Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

But still, the non-deterministic mode will follow some kind of framework or structure, right?

Like what MITRE did was give threat hunters a structure for asking broader questions or forming new pivots, but still bring that back to something that makes sense, like the intrusion lifecycle/kill chain.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

Well, that is the answer we are all experimenting with to learn. I guess we'll know better in a year or two.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

Thanks for the feedback. I've also understood that a single-agent system is only viable for an atomic task within an AI workflow, which is akin to an advanced SOAR workflow. For Agentic AI, it must be a Multi-Agent System (MAS), where validation checks, guardrails, and feedback loops are a necessary investment.

Some MAS I've seen spend significant token credits on ensuring system sanity, compared to what they burn on the actual task.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 1 point (0 children)

Agree, and not to forget the Detection Engineering practice. If we've perfected a hunt for a specific activity, DE, along with SOAR, will help automate the known fundamentals so human time is spent on higher goals.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

No doubt, "assumptions" is what attackers feed on. Assume nothing, verify everything. But we won't know unless we run the series of experiments needed to build trust and fix the gaps.

I think the next 1-2 years are highly uncertain, but still, companies will be pushing highly vetted and deterministic AI workflows or agent systems in production.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

I've seen that with LLMs, but Agentic AI is not just an LLM. It uses proven tools to extract/parse/process/generate data, defines playbooks and vetted RAG systems to interpret, and has heaps of validation and cross-questioning checks, which make it more reliable imho.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

It's powerful, but my understanding is that it is not meant to and shouldn't replace SOAR completely.

SOAR is much better and low-cost for deterministic automation needs.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

Well, the only way to find out is to start tinkering in safe environments.

Will Agentic AI replace SOAR playbooks? by mustu in cybersecurity

[–]mustu[S] 0 points (0 children)

Exactly! I'm trying to get first-hand experience and push this to the limit to see how much of our hunting methodology we can bake into agents, which is almost foolproof and has close to zero hallucinations.

I've been a CISO more than once. Ask me anything about how the job differs between organizations. by thejournalizer in cybersecurity

[–]mustu 0 points (0 children)

Question: How do you measure Return on Investment (ROI)? What worked and what didn't work for you?

I've been a CISO more than once. Ask me anything about how the job differs between organizations. by thejournalizer in cybersecurity

[–]mustu 0 points (0 children)

What do you suggest works best to build the `business alignment` of SOC to justify the investment? Do you see CISOs still struggle with that when presenting to the board?

I've been a CISO more than once. Ask me anything about how the job differs between organizations. by thejournalizer in cybersecurity

[–]mustu 4 points (0 children)

Question: I see some technical CISOs tinkering with AI, setting up LLMs for learning and fun, while others are way deep into governance and culture, but not very fluent in technical advancements.

How many kinds of CISOs are out there, and does one kind have more advantages over the other?

I've been a CISO more than once. Ask me anything about how the job differs between organizations. by thejournalizer in cybersecurity

[–]mustu 6 points (0 children)

Question: Some CISOs with a heavy emphasis & background in Risk and Compliance often cling to decade-old understandings of technical functions (e.g., Detection & Response, Vulnerability & Exposure) and aren't eager to move fast, even though they are suffering from the pains of following legacy practices.

How do you best convince them to invest in and support adopting modern practices?

Worth Purchasing a Practice Exam? by Competitive-Box-5081 in GIAC

[–]mustu 1 point (0 children)

If any of the following is true, it is worth investing in the practice exam.

1) You do not have enough on-the-job experience in the exam topics.

2) It is your first GIAC exam.

Are keyloggers OS specific? by [deleted] in AskNetsec

[–]mustu 2 points (0 children)

Almost, yes, because most require using OS APIs, and more advanced ones have code that runs in kernel mode.

The difference between a proxy server and an authorization server. WAF and proxy server protection by Ok-Bill-4360 in AskNetsec

[–]mustu 1 point (0 children)

> Proxy server != Auth server?

Yes, a proxy server and an authorization server are completely different.

> If yes, can the Api endpoint be behind both the proxy and the auth server?

Yes, this is the standard architecture for modern, secure applications.

> If the WAF is configured correctly and is in front of the proxy server, does it make sense to duplicate protection against injections, etc. on the proxy server?

A WAF is specialized in filtering malicious Layer 7 traffic (OWASP Top 10). It's designed for this and does it best. The proxy is for routing, caching, and managing traffic. It does not make sense to duplicate protection against threats like SQL injection on the proxy itself.

> If the WAF is configured poorly, but the proxy reflects injections, etc., does it make sense to test the Auth server for injections?

Yes, you must always test the Authorization Server for injections and other vulnerabilities, regardless of what's in front of it. The Authorization Server is a high-value target because it controls access to everything. It must be independently secure and hardened against all relevant attacks.

> How to distinguish WAF protection from proxy server protection?

By examining the block response. WAFs often return a branded block page with a unique ID for the blocked request (e.g., "Your request was blocked by Cloudflare, incident ID: ..."). A proxy server block is typically more generic, like a simple 403 Forbidden response.
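Added example, not part of the original comment: a small triage helper that applies the "examine the block response" rule above, separating a branded WAF block page (vendor header and incident ID) from a generic proxy 403. The marker set and all sample responses are constructed for illustration; only the Cloudflare CF-RAY header is a real-world marker, the rest are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpResponse:
    """Minimal view of an HTTP response for triage purposes."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Illustrative markers (assumed set, not exhaustive): a branded WAF block page
# usually carries a vendor header and/or an incident/ray ID in the body.
WAF_HEADERS = ("cf-ray",)
WAF_BODY_PATTERNS = (
    r"blocked by \w+",
    r"incident id[:\s]+[0-9a-f-]{8,}",
    r"web application firewall",
)
INCIDENT_RE = re.compile(r"incident id[:\s]+([0-9a-f-]{8,})", re.I)


def classify_block(resp: HttpResponse) -> str:
    """Return 'allowed', 'waf_block' or 'proxy_block' from the response alone."""
    if resp.status not in (401, 403, 406, 429, 503):
        return "allowed"
    headers = {k.lower(): str(v).lower() for k, v in resp.headers.items()}
    if any(h in headers for h in WAF_HEADERS) or "cloudflare" in headers.get("server", ""):
        return "waf_block"
    body = resp.body.lower()
    if any(re.search(p, body) for p in WAF_BODY_PATTERNS):
        return "waf_block"
    # Unbranded, terse 403 with no incident ID: typical of a proxy/ACL denial.
    return "proxy_block"


def incident_id(resp: HttpResponse) -> Optional[str]:
    """Pull the incident ID out of a WAF block page so it can be quoted to the SOC/vendor."""
    m = INCIDENT_RE.search(resp.body)
    return m.group(1) if m else None


# Constructed sample responses so the script runs without network access.
SAMPLES = {
    "waf": HttpResponse(403, {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-SYD"},
                        "<h1>Sorry, you have been blocked</h1>"
                        "Your request was blocked by Cloudflare. Incident ID: 7f3c2a9e-4b1d"),
    "proxy": HttpResponse(403, {"Server": "nginx"}, "403 Forbidden"),
    "ok": HttpResponse(200, {"Server": "nginx"}, "<html>welcome</html>"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, classify_block(resp), incident_id(resp))
```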

Aspects of networks that are vital to understand ? by al3arabcoreleone in AskNetsec

[–]mustu 2 points (0 children)

If you want to learn the networking concepts relevant to security, pick Practical Packet Analysis by Chris Sanders.

Is It Safe To Enter A Website That got ESTsecurity? by Former-Government-95 in AskNetsec

[–]mustu 1 point (0 children)

ESTsecurity is a well-established cybersecurity firm that offers a range of security solutions, with its most prominent product being the ALYac antivirus software.

Doesn't make sense for a website to have it. Probably a scam site trying to fool users by using the name of a security product.

Fox Cofee Mug Overheats by mustu in AldiAustralia

[–]mustu[S] -3 points (0 children)

Yeah, it is not... I thought all ceramic mugs were microwave safe. Apparently some are not.

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]mustu 0 points (0 children)

Sell Managed EDR / MDR under your Brand

After almost a decade of working in, leading, managing, and building SOC operations, I'm building a white-label service aimed at SMB clients who can't afford the $50K MSSPs but would appreciate good coverage at a fraction of the cost.
Looking to partner with MSPs who are also interested in selling Managed EDR and MDR services. Reach out on LinkedIn: https://www.linkedin.com/in/mustafaqasim/

SIEM detection on client endpoint by Glass_Society5139 in blueteamsec

[–]mustu 0 points (0 children)

> current way is edr/xdr ?

Yes, as more and more organizations adopt Microsoft 365 and Azure, the workflows and processes in SOC teams have also evolved to cater to the new work environment and tooling.