TL;DR
- Security requires two things to be in balance to drive outcomes: speed and judgment. Most AI-forward approaches optimize for one at the expense of the other.
- The unlock is a model where AI earns autonomy in specific places through demonstrated outcomes, and humans stay in the moments that require them.
- Today, we’re publishing The Trust vs. Impact Framework, a guide to help you figure out where AI belongs in your SOC. We’re also sharing new Ruxie™ capabilities as examples of fast, accurate, comprehensive AI and automation in action.
I’ve watched various security hype cycles play out. AI is the latest. The promises get louder and the demos get slicker, but the gap between what vendors claim and what actually ships stays roughly the same.
There’s a problem hiding in the narrative, and it’s not about whether AI works. It’s about what most AI implementations actually optimize for. Speed, usually. Accuracy is treated as the constraint you route around.
Both failures hurt but in different ways. No speed means you lose, period. The attacker is already three moves ahead while your team is still building the picture. But no accuracy means someone on your team is spending their Saturday unraveling what the AI got confidently wrong. That’s not “winning” either.
After ten years of running AI in production—trained on incident data across hundreds of customer environments, not demos or proofs of concept—we’ve built something that doesn’t force you to choose.
The problem is the friction between detection and action
Security operations has always had an alert problem. Too many of them. Not enough context. Decisions that should take seconds taking minutes. Every vendor frames their AI as the answer to this. More automation, less noise, and faster triage.
That’s not wrong, but it is incomplete.
The actual problem isn’t the alert itself. It’s everything that happens after the alert fires. It’s the gap between signal and action, and the friction that accumulates between a detection and a closed threat. With attackers now using AI to accelerate every stage of an attack, the window between a detection firing and actual damage is shrinking. The gap between signal and outcome has always carried risk. Now it carries a timer.
The question isn’t whether to use AI to close the gap. The question is how and, specifically, where AI earns the right to act autonomously and where it doesn’t.
AI-intentional beats AI-hype
Ruxie is the AI that runs our SOC. She’s been running inside Expel Workbench™ since our early days, and she’s gotten significantly more capable over ten years of training on threats, incidents, and actual SOC outcomes across hundreds of customer environments.
But she didn’t start with full autonomy. We gave her more autonomy, in specific areas, as she earned it through demonstrated accuracy. That’s by design, and it’s where most AI narratives get it wrong.
Capability and trust are not the same thing. An AI system can be technically capable of making a call and still not have earned the right to make it autonomously. Treating them as equivalent is how you automate your way into risk.
Here’s a mental model for you: humans should be watching AI, and AI should be watching humans. Not because we don’t trust the system but because, in security, we can’t afford moments when that trust is misplaced.
That’s not a limitation of the architecture. It’s the architecture. AI earns autonomy through outcomes. Humans stay in the moments that require their judgment.
Within security, this is the way. And at Expel, speed isn’t sacrificed for accuracy, because we’ve spent a decade building and upgrading the system underneath Ruxie: the data, the pipeline, the outcomes. LLMs are the most recent addition to that foundation. They don’t replace what we’ve built. They let Ruxie do more with it than was ever possible before.
What that looks like in production
These aren’t roadmap items. Every capability below is running today, actively closing the gap between signal and outcome for our SOC and our MDR customers.
At the detection layer, agentic detection rule generation finds coverage gaps and creates new detections for human review, compressing the time it takes to build new defenses without removing human judgment from the loop.
At triage, Ruxie autonomously classifies and closes identity alerts at 99.7% confidence, without bringing in a human. That’s a firm and fast decision, underpinned by years of outcomes data. And it gives analysts the time and focus to handle the higher-value work.
In the middle of an investigation, AI-generated summarization delivers plain-language context before anyone touches the alert, across triage, detection logic, investigative actions, and verifications. Fully assembled. Ready to act on.
At resolution, Ruxie automatically generates a complete incident narrative, synthesizing alert details, investigative actions, and key findings into a plain-English attack story. We don’t hide things here. Every decision is visible, every step is documented.
And at the documentation layer, Ruxie turns complex detection logic into plain-language descriptions. Our AI makes sure that every new detection that ships is something you can actually read, understand, and trust. You always know what’s protecting you and why.
These are just a few of the many Expel capabilities that work together to shift response timelines from minutes to seconds, again without sacrificing trust or accuracy.
The framework behind all of it
These capabilities aren’t random feature additions. They reflect a consistent answer to the same question, asked at every layer of the alert lifecycle: does AI have enough confidence and a low enough impact profile to act here—or does this moment require a human?
Today we’re publishing The Trust vs. Impact Framework. It maps security workflows on two axes: impact (what’s at stake if AI gets it wrong) and trust (how much demonstrated confidence you have in the system’s judgment). Where impact is low and trust is high, AI should act autonomously. Where impact is high or trust is still being established, humans lead.
We’ve published it ungated because we think it’s useful, whether or not you use Expel. Apply it to your own SOC. Apply it to ours. Apply it to every vendor who tells you their AI “changes everything.”
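One way to make the two axes concrete is a small autonomy gate, shown below as an added example (not Expel’s or Ruxie’s implementation). Trust is not a setting someone types in; it is computed from the workflow’s own recorded outcomes, so autonomy is earned, and lost, through demonstrated accuracy. Impact is a property of the action the decision would trigger, not of the alert. The action-to-impact table, the 500-outcome floor below which trust counts as “still being established,” and the 0.997 threshold are all assumptions chosen for this example (the threshold echoes the 99.7% figure above); a real deployment would set them per workflow.

```python
"""Trust vs. Impact autonomy gate (illustrative example, not production code)."""
from collections import deque
from dataclasses import dataclass, field

# Impact of the *action* an AI decision would trigger, not of the alert itself.
# Constructed mapping for this example; real mappings are per organization.
ACTION_IMPACT = {
    "close_alert": "low",        # reversible: a human can reopen it
    "add_context": "low",        # purely additive, nothing is changed
    "propose_detection": "low",  # a human still reviews it before it ships
    "disable_account": "high",   # locks a user out if the call is wrong
    "isolate_host": "high",      # interrupts production if the call is wrong
}


@dataclass
class WorkflowTrust:
    """Demonstrated accuracy of the AI on one workflow, e.g. identity-alert triage."""
    name: str
    min_samples: int = 500  # assumption: below this, trust is "still being established"
    outcomes: deque = field(default_factory=lambda: deque(maxlen=5000))

    def record(self, ai_was_correct: bool) -> None:
        """Record whether a reviewed AI decision turned out to be correct."""
        self.outcomes.append(ai_was_correct)

    @property
    def samples(self) -> int:
        return len(self.outcomes)

    @property
    def trust(self) -> float:
        """Fraction of recent decisions that were correct; 0.0 until enough outcomes exist."""
        if self.samples < self.min_samples:
            return 0.0
        return sum(self.outcomes) / self.samples


def route(workflow: WorkflowTrust, action: str, threshold: float = 0.997) -> str:
    """Return 'autonomous' only where impact is low AND trust is demonstrated.

    Anything else, including an action not in the impact table, goes to a human.
    """
    impact = ACTION_IMPACT.get(action, "high")  # unknown actions default to high impact
    if impact == "low" and workflow.trust >= threshold:
        return "autonomous"
    return "human"


def demo() -> dict:
    """Walk three situations the framework distinguishes; returns the routing decisions."""
    # A mature workflow: 2,000 reviewed outcomes, 2 of them wrong (constructed data).
    identity = WorkflowTrust("identity-alert-triage")
    for i in range(2000):
        identity.record(i % 1000 != 0)

    # A new workflow: 50 outcomes so far, all correct, but not yet enough to trust.
    cloud = WorkflowTrust("cloud-alert-triage")
    for _ in range(50):
        cloud.record(True)

    results = {
        "mature_low_impact": route(identity, "close_alert"),       # autonomous
        "mature_high_impact": route(identity, "disable_account"),  # human
        "new_low_impact": route(cloud, "close_alert"),             # human: trust not established
    }

    # Trust erodes with outcomes too: ten bad calls in a row pull the mature
    # workflow below the threshold and its autonomy is withdrawn.
    for _ in range(10):
        identity.record(False)
    results["mature_after_errors"] = route(identity, "close_alert")  # human
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:>22}: {decision}")
```

The gate is deliberately conservative in two ways a practitioner would want: an action missing from the impact table is treated as high impact rather than silently allowed, and a workflow with too few reviewed outcomes scores zero trust no matter how good its streak looks. Reviewed human outcomes keep flowing into `record` even for autonomous decisions (sampled audits, reopened alerts), which is what lets trust fall as well as rise.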
Speed without judgment is a faster way to fail. At Expel, we’ve built something that delivers both. And we’re just getting started.
