December 19, 2024 · 7 min read

2024 Learnings and 2025 Predictions Through Frequently Asked Questions

Disclaimer: This is not yet another 2025 predictions post where the author states the obvious (or the outrageous). Instead, we cover three frequently asked questions about Command Zero, what these questions taught us about 2024 and how they shaped our predictions for 2025. The three questions and our responses are: Who is Command Zero for? How does Command Zero complement existing security operations investments? How is Command Zero similar to or different from AI-powered SOC analysts and AI-powered chatbots? We will also share our three predictions for 2025 based on these questions and observations. Happy holidays, and we hope you enjoy this format!

Erdem Menges
VP of Product Marketing

Introduction

As 2024 comes to a close, I wanted to share a quick recap through the questions we were asked most often this year, and to share our predictions for 2025 based on what we are observing in the market.

2024 made its mark on our journey as we launched out of stealth, earned our first paying customers and significantly grew the number of organizations using the platform. Through weekly engineering iterations, security research content, and practical implementations of automation and AI, the platform evolved into the invaluable investigations solution that it is today.

Why focus on frequently asked questions?

Questions are wonderful embodiments of human curiosity and make for the most interesting part of an interaction. Personally, asking questions and being asked questions are some of the highlights of our customer interactions. The questions and how they are worded (along with timing, delivery and context of the conversation) reveal a lot about how our customers see the world, and how we can help them overcome some of the challenges they may be facing.

In this context, questions shed light on how our customers see the market and Command Zero’s role in it. Here are the three top frequently asked questions (FAQs) we received this year and our responses:

1. Who is Command Zero for?

Medium-to-large enterprises with security operations teams. If you have an in-house team of tier-2 and tier-3 analysts (tier-2+ analysts) who tackle escalated cases, you can benefit from streamlining investigations.

Most of our customers and early adopters work with MDRs/MSSPs who take care of their tier-1 processes. We also work with organizations who use automated triage (SOAR, hyper automation or similar) and/or in-house tier-1 analyst teams.  

In essence, Command Zero helps tier-2+ analyst teams run threat hunts and sophisticated investigations in complex environments. Command Zero augments tier-2+ analysts with embedded expert knowledge, abstracted access to universal data sources, advanced LLMs, automation and collaboration capabilities. As a result, they can reach conclusions quickly, accurately and repeatably.

2. How does Command Zero complement existing security operations investments?

Command Zero complements your existing security operations investments, specifically SIEM, SOAR, EDR/XDR and threat intelligence among others.  

Command Zero connects to security and non-security resources using a federated data model. With Command Zero, tier-2+ teams get unrestricted access to data sources and technology-specific content to interrogate them. In many cases, investigations are triggered by alerts from SIEMs, SOARs, threat intelligence feeds and more. These resources provide valuable insights for the initial steps of investigations, yet not all relevant data can be funneled into them (due to licensing, storage and operational cost, infrastructure and privacy concerns). As a result, complex investigations require analysts to reach out individually to each data source to fill in the gaps. This is where Command Zero helps gather and interpret the relevant data, and streamlines the decision making and reporting of these investigations.

By making this data useful to analysts, the platform helps uncover new details that extract more value and insights from existing security operations solutions as well as non-security solutions.

Another example is operationalizing threat intelligence data. Command Zero streamlines querying your infrastructure for reported threat actors, behavior patterns and compromised objects.  

3. How is Command Zero similar to or different from AI-powered SOC analysts? AI-powered chatbots?

The short answer is, Command Zero is a dedicated solution for tier-2+ analysis. AI-powered SOC analysts and AI-powered chatbots mainly focus on very simple tasks or tier-1 processes.  

AI-powered SOC analysts are focused on tier-1 analyst tasks. They are valuable for processing high volumes of alerts and identifying the alerts that need analysts’ attention. Based on customer feedback, they provide good solutions for simple tasks yet need supervision and analyst interaction for complicated ones.

AI-powered SOC chatbots are focused on translating analysts’ requests into queries and commands, then summarizing the data they fetch. This is valuable at each step, but these solutions do not provide a solution for complex cases. Specifically, they don't provide an end-to-end investigation experience, and they require users (in this case analysts) to know which questions to ask, or which prompts to use to guide the LLM.

Command Zero leverages an encoded knowledge base and structured LLMs to deliver complete investigation experiences in a transparent, scalable and collaborative way. It is an expert platform with all the mechanisms for investigating built in, so it does not require the user to be a technical expert in every system within scope.

What these FAQs taught us in 2024

Security Operations teams, like every technical buyer, want to understand where a new solution fits into their process. Is it replacing an existing solution? Is it a net new solution? Understanding where Command Zero fits and how it gets to answers fast helps overcome initial (and natural) skepticism about our platform.

2024 was an interesting year for the SIEM market with two mega acquisitions: Cisco acquired Splunk and Palo Alto acquired IBM’s QRadar. These movements increased vendor and investor interest in this space as customers re-evaluate their SIEM investments. We had numerous conversations where the customer was planning to migrate from one SIEM solution to another. We also see other customers evaluating big data or data lake-based solutions instead of traditional commercial SIEM solutions.

As our research indicated earlier this year, SIEMs deliver a valuable service but do not deliver the best investigation experience for complex analyses. Command Zero complements SIEMs with dedicated investigation capabilities. This is how we help customers who have invested in SIEMs, MDR/MSSP services and SOAR/hyper automation solutions.

AI-powered tier-1 analysts and AI-powered chatbots were a very popular topic in 2024, and these themes came up repeatedly in our customer interactions. As the year comes to a close, there is increasing skepticism about these solutions’ ability to deliver. While both approaches have a lot of potential, anecdotal customer feedback suggested results that were underwhelming compared to expectations for these new solutions.

What we predict for 2025 based on these FAQs

This is our list of predictions based on the FAQs above along with our market observations this year:  

  1. Mature SecOps teams will look for ways to innovate with their current SIEM or look for alternative solutions. Managing license and operational costs while incorporating AI capabilities will be key drivers for these initiatives.
  2. MDRs/MSSPs and in-house tier-1 teams will continue to be the right solution for most organizations. AI will not completely replace tier-1 processes anytime soon. AI tier-1 analysts and AI-powered chatbots will need to reach maturity to become the top choice for the average organization.
  3. SecOps teams will look for ways to get more value from existing investments. SecOps remains one of the largest items in CISOs’ budgets, and these budgets are not likely to increase during the first half of 2025. Teams will look for ways to improve efficiency and increase their use of existing solutions.

Conclusion

2025 seems to be a promising year for innovation in cybersecurity and security operations. Command Zero will continue delivering our vision, serving more customers and collaborating with more partners. Here’s to making a meaningful impact for all SecOps teams!  

Happy holidays!

Erdem Menges
VP of Product Marketing
