Why high-risk SOC alerts go unanswered — Radiant’s AI

Radiant Security and German firm Cirosec will host a webinar on May 21 to demonstrate an AI security operations center platform that generates triage logic automatically to investigate high-risk alerts. The session will run at 15:00 CEST (6:00 AM PDT) on Microsoft Teams and will be conducted in English; prior registration is required.

Security operations teams report that alerts from web application firewalls (WAF), data loss prevention (DLP) systems, operational technology and IoT networks, dark-web intelligence feeds and supply-chain indicators often go uninvestigated. Analysts say those alerts require specialized knowledge of application behavior, data flows, industrial protocols or vendor relationships that many in-house teams and managed providers do not have.

In-house SOC teams face high volumes of routine alerts that consume analyst time, leaving fewer resources for complex investigations. Managed security service providers and managed detection and response firms often lack the specific business context needed to resolve specialized alerts, and the economics of managed services can make lengthy, customized investigations impractical. As a result, some complex alerts are escalated back to client teams or are deprioritized.

Most AI platforms used in SOC automation rely on a set of predefined categories and static triage playbooks, typically covering a limited number of alert classes. Alerts that fall outside those built-in categories can be passed on or deprioritized. Radiant and Cirosec will demonstrate a different approach that programmatically builds triage logic for each alert in real time using available telemetry and contextual signals.

The companies plan live demonstrations showing the platform creating investigative workflows on the fly for alert types the system has not previously encountered. Organizers say the demo will focus on how the platform uses telemetry and context to select investigative steps, collect evidence and prioritize follow-up actions for alerts from WAF, DLP, OT/IoT networks, dark-web feeds and supply-chain monitoring.

Webinar organizers describe the session as technical and interactive. The agenda includes an explanation of the common coverage gaps in SOC models, a review of the alert types most frequently left uninvestigated, and a live demo of Radiant’s platform triaging those alerts. The session will be held on Microsoft Teams and requires registration in advance.

Background reporting on SOC operations highlights that alerts with indicators of credential theft, targeted data exfiltration from specialized systems or early signs of vendor compromise can remain unresolved when no investigative workflow exists. The May 21 webinar will present an operational demonstration of automated triage logic generation and permit attendees to see how the platform handles uncommon or novel alert types.