Monzy Merza, CEO and co-founder of Crogl, believes the next frontier in cyber defense lies in building systems that learn and adapt to how an organization actually works. In this Q&A, Merza explains why today’s playbooks fall short—and how Crogl’s “knowledge engine” could help SOCs bridge the intelligence-to-action gap.
LW: Threat intel is abundant. Why does operationalizing it still fail?
Merza: Because SOCs must reverse-engineer every advisory into their own context. Intel doesn’t map cleanly to their systems. Analysts test hypotheses across 40+ tools, each with its own schema. It’s exhausting. Worse, guidance from CISA or vendors stays broad to be universal—so it rarely tells you exactly where to look in your environment. That gap creates friction even in mature SOCs.
LW: Incidents like Volt Typhoon and AndroxGh0st seem to repeat. What do they expose?
Merza: That data isn’t just scattered—it’s fragmented by platform and time. An email may live in one place, logs in another. Even the same data type changes as it ages—raw early on, normalized later. SOCs spend too much time stitching things together, while alerts keep flooding in. It’s triage under fire.
LW: How is Crogl’s “knowledge engine” different from SOAR or AI playbooks?
Merza: SOAR platforms were a meaningful step forward, but they rely on having well-structured, normalized data—and they assume that workflows can be cleanly templated in advance. The real world doesn’t operate that way.
Crogl’s engine starts from the opposite premise. It doesn’t expect clean data or perfect processes. It adapts to whatever’s present—across messy, fragmented logs, changing API schemas, and evolving team behavior. This is crucial because every SOC’s environment and operational style is different. Our platform absorbs those realities and builds intelligence around them.
Where traditional tools enforce structure, we learn from the lack of it. Crogl detects patterns as they emerge, maps dependencies dynamically, and generates context-specific response logic. That’s what makes it more than just a workflow tool—it’s a contextual reasoning engine that evolves with the customer.
LW: Why do traditional playbooks break down in practice?
Merza: Traditional playbooks are static and brittle. They’re written with the assumption that every step, condition, and data format will stay consistent—which isn’t the case in real-world security ops. Incidents unfold differently every time.
LW: You emphasize “process intelligence.” What does that mean in the real world?
Merza: Process intelligence means understanding the workflows and norms unique to each organization—not just detecting anomalies in a vacuum. Every business has its own cadence, approval chains, and quirks. Without that context, you get lots of noise.
For example, if a company regularly spins up hundreds of new containers on Friday nights due to a DevOps cycle, a system lacking context might flag that as suspicious. But if you know the rhythm of the org, you know that’s normal. Similarly, if admin rights are granted liberally in one team due to business requirements, rigid systems will panic. Crogl learns these nuances and uses them to shape decisions that are smart, not reactive.
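The Friday-night container burst above is a baselining problem. As an added illustration (not Crogl's code, and using a constructed per-week creation history), this compares a static threshold rule with a baseline learned per weekday and hour, so the recurring burst is treated as normal while an off-cycle burst, or a burst far larger than the usual one, still alerts:

```python
from collections import defaultdict
from statistics import median

# Constructed sample history of (weekday, hour, containers_created).
# Weekday 4 is Friday; 22:00 on Fridays carries the recurring DevOps burst.
def build_history(weeks=6):
    history = []
    for w in range(weeks):
        for weekday in range(7):
            for hour in range(24):
                count = 8 if 8 <= hour < 18 else 2        # ordinary activity
                if weekday == 4 and hour == 22:
                    count = 300                            # known Friday-night cycle
                count += (w + hour) % 3                    # small week-to-week jitter
                history.append((weekday, hour, count))
    return history

def naive_alert(count, threshold=100):
    """Static playbook rule: any burst over a fixed number is suspicious."""
    return count > threshold

def build_baseline(history):
    """Per (weekday, hour) median and MAD learned from the org's own history."""
    buckets = defaultdict(list)
    for weekday, hour, count in history:
        buckets[(weekday, hour)].append(count)
    baseline = {}
    for key, counts in buckets.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        baseline[key] = (med, mad)
    return baseline

def contextual_alert(baseline, weekday, hour, count, k=5.0, floor=3.0):
    """Alert only when the count is far outside what this time slot normally shows."""
    med, mad = baseline.get((weekday, hour), (0.0, 0.0))
    scale = max(mad, floor)          # floor keeps near-constant slots from being hair-trigger
    return abs(count - med) / scale > k

if __name__ == "__main__":
    base = build_baseline(build_history())
    for label, wd, hr, n in [("Friday 22:00 usual burst", 4, 22, 300),
                             ("Tuesday 03:00 burst", 1, 3, 300),
                             ("Friday 22:00 4x usual", 4, 22, 1200)]:
        print(f"{label}: naive={naive_alert(n)} contextual={contextual_alert(base, wd, hr, n)}")
```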
LW: Why did Crogl reject the typical SaaS model?
Merza: Transparency and control. We deliberately chose an architecture that allows customers to own and inspect everything—from the models to the data flows to the output logic. In today’s regulatory climate, black box AI isn’t acceptable. Especially in sectors like healthcare, defense, or finance.
Also, not every organization wants another cloud dependency. We offer deployment flexibility, including air-gapped environments. That’s a non-starter for a lot of traditional SaaS vendors.
LW: What’s next for SOCs as AI becomes more embedded?
Merza: Workloads are exploding—faster than teams can grow. SOCs need tools that adapt to data and processes without breaking. But we also need a new interaction model. Not just AI that answers queries, but AI that asks better questions—surfacing threats, suggesting actions, and helping analysts stay ahead. That’s where this is going.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(Editor’s note: A machine assisted in creating this content. I used ChatGPT-4o to accelerate research, to scale correlations, to distill complex observations and to tighten structure, grammar, and syntax. The analysis and conclusions are entirely my own—drawn from lived experience and editorial judgment honed over decades of investigative reporting.)
The post SHARED INTEL Q&A: AI in the SOC isn’t all about speed — it’s more so about smoothing process first appeared on The Last Watchdog.