Securonix releases SAM and a new Agentic Mesh
Securonix has taken a big leap into operational AI with the release of two solutions in collaboration with AWS. The first is SAM, the AI SOC analyst. The second is the Securonix Agentic Mesh, which it claims will create a new era of AI-powered SecOps.

Simon Hunt, Chief Product Officer of Securonix (Image Credit: LinkedIn)

Simon Hunt, Chief Product Officer of Securonix, said, “We built Sam and Agentic Mesh to solve two problems CISOs face every day: unscalable workloads and unprovable AI value.

“By tying AI directly to analyst productivity and governing it by design, Securonix gives security leaders a practical, defensible way to scale operations that stands up to board and regulatory scrutiny.”

What is SAM?

Securonix describes SAM as an AI SOC Analyst. Where it differs from other AI SOC Analysts and solutions is that it is embedded into, not separate from, the company’s Unified Defence SIEM. That gives it access to data at source, rather than having to continuously extract and import logs from other products.

SAM has a controllable workflow that can be tuned by the customer. It begins by triaging the data it’s gathered. It then takes that data and does contextual enrichment, which uses other data such as behavioural analytics and threat intelligence. All of that feeds into its investigation summaries, from which it produces both a case report and an executive report.

What also makes SAM interesting is that it is not a single AI. It is a conductor that can launch and control other agents. This ensures that it can operate faster than other platforms and access a wider set of resources using a tuned agent. That tuning ensures that the agent does not go off and access or use data that it shouldn’t.

The data sources and locations that SAM and its agents access are all logged. This allows a human SOC analyst to look across any investigation and check the outcome. It also means that for compliance and audit teams, there is a surety about the underlying data.

Where does the data that SAM uses come from?

As already noted, SAM is embedded into the Unified Defence SIEM. This is its start point. The threat intelligence it uses comes from the Securonix threat intelligence platform. That means it is working with data that is being continuously updated and curated.

What is not clear is whether the customer can use alternative threat intelligence sources. Customers may want access to a wider set of intelligence to improve success rates.

Another question that customers are likely to have is around enrichment and investigation. Securonix does not own or train its own LLM. Nor does it use customer data for that purpose. However, it does use third-party models from Anthropic and OpenAI.

Using third parties creates a risk of data leakage. That is why an increasing number of security companies use no-store, no-train and detonate-after-use clauses. Securonix goes further. Its services are built on AWS Bedrock, hence the involvement of AWS in this announcement.

Securonix also says it scrubs all customer data before enrichment and investigation to remove personal or sensitive data.

What is the Securonix Agentic Mesh?

Unlike a traditional mesh approach, this one is about managed agents, through SAM, human-in-the-loop and an AI-native platform. SAM orchestrates eight specific agents. Each does a separate job when it comes to SOC intelligence. A fuller description of the agents is here, but here is a quick look.

  • Policy Agent: Creates new rules based on input from the human analyst. Makes it easier to detect issues.
  • Response Agent: When a threat is confirmed, it acts to contain that threat.
  • Insider Intent Agent: Identifies insider threats before damage occurs. What’s not clear is whether this is just about human behaviour, as the announcement states, “it evolves with user behaviour to catch subtle risk signals.”
  • Noise Control Agent: Reduces false positives, which improves outcomes.
  • Search Agent: Creates queries to hunt for anomalies.
  • Investigate Agent: It applies a confidence score and category to IOCs. This is used to determine where it sits in the triage stack.
  • Threat Intel Agent: Enriches investigations to help analysts understand the threat severity and context.
  • Data Pipeline Manager (DPM): Routes security telemetry for smarter operations.

The scope of the agents is impressive, but some questions remain unanswered. Can SAM control multiple instances of any one agent type, e.g. launch several search agents? Is each investigation ring-fenced? If so, will there be multiple SAMs, one per investigation? Can customers design and deploy their own agents to be controlled by SAM?

The latter question is especially important. Customers may want to build their own agents with fine-grained access. That is a strategy that we are beginning to see in all orchestration scenarios. It helps customers be sure about the data an agent can access.

Enterprise Times: What does this mean?

This is a substantial announcement by Securonix. It moves its current AI-powered offering from being passive to being an active participant in the SOC analyst cycle. Unlike other tools that position themselves as SOC Level One Analyst replacements, this is a tool for all levels of SOC analyst to use.

There will be a lot of interest in the orchestration capabilities of SAM. It changes the way that security teams will work with AI agents to make them active parts of the process. It will speed up investigations and help teams get more efficient.

It will take time to learn how much SAM reduces the number of attacks and how much safer it makes the enterprise.

The post Securonix releases SAM and a new Agentic Mesh appeared first on Enterprise Times.