Security operations centers (SOCs) are drowning in alerts, forcing analysts to waste time chasing down false positives while real threats slip through. The problem isn’t just efficiency—it’s burnout, missed signals, and limits on what security teams can reasonably triage.
In this episode, Edward Wu, CEO and founder of Dropzone AI, explains how their AI-powered SOC analyst automates triage and investigation for security alerts. The result is more efficient operations, faster detection of real threats, and a significant reduction in alert fatigue. He’s joined by our panelists, TC Niedzialkowski, head of IT and security at Opendoor, and Steve Zalewski, co-host of Defense in Depth.
Huge thanks to our sponsor, Dropzone AI

Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking about Dropzone AI, and what they’re doing in security operations. Now, the problem they’re addressing, it’s a big one in the industry, it’s alert fatigue. Helping us get answers to these questions is TC Niedzialkowski, former head of security at Thumbtack and Nextdoor, and Steve Zalewski, co-host of Defense in Depth.
TC, I’m going to start out with you. Why is alert fatigue still a problem?
[TC Niedzialkowski] I mean, this is a constant challenge in cybersecurity. There’s just too much attack surface to prioritize everything. So as a result, we need to focus our resources with a risk-based approach, because if you’re blocking or alerting on things that are legitimate business, then you’re blocking the business from proceeding, you’re wasting resources, you can be burning out your employees.
So, really, I think that your ability to monitor, alert, and block is limited by the resources and cost that you’re able to apply.
[Rich Stroffolino] All right, Steve, I’m going to turn the question to you. Alert fatigue, are we still dealing with this issue?
[Steve Zalewski] The way I characterize that is, I’ve dropped a thousand needles on the floor, and I’m spending my time trying to pick up each individual needle as opposed to color-coding the needles and saying, “The only ones that are important are the red ones, and I can ignore the rest.” So until we can reach that stage of, finding a problem does not mean it’s really a problem, of characterizing the types of needles we want, that’s why we’re in alert fatigue because it takes a lot of time to pick up a thousand individual needles, only tomorrow to have another thousand on the floor.
[Rich Stroffolino] All right, well, helping us make sense of this pile of needles, as Steve has so aptly laid out for us, today, we’re going to be talking to Edward Wu, CEO and founder of Dropzone AI. So to start out, we’re answering three essential questions. So Edward, how do I explain the value of your solution to my CEO, what does Dropzone AI do and what does it not do, and what is the pricing model?
Can you give us these preliminaries?
[Edward Wu] Yeah. So if I was the CISO, I would say, “Mr. CEO, our company is at risk because our SOC team is overwhelmed by alerts, and we need help. We want to triage, investigate, and if needed, contain all the security alerts within 10 minutes. What if I can have five additional trained security analysts on the team without increasing our headcount or budget?” At Dropzone, we are building an AI SOC analyst that automates the initial triage and investigation of alerts end-to-end.
We are not a detection product or a SIEM, and we price based on the number of alert investigations you need.
[Rich Stroffolino] Excellent. All right. So thank you, Edward, for giving us a top-level overview there but Steve and TC, I know you’ve got a lot of questions here. So let’s start. Steve, I’m going to throw to you. What other questions do you have about Dropzone AI?
[Steve Zalewski] Yeah. So, Edward, are you trying to solve an efficiency problem, meaning I can just pick up more needles faster with my SOC1 analyst? Or are you actually addressing my problem around effectiveness, which is that, what I’m really trying to do is find the red needles? So how do you characterize what you do?
[Edward Wu] That’s a really good question. In my mind, we solve both efficiency as well as effectiveness because, from my perspective, they are yin and yang. By being more efficient, you can also become more effective, by the virtue of being able to sort through a lot more signals, and the ability to connect a lot more dots.
We have seen our technology obviously helping teams to become more efficient by the virtue of offloading the initial triage and investigation, as well as just saving their security analysts a load of time so they don’t need to look at the false positives. That also translates to effectiveness, because now security teams can look at alerts that they previously tuned out because those were too noisy, but actually are very meaningful behavior detections that can help them to identify previously unexpected behaviors and attacks.
[Rich Stroffolino] All right, TC, I’m going to throw to you. What questions do you have for Dropzone AI?
[TC Niedzialkowski] Yeah. So when it comes to being trained on security alerts and identifying whether this is a true positive or false positive, is Dropzone AI able to reach out to system owners or staff to clarify information, or get additional context before it makes that assessment?
[Edward Wu] Absolutely. As we build our technology, we discovered around 60% of the effectiveness of a human or AI SOC analyst comes from the ability to perform technical analysis like log diving, file sandbox report analysis, or reverse engineering, but the other 40% of the effectiveness comes from understanding of the organizational context.
So that includes organizational policies, preferences, and practices. Actually, recently, we launched a new feature where our AI SOC analyst now has the ability to reach out using Slack, Teams, or email to specific service owners or managers of affected individuals, and ask them questions, and request additional context.
I think all of us have played with ChatGPT. We know ChatGPT is great at answering questions, but actually, similar technologies can also be utilized to interview relevant parties as well.
[Steve Zalewski] So I want to expand on that a little bit for you, challenge you a little bit, which was, so if I look at a SOC1 analyst, a SOC2 analyst, and a SOC3 analyst, right, which is pretty standard for how we look at the world, the SOC1 analyst basically does the correlation, the SOC2 analyst has the runbooks to do the analysis, and the SOC3 analyst kicks in when he’s got to make a decision, okay?
So if I look at it that way, are you looking to replace the SOC1 analyst or augment the SOC1 analyst, or do I have that wrong?
