Smarter Incident Management with AI: Half a Year of Experience
Gábor Szabó
2025.10.02

Cybersecurity operations centers (SOCs) face growing challenges: more incidents, repetitive tasks, staff shortages, and rising expectations. To address these, EURO ONE InfoSec tested the NetWitness AI analysis agent for six months to see how it could ease the burden on analysts.
SOC as Cyber Defense
The SOC serves as the organization’s security center, aiming to detect and manage incidents quickly.
Its main processes include:
- Incident detection and response: identify, analyze, respond, document, and report.
- Vulnerability management: track and address system weaknesses.
- Threat intelligence: monitor external attack trends and relevant data.
- Threat hunting: proactively search for hidden threats.
Analysts at different levels handle these tasks, but the growing workload and repetitive duties remain a challenge.
Role of the NetWitness AI Agent
The AI agent is more than automation — it acts as a virtual analyst that:
- Collects context and related data.
- Builds a timeline of events.
- Provides conclusions and recommended actions.
This shifts analysts’ work from manual data gathering to making informed decisions.

Lessons from 2,600 Incidents
During six months of testing, the AI handled 2,600+ incidents across 62 categories. Key findings:
- Speed: Investigations were completed in a median of 2.5 minutes, far quicker than full manual analysis.
- Consistency: Its performance was stable, delivering reliable results across all incident types.
- Accuracy: More than 90% of cases were correctly assessed.
- Content issues: Analysts found critical errors in 1% of cases and minor ones in 5%.
- Hallucinations: Very minimal (0.27%).
- Rigor: In some cases, the AI flagged issues earlier and applied stricter criteria than human analysts, providing a cautious layer of defense.
Additionally, analysts found the structured reports especially useful for training junior team members.

Different from Classic Automation
Unlike rigid SOAR playbooks, the AI agent works flexibly as a virtual analyst. Its main strengths are:
- Independent analysis: it collects data, builds timelines, and forms conclusions without manual input.
- Analyst empowerment: instead of raw logs, experts start with ready-made reports to guide their decisions.
- Learning tool: structured outputs also support the training of less experienced team members.
Benefits of Introduction
- Faster investigations.
- Freed capacity for higher-value tasks.
- Reliable results with cautious analysis.
- Scalable support without increasing staff.
Future Outlook
Development is ongoing, with modules planned for threat hunting and intelligence. As threats grow and skilled staff remain scarce, the AI agent helps:
- Speed up incident handling.
- Reduce errors.
- Free analysts for critical work.
Therefore, we encourage organizations not to delay adopting AI in their cyber defense.
