AI-Enabled SOC Operations: From Alert Overload to Autonomous Investigation
By Sean Martin and Marco Ciappelli, Co-Founders of ITSPmagazine
The security operations center is at an inflection point. Alert volumes are climbing, data is fragmented across environments, and analyst bandwidth is a hard ceiling that no amount of hiring can fully overcome. At RSAC Conference 2026, Sean Martin and Marco Ciappelli sat down on-site with Monzy Merza, Co-Founder and CEO of Crogl, to talk about what it actually looks like when AI stops being a marketing concept and starts running investigations inside real enterprise SOCs.
What Does the State of the AI SOC Actually Tell Us?
Crogl recently published the State of the AI SOC report, a survey of more than 600 organizations designed to cut through the noise and put real data behind the community's experience. The headline finding is striking: nearly 40% of alerts go completely unattended. Not triaged, not escalated — just ignored by default because there is not enough human bandwidth to process them. For many security leaders, that number will feel familiar. The data simply confirms what practitioners already suspected and gives the entire community permission to name the problem out loud.
The report also surfaces a tension that sits at the heart of AI adoption in security: a large share of respondents said that the security of the AI system is more important to them than the capability of that AI system. In other words, trust before performance. That is a meaningful signal for vendors and security teams alike, and it shapes how Crogl has approached its own product architecture — air-gapped deployment, support for multiple language models, and a design philosophy that assumes data will not move.
How Is Crogl Changing the Way SOC Analysts Operate?
Crogl's knowledge engine is built on a foundational premise: in large enterprises, data is fragmented and that is not going to change. Rather than requiring organizations to normalize data before analysis, Crogl builds an enterprise semantic knowledge graph that maps relationships across data lakes, SIEMs, and SOAR platforms — wherever the data lives. Analysts do not have to remember schemas, query languages, or which tool holds which telemetry. Crogl handles the traversal and produces the investigation.
Merza describes two compression effects that his customers experience. The first is a competency compressor: an analyst working through Crogl can draw on multiple data lakes simultaneously, regardless of their individual expertise with each system. The second is a domain knowledge compressor: instead of routing phishing alerts to one person and endpoint alerts to another, Crogl works across both, and every analyst gains exposure to the full spectrum of investigation output. The compound effect is a team that punches well above its headcount.
The practical examples from the conversation ground this in reality. A CISA advisory like Volt Typhoon, nearly 30 pages of technical detail, would take a human analyst hours to work through before a single query is written. A Crogl customer can upload that advisory and receive an assessment across the enterprise footprint, mapping IOCs to detection points, in under an hour. The same logic applies to compliance: instead of an analyst manually running 500 audit queries one at a time, Crogl executes the full data call and returns a report.
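To make the advisory-to-detection-point mapping concrete, here is an added example that is not Crogl's code or anything from the conversation: it refangs a constructed advisory excerpt, extracts IP, domain and SHA256 indicators from it, searches constructed telemetry lines from several sources for those indicators, and reports which indicators were observed where and which were not. The advisory text, log lines, source names and indicator values are all constructed (documentation-range addresses, reserved example domains, a made-up hash).

```python
import re
from collections import defaultdict

# Constructed advisory excerpt, not from any real CISA advisory. Indicators are
# written defanged ("[.]", "hxxp://") the way advisories usually publish them.
ADVISORY_TEXT = """
Observed C2 infrastructure: 203.0.113.45 and hxxp://update-check[.]example[.]net/beacon
Dropper SHA256: 3f786850e387550fdab836ed7e6dc881de23001b0e8f4b3ff5a7a0e5e4e2d2a1
Secondary infrastructure: mail.example[.]org and 198.51.100.200
"""

# Constructed telemetry as (source, line) pairs, standing in for rows pulled
# from a proxy log, a DNS log and an EDR feed that live in different stores.
SAMPLE_LOGS = [
    ("proxy", "2026-05-01T10:02:11Z allow src=10.1.2.3 dst=203.0.113.45 host=update-check.example.net"),
    ("dns", "2026-05-01T10:02:10Z query mail.example.org A from 10.1.2.7"),
    ("edr", "2026-05-01T10:03:00Z process=svc.exe sha256=3f786850e387550fdab836ed7e6dc881de23001b0e8f4b3ff5a7a0e5e4e2d2a1"),
    ("proxy", "2026-05-01T10:04:00Z allow src=10.1.2.9 dst=198.51.100.7 host=www.example.com"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Last label must be alphabetic, so dotted IPs are not picked up as domains.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo common defanging so advisory indicators match raw telemetry."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def extract_iocs(advisory):
    """Return {"ip": set, "domain": set, "sha256": set} found in the advisory text."""
    text = refang(advisory)
    return {
        "ip": set(IPV4.findall(text)),
        "domain": {d.lower() for d in DOMAIN.findall(text)},
        "sha256": {h.lower() for h in SHA256.findall(text)},
    }


def map_iocs_to_telemetry(iocs, logs):
    """Return {indicator: [(source, line), ...]} for every indicator seen in telemetry."""
    hits = defaultdict(list)
    for source, line in logs:
        lowered = line.lower()
        for values in iocs.values():
            for value in values:
                # Anchor on non-word, non-dot boundaries so 198.51.100.200 does
                # not match 198.51.100.7 and a domain does not match a longer one.
                pattern = r"(?<![\w.])" + re.escape(value) + r"(?![\w.])"
                if re.search(pattern, lowered):
                    hits[value].append((source, line))
    return dict(hits)


def coverage_report(iocs, hits):
    """Summarise which indicators were observed, by which sources, and which were not."""
    all_iocs = set().union(*iocs.values())
    observed = {i: sorted({s for s, _ in hits[i]}) for i in all_iocs if i in hits}
    unobserved = sorted(i for i in all_iocs if i not in hits)
    return {"total": len(all_iocs), "observed": observed, "unobserved": unobserved}


if __name__ == "__main__":
    found = extract_iocs(ADVISORY_TEXT)
    matches = map_iocs_to_telemetry(found, SAMPLE_LOGS)
    report = coverage_report(found, matches)
    print(f"{report['total']} indicators extracted")
    for ioc, sources in report["observed"].items():
        print(f"  observed   {ioc} in {', '.join(sources)}")
    for ioc in report["unobserved"]:
        print(f"  unobserved {ioc}")
```

The refang step matters in practice: an advisory that writes `example[.]net` will never match a proxy log if the indicator is searched for verbatim, and a report that silently shows zero hits looks the same as a clean environment. The unobserved list is the other half of the value, since an indicator with no hits in any source is either genuinely absent or sits in telemetry the SOC is not collecting, and the analyst needs to know which.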
Is AI Creating or Eliminating Security Jobs?
Merza takes a clear position on one of the most contested debates in the industry. His thesis: AI will create more security jobs, not fewer. The argument is structural. Every new AI deployment inside an enterprise is a new attack surface. Every new system needs to be secured. Every new footprint needs to be defended. The nature of the work is changing — the repetitive, multi-tab, high-volume tier-one work that no one wanted is going away — but the volume of meaningful security work is expanding. The entry level is rising, not disappearing.
He draws a historical parallel: just as the industry went from handwriting IDS rules to next-generation firewalls without the world ending, it will move through this transition with more security professionals on the other side, doing more interesting work. The organizations that are getting ahead of this are the ones already standing up AI review boards and putting security capability at the center of how they evaluate new AI tools — not as a gating mechanism but as a competitive advantage.
Watch the full conversation on YouTube or listen on ITSPradio. Connect with Monzy Merza on LinkedIn to continue the discussion.