Elisity Blog

From 2.1 Billion Events to 10 Incidents: How We Protect the Elisity Platform

At Elisity, we're always looking for practical ways to harness AI and strip friction out of daily operations. As a leading microsegmentation platform trusted by Fortune 500 companies to protect their critical assets from lateral movement attacks, we understand firsthand the challenges of managing security at scale. Our own security operations face the same alert fatigue that plagues our customers, processing millions of events to find the few that truly matter. Today's post spotlights one of those experiments—an AI-powered, human-in-the-loop SOC analyst that's transforming how we tackle security alerts.

TL;DR

Facing more than two billion security events a week, of which only a handful ever require action, Elisity built a human-in-the-loop AI "SOC analyst." The agent now triages roughly 200 weekly critical alerts down to fewer than ten that reach a human, cutting response time, removing repetitive toil, and heading off burnout.

The Challenge: Alert Fatigue in a Growing Business

  • Data deluge: > 2.1 billion log events/week from Kubernetes, AWS, Microsoft 365/Defender, etc.
  • Automated filtering helps, but isn't enough: correlation + threat intel squeeze that flood to ~4,000 alerts, yet 200 still end up flagged critical.
  • Human bottleneck: Every critical alert previously demanded a senior analyst's 30-minute investigation—100+ hours/week of repetitive toil.

What "Triaging One Alert" Really Means

  1. Pull raw details from the SIEM (stack, user, IP, tenant-ID, result).
  2. Check for related alerts on the same actor.
  3. Research externally, which, depending on the alert, could include things like:
    • Leak-check the user (Have I Been Pwned).
    • Whois/business lookup on the IP (VPN? Boingo hotspot?).
    • Threat-intel & VirusTotal for reputation.
  4. Summarize evidence and decide -- benign, blocked, or suspicious.
  5. Ticket & comms—update Jira, notify the user, escalate if needed.

Repeat × 200 every week = alert fatigue and missed context.
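As an added example (not Elisity's agent code), here is the five-step loop above written as a Python triage pass, including the auto-close/escalate routing the agent applies at the end. The SIEM export, the Have I Been Pwned, whois and VirusTotal lookups, and the Slack "Was this you?" reply are all replaced by constructed in-memory tables so the script runs offline; the field names, decision rules and sample alerts are assumptions made for illustration.

```python
"""Alert-triage agent skeleton: pull, correlate, enrich, decide, route.

Added example, not Elisity's code. Every data source below is a constructed
in-memory stand-in so the script runs offline.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Step 1 stand-in: constructed SIEM export (stack, user, IP, tenant, result).
ALERTS = [
    {"id": "A1", "stack": "m365", "user": "alice@example.com", "ip": "203.0.113.10", "tenant": "t1", "result": "blocked"},
    {"id": "A2", "stack": "defender", "user": "alice@example.com", "ip": "203.0.113.10", "tenant": "t1", "result": "blocked"},
    {"id": "A3", "stack": "aws", "user": "bob@example.com", "ip": "198.51.100.7", "tenant": "t1", "result": "success"},
    {"id": "A4", "stack": "k8s", "user": "svc-deploy", "ip": "192.0.2.44", "tenant": "t1", "result": "success"},
    {"id": "A5", "stack": "m365", "user": "carol@example.com", "ip": "198.51.100.9", "tenant": "t1", "result": "success"},
]

# Step 3 stand-ins (assumptions): breach corpus, IP reputation/whois, Slack "Was this you?" replies.
BREACHED_USERS = {"bob@example.com"}
IP_INTEL = {
    "203.0.113.10": {"org": "KnownBadHosting", "category": "malicious"},
    "198.51.100.7": {"org": "ConsumerVPN", "category": "vpn"},
    "198.51.100.9": {"org": "ConsumerVPN", "category": "vpn"},
    "192.0.2.44": {"org": "Example Corp", "category": "corporate"},
}
USER_REPLIES = {"bob@example.com": "no"}  # a missing user means no answer yet


@dataclass
class Case:
    actor: str
    alerts: list[dict]
    evidence: list[str] = field(default_factory=list)
    verdict: str = "ambiguous"


def correlate(alerts: list[dict]) -> list[Case]:
    """Step 2: fold sibling alerts on the same actor (user + source IP) into one case."""
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for a in alerts:
        groups[(a["user"], a["ip"])].append(a)
    return [Case(actor=f"{u} from {ip}", alerts=g) for (u, ip), g in groups.items()]


def enrich(case: Case) -> tuple[str, bool, str | None]:
    """Step 3: external research, recorded as an evidence trail on the case."""
    user, ip = case.alerts[0]["user"], case.alerts[0]["ip"]
    intel = IP_INTEL.get(ip, {"org": "unknown", "category": "unknown"})
    breached = user in BREACHED_USERS
    reply = USER_REPLIES.get(user)
    case.evidence += [
        f"{len(case.alerts)} sibling alert(s) across {sorted({a['stack'] for a in case.alerts})}",
        f"ip {ip}: {intel['org']} ({intel['category']})",
        f"user {user}: {'present' if breached else 'absent'} in breach corpus",
        f"'Was this you?' reply: {reply or 'no answer yet'}",
    ]
    return intel["category"], breached, reply


def decide(case: Case) -> Case:
    """Step 4: deterministic verdict; anything the rules cannot settle stays ambiguous."""
    category, breached, reply = enrich(case)
    results = {a["result"] for a in case.alerts}
    if results == {"blocked"}:
        case.verdict = "blocked"      # the control already did its job: routine close
    elif reply == "no":
        case.verdict = "suspicious"   # successful activity the user disowns
    elif reply == "yes" or (category == "corporate" and not breached):
        case.verdict = "benign"
    # else: success plus a risk signal (VPN, breached account) and no confirmation -> human
    return case


def triage(alerts: list[dict]) -> tuple[list[Case], list[Case]]:
    """Step 5 routing: auto-close known goods, escalate the rest with their evidence."""
    closed, escalated = [], []
    for case in map(decide, correlate(alerts)):
        (closed if case.verdict in ("blocked", "benign") else escalated).append(case)
    return closed, escalated


def bundle(case: Case) -> str:
    """The machine-generated evidence trail that goes to Jira and, if escalated, to the analyst."""
    return "\n".join([f"case {case.actor}: verdict={case.verdict}", *(f"  - {e}" for e in case.evidence)])


if __name__ == "__main__":
    closed, escalated = triage(ALERTS)
    print(f"{len(closed)} case(s) auto-closed, {len(escalated)} escalated to a human")
    for c in escalated:
        print(bundle(c))
```

Run it and the two blocked sibling alerts collapse into one case closed as a routine block, the service account on a corporate address closes as benign, and the two cases no rule can settle (a user who denies a successful login, and a VPN login with no reply yet) go to the analyst with their evidence bundle. In a real deployment the lookup tables become API calls and the rules are the ones your own alert history justifies; the point is that the same evidence trail is produced whether the case closes or escalates.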

Workflow with Agent

Step               | Automated by agent?     | Notes
-------------------|-------------------------|------------------------------------------------------------------------------------------
Pull SIEM details  | Yes                     | Extracts & classifies source stack.
Correlate siblings | Yes                     | Links duplicates into one case.
External research  | Yes, in parallel        |
Summarize & decide | Yes                     | Rolls the evidence into one verdict: benign, blocked, or suspicious.
Ticket & comms     | Yes                     | Opens Jira, and—new capability—DMs the potentially affected user in Slack: "Was this you?"
Human review       | Only if still ambiguous | < 10 cases/week land on the analyst's desk.

What Actually Happens Now

  • ≈ 190/200 alerts auto-closed. Most are routine blocks (e.g., IP blacklists) that the agent verifies and resolves instantly, work that used to consume dozens of analyst hours.
  • < 10 alerts/week escalate. The agent ships a rich bundle of evidence (timeline, lookups, user response) so the analyst can decide in minutes, not half an hour.
  • 0 missed incidents. Coverage is equal to or better than before, because the human still sees every edge case, minus the noise.

Key Takeaways

  • Automate the grind. Anything deterministic and repeatable belongs to an agent.
  • Keep a human in the loop. Humans spend time on judgment, not on repetitive research. Quality improves when analysts focus on the true unknowns, not the known goods.
  • Prove it to auditors. Every alert -- closed or escalated -- has the same, machine-generated evidence trail.
  • Scale pain-free. Whether logs double or triple, parallel enrichment keeps latency measured in seconds.
