What Agentic AI Means for SOC Investigation
Mike Dupuis
Marketing, Crogl
What agentic AI security looks like in practice
At the AI SOC Summit in March, Crogl CEO Monzy Merza opened his keynote with a question most security leaders are not asking yet: what happens to the SOC when the attacker is also running agents?
The answer arrived before the conference did.
In December 2025, a threat actor began working through Mexican government systems using Claude Code and ChatGPT as their primary tools. By mid-February 2026, ten Mexican government bodies and a financial institution had been compromised, with 150 gigabytes of data exfiltrated covering 195 million taxpayer records, voter registration files, government employee credentials, and civil registry data. According to Gambit Security, the Israeli firm that analyzed the breach, roughly 75% of the remote command execution activity was generated and executed by the AI. The attacker sent over 1,000 prompts to Claude Code. When it resisted, they switched to GPT-4.1. When that slowed down, they switched back.
The AI was not the assistant on this operation. It was the operational team.
This is what agentic AI security has to contend with. Not a chatbot answering questions. Not a copilot suggesting next steps. An autonomous system executing a sustained, multi-target campaign across weeks, adapting when it hit resistance, producing thousands of ready-to-execute plans, at a cost accessible to nearly anyone.
The industry has been debating agentic AI security as a future problem. Mexico made it a present one.
Why the agentic wave is categorically different
The Mexico breach is one incident. What makes it significant is what the attackers did not need.
They did not need a nation-state budget. They did not need a team. They did not need zero-day exploits or months of manual reconnaissance. They needed AI subscriptions and persistence. That combination compromised eleven organizations over roughly two months, adapting in real time when one tool hit a guardrail.
Every prior technology shift in security took years to mature as an attack vector. Networks brought network intrusions. Email brought phishing. Cloud brought misconfiguration exploitation. The Capital One breach happened roughly thirteen years after cloud computing entered mainstream enterprise use. Mexico happened within two years of mainstream agentic AI reaching the consumer market. The compression alone should reset how security teams think about this.
Three attributes separate agentic AI attacks from every preceding attack vector. They run thousands of operations in parallel where a human runs one. They chain trust across automated agent-to-agent calls that security controls were never designed to evaluate. And every improvement in legitimate AI capability compounds directly into attacker capability, because the legitimate AI and the attack AI are the same models.
CrowdStrike's 2026 Global Threat Report documented an 89% year-over-year increase in AI-enabled adversary operations. That number marks the transition from experimentation to operational use. Threat actors are not evaluating agentic AI. They are deploying it.
Agentic attacks do not replace phishing or identity attacks. They automate them at scale, adapt them in real time, and run them in parallel with every other active campaign. The SOC team that was already stretched in 2024 is now operating against an attack surface that scales automatically while its own capacity does not.
What agentic attacks mean for the SOC specifically
The SOC was already underwater before agentic AI security became an operational concern.
The Crogl 2026 State of SecOps report, commissioned through the Ponemon Institute and drawn from 649 security practitioners, found that the average enterprise SOC receives 4,330 alerts per day. Teams investigate 37% of them. The other 63% go unreviewed. Not because analysts decided they were low-priority. Because there was no time.
Agentic attacks do not just add to that volume. They change what the alerts represent.
A traditional attack campaign has a recognizable shape. Initial access, reconnaissance, lateral movement, exfiltration. Each step discrete. The timeline constrained by how fast a human can work. SOC tooling built around this model looks for patterns that unfold over hours or days, with gaps between steps that give analysts time to catch up.
Agentic attacks do not have that shape. Multiple campaign stages run simultaneously across multiple targets. Reconnaissance is not finished before exploitation begins. The agentic attacker executes across the entire kill chain at once, adapting each branch based on what works.
For the SOC, two things happen at once. Alert volume rises because more activity is happening in parallel. And the correlations that would normally connect those alerts into a coherent story become harder to find, because the activity does not follow the sequential pattern that detection logic was built to surface.
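The gap between sequential detection logic and parallel agentic activity can be shown on a handful of alerts. The following is an added illustration written for this article, not Crogl code or a real detection rule: all alerts, hosts and rule names are constructed. A kill-chain detector that requires recon, lateral movement and exfiltration to appear in order fires on nothing, while an entity-keyed correlator that ignores order and only asks how many distinct stages touch the same host inside a short window surfaces both compromised hosts.

```python
"""Added illustration (not Crogl code): sequential kill-chain detection versus
order-agnostic, entity-keyed correlation. All alert data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts. On srv-12 the stages arrive in reverse kill-chain order
# within seconds; srv-31 shows two stages; wks-07 is a lone recon alert.
ALERTS = [
    {"ts": "2026-02-10T08:00:05", "host": "srv-12", "stage": "exfil",   "rule": "large_outbound_transfer"},
    {"ts": "2026-02-10T08:00:09", "host": "srv-12", "stage": "lateral", "rule": "remote_exec_service"},
    {"ts": "2026-02-10T08:00:12", "host": "srv-12", "stage": "recon",   "rule": "ldap_enumeration"},
    {"ts": "2026-02-10T08:00:20", "host": "srv-31", "stage": "recon",   "rule": "ldap_enumeration"},
    {"ts": "2026-02-10T08:00:22", "host": "srv-31", "stage": "lateral", "rule": "remote_exec_service"},
    {"ts": "2026-02-10T09:45:00", "host": "wks-07", "stage": "recon",   "rule": "port_scan"},
]
STAGES = ["recon", "lateral", "exfil"]  # expected kill-chain order


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def group_by_host(alerts):
    """Bucket alerts per entity (host), oldest first."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    return by_host


def sequential_detector(alerts):
    """Model of classic kill-chain detection: a host is flagged only when every
    stage in STAGES is seen, in that order, as time advances."""
    hits = []
    for host, seq in group_by_host(alerts).items():
        want = 0
        for a in seq:
            if a["stage"] == STAGES[want]:
                want += 1
                if want == len(STAGES):
                    hits.append(host)
                    break
    return hits


def entity_correlator(alerts, window=timedelta(minutes=5), min_stages=2):
    """Order-agnostic correlation: take each host's alerts that fall within
    `window` of its first alert and flag the host if they span at least
    `min_stages` distinct stages, regardless of the order they arrived in."""
    incidents = {}
    for host, seq in group_by_host(alerts).items():
        start = parse_ts(seq[0]["ts"])
        cluster = [a for a in seq if parse_ts(a["ts"]) - start <= window]
        stages = {a["stage"] for a in cluster}
        if len(stages) >= min_stages:
            incidents[host] = sorted(stages, key=STAGES.index)
    return incidents


if __name__ == "__main__":
    print("sequential:", sequential_detector(ALERTS))   # []
    print("entity-keyed:", entity_correlator(ALERTS))   # srv-12 and srv-31
```

The correlator trades precision for recall on purpose: it will also group benign noise that happens to hit one host quickly, which is exactly why the grouped result needs the environmental context (who the user is, what the host normally does) that the rest of this article argues must exist before the alert arrives.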
The Ponemon data captures the defender side of this asymmetry. Half of security teams identified workflow integration as their top barrier to deploying AI in the SOC. Nearly as many flagged data normalization. The attacker's agentic system operates across targets without waiting for a normalized pipeline. The defender's tools require one. That asymmetry is the real problem the industry is not naming clearly enough.
It also changes the math on the 63% of alerts that go unreviewed. When alert volume rises in a predictable threat environment, teams prioritize, triage, and accept that some alerts are noise. When the nature of attacks changes so that uninvestigated alerts are more likely to represent active campaigns running in parallel, the cost of that backlog changes with it.
The Ponemon survey shows 42% of in-house SecOps teams have three to five full-time staff. Hiring does not close a gap that size fast enough to matter against a threat that scales automatically. And cutting headcount makes the problem worse. A March 2026 report by Anton Chuvakin, Security Advisor at Google Cloud's Office of the CISO, and Oliver Rochford, co-founder of Aunoo AI, drew on more than 30 vendor briefings and direct CISO interviews. The finding was direct. AI SOC tools in production are deployed narrowly. Analysts frequently distrust AI-generated outputs they cannot interrogate. Alert reduction as a vendor metric can obscure operational risk rather than eliminate it.
AI in the SOC adds real capacity. It does not replace the people making the calls. The answer is not AI instead of analysts. It is AI that extends what analysts can do, at a scale that matches the threat.
What an agentic AI security capability actually looks like in production
This is where most of the industry conversation falls apart, and it is the gap Crogl was built to close.
Crogl is a customer-managed knowledge engine for security operations. Not an AI SOC agent. Not a copilot. A system that runs in your environment, queries your data sources in their native formats, builds a continuously updated knowledge graph of your users, assets, and behavioral baselines, and conducts investigations end to end before an analyst is involved.
Here is what that looks like on a Tuesday morning. An alert arrives in your SIEM, one of the 4,330 that day. Crogl receives it, queries Active Directory for the affected user, pulls behavioral history from the past 72 hours, cross-references threat intelligence, checks the asset against its current baseline, and reasons across the evidence. By the time the analyst opens the ticket, the investigation is documented. The reasoning is auditable. The recommended action is grounded in context the analyst can interrogate, confirm, escalate, or override.
This is not a thought experiment. A Department of Defense deployment of Crogl handles 60,000 alerts per month across 100 terabytes of data, three SIEMs, and two SOARs, with the productivity equivalent of six additional full-time analysts. That environment is air-gapped. The investigation runs locally. The data does not move.
That is the difference between AI assistance and agentic investigation. AI assistance accelerates the analyst. Agentic investigation delivers a finished record.
The reason most AI SOC tools cannot do this is architectural, not model-related. An LLM receiving a raw alert knows what the alert contains. It does not know who the affected user is, what systems they normally access, whether this behavior pattern has appeared before, or what else has happened in the environment in the past 72 hours. Without that context, the model produces a generic response to a specific situation. It may be fast. It will not be accurate in the way that matters for a real investigation. The Chuvakin and Rochford report identified this dynamic in production. Demos perform well when alerts are clean, telemetry is comprehensive, and the attack path is linear. Live SOC environments rarely present any of those conditions.
Three things separate an agentic SOC investigation capability that works in production from one that works in a demo. Crogl was built around all three.
First, a continuously updated knowledge graph of the environment. Without it, every alert is investigated in isolation.
Second, the ability to query data sources in their native formats without requiring normalization beforehand. Half of security teams in the Ponemon survey cited data normalization as a top barrier to deploying AI in the SOC. Architectures that require a clean, normalized pipeline before investigation can begin do not remove that barrier. They inherit it. Crogl does not.
Third, an orchestration layer that reasons across evidence from multiple sources and produces a documented outcome the analyst can interrogate, validate, and act on.
The model is the least interesting part of this stack. Every vendor has one. The knowledge graph, the native-format querying, and the orchestration layer are what determine whether agentic investigation works on the alerts no one can auto-resolve, or only on the ones that were already solvable.
Why deployment model is the first question, not the last
For agentic AI security tools, deployment model is the first question, not a footnote.
The reason is straightforward. An agentic investigation system authenticates, holds credentials, queries data sources, chains results across multiple systems, and takes action on behalf of the analyst. The security model governing that system matters as much as its investigative capability. A capable agentic system running on infrastructure you do not control is a risk surface, not just a tool.
Cloud-native AI SOC tools resolve the deployment question by asking organizations to accept data leaving a controlled environment. That answer does not work for federal agencies, critical infrastructure operators, financial institutions with strict data residency requirements, or any environment where the data is classified or regulated. The Ponemon survey found that 45% of SOCs already protect an air-gapped network. That is not a fringe requirement. It is a mainstream one that most AI security vendors are not built to meet.
Agentic attacks make the data residency requirement more critical, not less. A cloud-native investigation tool processing alert data from a sensitive environment creates an exfiltration surface at the exact moment agentic attackers are probing for one. The tool you deploy to defend against agentic threats should not itself introduce the data exposure those threats are designed to exploit.
Crogl is built for this constraint. The system runs on-premises, in a private cloud, or in a fully air-gapped environment. It queries data sources in their native formats. Every action the agent takes is logged, explainable, and auditable. Analysts can interrogate not just the finding but the reasoning that produced it.
That last point matters more than it appears. The Chuvakin and Rochford report found that analysts in production AI SOC deployments do not trust outputs they cannot interrogate. Alert reduction metrics without traceability shift risk rather than remove it. An agentic investigation capability that produces a documented, auditable outcome changes that dynamic. The analyst is not asked to trust a black box. They are handed a record they can validate, challenge, and act on.
The capability question and the deployment question are not separate evaluations. An agentic investigation system that cannot run in your environment cannot help you. An agentic investigation system that runs in your environment but cannot be audited creates a governance problem. The organizations that get this right will treat both as prerequisites.
Frequently asked questions
What is agentic AI security?
Agentic AI security refers to the use of AI systems that take autonomous action across multiple steps, tools, and data sources to defend or attack an environment. On the defensive side, an agentic AI security system receives an alert, breaks the investigation into tasks, executes those tasks across connected data sources, reasons across the evidence, and delivers a documented outcome. On the offensive side, agentic AI enables sustained, multi-target attack campaigns that run reconnaissance, exploitation, and exfiltration in parallel, at a cost accessible to nearly anyone with an AI subscription. The December 2025 breach of Mexican government systems, in which roughly 75% of remote command execution activity was AI-generated, is the clearest documented example to date.
How do agentic AI attacks work?
Agentic AI attacks use autonomous systems to execute sustained campaigns across multiple stages simultaneously. Rather than moving through a kill chain sequentially, an agentic attacker runs reconnaissance, exploitation, and exfiltration in parallel across multiple targets, adapting in real time when one approach hits a constraint. In the Mexico breach, a single attacker used Claude Code and ChatGPT to compromise ten government bodies and a financial institution over two months, exfiltrating 150 gigabytes of data covering 195 million records. According to Gambit Security, roughly 75% of the remote command execution activity was generated and executed by AI, as reported by SecurityWeek. When one model hit guardrails, the attacker switched to another. The AI was the primary execution layer.
What is the difference between agentic AI and AI-assisted security?
AI-assisted security accelerates the analyst. The model generates a summary, suggests a next step, or enriches an alert. A human reads the output, gathers additional context, runs queries, and makes the call. Agentic AI security operates at a different layer. The system conducts the investigation before an analyst is involved. It maps the affected user and assets against behavioral baselines, queries data sources in their native formats, reasons across the evidence, and delivers a documented outcome. By the time a human sees the alert, the context is assembled and the finding is ready for a decision. AI assistance delivers a faster starting point. Agentic investigation delivers a finished record.
Does agentic AI security replace SOC analysts?
No. It changes what analysts spend their time on. A March 2026 report by Anton Chuvakin, Security Advisor at Google Cloud's Office of the CISO, and Oliver Rochford, co-founder of Aunoo AI, found that in production AI SOC deployments, human analysts retain decision authority throughout. AI handles enrichment, summarization, and investigation steps. Humans make the calls. The Crogl 2026 State of SecOps report found that 57% of practitioners cite freeing analyst bandwidth as a primary benefit of AI in the SOC. The argument for agentic investigation is a capacity argument, not a headcount argument. The gap of 4.8 million unfilled cybersecurity positions globally is not closing. The answer is analysts whose time is spent on decisions, not on assembling the evidence that precedes them.
How do you defend against agentic AI attacks?
Defending against agentic AI attacks requires investigation capability that operates at the same speed and scale as the threats. Three requirements follow. First, the defensive system needs a continuously updated model of the environment: users, assets, behavioral baselines, and event history. Agentic attacks run parallel operations that do not follow sequential patterns. Correlating them requires context that exists before the alert arrives, not assembled manually after it does. Second, the system needs to query data sources without requiring normalization beforehand. An investigation architecture that requires a clean data pipeline is too slow by design. Third, every action the defensive system takes needs to be logged, auditable, and interrogable. AI agents authenticate, hold credentials, and take autonomous action. Governing them requires the same rigor applied to human users and service accounts, including a full audit trail from decision to action. Crogl is built around these three requirements and runs in the environments where the data lives, including air-gapped networks.
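The three requirements above (a baseline that exists before the alert, querying sources in their native formats, and an audit trail from decision to action), which the article also lists in its "What an agentic AI security capability actually looks like in production" section, can be made concrete in a few dozen lines. What follows is an added, deliberately small illustration written for this article; it is not Crogl's code and says nothing about how Crogl is implemented. The directory record (JSON), the auth log (syslog text), the threat-intel table, the user names, hosts and IP addresses are all constructed. The runner enriches one alert from each source as-is, compares the result against a pre-built per-user baseline, and records every query and raw result so that each finding can be traced back to the evidence behind it.

```python
"""Added illustration (not Crogl code): an alert investigation runner with a
pre-built baseline, native-format sources and a per-step audit trail.
Every data value below is constructed for the example."""
import json
import re

# Constructed "knowledge graph": per-user baseline assembled before any alert.
BASELINE = {
    "jdoe":   {"usual_hosts": {"wks-07", "srv-12"}, "usual_hours": (7, 19)},
    "asmith": {"usual_hosts": {"wks-07"},           "usual_hours": (8, 18)},
}

# Constructed sources, each left in its own native format (no normalisation).
DIRECTORY_JSON = json.dumps({
    "jdoe":   {"enabled": True, "groups": ["finance", "vpn-users"]},
    "asmith": {"enabled": True, "groups": ["finance"]},
})
AUTH_SYSLOG = "\n".join([
    "Feb 10 02:14:03 srv-31 sshd[4412]: Accepted password for jdoe from 10.9.8.7 port 51002 ssh2",
    "Feb 10 02:14:40 srv-31 sudo: jdoe : TTY=pts/0 ; COMMAND=/usr/bin/tar -czf /tmp/x.tgz /srv/data",
    "Feb 10 09:02:11 wks-07 sshd[1201]: Accepted publickey for jdoe from 10.1.1.5 port 40022 ssh2",
])
THREAT_INTEL = {"10.9.8.7": "listed: anonymising VPN exit (constructed entry)"}

SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


class Investigation:
    def __init__(self, alert):
        self.alert, self.steps = alert, []

    def record(self, source, query, result):
        """Audit trail: every query and its raw result, in execution order."""
        self.steps.append({"source": source, "query": query, "result": result})
        return result

    def query_directory(self, user):
        return self.record("directory", f"user={user}", json.loads(DIRECTORY_JSON).get(user))

    def query_auth_logs(self, user):
        rows = [m.groupdict() for m in map(SYSLOG_LINE.match, AUTH_SYSLOG.splitlines())
                if m and user in m["msg"]]
        return self.record("auth_logs", f"lines mentioning {user}", rows)

    def query_threat_intel(self, ip):
        return self.record("threat_intel", f"ip={ip}", THREAT_INTEL.get(ip))

    def assess(self):
        """Gather evidence, reason against the baseline, return a documented outcome.
        Each finding ends with the source it rests on, e.g. '(auth_logs)'."""
        user = self.alert["user"]
        account = self.query_directory(user)
        findings = []
        if account is None:
            findings.append(f"{user}: no directory record for alerted user (directory)")
        base = BASELINE.get(user, {})
        lo, hi = base.get("usual_hours", (0, 24))
        for r in self.query_auth_logs(user):
            hour = int(r["ts"].split()[2][:2])
            if r["host"] not in base.get("usual_hosts", set()):
                findings.append(f"{r['host']}: host outside baseline for {user} (auth_logs)")
            if not lo <= hour < hi:
                findings.append(f"{r['host']}: activity at {hour:02d}h outside usual hours {lo}-{hi} (auth_logs)")
            src = re.search(r"from (\d+\.\d+\.\d+\.\d+)", r["msg"])
            if src and (hit := self.query_threat_intel(src.group(1))):
                findings.append(f"{src.group(1)}: {hit} (threat_intel)")
        return {"alert": self.alert, "findings": findings,
                "verdict": "escalate" if findings else "close", "audit_trail": self.steps}


def run_investigation(alert):
    return Investigation(alert).assess()


def audit_complete(report):
    """Interrogability check: every finding cites a source that actually appears
    in the audit trail, so an analyst can open the raw result behind it."""
    sources = {s["source"] for s in report["audit_trail"]}
    return all(f.rsplit("(", 1)[1].rstrip(")") in sources for f in report["findings"])


if __name__ == "__main__":
    report = run_investigation({"id": "constructed-001", "user": "jdoe", "rule": "unusual_login"})
    print(json.dumps(report, indent=2, default=list))
```

The point of `audit_complete` is the governance requirement in the third item: a verdict is only as good as the record behind it, so the runner refuses to let a finding exist without a recorded query an analyst can re-run. Handling each source in its native shape (a JSON document, raw syslog lines, a lookup table) is what lets the investigation start without a normalization pipeline in front of it.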