AI Agents in Cybersecurity: Cutting SOC Workloads by 30% in 30 Days

AI has gone from theory to production faster than any technology. In many areas of expertise, we’re seeing demos turn into usable products within months – from customer support to software engineering. Cybersecurity hasn’t been as quick to deploy LLMs on large operational workloads (worth diving into why in a separate blog post). At Doppel, we automated 30% of our security operations workload in less than 30 days with our new AI agent.

‍

Automating Security Operations at Doppel
‍

Every day, Doppel ingests more than 10 million websites, social media accounts, and mobile apps to identify phishing attacks worldwide. Traditional machine learning filters out obvious false positives, but nuanced decisions remain incredibly time consuming.  Questions like “Does this site warrant a takedown? On which platforms? Under which policies?” require detailed manual analysis.

‍

‍

‍

Turning AI into a Cybersecurity Expert

‍

Automating this decision-making at Doppel’s scale is particularly challenging. These decisions aren’t limited to spotting basic patterns – they require judgment. Analysts must interpret unstructured data like screenshots, time-series activity, and customer-specific policies to choose the correct response and explain their rationale. Even for humans, getting these consistently correct requires a high degree of knowledge and training. These are high impact actions, and getting them wrong means missing a threat or disrupting legitimate activity.

‍

At Doppel, we tackled this challenge by training our AI agent to function as a genuine cybersecurity expert. We took the same methods we use to train human analysts—covering phishing, malware, and brand abuse—and applied them directly to the model. This initial “knowledge transfer” yielded a noticeable jump in performance, but the AI still stumbled on certain non-obvious scenarios. The real breakthrough came when we incorporated thousands of well-curated historical decisions, effectively distilling years of our analysts’ experience into the model. As a result, the AI developed the nuanced judgment required to classify and take action on even the trickiest edge cases.

‍

Just as importantly, the agent is constantly learning as it sees new examples. This tight feedback loop is critical in combatting security threats like phishing – which have evolved into a high-speed cat-and-mouse game, with AI accelerating the pace even further.

‍

‍

‍

The results surprised us. 

‍

Using OpenAI’s latest o1 model (showcased at OpenAI DevDay), our AI agent exceeded human-level benchmarks. Compared to our human analysts, the agent had a lower false-positive rate and uncovered more genuine threats. For Doppel, this shift allowed our analysts to focus on complex threat patterns while the AI handled routine decisions at scale. For our customers, it delivered faster response times and more threats eliminated.

‍

‍

Although our AI has dramatically reduced security operations (SOC) workloads in just the last month, there’s still so much exciting tech to be built. Our engineering team is re-imagining what’s possible in the SOC using AI agents from the ground up—unlocking more efficient, resilient, and proactive defenses. And we’re just getting started.