires context. And context is often buried in logs and disparate tools, requiring investigative work to be done before the real analysis can even begin.
Amplifying our experts with AI-powered user context
You don’t hire our world-class MDR SOC team to have them waste time on grunt work. You pay us to be decisive. The friction of gathering, parsing, and orienting on user context details is the opposite of decisiveness.
Today we’re releasing a new AI-powered feature to solve this. We’ve integrated a sophisticated large language model (LLM) into Ruxie, our AI and automation engine, so she can act as a brilliant research assistant that presents our analysts (and your team) with human-readable context about the user up front in identity alerts.
We call this new Expel AI power-up feature user context summary.
Instead of making our analysts dig to understand who the user is and if their actions are anomalous, Ruxie now does it for them. When an alert hits Expel Workbench™, Ruxie’s AI-powered user context summary immediately analyzes the user involved to transform raw data into a consumable narrative.

User context summary automatically queries your identity and endpoint tools (like Office 365, Google Suite, Okta, and Microsoft Defender), gathers all the raw user details, and uses our fine-tuned AI to generate a concise summary of who that user is. This includes a clear summary of the user’s key attributes (like their role, department, and contact info), a classification of their user type (e.g., executive, technical_admin), a description of their security and access profile, and any security considerations for analysts to keep in mind during investigation.
The following diagram illustrates the workflow used to generate the user details context summary.

How this delivers a better defense for you
This immediately arms our team—and you—with the context to judge the user’s behavior and decide, faster, whether it’s really a malicious impostor. Ruxie’s AI-powered user context summary helps our team deliver better outcomes by:
- Moving from alert to understanding in seconds. The AI-generated summary is now one of the first things our analyst (and you) see for identity alerts in the investigation. They no longer start with “Who is this?” They start with, “This is a non-technical user from the marketing team…why are they trying to access a production database?” User context summaries speed up our mean time to decision (MTTD). By letting AI handle the user context summary, our experts can spend their time (and your money) on responding to the threat, not just trying to find out if it is one to begin with.
- Putting false alarms on silent. This same context is what separates noise from a real threat. That “impossible login” from Singapore? The AI summary instantly shows our analyst the user is on the sales team and belongs to a working group based out of Singapore. Other supporting workflows confirm that MFA was used to log in during normal work hours and the user has a history of international travel to Singapore. From there, we can confidently close the alert without ever bothering you. This means the only calls you would get from us at 2am are the ones that really matter.
- Providing clear explanations. For every alert with user evidence, Ruxie collects user data from the connected identity tools and generates a summary, visible to you right in the alert details. You no longer have to wonder how our analyst reached a conclusion about the user. You see the same core facts our analysts used to make their decision, building trust in our decisions and giving you a clearer picture of what’s happening in your own environment.
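To make the enrichment step concrete, here is an added example (not Expel’s code and not Ruxie’s implementation) of the deterministic part of such a workflow: joining an identity alert with a directory snapshot, classifying the user, and producing the structured facts that an LLM summary, or an analyst, would build on. It also carries the “impossible login” triage described above through in code, and goes a little beyond that case by handling privileged and suspended accounts. Everything in it is constructed: the DIRECTORY records only loosely follow the shape of Okta user and group objects, the group and title naming conventions in PRIVILEGED_MARKERS and EXEC_TITLE_TOKENS are assumptions, and the verdict rules in assess_login_alert are illustrative, not a recommended detection policy.

```python
"""Deterministic enrichment for an identity alert: join the alert with a
directory snapshot, classify the user, and derive the facts an analyst needs
before any LLM turns them into prose. Added example; all data is constructed."""
from dataclasses import dataclass, field

# Assumed naming conventions; tune to your own group and title scheme.
PRIVILEGED_MARKERS = ("admin", "superuser", "prod")
EXEC_TITLE_TOKENS = {"chief", "vp", "president", "ceo", "cfo", "cto", "ciso"}

# Constructed directory snapshot, loosely shaped after Okta user/group objects.
# In production these would come from the identity provider and a sign-in history source.
DIRECTORY = {
    "ana.lee@example.com": {"status": "ACTIVE", "login_countries": ["SG", "SG", "MY", "SG"],
        "groups": ["sales-apac", "mfa-required"], "profile": {"firstName": "Ana", "lastName": "Lee",
        "title": "Account Executive", "department": "Sales", "countryCode": "SG"}},
    "bob.ortiz@example.com": {"status": "ACTIVE", "login_countries": ["US"],
        "groups": ["marketing-all"], "profile": {"firstName": "Bob", "lastName": "Ortiz",
        "title": "Marketing Coordinator", "department": "Marketing", "countryCode": "US"}},
    "cara.nguyen@example.com": {"status": "ACTIVE", "login_countries": ["US", "CA"],
        "groups": ["sre-oncall", "aws-prod-admin"], "profile": {"firstName": "Cara", "lastName": "Nguyen",
        "title": "Site Reliability Engineer", "department": "Engineering", "countryCode": "US"}},
    "dan.park@example.com": {"status": "SUSPENDED", "login_countries": ["US", "GB"],
        "groups": ["sales-leadership"], "profile": {"firstName": "Dan", "lastName": "Park",
        "title": "VP of Sales", "department": "Sales", "countryCode": "US"}},
}


@dataclass
class UserContext:
    login: str
    name: str
    title: str
    department: str
    status: str
    user_type: str  # executive | technical_admin | standard
    privileged_groups: list = field(default_factory=list)
    known_countries: set = field(default_factory=set)
    considerations: list = field(default_factory=list)


def classify_user_type(title: str, groups: list) -> str:
    """Executives by title token, admins by privileged group membership, else standard."""
    tokens = set(title.lower().replace(",", " ").split())
    if tokens & EXEC_TITLE_TOKENS:
        return "executive"
    if any(m in g.lower() for g in groups for m in PRIVILEGED_MARKERS):
        return "technical_admin"
    return "standard"


def build_user_context(login: str, directory: dict = DIRECTORY):
    """Return a UserContext for the login, or None if the directory has no record."""
    rec = directory.get(login.lower())
    if rec is None:
        return None
    p, groups = rec["profile"], rec["groups"]
    ctx = UserContext(
        login=login.lower(), name=f"{p['firstName']} {p['lastName']}",
        title=p["title"], department=p["department"], status=rec["status"],
        user_type=classify_user_type(p["title"], groups),
        privileged_groups=[g for g in groups if any(m in g.lower() for m in PRIVILEGED_MARKERS)],
        known_countries={p["countryCode"], *rec["login_countries"]},
    )
    if ctx.privileged_groups:
        ctx.considerations.append("holds privileged groups: " + ", ".join(ctx.privileged_groups))
    if ctx.user_type == "executive":
        ctx.considerations.append("executive: high-value target for phishing and BEC")
    if ctx.status != "ACTIVE":
        ctx.considerations.append(f"account status is {ctx.status}; any sign-in is suspicious")
    return ctx


def assess_login_alert(alert: dict, ctx) -> tuple:
    """Rule layer for a constructed sign-in alert of the form {'country': 'SG', 'mfa': True}."""
    if ctx is None:
        return "escalate", ["login not found in directory"]
    country_ok = alert["country"] in ctx.known_countries
    reasons = [f"{alert['country']} is {'a known' if country_ok else 'an unseen'} country for this user",
               "MFA satisfied" if alert["mfa"] else "no MFA on this sign-in"]
    if ctx.status != "ACTIVE" or (ctx.privileged_groups and not country_ok):
        return "escalate", reasons
    if country_ok and alert["mfa"]:
        return "likely_benign", reasons
    return "investigate", reasons


def render_summary(ctx, verdict: str, reasons: list) -> str:
    """Plain-text context block an analyst (or an LLM prompt) would receive."""
    lines = [f"{ctx.name} <{ctx.login}>: {ctx.title}, {ctx.department} [{ctx.user_type}, {ctx.status}]"]
    lines += [f"- note: {c}" for c in ctx.considerations]
    lines += [f"Verdict: {verdict}"] + [f"- {r}" for r in reasons]
    return "\n".join(lines)


if __name__ == "__main__":
    alert = {"user": "ana.lee@example.com", "country": "SG", "mfa": True}  # constructed alert
    ctx = build_user_context(alert["user"])
    print(render_summary(ctx, *assess_login_alert(alert, ctx)))
```

Run directly, it prints the context block for the constructed Singapore sign-in. The design point is that the facts (role, privileged groups, known countries, account status) and the verdict are computed deterministically; an LLM layered on top should narrate those facts, not invent them, so a reader of the summary can trace every claim back to a directory lookup.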
The bottom line
We built the AI-powered user context summary so our analysts can focus 100% of their time on the high-stakes work you hired them to do.
While some in the industry are talking about using AI to replace humans and cut corners, we’re focused on using AI to sharpen our tools and amplify our experts. This feature is a perfect example: it combines the raw power of AI with the irreplaceable intuition of a human.
Ruxie now handles the monotonous work of checking user profiles and activity logs—not to make our lives easier, but to ensure that when a real threat appears, a human expert has the context they need to see it, stop it, and explain why, instantly.
That’s how we deliver a faster, more accurate, and more transparent defense for you. It starts by knowing exactly who we’re really looking at.
What’s next
User context summaries are one of many LLM implementations we’re releasing under the Expel AI umbrella. This LLM integration lays the foundation for how we continue to add even more sophisticated, high-quality, trusted AI capabilities to Ruxie.
We prioritize AI features like this one to enable our human analysts to make faster, more accurate decisions, directly leading to reduced triage times, fewer false positives, and a more focused, efficient security operation.
We’ve got some exciting innovations our AI Engineering team is cooking up. Stay on the lookout for more Expel AI power-ups we’ll add to Ruxie in the coming weeks.
