TL;DR
- Expel is extending Ruxie™ with new agents and capabilities that apply AI coverage across every stage of the threat lifecycle—collection, detection, enrichment, triage, investigation, response, reporting, and evolution.
- Each AI and agentic capability targets a specific friction point that slows detection and response, built on 10 years of real SOC outcomes and MDR experience.
- These new capabilities are now in production, with more arriving in the coming months. Current customers will experience these new AI additions in their existing MDR deployments—no add-ons, no new contracts.
Today, threats move fast, and defenders have to move faster. Human speed alone isn’t enough. Stopping attacks requires the use of AI. But AI alone isn’t the whole answer.
Speed without accuracy just means you miss real threats faster. And accuracy without speed? That just gives attackers the time they need while your team tries to piece the puzzle together.
To solve for both, you need AI and humans working together, with AI applied strategically across the threat lifecycle to reduce the friction points that slow detection and response. Typical AI applications that focus only on combatting alert fatigue and reducing operational friction solve just part of the problem. At Expel, we believe AI must be used to speed up the entire threat lifecycle—from detection to done. We can confidently say this is how you actually close the gap between a security tool firing an alert and achieving a real security outcome.
We’ve applied various forms of AI in our SOC operations ever since we started building Expel Workbench™ (our SecOps platform). We called her Ruxie™. Back then, she was a master of applying deterministic AI workflows. And since then, we’ve added more machine learning, large language models (LLMs), and agentic AI to accelerate detection and response.
Fast forward to today. Ruxie is now trained on a decade of threat data, real outcomes, and analyst decisions. She’s a product of everything Expel has learned—every closed alert, every documented incident, every detection rule, every piece of context and analyst feedback.
Now, Ruxie is finally gaining the power-ups needed to complete the circle and apply her AI coverage across every single stage of the threat lifecycle: collect, detect, enrich, triage, investigate, respond, report, and evolve. These capabilities are incorporated directly into customers’ existing Expel Managed Detection and Response (MDR) deployments and are in production now, with more to come soon.
Built on a decade of real SOC outcomes
When Expel was founded, our bet was simple: you choose the tech that works best for your program, and we’ll build the ultimate workbench to optimize it. Instead of building yet another security tool to crowd the market, we built a digital SecOps platform for our analysts, powered by our AI assistant, Ruxie.
Ruxie isn’t trained in a vacuum. Her intelligence is forged from a decade of real-world SOC operations. Every time our analysts close a case or make a final call, that human outcome becomes her new ground truth. By feeding those real-world decisions directly back into her engine, we are constantly refining models and training on new data sets. Today’s expert decisions actively hardwire her algorithms for tomorrow.
But we apply AI with healthy skepticism. Every new capability maps strictly to our Trust vs. Impact Framework. If an action has a low potential for negative impact and Ruxie has high confidence, she automates it instantly. But if the operational impact is high—like isolating a critical server—human judgment is non-negotiable. We’re extending a foundation that’s been running since before agentic AI was a buzzword, targeting the exact friction points that slow down a response.
Ruxie handles the volume and velocity. She delivers the speed. Our MDR experts make the high-stakes calls where accuracy determines the outcome.
No coverage gaps for attackers to exploit
Now, we’re introducing new AI and agentic capabilities that extend Ruxie’s coverage across the entire threat lifecycle to ensure there are no friction points for an attacker to exploit:
- Collect: Ruxie unifies telemetry from more than 160 integrated security tools and external intelligence sources into a single data pipeline built for AI and agentic processing.
- Detect: Ruxie correlates related threat data across endpoint, identity, cloud, network, and other attack surfaces to expose unified attack campaigns and hidden malicious patterns.
- Enrich: She quickly builds a complete, investigation-ready picture for every alert by automatically pulling live telemetry, asset data, organizational and user context, and prior analyst decisions.
- Triage: She analyzes evidence using multiple AI workflows to make high-confidence decisions. Ruxie classifies and auto-closes identity alerts and leverages agents to evaluate blocked malware, freeing analysts to focus on true threats.
- Investigate: Her agentic workflows extract, consolidate, evaluate, and classify data, applying structured reasoning checks to instantly return alert disposition recommendations.
- Respond: Ruxie executes targeted response actions to contain and stop the adversary the absolute moment a threat is confirmed.
- Report: She automatically documents every closed alert and incident in plain language so outcomes are fully traceable, while syncing real-time Expel Workbench investigations with Slack and Microsoft Teams to deliver multi-channel visibility and communication.
- Evolve: Her agentic workflows actively evaluate new vendor alerts against existing Expel detection strategies to identify coverage gaps and automatically generate new detection rules to protect all customers.
Because she is constantly refining models and training on new data sets, Ruxie never sees the same trick twice. Every threat she processes today makes her smarter and faster for tomorrow.
Accurate defense at AI speed
AI drives the pipeline. Expel’s experts drive the decisions. Ruxie handles volume and velocity; our MDR analysts handle the calls where human judgment determines the outcome—complex investigations, ambiguous signals, decisions with downstream consequences. That’s what makes it possible to deliver accurate outcomes at AI speed.
Every stage where AI coverage runs out is a stage where an attacker can move freely. Ruxie’s new capabilities close those gaps—from the first enriched signal through the final documented outcome.
“AI-powered attackers don’t pause between initial access and lateral movement. They’re operating at machine speed. Ruxie’s job is to match that pace at every stage. These new capabilities extend our AI coverage to specific and intentional stages of the threat lifecycle, so there’s no gap left for attackers to exploit,” said Justin Bajko, Expel’s Chief Product Officer.
These new AI and agentic capabilities are already in production and incorporated directly into existing Expel MDR deployments.
No add-ons. No new contracts. Just better defense.
