Episode 16 - Beyond the Black Box: Solving Data Overload with Agentic Triage
Guest Speaker: Dave Getman
June 4, 2026


About the episode

In this episode, host Richard Bejtlich sits down with Dave Getman to discuss the evolution of Corelight Investigator and the paradigm shift from delivering raw sensor data to providing agentic triage. They explore how AI can synthesize millions of log lines into concise, actionable determinations—categorizing activity as malicious or benign—while maintaining transparency by "bringing the receipts" of raw evidence. Dave explains why the security pendulum is swinging back toward network detection to counter sophisticated EDR evasion and shares a roadmap for the future of auto-containment. By moving beyond the "black box" approach, this conversation reveals how AI serves as both a defender and a teacher, accelerating time-to-value for analysts and drastically reducing median dwell times on the network.

Episode transcript


Welcome to Corelight Defenders. I'm Richard Bejtlich, strategist and author in residence at Corelight. In each episode, we explore insights from the front lines of NDR, network detection and response.

Today, I'm speaking with Dave Getman, Senior Director for Product Management. Welcome, Dave. Good morning. How are you? I'm fine, thanks. Thank you for being on the podcast.

Your portfolio includes our Investigator platform, agentic triage, SOC workflows, other topics I'm sure we'll get into. And when I started at Corelight, there was no Investigator. We built sensors, they provided data to users, and then those users had to figure out what to do with the data, how to consume it, how to analyze it, and so forth. Can you talk about how Investigator and then, you know, your other, uh, portfolio items as well, can you talk about how those have changed that process?

Yeah. So Investigator has been a really interesting tool for being able to solve problems that the sensor can't solve by itself. And Investigator allowed us to have a new tool set to say, "Hey, we can make this even simpler. We can speak to and resonate with smaller teams that don't have much time to really, uh, spend on operationalizing around our data." And, uh, we've just been able to keep knocking out different problems that we hear about, uh, and really move a lot faster, and it's just increasingly, especially with our latest launch of agentic triage, I think we're getting to a, a really exciting point. Getting the most out of your data, I think, is a really important concept, and it can take a lot of work and a lot of creativity and a lot of other engineering to get that. And I think that, to me, is what Investigator is able to provide. When you get Investigator, one of the things we do, for example, with detections, is we start aggregating our alerts into d- into a higher level kind of object called a detection.

And that in itself is a task that simplifies things in a major way because it, it provides a point where we've thought about, "Hey, what are the right alerts to kind of aggregate so that an analyst can view them and kind of triage them in one swipe?" And then more recently, we've taken another evolution, which we've said, "You know what? Let's aggregate then that detection level into entities, and then they can triage even more things together." And the entities are really to say hosts or machines. And so we are showing you now an agentic analysis of the detections on that machine.

And so you're gonna get dozens of queries automatically run investigating that machine and the detections on it. And instead of having to look at a bunch of raw logs, what you're going to be getting back is hundreds of thousands, maybe millions of, of log lines, all synthesized down by the agent at various steps down into a final determination as to is this thing, is this, you know, server or workstation likely malicious or likely benign?

Uh, and then you'll get the next level, you get a summary, and it will kind of summarize what it found and all of that analysis into, let's say, maybe a paragraph. And then the next level down from that is that paragraph is supported by around five to six on average key findings that it found in all of that analysis. And then one layer down from the key findings is a supporting two or three liner on what that key finding is, and then a bunch of raw evidence, which is, which it used at the most kind of lowest raw log, raw data level to analyze and come to that key finding. And so that could be... Often it's, it's our data, it's all that evidence that we gather, but it can also be other things where it's looked at y- the EDR information, uh, if there's an EDR integration, or it's looked at, uh, our policy and alert catalog and gone and learned more about the detection itself. We've really been able to use Investigator to make it so that the learning curve and the kinda time to value, to get value out of everything that we do as a company has gone from, you know, it could have taken you days or weeks to start really learning our data and seeing all the value in it, and we're, we're now talking, you know, first hour of operation kind of value. That is quite a step forward from the days where we got a Snort alert and there was a severity associated with it, and we were supposed to do something with that.

Um- Yeah. But, but I, I think there's a, there's an important point there, and you've, you've spoken to it, but I just wanna make sure our audience is aware of it. The key to this for me is that it just doesn't give you the distillation of what's going on and its assessment.

