It’s no secret that security analysts in both commercial and government Security Operations Centers (SOCs) around the world are under immense pressure. Cybersecurity talent shortages are so severe they are regularly highlighted in official reports, such as the National Cyber Workforce and Education Strategy published earlier this year by the White House, and they have inspired recruitment advertisements in podcasts that trumpet the fact that there are more than three-quarters of a million unfilled cybersecurity jobs in the U.S. alone.
There’s no sign things will get any better soon. In fact, analysts could find themselves stretched even further because the cyber-risk landscape is evolving so fast, as reflected by the increased volume and sophistication of threats organizations are facing. In the previous post in this series (linked to at the top of this blog), we highlighted how Generative AI (GenAI) tools, which harness advances in compute and AI Large Language Models (LLMs), have the potential to make their lives even harder by enabling nefarious actors to produce convincing phishing emails and malicious code at unprecedented scale and levels of sophistication. (The advances powering GenAI are highlighted in the first blog in this series, which is also linked above.)
What’s also true, though, is that GenAI’s capabilities can make it a blessing as well as a curse for cyber defenders. The technology is excellent at gathering context, translating code and machine-generated content to natural language, summarizing findings, and even automatically implementing corrective actions. Fortuitously, these happen to resemble some of the important and time-consuming tasks that security analysts carry out daily. As a result, there’s a huge opportunity ahead for innovative startups to harness GenAI capabilities to help analysts with their workflows and automate some of their tasks entirely.
From Reverse Engineering to Forward-Thinking
While the incorporation of AI technology into cybersecurity products is not a new phenomenon, we believe this emerging generation of tools will be more capable than existing ones, particularly for augmentation and automation use cases. The security world is just in the very early stages of this GenAI-powered wave of change, but there are already intriguing startups at work here, some of whom are highlighted later in this post.
We see the potential for exciting new products and companies in several different domains, including:
Reverse Engineering. A frequent and laborious task for security analysts is reverse engineering malicious code to understand its functionality, origin, and purpose. While the process involves detailed and sophisticated tasks requiring deep expertise, GenAI is already proving useful for some of the more mundane elements and it could prove even more useful over time with better prompt engineering—which involves structuring text so it can be interpreted and understood by a GenAI model—better definitions of functions within other functions (nested-function analysis), and better overall models.
For instance, researchers at healthcare security startup Scope Security are developing an LLM fine-tuned for reverse engineering that interprets decompiled code to generate natural-language, step-by-step descriptions of functions. IQT portfolio company Vector 35, the developer of reverse-engineering platform Binary Ninja, is using GenAI to do intelligent variable naming, function naming, and code summarization. And software supply chain security startup Endor Labs is experimenting with GenAI to see whether it can automatically review potential malware flagged by algorithms. SOCs sometimes limit the scope of reviews today because of the cost of dealing with false-positives – cases of code incorrectly flagged as malware. Using GenAI promises to reduce these costs, which would allow SOCs to comb through more suspect code.
Querying. One of the more straightforward instances of GenAI augmenting analysts in cyber involves simplifying queries using natural language. Historically, databases that contained relevant cybersecurity information often required analysts to learn and use bespoke search and query languages to interact with them. Thanks to GenAI, over time we may see the obsolescence of these languages as startups and the dataset providers themselves apply the technology to automatically translate proprietary query languages into natural language.
Censys, a leading internet intelligence platform with robust datasets mapping the internet in real-time, is a good example of what’s possible here. It recently introduced CensysGPT, which enables users to express their search queries using natural language and therefore should cut the time it takes analysts to get results compared with mastering the firm’s proprietary Censys Search Language. The decline of these bespoke languages over time will both lower the barriers to entry for new cybersecurity talent and potentially boost SOC analysts’ productivity. The next area worth focusing on could also help analysts be more productive too by taking away time-consuming tasks and giving them to machines.
Alert investigation. More robustGenAI-powered solutions could automate security-operations tasks and, in particular, alert investigation. It’s not uncommon for SOCs to tune their detection-and-prioritization software stack to match the bandwidth of the security team, leaving a large percentage of “low-priority alerts” to go uninvestigated. Seed-stage startup Dropzone aims to apply a complex system of multiple pre-trained LLMs to SOC processes in an effort to mimic the techniques of an analyst and autonomously investigate 100% of those high-volume, low-complexity alerts. Intezer, Radiant Security, and some other early-stage startups, as well as later-stage, next-generation Security Orchestration, Automation, and Remediation (SOAR) players such as Torq, are going after similar investigation-and-triage automation use cases.
Posture Management. We’re also seeing several new companies use novel GenAI-driven techniques to help customers measure the efficacy of major components of their security stack—including network security, identity and access management, endpoint security, and email security—at preventing cyberattacks. What’s especially noteworthy is that these approaches also propose and drive configuration changes to improve organizations’ overall security posture. In addition to strengthening cyber defenses, this also helps customers realize the value of the (often massive) investments they’ve made in their existing stacks.
Reach Security is an example of a company in this emerging area that some have termed “enterprise security posture management.” Reach’s product is interesting and compelling for its use of AI techniques that have been employed successfully in other areas to solve complex operational challenges, like landing rockets on platforms. Such challenges require a system to reason with and interpret multiple inputs, and to make a clear recommendation based on analysis of these inputs.
Cyber Tools That Must Earn Trust
While this and other applications of GenAI to security operations are certainly exciting and hold the potential to help security analysts do their jobs both more efficiently and effectively, it remains to be seen whether they will deliver on that potential. Much will depend on the ingenuity and effort of the smart entrepreneurs who work on these opportunities.
For security-operations use cases, in particular, we think the most impactful innovations will be ones that deliver a novel approach to solving durable challenges, do not overstate their capability, and consistently prove their value to the point of earning trust as a core part of a security analyst’s toolkit. IQT expects to make investments in visionary companies in this space—and if you’re working on something incorporating GenAI to improve security operations, we’d love to hear from you. We’re also looking closely at the related challenge of data analytics and synthesis in cyber, which will be the subject of the final blog post in this series. Stay tuned!