Security teams are drowning in alerts and manual responses. Exaforce is building an AI SOC platform that automates detection, triaging, investigation, and response, aiming to turn a team of three analysts into the equivalent of ten. I spoke with co-founders Ariful Huq and Marco Rodrigues about their data-first approach, how they're using LLMs for reliable triaging, and the practical deployment details.
Security operations often feel like a losing game of whack-a-mole. You block one attack vector, and another pops up. Malicious actors constantly innovate, forcing security teams into reactive, manual, and attack-specific responses. This problem isn't just about your own software; it extends to the sprawling ecosystem of third-party dependencies and SaaS services that now hold critical data.
This is the gap Exaforce aims to fill. The company is building an AI-driven Security Operations Center (SOC) platform designed to automate the core tasks of security operations: detection, triaging, investigation, and response. The goal is to amplify the effectiveness of existing security teams, whether they're a startup with no SOC or a mid-sized enterprise struggling to keep up with alert volume.
I spoke with Ariful Huq, co-founder and head of product, and Marco Rodrigues, co-founder and head of product, at Exaforce last month at AWS re:Invent to understand their approach to solving this persistent problem.
The SOC Journey: From Compliance to Daily Operations
Organizations typically reach out to Exaforce at different stages of their security maturity. As Marco Rodrigues explains, a common trigger is achieving compliance certifications like SOC II or ISO.
"When it comes time to actually start putting together incident response plans or where there's legal liability that's being driven through their customer contracts, that’s where they tend to get a bit more serious," Rodrigues says.
The needs vary dramatically:
- Early-stage startups (often with just 1-2 security engineers) need a foundational detection framework and a routine for responding to alerts.
- Growing companies find they can't keep pace with the volume of new detections required as they scale.
- Larger enterprises face a critical talent shortage. "The reality is that the skill set is not there—they can't hire these people even if they wanted to," says Ariful Huq.
The Detection Gap: SaaS and Cloud Blind Spots
A surprising finding for Exaforce is that even large organizations often have minimal detection coverage, especially for cloud and SaaS services.
"We found in starting our journey in building this AI SOC platform is that most of the market thinks about this as an AI analyst problem. But we think about four primary tasks in the SOC and detection is one of them: detections, triaging, investigations, and response," Huq explains.
For very small organizations, the immediate need is simply getting off the ground with out-of-the-box detections. For larger companies, the gap is often in critical SaaS services where sensitive data resides.
"Like GitHub, Snowflake, OpenAI. These are critical services where a lot of critical data resides today. And they don't have detections on top of it," Huq notes. Exaforce helps fill these coverage gaps, while leveraging existing detections from tools like Cloudflare or endpoint security for enrichment.
Moving Beyond Noisy Anomaly Detection with LLMs
One of the biggest challenges in security is reliable anomaly detection. Traditional statistical anomaly detection has a poor reputation for being noisy, generating false positives that overwhelm analysts.
Exaforce's approach combines statistical modeling with modern AI. "We still have statistical modeling because you certainly need to understand what is normal," says Huq. "But what's really interesting now is we're leveraging our large language models, our AI agents, to actually do the triaging for these detections."
The key is layering a "knowledge layer" based on LLMs that incorporates business context. Every organization has unique ways of using its technology. Developers, for instance, might perform actions that look identical to an attacker's behavior. By understanding this context, the system can better distinguish between legitimate activity and threats.
"In the past, you couldn’t create higher fidelity because you didn’t have enough people to look at these detections. Now we actually have machines looking at them, so we can actually take even the lowest signals, put it all together, let machines do the stitching and bring up the fidelity," Huq explains.
Making AI Triaging Reliable: Context Over Guesswork
The reliability of AI triaging depends heavily on how much "guesswork" is eliminated. "With LLMs, we try to give them as much directional guidance as possible," says Huq.
Their process involves:
- Building semantics and relationships from the ingested data
- Providing specific context to the LLM, answering critical questions about the detection
- Narrowing the data scope to avoid overwhelming the model ("You give too much data. It's you reading a hundred page book. The first page versus the last page, what are you most likely to remember?")
Rodrigues frames this as "human reasoning at scale, machine scale." The critical value is in the upfront data processing work that presents the right context to the LLM.
Data-First Architecture: Ingestion Over Overlay
Exaforce's approach differs from competitors who take an "overlay" approach—relying on third-party detections and trying to triage on top of them. Exaforce takes a fundamentally different, data-first approach.
"We try to ingest the data and build semantics around it, build a bunch of enrichments," says Huq. "From our perspective, it's a combination of LLMs plus the data engineering work."
While they do some fine-tuning (particularly for natural language to SQL conversion), they find that robust data engineering reduces the need for extensive tuning. They primarily leverage commercial LLM APIs, giving them domain-specific context to work with their general intelligence.
Rodrigues emphasizes continuous measurement: "There is a level of measurement in terms of measuring the LLM output precision. The team is constantly measuring that as new models come out."
Beyond SOAR: Dynamic Response Automation
Traditional Security Orchestration, Automation, and Response (SOAR) platforms require building rigid, step-by-step playbooks. Exaforce is moving toward more dynamic response automation.
They offer out-of-the-box actions like password resets, instance isolation, and session token resets. More importantly, they enable customers to build custom automation agents using natural language.
Huq gives an example: "I have some actions I need to take based on monitoring a set of IPs for a specific type of behavior. Let's say I get a password spray attempt from a bunch of IPs. I'm gonna record these IPs. Anytime I see any activity from these IPs that’s successful, I wanna know about it."
The system can also proactively reach out to users for verification. "The agents themselves will respond to request more information to determine whether something is false, needs to be investigated further, or is deemed a cause positive," says Rodrigues. "The system itself will ping a user on Slack saying, 'Hey, was this really you? Did you attempt to do these things?'"
This asynchronous verification saves significant analyst time spent on manual follow-ups.
Deployment and Integration: Low Lift, High Value
For organizations concerned about deployment complexity, Exaforce offers a flexible approach. Most customers choose deployment in Exaforce's cloud, with each customer getting a single-tenanted deployment in their own Snowflake data warehouse.
Data ingestion is API-based, tapping into major cloud providers through granted roles. For SaaS services like GitHub, OpenAI, or Snowflake, it typically requires read access to logs, event data, and configurations.
"It's a fairly easy lift—a matter of three to four hours," says Huq. "We've seen customers start a POV, onboard four to five data sources, and then start to see the value."
The system can leverage historical data for baselining. If 90 days of historical data is available, Exaforce will ingest it immediately and begin building behavioral models within the first run. This historical analysis is crucial for effective anomaly detection.
The Path Forward
Exaforce represents a shift in how security operations can be approached. By combining data engineering, statistical modeling, and AI agents, they're aiming to transform the reactive, manual nature of SOC work into something more proactive and scalable.
The platform addresses a critical pain point: the growing gap between the volume of security data and the availability of skilled analysts. For organizations struggling with alert fatigue, coverage gaps, or simply lacking the resources to build a comprehensive SOC, this approach offers a practical path forward.
As threats continue to evolve and the attack surface expands with cloud and SaaS adoption, the need for intelligent automation in security operations will only grow. Exaforce's data-first, AI-enhanced approach provides a compelling model for how the industry might bridge that gap.
For more information, visit Exaforce or explore their approach to AI-driven SOC operations.
Comments
Please log in or register to join the discussion