
    Why AI in the SOC Needs Governance

    Alina Marcu, PhD · 23 min watch · 8 min read

    Most AI in the SOC isn't governed. That's the real risk. In this conversation, Alina Marcu — Chief Data Scientist at Arcanna.ai and the original author of the Decision Layer — makes the case for why mission-critical security operations need a Trust Layer between telemetry and automation. Deterministic. Auditable. Trained on your team's institutional knowledge, not internet opinions.

    TL;DR

    A 23-minute conversation with Alina Marcu, PhD, Chief Data Scientist at Arcanna and the original author of the Decision Layer, on why mission-critical SOC operations need a Trust Layer between telemetry and automation.

    • LLMs are great assistants. They are not policy engines. In mission-critical operations, decisions that are unverifiable, unaccountable, or hallucinated are unacceptable.
    • Decision models are deterministic by design. Once trained, the same input guarantees the same output — which is what makes them auditable, defensible, and safe to automate.
    • Governance is built into the pipeline, not bolted on. Confidence thresholds, drift detection, rollback, and full traceability of every analyst's feedback are the difference between AI you can trust and AI you can't.

    Key takeaways

    1. The Decision Layer as a trust layer between telemetry and automation [01:58]

    Alina explains why Arcanna calls the Decision Layer a control plane for analysts — and why "trust layer" is the right framing. Decisions in the SOC need to be consistent and defensible. A Decision Layer enforces both. It sits between raw telemetry and automation so that what gets automated is what the team actually trusts.

    2. Why LLMs are not safe for mission-critical SOC decisions [02:48]

    LLMs are great assistants because they have broad knowledge across many topics. But in mission-critical operations, you cannot have a system making decisions that are unverifiable, unaccountable, or hallucinated. The impact would be significant. This is the architectural argument for separating decision-making AI from generative AI.

    3. How decision models are built from analyst feedback [04:48]

    Decision models are deep learning models grounded in the data analysts use every day. The analyst chooses what data goes into the model, provides feedback, and the training process begins. Through these feedback mechanisms, the models adapt and continuously improve — capturing the team's institutional knowledge, not internet opinions.

    4. The Ontology — capturing tribal knowledge [11:01]

    The Ontology is Arcanna's mechanism for capturing knowledge that doesn't live in any other source. It can be built at the level of the individual analyst or the whole organization. It's owned exclusively by the customer. It models entities and the semantic relationships between them — and it's how Arcanna ties an alert to the team's reasoning.

    5. From human-in-the-loop to human-on-the-loop [17:35]

    Decision models start in a supervised mode where every decision is reviewed. Once the SOC builds confidence in the model and performance metrics justify it, the team moves to human-on-the-loop — high-confidence decisions auto-close, lower-confidence ones still get reviewed. The human always sets the confidence threshold. The team is always accountable.

    6. Justifying AI decisions to auditors and executives [19:39]

    Decision models are trained with the data and knowledge that resides within your institution. Full visibility, full traceability of every feedback action, full rollback capability. That's what makes the pipeline defensible to auditors. That's what makes it credible to executives.
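    To make the governance mechanics in takeaways 5 and 6 concrete, here is an added illustration in Python. It is not Arcanna's code and says nothing about how the Decision Layer is actually implemented; the toy "model" (a frozen consensus table built only from recorded feedback), the field names in MODEL_FIELDS, the analyst names, the alert values, the threshold and the drift rule are all constructed assumptions. What it shows is the shape of a governed pipeline: the same evidence always produces the same decision, only high-confidence "close" decisions are automated and the threshold is set by people, every feedback action stays traceable to an analyst, every trained version is retained so the team can roll back, and a rising share of decisions falling back to review is surfaced as a drift signal.

```python
# Added illustration (not Arcanna's code): a governed decision pipeline with a
# deterministic model, a human-set confidence threshold, a feedback audit log,
# versioned models with rollback, and a simple drift check. All data constructed.
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import json

# Alert fields the analyst chose to feed the model (an assumption of this example).
MODEL_FIELDS = ("rule", "src_internal", "user_type")


def canonical_key(alert: dict) -> str:
    """Order-independent encoding of the selected fields: identical evidence
    always maps to the same key, which is where determinism starts."""
    return json.dumps({f: alert.get(f) for f in MODEL_FIELDS}, sort_keys=True)


@dataclass(frozen=True)
class Feedback:
    alert_id: str
    analyst: str
    alert: dict
    label: str  # "close" or "escalate"


@dataclass(frozen=True)
class Decision:
    alert_id: str
    label: str
    confidence: float
    model_version: int
    route: str  # "auto_close" or "review"


class DecisionModel:
    """Frozen model built only from the team's feedback. Confidence is the
    share of analysts who agreed on the label for that evidence (consensus)."""

    def __init__(self, version: int, feedback: list):
        self.version = version
        votes = defaultdict(Counter)
        for fb in feedback:
            votes[canonical_key(fb.alert)][fb.label] += 1
        self._table = {}
        for key, counter in votes.items():
            label, n = counter.most_common(1)[0]
            self._table[key] = (label, n / sum(counter.values()))

    def predict(self, alert: dict):
        # Unseen evidence is never confident: it must go to a human.
        return self._table.get(canonical_key(alert), ("escalate", 0.0))


class DecisionLayer:
    def __init__(self, threshold: float, drift_window: int = 4, max_review_share: float = 0.5):
        self.threshold = threshold            # set by the team, never by the model
        self.feedback_log = []                # every feedback action: who, on what, which label
        self.versions = {}                    # every trained model, retained for rollback
        self.active = None
        self.recent_routes = deque(maxlen=drift_window)
        self.max_review_share = max_review_share

    def record_feedback(self, fb: Feedback) -> None:
        self.feedback_log.append(fb)

    def train(self) -> int:
        version = len(self.versions) + 1
        self.versions[version] = DecisionModel(version, list(self.feedback_log))
        self.active = self.versions[version]
        return version

    def rollback(self, version: int) -> None:
        self.active = self.versions[version]

    def decide(self, alert_id: str, alert: dict) -> Decision:
        label, conf = self.active.predict(alert)
        # Human-on-the-loop: only a high-confidence "close" is automated.
        route = "auto_close" if label == "close" and conf >= self.threshold else "review"
        self.recent_routes.append(route)
        return Decision(alert_id, label, conf, self.active.version, route)

    def drift_detected(self) -> bool:
        """Crude drift signal: the share of decisions falling back to review over
        the last window exceeds what the team accepted when setting up automation."""
        if len(self.recent_routes) < self.recent_routes.maxlen:
            return False
        return self.recent_routes.count("review") / len(self.recent_routes) > self.max_review_share

    def trace(self, alert: dict):
        """Who labeled evidence like this, and how: the audit trail behind a decision."""
        key = canonical_key(alert)
        return [(fb.analyst, fb.alert_id, fb.label)
                for fb in self.feedback_log if canonical_key(fb.alert) == key]


def demo() -> dict:
    """Constructed walk-through: supervised feedback, automation, drift, rollback."""
    svc = {"rule": "brute_force_login", "src_internal": True, "user_type": "service"}
    adm = {"rule": "brute_force_login", "src_internal": False, "user_type": "admin"}
    new = {"rule": "dns_tunnel_suspected", "src_internal": True, "user_type": "user"}
    layer = DecisionLayer(threshold=0.9)
    for i, who in enumerate(("alice", "bob", "carol")):
        layer.record_feedback(Feedback(f"A{i}", who, svc, "close"))
    layer.record_feedback(Feedback("B0", "alice", adm, "escalate"))
    layer.record_feedback(Feedback("B1", "bob", adm, "escalate"))
    layer.record_feedback(Feedback("B2", "carol", adm, "close"))
    v1 = layer.train()
    first = [layer.decide("X1", svc), layer.decide("X2", adm),
             layer.decide("X3", new), layer.decide("X4", svc)]
    drift_before = layer.drift_detected()
    # A dissenting label lowers consensus below the threshold after retraining.
    layer.record_feedback(Feedback("A3", "dave", svc, "escalate"))
    v2 = layer.train()
    after = [layer.decide("X5", svc), layer.decide("X6", adm)]
    drift_after = layer.drift_detected()
    layer.rollback(v1)   # the team decides the new version is not ready
    restored = layer.decide("X7", svc)
    return {"v1": v1, "v2": v2, "first": first, "drift_before": drift_before,
            "after": after, "drift_after": drift_after, "restored": restored,
            "trace": layer.trace(svc)}
```

    Running demo() walks the lifecycle once: under version 1 the service-account brute-force alert auto-closes at confidence 1.0 and an identical alert later gets the identical decision, the admin variant and the never-seen alert both go to review, a single dissenting feedback action drops consensus to 0.75 after retraining so automation stops, the review share over the last window trips the drift check, and rolling back to version 1 restores the previous behaviour while trace() still shows every analyst who labeled that evidence, including the dissent.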


    Full interview transcript


    Host: Welcome everyone, and thanks for joining us. Across enterprises and MSSPs alike, analysts are challenged by the scale and speed with which today's threats are outgrowing traditional workflows. What we're exploring in this conversation is how AI helps teams reclaim control by turning their existing expertise, processes, and tools into something that can scale. We'll talk about how deterministic decision models capture the judgment of your best analysts, and how agentic workflows accelerate investigations without sacrificing trust.

    Host: So, nice to meet you, Alina. Tell me — how did you get into cybersecurity?

    Alina Marcu: Hi David. Actually, I need to tell you a bit of a story. My background is purely technical, and I have pursued a career in AI all of my adult life, including a PhD. I've worked as an applied scientist on multiple problems from various domains. Arcanna offered me the opportunity to apply my knowledge in AI to practical and quite challenging domains, such as cybersecurity.

    Host: What do you do for Arcanna?

    Alina Marcu: My official role with Arcanna is Chief Data Scientist. That usually implies several steps — building, validating, and governing the AI components that we integrate into the platform in order to offer value to our customers, but in a trustworthy manner.

    Host: You were the original author of the Decision Layer.

    Alina Marcu: That's correct. I was the initial proposer for the Decision Layer and the way we phrased decision-making in the SOC, using the human feedback loop, and also the core of the Decision Layer — the decision models themselves. But Arcanna today is the successful result of a strong collective team effort, no doubt.

    Host: Great. Let's get into the Decision Layer. What is it, and what role does it play in the Arcanna platform?

    Alina Marcu: Arcanna's Decision Layer is a control plane for the analysts in the SOC, so they can make their decisions. We also call it a trust layer that stands between raw telemetry and automation, so that the SOC decisions are consistent and defensible.

    Host: And the Decision Layer uses decision models?

    Alina Marcu: That's correct.

    Host: How do decision models work?

    Alina Marcu: Decision models behind the Decision Layer are deep learning models grounded in the data that the analysts use on a daily basis. The models are trained using the feedback provided by the analysts.

    Host: There's a lot of talk right now about applying LLMs and generative AI to things like cybersecurity. Why is it important to separate decision-making AI from generative AI?

    Alina Marcu: We're all familiar with the positive impact LLMs have had in some parts of certain domains. They are great assistants because they have broad knowledge across a wide range of topics. But in mission-critical operations, they are not suitable for decision-making, because they still face important limitations. In the SOC, you cannot have a system that makes a decision that is unverifiable, unaccountable, or hallucinated. The impact would be significant.

    Host: What was the inspiration behind building Arcanna's decision models?

    Alina Marcu: I'm going to tie back to how humans make decisions in general. The human decision-making process is a complex cognitive process that involves multiple steps. When we make decisions, we usually gather relevant information around a particular situation in order to gather context and make the best choice out of all possible options. Our brains do all the heavy lifting and tie the particular situation with past experiences, and in the end we make a decision. In the same manner, we built Arcanna to capture and scale human judgment, but also maintain the accountability and the consistency of the decisions — all grounded in the data and experience of the analysts.

    Host: Tell me more about how the decision models incorporate this human contextual decision-making.

    Alina Marcu: The data we use in training these models is all the evidence analysts use on a daily basis. An analyst might use certain event fields, enrich them to gather more context, and based on that information, put a decision. We capture all those steps in the process, including the data. We also give the human the possibility to decide which data goes into the model. After that we prompt the user to give feedback so the training process can start. Through these feedback mechanisms, we adapt and continuously improve the decision models.

    Host: What data is used to train the models?

    Alina Marcu: The analyst has full control over the input of the model and over the SOC outcomes. Whatever they require in order to improve their processes, we can leverage that data — in the same manner that the human does.

    Host: There's always a privacy and security element in cybersecurity operations. How does Arcanna ensure these decision models maintain privacy and security?

    Alina Marcu: Arcanna can be deployed on-prem or in a private cloud, and can even fully work offline. There is no issue with data leaving the customer's environment. The models reside within the customer's environment. The models, the data, the knowledge — all of it is kept within the customer's control.

    Host: When we look at an individual decision model, it seems like there's lots of flexibility in how they can be created. What's the typical scope of a decision model?

    Alina Marcu: The scope of decision models can reside within a particular investigation flow or use case, and they do that particular task especially well, because they're fitted to that data and that outcome. For instance, in the case of alert triage — one of the most frequently implemented use cases by our clients — we usually deploy a Decision Layer with a decision model that does just that task.

    Host: Let's get into the mechanics. Walk me through how it starts from data ingestion all the way to the output of the model.

    Alina Marcu: Of course. Our clients use Arcanna by integrating with their SIEMs, EDR, or other data sources, so we can ingest that data into the platform. After that, there's a decision selection step — the user looks over the data. If all the data is there to make an informed decision, we continue to train the model. If not, we have additional steps such as normalization or enrichments. For instance, we can enrich the data with threat intel to bring more context and guarantee the data used in decision-making is rich enough.

    Alina Marcu: After that, we prompt the user to give feedback to the model. Some clients have prior decisions from past investigations we can leverage, but the models are trained using feedback. Once the model is trained, it's deployed in production, where it can offer a prediction or decision, a confidence score, and a decision insights report, so the SOC understands the outcome of the model. Some clients add an extra step — a post-decision automation step that involves sending the result of the model into existing tools.

    Host: How can we put different decision models together in the Arcanna platform?

    Alina Marcu: We have what we call flows in Arcanna — orchestrated automation steps within the AI pipeline. Flows offer full flexibility to the customer to decide where and what component to add to the pipeline. They have full control if they want to do other automation steps such as ingestions or data enrichments, code blocks, or even running agentic workflows. They can decide whether to add one decision step or multiple, and where to put the Ontology. These steps can be enabled or disabled based on the customer's preference, so we don't require them to redesign the whole pipeline. We can fit Arcanna to any complex process within the SOC.

    Host: They're very flexible. Now, in your previous answer you mentioned an Ontology. What is an Ontology in Arcanna?

    Alina Marcu: Arcanna's Ontology is a new addition to the Arcanna stack. Its main purpose is to capture the tribal knowledge of the SOC team — data that doesn't reside in any other source or integration, something unique to that organization. It's built, maintained, and owned exclusively by the client. It can be built at the level of the individual — if a certain analyst has a particular way of investigating an incident, we can capture that — or at the level of the whole organization, so we can have full visibility.

    Alina Marcu: The Ontology is the organized knowledge from mission-critical operations experts, modeled using entities we can extract from multiple data sources. We can extract them from alerts, but also semantic relationships between these entities, which are defined and created by the user. We can tie an alert with certain entities and relationships from the Ontology to make better decisions and actual reasoning.

    Host: The Ontology can really help decision-making to scale. Let me shift gears. I'd like to talk about transparency and explainability — a really important component when making decisions in a SOC. We contrast that with black-box AI models, where it's very difficult to know what's happening inside the model. How does the Decision Layer avoid the pitfalls of black-box AI?

    Alina Marcu: That's a question we get asked a lot, because it's important. Arcanna offers full visibility and control over the steps involved in building and training these models. The user sits with Arcanna from the moment of defining the task, ingesting the data, deciding what data goes into the model, and the SOC outcomes. We offer the customer full visibility that we do not use external knowledge or data that could potentially impact the behavior of the models — they are dedicated and built specifically for their operations, their processes, their use cases.

    Host: Can analysts trace back why a model made a specific recommendation? And if so, how?

    Alina Marcu: Given that we have full auditability throughout the whole pipeline, we can trace back who provided the feedback at every given moment. We can track individual feedback at the level of the team and over time. We can roll back if something went wrong with the model based on particular feedback. We also offer customers the ability to see the most similar events that were labeled in the past by the team, to better enforce the decision made in this particular instance.

    Host: So there's a real reinforcement and even a coaching element. How does the Decision Layer adapt when customer environments or threat landscapes change?

    Alina Marcu: Our decision models adapt and continuously improve through human feedback. That's the core mechanism that makes the model work, ingesting the knowledge from the SOC and adapting to new threats. On top of decision models, we have guardrails — performance monitoring, outlier detection, and for each decision we provide a confidence score. We use these mechanisms to detect data drifts or performance drifts that can be caused by various reasons, and we can prompt the user to take action: "This happened here. You need to investigate why. Maybe roll back to a previous model."

    Host: Turning to trustworthiness and safety — what steps are taken to ensure the models are accurate, consistent, and aligned with the expectations of the SOC itself?

    Alina Marcu: By design, our decision models are consistent. Once we have a model trained, the weights of the model are fixed — meaning that once we get a particular input, we can guarantee the same output every single time. To make the models accurate, we recommend customers start with a human-in-the-loop approach, in order to match the model with the SOC's expectations. After confidence has been built between the SOC and the model, and the performance metrics justify it, we can move into a human-on-the-loop step — where we don't need custom feedback review of every decision, but we can put controlled automation on the high-confidence alerts.

    Host: So you can use human-in-the-loop methodologies to train and hone the model, and once it's trained, move into production with a human-on-the-loop approach.

    Alina Marcu: Of course. And this is within human control. The human decides the confidence thresholds — when they're comfortable moving the model into the controlled automation pipeline.

    Host: Why not rely on general-purpose LLMs?

    Alina Marcu: General-purpose LLMs can work in some situations when you need broad knowledge — internet-level intelligence. But for a more practical and secure approach, you need something that is built within your rules, using the knowledge from your team, on your data, to solve your problems.

    Host: Let's talk about the value of these decision models to people within the SOC. How does the Decision Layer pipeline impact analyst workload over time?

    Alina Marcu: For the analyst, we can reduce the false positive rate by auto-closing some triaged alerts — the high-confidence ones, using the models the analyst has trained. An important aspect to mention: Arcanna as a platform is a tool that augments the human. Arcanna works with and alongside humans. We do not intend to replace them. The team is accountable for the decision made.

    Host: That's an important distinction. It really helps each individual analyst scale the amount of alerts they can manage. What does this mean for SOC leaders who need to justify AI decisions to auditors or executives?

    Alina Marcu: Decision models are trained with the data and the knowledge that resides within your institution. The knowledge from your team is distilled within these models, not on internet opinions. That's very valuable for auditors. We also have full visibility over the pipeline — we work in a controlled setup. We have full traceability of the feedback and the decisions made through time within the environment. That's valuable for both executives and auditors.

    Host: Are there other value factors brought by Arcanna we haven't covered?

    Alina Marcu: Of course. We haven't talked much about how we can leverage the collective knowledge of the whole SOC team. We have a consensus mechanism — we can use feedback from multiple members of the team to build the best model, not just at the level of the individual, but the collective knowledge. Like the best player in the team. That's a very valuable aspect.

    Alina Marcu: I'd also like to mention something interesting. We have the best customers, and they are very creative. We build Arcanna with them in mind and with their help, and sometimes they surprise us with use cases we hadn't thought about — but as a byproduct of what we built. One example: an Arcanna Coach. A trained decision model can be used to onboard newcomers, or for someone less experienced, to double-check their decisions against the model trained by the team and align with them.

    Host: That's really great. It's a way to scale the expertise of the team — helping individual analysts handle higher volumes, helping consensus form across team members, and taking more junior members and giving them trained models to build their skills. Thanks for joining us.

    Host: For MSSPs, operational scale is everything. You're expected to deliver high-quality detection and response across dozens or hundreds of customer environments — each with different data availability, different baselines, and different expectations. Arcanna helps MSSPs meet these demands without adding headcount, compromising quality, or sacrificing SLAs. Its decision models provide reproducible, customer-specific decisions at massive scale, while agentic workflows accelerate investigations across diverse tool sets and log sources. The result is a force multiplier for your analysts — faster triage, consistent outcomes, and the ability to onboard new customers without operational strain. With Arcanna, MSSPs can expand their service capacity, maintain quality, and stay ahead of evolving threats using the expertise they already have.


    Alina Marcu, PhD

    Chief Data Scientist at Arcanna

    Alina is the original author of the Decision Layer and the human-feedback approach that grounds Arcanna's decision models. She leads the work of building, validating, and governing the AI components inside the platform — so SOC teams get decisions they can defend, audit, and trust.

    Arcanna is the Trust Layer for AI in the SOC

    Grounded decisions. Governed agentic investigations.