Inside Crogl’s Compound AI System: Monzy Merza Talks SOC Automation on N2K CyberWire
- Crogl
- May 20
Updated: May 21
At this year’s RSAC 2025, Crogl co-founder and CEO Monzy Merza sat down with Dave Bittner from N2K CyberWire to dig into a problem that’s all too familiar in modern security operations: too many tools, too few people, and a flood of alerts that never stops. The conversation not only highlighted the pain points SOC teams live with daily but also unpacked how Crogl is reimagining the analyst experience through a compound AI system that delivers measurable outcomes.

Breaking the Bottlenecks in Alert Triage
As Merza explained, when an alert hits, security analysts often have to pivot between dozens of disconnected systems—data lakes, EDR tools, SIEMs—each with its own schema and query language. This fragmentation leads to significant inefficiencies and cognitive overhead. “The tools were in their way in the sense that now I have to know all the schemas. I have to know where all the data sits, where the different types of data sits, and then I have to integrate the results that I'm getting,” he said.
According to Merza, the average organization uses more than 45 security tools, and analysts are often forced to manually stitch insights across these disparate sources. Crogl's approach is to reduce that friction entirely. Rather than forcing normalization, Crogl builds a semantic knowledge graph that overlays existing infrastructure. Whether you're analyzing GuardDuty logs, conducting automated threat detection, or investigating process anomalies, Crogl translates context across environments without requiring analysts to memorize schemas or write complex queries.
A Compound AI System Built for Real-World Complexity
Merza introduced the concept of a "compound AI system" — a layered architecture combining LLMs, agentic workflows, relational databases, and retrieval-augmented generation (RAG). “AI is not a singular entity. It is a combination of things working together to produce an outcome. In our case, the outcome being: work on tickets in a responsible way such that it's documented, it's inspectable, and it is auditable.”
What makes this model especially relevant in today’s security climate is its adaptability. Crogl works not only in hybrid cloud settings but also in fully airgapped, customer-managed environments, where data privacy and control are paramount. "We have a customer today that's running Crogl in an internet-disconnected environment, fully functional. So it's a self-contained, customer-managed system."
Empowering the Analyst, Not Replacing Them
Crogl doesn’t aim to replace analysts; it enhances them. As Merza put it, "What would we have to build to really enable and empower the analyst to really exercise their intuition and be as good as they want to be without creating a tool that actually impedes them?"
That’s why Crogl captures repeatable processes from analysts, making their decision-making accessible and usable for the next person who walks into the SOC. "Let’s say “Bob” wants to share his work with “Alice”. And between the two of them as a team, they do better work. So create a mechanism to learn a process from Bob's work and learn a process from Alice's work such that when the third person comes in, they can benefit from the work of those two people."
Solving the CISO Bandwidth Crisis
For CISOs, the challenge isn’t just alert fatigue—it’s scale. AI has fundamentally changed the expectations placed on employees and customers alike, but security budgets haven’t scaled accordingly. “They're telling us they have ten times the workload but not ten times the budget,” Merza said. "They don't want to hear about AI. They want to know what you can actually do."

Crogl’s answer is simple: It works on tickets so your team doesn’t have to. This enables security leaders to redeploy their human talent toward complex investigations, threat hunting, and detection-as-code initiatives, while Crogl handles routine triage, documentation, and response.
Inspectable, Auditable, and Actually Useful
The AI conversation often veers into hype, but Merza grounded it in reality. Crogl isn’t a black box—it’s inspectable and auditable by design. Every action it takes is traceable, documented, and tied back to a clear decision path. That means security teams can confidently validate the reasoning behind each alert response, whether for internal reporting, compliance, or regulatory review.
This level of transparency is especially critical in high-stakes environments, where trust in automation must be earned—not assumed. Traditional SOC automation tools often fall short here, offering limited insight into how decisions are made. Crogl, by contrast, gives teams the ability to pause, inspect, and learn from every action taken—transforming AI from a mysterious assistant into a collaborative partner.
Real-World Impact: From Analyst Satisfaction to Business Value
One customer used Crogl to detect and prevent a multi-million-dollar fraud case—not because the system was designed for fraud detection, but because its flexible architecture allowed an analyst to explore a hunch across siloed data sets. “We have an analyst who used Crogl to solve a multi-million-dollar fraud use case. And I said, but we didn't build a fraud detection product. He said, 'No, no. You are the only product in my enterprise because you have this semantic knowledge graph that connects all the different data lakes together, and the analyst doesn't have to remember everything.'"
As Merza put it, "Security professionals get into this field because they want to protect and contribute. We're helping them do just that."
See How Crogl Turns Alerts into Action—Automatically.
Security teams today are overwhelmed with alerts and under-resourced to respond. Crogl changes that by working directly on tickets across your SIEM, SOAR, and ITSM platforms—triaging, investigating, and documenting every step in real time. Our compound AI system doesn’t just promise efficiency; it delivers repeatable, auditable outcomes that let your team focus on what matters most.
Ready to reclaim your team’s time and effectiveness? Schedule a demo today.