Introduction
How one Indian cybersecurity company re-engineered the modern SOC from data architecture to AI-native cyber defence and what the results say about where the industry is heading.
Every few years, cybersecurity goes through a defining shift. Firewalls. SIEM. Automation. Each wave promised to solve the SOC’s core problem: too many threats, too few people, too little time. None of them did. What they actually solved was visibility and that, paradoxically, made things complex.
The modern SOC can see more threats than ever. Enterprise environments generate hundreds of thousands of alerts daily. Analysts can’t keep pace. Critical threats get buried. And when a real investigation finally starts, it takes a seasoned analyst hours to stitch together evidence from a half-dozen disconnected tools while the attacker keeps moving. The emergence of agentic AI, AI copilots and autonomous workflows means SOCs will soon investigate not only users and endpoints but also AI identities, AI interactions and machine reasoning.
The industry’s response has been to layer AI on top: score alerts faster, rank them smarter, hand them to a human more efficiently. Several cybersecurity companies are now questioning whether the industry’s current AI strategy is solving the right problem.
Mumbai-based Aquila I, an AI-native Cyber defence platform , argues that closing this gap requires rethinking the entire architecture from how security data is stored, to how AI agents are designed, to what “investigation” actually means when it’s done autonomously. Their research, published across three technical whitepapers, lays out a case worth examining.
The foundation: a Lakehouse purpose built for cyber defence
Most security platforms run AI on top of data architectures that were never designed for security. Security telemetry is time-sensitive, adversarial and compliance-critical. Generic data platforms force a trade-off between coverage and speed.
Aquila I starts with a purpose-built Security Data Lakehouse a unified data foundation where all telemetry is normalized at ingestion into the Open Cybersecurity Schema Framework (OCSF), a common vocabulary that makes events from any source immediately comparable. A detection rule written once works across all data sources. An ML model trained on one telemetry stream generalizes to all of them.
The Lakehouse is write-once, append-only, and immutable data can’t be altered after ingestion, producing a tamper-proof record. It’s organised around security entities (users, devices, applications) rather than flat event streams, enabling contextual correlation: not just “what happened” but “who, from where, in what sequence, compared to what they normally do.” Sub-second queries at petabyte scale, full retention without data sampling, and multi-cloud deployment round out the design.
This matters because investigation depends on history. A dormant credential reactivated after eleven months is invisible unless you have eleven months of context to compare against.
The operating model: specialized AI, not monolithic AI
A SOC doesn’t face one decision it faces thousands of different ones every hour. A monolithic AI attempting to handle alert triage, threat hunting, incident response, and detection engineering simultaneously becomes adequate at everything and expert at nothing. In security, adequate gets you breached.
Aquila I deploys specialised AI micro-agents, each designed for a distinct security function and operating collaboratively over the Security Data Lakehouse as a shared intelligence fabric. Log Baselining Agents establish behavioural baselines across enterprise telemetry, while SOC Operations, Threat Intelligence, and Response Agents perform contextual triage, autonomous threat hunting, risk assessment, investigation, and coordinated response. Rather than working in isolation, agents continuously build upon shared context including historical investigations, behavioural baselines, entity relationships, and analyst feedback to transform fragmented security events into evidence-driven investigations. Where multiple agents reach different conclusions, an arbitration layer evaluates confidence and escalates to a human analyst whenever judgement or approval is required.
The proof: three investigations no alert could catch
Aquila I’s third whitepaper tests the architecture against three scenarios each invisible to traditional triage, each requiring multi-source contextual investigation.
The ghost account. A cloud IAM user made API calls to enumerate S3 buckets and EC2 metadata valid credential, authorized calls, within scope. Every triage system would close this as benign. But the Alert Triage Agent’s probabilistic reasoning caught a deviation from the account’s baseline. The SOC Analyst Agent queried HR records and discovered the account belonged to a contractor terminated eleven months earlier the credential was never deprovisioned. The Hunting Agent found the account was now scanning every production bucket across regions, against a baseline of two development buckets. The Threat Intel Agent traced the source IP to a residential proxy linked to credential-stuffing campaigns. The Kill-Chain Prediction Agent mapped the sequence as cloud reconnaissance and predicted the next steps. Total investigation: three minutes and forty-two seconds. Manual equivalent: four to six hours. Twenty-three additional dormant credentials were flagged across the organisation.
The email that passed every filter. A Zoom meeting invitation cleared SPF, DKIM, and DMARC technically authentic. The Noise Reduction Agent caught what signatures couldn’t: the sender had zero prior communication history with the organization. The Hunting Agent found a secondary URL in the meeting description resolving to a domain registered seventy-two hours earlier, hosting an adversary-in-the-middle phishing kit. The Exposure Analysis Agent found four more identical invitations targeting finance and treasury staff. One recipient had already entered credentials within fourteen minutes, 340 MB of financial documents were downloaded from a foreign IP. Investigation time: four minutes and fifty-eight seconds. Without the agent chain, the email would have reached every target unopposed.
The insider with legitimate access. A senior R&D engineer accessed product roadmaps and patent filings fully authorized, no policy violation. The Risk Scoring Agent synthesized what no individual system could see: the engineer had resigned twelve days earlier, file access volume was nine times the ninety-day baseline, and the pattern was sequential across fourteen folders never previously touched. The Kill-Chain Prediction Agent predicted USB exfiltration; ninety minutes later, a personal drive was connected and the first transfer began. The Containment Agent escalated to a human insider cases demand human judgment. Upon approval: USB port disabled, staging folder preserved forensically, and a complete evidence package generated for legal. Investigation: four minutes and eleven seconds. Manual equivalent: eight to twelve hours.
Bounded autonomy: the design principle underneath
Across all three cases, a pattern repeats. The agents investigate autonomously, but certain decisions stay with people. Aquila I calls this bounded autonomy routine triage runs on its own, but suspending an employee, isolating a production system, or acting on an insider case requires human approval through the AI SOC Workbench. Every agent decision is logged, explainable, and auditable. When an analyst overrides a decision, the feedback flows back into the Lakehouse and the agent learns from it.
In security, an AI that can’t explain itself and can’t be overridden isn’t a tool. It’s a liability.
The question underneath
The industry has spent years building stronger detection. What hasn’t kept pace is the ability to understand what a detection means to pull in context from six or eight sources, reason about intent, and act before the attacker finishes. That isn’t a model problem. It’s an architecture problem: the right data foundation, AI that’s specialised and governed, and investigation that goes beyond sorting into genuine contextual reasoning.
Whether Aquila I’s specific architecture becomes the standard is an open question. But the question it raises is one every security team will have to confront:
The next generation of SOCs will not be defined by how many alerts they process.They will be defined by how effectively they transform fragmented security events into evidence, reasoning and action.
Aquila I is an AI-native Cyber Defence platform built for global enterprises unifying detection, response, validation, and exposure management in a single platform.
This article is based on Aquila I’s three-part technical research series exploring the future of autonomous security operations:
• The Security Data Lakehouse Powering Autonomous SOC
• Specialised AI Micro-Agents for Autonomous SOC
• AI SOC Investigation: Three Cases Beyond Triage
The complete papers are available at https://www.aquilai.io/resources/whitepapers
Unified. Aware. Autonomous.
-By Vanshika Tayal