You can still go in there and look at the data that it used to make its decision. And to me, that is how you build trust in a system. If I'm just running a black box, and it's giving me outputs that it says it's, it thinks it's malicious, it thinks it's not malicious, but I can't find a way to understand how it made that determination, and better yet, see the data that it used to make the determination, then I'm not gonna have a lot of trust in that system. I, I might build up trust over time if by using other methods I'm able to, uh, double-check its work. So for example, every time it tells me, "This is a suspect, suspected compromise," I go out to my EDR and that, that confirms it, for example. But if, uh, you know, I would much rather know how did the system make its determination? What is the evidence? And then not only that, okay, given that evidence, can I pivot from that and look for other things that the system didn't find? Because, you know, the highest ended intruders are figuring out ways to evade all this stuff all the time. So for me, I love all of that, but I'm still glad that we're still providing the evidence that people can look at. They can use it to check the system, they could pivot, and then they could even use it to extend the system to do... or other forms of detection if they want.

It's not an accident, right? If you put the sensor in the right places, then you're gonna see it. And having the log for that is critical, and we collect all of that data. We collect more data than any of our competitors. And so we know that people love us for that. And then when we went and talked to customers about were, were they trying out AI tools and how are they liking them, pretty much all of our conversations sounded the same, which was: "We're trying out tools, and we don't like any of them." And a common thread was that they didn't trust it.

And so when we went to build this, we really said, "We need to build this thing so that people can trust it." That needs to be a huge investment area. Whatever the cost of doing that, we need to, we need to incur it.

And we did, right? And so it's not free to build it the way that we built it. There's real, uh, cost to doing that, both in the time, uh, the one-time cost of building it that way and the ongoing cost of being so deep in the evidence and using so much data. But it was the right thing to do, and it has paid off. Our competitors, some of them don't even collect the data in this kind of way. They really just have detections. And then the other ones that do collect the data, we know none of them collect the same amount of data that we do. None of them have the amount of detail that we do. And so I think we are kind of uniquely positioned to be able to show our work and kind of bring our receipts and provide that transparency and inspectability. I think part of the appeal of this feature is that it can be a knowledge transfer from the product to the user, and this is most important, I would say, for a new user. So the new user could have two facets. It could be a, the person could be a new user of the product but still be experienced, or the person could be a new user of the product and be inexperienced. So that first category of person would probably get up to speed pretty fast 'cause they're, they're trying to replicate their workflows, figure out how they find the data that they want with this new interface or whatever.

But the other person, they might not even know what they're supposed to be doing because they're new to security or they're new to this particular aspect of security, the network security monitoring aspect. And so I, I get the sense, and I've, I've been using, you know, Investigator working on the new, uh, Corelight NDR book that will be coming out soon. Uh, it may even be, it may even be out by the time you're hearing this, you never know.

Um, but I get the sense that you can use Investigator to teach you how to investigate certain types of, uh, incidents. Is, is that true? Is that true? There used to be just the network and a ton of focus on the network. And for a long time, the network was the incident responder tool. And then EDR came out, and the pendulum kind of swung over to the EDR side. And a lot of analysts these days have spent the majority of their time on the EDR side. And so we don't feel like we, we encounter as many network experts these days. But the pendulum in terms of security has swung back to really requiring the network a lot because EDR evasion has become a very common tactic, especially for advanced attackers and for us, where we don't really focus on SMB and we really focus on the enterprise and strategic enterprise, including government.

These companies are getting attacked by sophisticated attackers who are absolutely doing their best to evade EDR detection, and Investigator is absolutely seeking to kind of close that gap for customers. I've never thought about it until this very moment, but it actually is in many ways also not just that we built in an agentic tool, but kind of we built what the future of learning might look like in terms of people learn by doing. And so there's a lot of talk about AI and how it can be a great teacher and used for education, and I think that'll be a lot less kind of lecturing. It's not that AI is gonna lecture you. It's gonna be probably helping you, uh, learn by doing, right?

And so in a lot of ways, this, uh, it's, it's a, you know, it was already a great question, but it's a, it's a phenomenal point that, uh, I think it is not only defending you, but it is, it is teaching you. So that, that's a great insight. Thanks. That, that, that is something I've, I've come across when using different AI tools to try to troubleshoot technical problems. So I, for example, I, I had an issue with my gaming PC, and I was trying to troubleshoot it, and I s- I just grabbed all the stats I could on the machine, dumped it into a file, uploaded it to Gemini and said, "Here's the problem I'm having. Here are the stats of my machine.

