Integrating AI models directly into extended detection and response (XDR) platforms is delivering breakthrough improvements in SOC investigation speed and accuracy.
In an exclusive interview with VentureBeat, eSentire revealed that deploying Anthropic's Claude across their Atlas XDR Platform compresses comprehensive threat investigations from five hours to seven minutes, delivering a 43x speed improvement, while matching senior SOC analyst decision-making with 95% accuracy.
The typical enterprise SOC handles roughly 10,000 alerts daily, according to Dropzone AI's research. SOC analysts tell VentureBeat that, on average, they can investigate just 22% to 25% of all alerts. Depending on how the SOC was configured and whether there's too much reliance on legacy, non-integrated systems, false positives can reach 80%. The result: Critical threats go uninvestigated while analysts spend entire shifts on manual evidence-gathering workflows.
"We're not looking to remove work but deliver better outcomes," Dustin Hillard, chief product and technology officer at eSentire, told VentureBeat. "It really means understanding a threat better for our customers. When we say five hours of work in a few minutes, that's 30 different evidence-gathering steps dynamically generated in the context of that specific security investigation."
The breakthrough comes from integrating AI at the platform level. eSentire's approach enables Anthropic's Claude to orchestrate multi-tool workflows that correlate threat patterns across thousands of data points simultaneously, in essence replicating how senior analysts think but at machine speed.
Platform integration represents XDR's next evolution as AI adoption accelerates
Security copilots initially took aim at operational pains preventing SOC analysts from excelling at their work. They prove extremely useful for accelerating triage, alert de-duplication, noise suppression, firewall tuning and many other tasks. VentureBeat's Security Copilot Guide, a comparative matrix of 16 vendors, reveals how copilots are designed to be tailored to the specific strengths of a given SOC's analyst team.
The next evolution moves beyond standalone copilots as major XDR vendors integrate third-party AI models directly into their platforms. eSentire's approach with Anthropic's Claude demonstrates how deeply integrated AI can transform investigation workflows. The company's DevOps and engineering teams discovered that platform-integrated AI can deliver comprehensive threat investigations matching senior SOC analyst decision-making with 95% accuracy, while reducing investigation time from five hours to under seven minutes, providing a 43x speed improvement.
"The ideal approach is typically to use AI as a force multiplier for human analysts rather than a replacement," Vineet Arora, CTO for WinWire, told VentureBeat. "For example, AI can handle initial alert triage and routine responses to security issues, allowing analysts to focus their expertise on sophisticated threats and strategic work."
eSentire's Hillard noted: "Earlier this year, around Claude 3.7, we started seeing the tool selection and the reasoning of conclusions across multiple evidence-gathering steps get to the point where it was matching our experts. That's what really got us excited. We were hitting on something that would allow us to deliver better investigation quality for our customers, not just efficiency."
The company compared Claude's autonomous investigations against their most experienced Tier 3 SOC analysts across 1,000 diverse scenarios spanning ransomware, lateral movement, credential compromise and advanced persistent threats, finding that it achieved 95% alignment with expert judgment and 99.3% threat suppression on first contact.
Multi-tool orchestration replicates senior analyst reasoning at machine speed
eSentire's DevOps and R&D teams integrated AI at the baseline of their Atlas XDR platform to deliver greater accuracy, speed and scale in SOC operations. Anthropic's Claude handles the orchestration of multi-tool workflows that correlate threat patterns across thousands of data points. The system synthesizes evidence from endpoint telemetry, network traffic, log data, cloud environments, identity systems and vulnerability feeds simultaneously, all of which previously forced analysts into a series of serial investigation steps consuming entire shifts.
Hillard explained that the deployment runs on Amazon Bedrock, with LangGraph providing the agentic orchestration framework that enables Anthropic's Claude to select tools and reason through multi-step investigations dynamically. Each workflow inherits customer-specific access tokens that cascade through the Atlas Actions platform. By taking this approach, Hillard says every tool call, data query and vendor integration stays secure in tenant isolation.
"Using Bedrock was actually quite simple for us because we've been on AWS basically since the platform started," Hillard explained. "The way Anthropic models are deployed within Bedrock makes everything locked tight in a way that we and our customers got comfortable with. A lot of our customers are critical infrastructure companies with extreme sensitivity around their data."
When an incident triggers, a typical detection and response system has 15 minutes to contain it before lateral movement threatens broader infrastructure. That time window previously forced rapid-fire triage that precluded deep investigation. Hillard explains that Anthropic's Claude is helping to turn that time pressure into an advantage by executing comprehensive evidence gathering across all telemetry sources — querying process trees, conducting log searches across stored telemetry, correlating related incidents from historical ticketing data and cross-referencing active threat intelligence.
The Atlas XDR platform's investigation process dynamically generates approximately 30 evidence-gathering steps tailored to each specific threat scenario across three dimensions: deeper analysis of security telemetry, context from related past incidents at the customer and threat landscape intelligence about what active threat actors are doing across eSentire's entire customer base.
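To make the tenant-isolation point concrete, here is an added Python sketch (not eSentire's, LangGraph's or Anthropic's code) of an investigation loop in which the customer's access token cascades to every evidence-gathering tool call and any call that would cross a tenant boundary or exceed the token's scope is refused. The tool names, the in-memory telemetry and the pre-planned step list standing in for the model's tool selection are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample telemetry per customer (tenant); not real data.
TELEMETRY = {
    "tenant-a": {"process_tree": ["winword.exe -> powershell.exe"],
                 "logs": ["4688 process created: powershell.exe"],
                 "incidents": ["INC-0012 macro loader, closed"]},
    "tenant-b": {"process_tree": ["sshd -> bash"], "logs": [], "incidents": []},
}
# Threat intelligence is shared across the customer base, not per-tenant.
THREAT_INTEL = {"office-spawned-powershell": "active across customer base"}


@dataclass(frozen=True)
class TenantToken:
    tenant: str          # customer the token was issued for
    scopes: frozenset    # tool names this token may invoke


class TenantIsolationError(PermissionError):
    """Raised when a tool call would cross tenant or scope boundaries."""


# Evidence-gathering tools (hypothetical names). Each reads only the tenant
# it is handed; the dispatcher below decides whether it may be handed one.
TOOLS = {
    "process_tree": lambda t: TELEMETRY[t]["process_tree"],
    "log_search": lambda t: TELEMETRY[t]["logs"],
    "related_incidents": lambda t: TELEMETRY[t]["incidents"],
    "threat_intel": lambda t: list(THREAT_INTEL),
}


def call_tool(name, token, tenant):
    """Dispatch one tool call, enforcing the token's tenant and scope."""
    if token.tenant != tenant:
        raise TenantIsolationError(f"{name}: token for {token.tenant} used on {tenant}")
    if name not in token.scopes:
        raise TenantIsolationError(f"{name}: outside token scopes")
    return TOOLS[name](tenant)


def investigate(tenant, token, plan):
    """Run a planned list of evidence steps; the same token cascades to each.

    `plan` is a stub for the model-selected steps (assumption, not Claude)."""
    return {step: call_tool(step, token, tenant) for step in plan}
```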
Network effects amplify threat intelligence across customer deployments
eSentire's Threat Response Unit uses Anthropic's Claude to search across log, endpoint, network, cloud and identity data. When the team identifies emergent threat actor behaviors — through open-source intelligence or protecting critical infrastructure customers who see attacks first — they reflect those patterns against their 2,000-plus customers to identify repeated techniques before damage occurs.
An attack against one customer strengthens defenses for all customers, as Claude enables the Atlas XDR platform to continually learn from new threats. Hillard told VentureBeat that the platform's threat hunting stays ahead of commercial feeds 35% of the time and identifies threats never seen in commercial feeds 12% of the time.
"What used to take our experts a week to accomplish, they can now do in an hour," Hillard says. "When they have a creative idea to test a new data analysis pattern, work that might have taken an engineering team a month to build, they can now do it directly in natural language."
The velocity shift enables analysts to test hypotheses in hours rather than weeks, amplifying human expertise rather than replacing it. Hillard says the approach is working at scale across customers’ critical infrastructure deployments.
Streamlined workflows prevent analyst burnout before it happens
The performance improvements address a growing workforce challenge before it becomes a crisis. SOC analysts tell VentureBeat the industry is decades away from a completely autonomous SOC, with many analysts relying on swivel chair integration (moving from one system to another to resolve alerts). This fragmented approach wastes time, introduces errors and contributes to analyst burnout.
More than 70% of SOC analysts say they're burned out, with 66% reporting that half their work is repetitive enough to be automated. In anonymous conversations VentureBeat conducts regularly via Signal, SOC analysts confide that a six-month to one-year tenure has become common. One analyst reported a 96% false positive rate in their environment — conditions that make effective threat detection nearly impossible.
The U.S. Bureau of Labor Statistics projects information security analyst positions will grow 33% from 2023 to 2033, vastly outpacing the 4% average across all occupations. Using AI-based platforms to streamline SOC workflows represents a crucial strategy for enterprises to prevent burnout before it forces their best security talent to leave for less demanding roles.
The strategic shift to platform-integrated AI
As enterprises face projected 33% growth in security analyst positions through 2033, platform-integrated AI offers a path to scale SOC operations without proportionally scaling headcount. The shift from five-hour investigations to seven-minute automated workflows doesn't eliminate the need for senior analysts; it amplifies their expertise by enabling them to focus on sophisticated threat hunting and strategic work rather than repetitive evidence-gathering tasks.
Platform-integrated AI represents a fundamental change in SOC economics. The 43x speed improvement that eSentire achieved demonstrates that AI can replicate elite analyst decision-making with 95% accuracy when integrated adequately at the platform level — not by replacing human expertise, but by automating the workflows that previously consumed entire shifts and left critical threats uninvestigated.
The question for enterprise security leaders is how quickly organizations can integrate AI at the platform level to improve SOC performance before the combination of alert overload and manual workflows drives analysts to leave. For critical infrastructure protection, the ability to investigate threats 43 times faster while maintaining 95% alignment with senior analyst judgment represents the difference between staying ahead of adversaries and falling behind.