2025-01-29

An air traffic surveillance company thwarted advanced persistent threats, boosted DevSecOps automation and ducked $2 million in incident response costs with agentic AI tools.

Generative AI adoption is still at an early, awkward stage among mainstream enterprises, while agentic AI -- in which autonomous software components execute multi-step workflows independently -- remains a bleeding-edge technology. However, some of the first tools driven by generative and agentic AI have been used for security operations (SecOps), and some of the earliest enterprise agentic AI adoption has been in security operations centers.

One early user of agentic AI for SecOps is Aireon, a global satellite network operator that tracks air traffic control data. It sells software to air navigation service providers and other companies in the aerospace industry, such as Boeing. Aireon's 66-satellite network spans the globe, but its workforce is relatively small at fewer than 200 employees, according to the company's CISO, Peter Clay.

"We do have a full-time IT service desk that manages our customer stuff, but for corporate computing and cybersecurity, I have a total staff of five," Clay said. "So doing threat hunting across 130 to 150 million log events per day is not trivial."

Compounding this challenge is a general SecOps skills gap in the industry. New SecOps professionals enter the industry every year, but candidates with intermediate skills accrued over five to 15 years are in much shorter supply, Clay said -- all while cyberattacks grow more costly, frequent and sophisticated.

To address these gaps, Clay turned in 2024 to an open source large language model (LLM), WhiteRabbitNeo, which was trained to identify and remediate security vulnerabilities. Eventually, Aireon also purchased a product from WhiteRabbitNeo commercial sponsor Kindo.ai that provides a framework to automate DevSecOps workflows using runbooks and AI agents.

"The power of this stuff is, I'm able to take really smart, engaged people that understand the basic concepts of what we're after and upskill them very rapidly to achieve the outputs that we need," Clay said. "In my experience, it takes five to seven years to create a threat analyst that can do a true hunt and deliver valuable information. We were able to cut that down to a couple of hours."

The evolution of generative AI into agentic AI presents both new capabilities and new challenges.

From SecOps upskilling to DevSecOps agents

WhiteRabbitNeo helped Aireon's SecOps team learn threat hunting skills and uncover advanced persistent threats lurking in the company's networks. In part, this is due to the probabilistic nature of AI systems, which make decisions based on an evolving analysis of probabilities rather than more rigid and definitive deterministic rules. This makes predicting the behavior of malicious AI agents difficult using traditional rules-based systems, while a set of defensive AI agents is better suited to the challenge, Clay said.

"We're able to not just pattern match but also pull together and aggregate a ton of information and go, 'Well, wait a minute. Our network was running this way for 12 months, and three days ago, it started doing this. What does that mean?'" he said. "[Then we can] start to run some deeper queries [and] start to understand this a little bit better. Being able to do that at scale is really interesting, particularly for small and midsized businesses."

Since deploying WhiteRabbitNeo and Kindo.ai, Clay's team caught two active advanced persistent threats -- one trying to get into the company's network and one that was already inside the environment -- and shut them down before the attacks could advance.

"Speed kills problems," Clay said. "The faster I find something, the faster I fix it, the less impact on the organization as a whole."

A member of Clay's team built a set of AI agents using Kindo that captures and queries the company's security plan documentation for developers as they work. The SecOps team uses this same set of agents to upload new versions of the documentation, track queries and identify which developers need help implementing security controls.

"Instead of saying, 'Read this 400-page document, and we will do a really boring one-hour training on it,' [we're] able to be there when the developer goes, 'How many critical, high, medium or low vulnerabilities can I have in my code to move to the next step?'" Clay said. "That freed up a ton of people's time and gave them really, really focused feedback."

Aireon uses another agentic AI tool from Derive for finance automation, risk management and compliance, which Clay tapped to measure the effectiveness of WhiteRabbitNeo and Kindo.

"Derive is able to ingest your controls and then output financial modeling that allows you to say, 'We implemented this control and our risk exposure, in dollar terms, rose or fell from here to here,'" he said.

So far, Derive has estimated that the AI agents Clay deployed have helped the company avoid $2 million in risk exposure.

"The savings came from our expected loss with where we were versus the expected loss, with the implementation controls and [expected] outcomes we have now," he said. "My CFO can look through the numbers [and be] comfortable talking in these terms."
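The "running this way for 12 months, then three days ago it started doing this" comparison Clay describes is, at its core, a baseline-versus-recent-window check. The following is an added example (not Aireon's, Kindo's or WhiteRabbitNeo's code) of that check done deterministically over a constructed series of daily log-event counts: it builds a robust baseline (median and scaled median absolute deviation, so a single past incident does not inflate the "normal" range) and flags recent days that fall outside it. The window lengths, thresholds and sample counts are all assumptions chosen for illustration.

```python
"""Baseline-versus-recent deviation check over daily log-event counts.

Added example, not code from the article or the vendors it names. It assumes
that a per-day count of events for one source (a host, a VLAN, a log type) is
already available; here the counts are constructed inline.
"""
from statistics import median

# Constant that turns a median absolute deviation (MAD) into an estimate of
# the standard deviation for normally distributed data.
MAD_SCALE = 1.4826

# Constructed sample: 30 "normal" days that wobble between 100 and 112 events,
# followed by 3 days that jump to roughly 4x the usual volume.
BASELINE_DAYS = 30
SAMPLE_COUNTS = [100 + (i % 5) * 3 for i in range(BASELINE_DAYS)] + [400, 420, 390]


def robust_baseline(values):
    """Return (median, scaled MAD) for the baseline window.

    Median/MAD are used instead of mean/stdev so that one or two outlier days
    inside the baseline (an earlier incident, a backup job) do not widen the
    accepted range and mask a later deviation.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values) * MAD_SCALE
    return med, mad


def flag_deviations(counts, baseline_days, threshold=3.5):
    """Compare every day after the baseline window against that baseline.

    Returns a list of (day_index, count, score) for days whose modified z-score
    meets the threshold. A constant baseline (MAD == 0) is treated as a strict
    expectation: any change at all is reported, with an infinite score.
    """
    if len(counts) <= baseline_days:
        raise ValueError("need at least one day beyond the baseline window")
    med, scale = robust_baseline(counts[:baseline_days])
    flagged = []
    for day, count in enumerate(counts[baseline_days:], start=baseline_days):
        if scale == 0:
            deviates = count != med
            score = float("inf") if deviates else 0.0
        else:
            score = (count - med) / scale
            deviates = abs(score) >= threshold
        if deviates:
            flagged.append((day, count, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for day, count, score in flag_deviations(SAMPLE_COUNTS, BASELINE_DAYS):
        print(f"day {day}: {count} events, modified z-score {score}")
```

The flagged days are the starting point for the "deeper queries" the article mentions, not a verdict on their own: a volume jump can be a new log source or a retention change as easily as an intrusion, so the next step is to break the deviating days down by source, destination and event type against the same baseline.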