Have you ever heard of any, any issue like this?" And it said, "Yeah. Actually, I have." And of course, it hasn't. It's just, you know, scoured the internet, synthesized what it's seen, and then come up with some plausible solutions. It said, "Yeah, I have. Here's a couple of different ways you could approach this." I hadn't even thought of that. It hadn't, didn't even occur to me. And the only way I would have gotten probably anything like that would, would have been to have posted to the right forum, hope that the right person had read it and had decided to respond. When we're dealing with the agentic triage and you have these assessments of what's seen, how close are we to saying, "U-under these conditions, every time you tell me with a, you know, a certain probability that this system is compromised, I'm gonna go to auto containment," whether that's via the EDR or a firewall rule or, or network access control or something like that.

H-how close are we to that, do you think? Shockingly close. We built response, uh, recommendations in, and we obviously tested them as best we absolutely could. With it rolling out and now talking to the customers using it, the feedback so far has been that those recommendations are almost always spot on. When I say almost always, I, I can't think of a time when someone has said that they're wrong. And so I wanna be careful about that because I, you know, I'm not claiming the feature is perfect, but, uh, I'm not aware of a time it's been wrong yet.

And so we are absolutely now kind of thinking, okay, we tried to make it really easy for us to recommend, "Hey, you should quarantine this machine," and then having a button so you can just kind of quarantine it. Or hey, you should block this IP address, and then having a button so you can just block that IP address.

But the next step, like you said, it is auto response, and I would've thought that it would've taken us longer, that we would've gotten people saying, "Ah, it's, you know, it's right 70% of the time, 80% of the time." If we continue to hear the kind of pattern of feedback we've been hearing, then I could definitely imagine us launching a sort of automatic response sooner rather than later. So certainly in the cards for this year. That- that's where we need to go, and I'm not a person who is like, "AI out front, let's go," you know? I'm not that, not that aggressive. But when you think about everything that's been s- reported in the news and what we're seeing with our customer base, and they need help with this. And time for me is the, is the greatest metric in security, and I'm always tracking, uh, the numbers with the, the Mandiant M-Trends report. And w- we had the, the global median dwell time increase for the second year in a row, which is bad. Uh, we need to get that number out of the, you know, d- double digit days. I think it was... it went from 11 to 14. Uh, don't quote me, I- I have to go back and look at it. But we need that number to be in hours, and hopefully at some point it'll be even in minutes, because when you can get down to a sub-hour and definitely into a minutes type, uh, dwell time for an intruder, it's very difficult for them to accomplish their mission. Uh, if they're AI-enabled, perhaps they can do a little bit more, but then you just start to encounter a lot of friction inside a real company because, you know, every company's different. They may have similar infrastructure, but it can be difficult to, uh, suddenly discover what you want or accomplish whatever it is that you're trying to accomplish as, as an intruder.

So I am, I am pleased to hear that we're that close, and I could imagine scenarios where you have sort of defense conditions, where if you're at Defcon 5, you have to have a very, very high threshold before you auto contain. If, for example, you're suddenly facing a big wave of attacks like, um, you know, you're caught up in a geopolitical event like it's, that's going on right now, maybe you- you're dropped down to Defcon 3, where you say, "No, we're gonna be a lot looser. If you see anything that's similar to this, we're gonna go ahead and auto contain a lot faster." And, uh, you know, maybe when you- you're down to Defcon 1, you're just auto containing everything at a very, very low threshold because, you know, it's a, it's a full-blown attack and you're trying to contain, you know, you're in a running battle with the intruder. It seems at this point actually that it's understood that we need to do that, and we need to go there because of the environment that we're in. The best thing we can do to support our customers in this sort of wave of AI attacks that seems to be coming, and like you said, just reducing those times.

And because when we started this, things were not as sort of imminent and grim as they kind of appear now in terms of attackers using AI, and that's kind of part of the question that I think you're kind of poking at here, right? Is that you can have the human in the loop or the human on the loop. Um, and the, you know, so is it stopping and asking for permission, and somebody's approving it? Or is it taking the action and then just making it really clear that it took that action so that it's... and then giving a button to be able to quickly roll that action back if the analyst disagrees with it. Well, Dave, I think that's a good place to end our, our episode today. It would be good, I think, to maybe bring you back in six months, uh, while we're still within this calendar year, 'cause I have a feeling that this could be another, another interesting conversation. So if you're willing to come back, I'd definitely like to invite you back. Absolutely. I'd be thrilled. I love talking about this stuff, and it was, uh, it was great to have a chat with you about it. And so yeah, I couldn't agree more. In six months, I would be shocked if there's not a ton to talk about, so let's do it. All right. Sounds good. Thank you for joining us on the Network Defenders podcast, sponsored by Corelight. We will see you on the network. You've been listening to Corelight Defenders. To stay informed with expert intelligence on today's cybersecurity challenges, please subscribe to ensure you never miss an episode. We'll see you on the network.