[Edward Wu] From the functionality perspective, our technology is going to automate the initial triage and investigation as well as, if configured, the initial containment. So maybe using your terminology, we are looking to automate Tier 1 and Tier 2 analysts. But the end goal is obviously not to just yank the job away from them, but rather give them an opportunity to up-level and work on other critical projects, whether that could be threat hunting, that could be visibility fabric expansion, that could be actually security data lake engineering as well as start intelligence in other key security initiatives.
[Steve Zalewski] So let me ask the following, and I’ll let TC go. So based on what you said, I look at it two ways, which is, for the three types of analysts here, as you described it, are you looking to have your AI augment the human for them to make the decision, or do you actually see yourself ultimately having AI be augmented by a human when it can’t make a decision?
How do you see your technology playing forward like this?
[Edward Wu] I think part of this will be how smart AI can eventually become, but our current vision is we built our technology to force multiply and augment human analysts. That’s actually why we called it Dropzone because we envision it as a portal of reinforcement and staff augmentation for the security defenders.
With regards to human augmentation, we believe the future of SOC teams should encompass primarily Tier 3 human security analysts, where they are operating like generals and special forces, while our AI SOC analysts and software are operating as the foot soldiers, looking at every single alert, pivoting across different tools, and spending hours of brainpower on every single alert.
[TC Niedzialkowski] Yeah, I’m wondering, in terms of implementing your technology, what type of permissions will it need in terms of read/write to different systems, and how would you prevent or protect against AI-type attacks like prompt injection, data poisoning, or hallucinations?
[Edward Wu] Yeah. To answer your question in reverse, we have built a number of guardrails to prevent and minimize the damage of prompt injections as well as other poisoning attacks. Part of our system is designed in a way where there are multiple agents and multiple models being used. So the virtue of having multiple layers of the reasoning by itself minimizes the damage that a specific injection or attack could cause.
But at the same time, we are also actively working with a couple of partners to perform additional AI red teaming, so we can better understand the limits as well as the capabilities of the guardrails we have built. To answer your first question around implementation as well as deployment, in general, we only need read-only access.
Most customers can actually deploy us within 30 minutes by creating service accounts as well as read-only credentials so our technology can connect with your existing security stack.
[Steve Zalewski] So, Edward, pushing on the validity of all of the needles, my observation has been, and I want your observation here, is a lot of what the SOC teams do is chasing after potential vulnerabilities. The runbooks and the way it’s been figured in the data that we’re consolidating out of the logs is to identify a potential vulnerability.
That’s thousands, tens of thousands, hundreds of thousands. So to your point of, “I can go faster to potentially find the interesting ones,” what I’m thinking here, what you’re doing is you’re actually moving us to material exploitability, that what my opportunity is now is, “Never mind if it’s vulnerable. Is it actually being exploited, and that I have an attack that I can now do something about, as opposed to just find out about something that happened?” Is that a fair assessment of where you’re going?
[Edward Wu] I think it’s pretty spot on. Other than maybe one caveat I want to clarify is, our technology right now is focused on alert investigations. So we actually do not process vulnerabilities, like software vulnerabilities or IT system vulnerabilities as input. But the value proposition is exactly the same.
Ultimately, one of the biggest challenges within cybersecurity is the asymmetry. Attackers only need to be right once, defenders need to be right every single time. We see AI and software, ultimately, being a force multiplier, allowing security teams to operate as if there were additional armies of analysts and engineers with extra eyes, hands, and brains looking at everything.
[TC Niedzialkowski] Yeah, I’m wondering what’s your ideal customer profile in terms of, is it targeted at MSSPs or large organizations that already have an established SOC, or is it a fit for a customer where they don’t have a dedicated SOC, and so these types of alerts, they’re going straight to the existing IT or engineering staff already?
[Edward Wu] That’s a great question. Right now, we are primarily focused on enterprises with internal SOCs as well as managed security service providers. We currently do not help enterprises with no internal SOC because ultimately, our view is if you are an enterprise that does not have an internal SOC, your best approach should be partnering with an MSSP or MDR, who can not only offer the labor of Tier 1, Tier 2 alert investigations and triage, but also Tier 3 expertise with regards to containment and corrective actions.
[Rich Stroffolino] Edward, what’s one thing we didn’t ask about that we need to know about your solution?
[Edward Wu] I think the biggest thing is asking the question, “Hey, Edward, how do I know you’re not selling snake oil?” I think it’s pretty clear in cybersecurity right now, everybody is waving AI, everybody is talking about GenAI capabilities, and how do I actually validate any of the claims? At Dropzone, we have been very transparent in marketing.
We are the only vendor in this space with public-facing product documentation. We are the only one with an ungated public test drive of our product, as well as over 30 recorded interactive product demos. We have also been the only vendor that has been recognized by Gartner as a Cool Vendor for the modern SOC.
So I would encourage folks to check us out. You don’t have to believe a single word I have said today. At the end of the day, our technology is on the website and I definitely encourage people to take a look and see for themselves how it actually performs.
[Rich Stroffolino] All right. Well, that’s just about it for this episode of Security You Should Know, and that website to get all of that documentation and learn more is Dropzone.ai. A big thank you to Steve Zalewski and TC Niedzialkowski for helping us learn more about what Dropzone AI is doing, and a huge debt of gratitude and thanks to Edward Wu from Dropzone AI for your time, and for being game to answer all of these questions.
Thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOSeries.com or just email us at info@ciso-dev.davidspark.dcgws.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.