'Inside Security' with Jon Ticknor (Co-founder & CTO, Tier4 AI)

'Inside Security'
Blog
Leen Security
January 29, 2025

Security Operations Centers (SOCs) have been, and will remain, at the heart of defending organizations from threats. But as cyberattacks grow more sophisticated and relentless, traditional SOCs have struggled to keep pace, plagued by inefficiencies, alert fatigue, and resource constraints. These challenges have sparked a movement toward automation, and now, the next frontier: AI-powered SOCs.

In this edition of 'Inside Security', we sat down with Jon Ticknor, CTO of Tier4 AI, to explore the evolution of SOCs, the role of automation and AI, and how Tier4 AI is reimagining how SOCs operate. Jon's journey from a Ph.D. in Environmental Engineering to DARPA to founding Tier4 AI provides a fascinating lens into how the future of security is unfolding.

What is a SOC? A Historical Perspective

At its core, a SOC is a centralized team of security experts responsible for monitoring, detecting, and responding to security incidents. Historically, SOCs were designed to address known threats by leveraging tools like firewalls, intrusion detection systems (IDS), and SIEM platforms.

Early SOCs were reactive by nature. They were set up to respond to incidents after they happened, not prevent them. We saw talented people spending most of their time doing repetitive, mundane tasks instead of tackling the real threats. They were like watchtowers.

Over time, SOCs evolved to incorporate more proactive measures like threat hunting and behavioral analysis, but even these advancements weren’t enough. The sheer volume of alerts and the growing complexity of attacks overwhelmed human analysts, leading to inefficiencies and burnout.

The Rise of SOC Automation

Recognizing these challenges, the industry began to adopt SOC automation, the next iteration of the SOC designed to handle repetitive tasks such as alert triage, incident response workflows, and threat intelligence lookups. Automation reduced the workload on analysts and allowed them to focus on higher-value activities like threat hunting.

SOC automation was a big leap forward; it gave SOCs a lifeline. It handled the repetitive, low-level tasks that bogged down analysts. However, it still didn't provide the full picture. It introduced consistency and scalability, but it still lacked context, nuance, and decision-making capabilities. Automation could flag an alert but couldn't answer the critical follow-up questions: What does this mean? How should we respond?

This limitation revealed the need for a more advanced solution, one that could combine the efficiency of automation with the intelligence and adaptability of human decision-making.

Why Automation Wasn’t Enough: The Origin of Tier4 AI

The journey to Tier4 AI began with a shared mission and deep experience in the security space. The founding team had worked together in a previous company focused on security detection, specifically ingesting telemetry data from an environment and surfacing potential threats. This was during the rise of next-generation SIEMs. While competitors in the space focused on becoming comprehensive SIEM platforms, their team carved out a niche on the detection side, building tools that identified malicious activity without directly competing with broader SIEM functionality.

Eventually, the company was acquired by an MDR provider, which exposed the team to a recurring challenge: alerts without context. As they partnered with customers and observed MDR workflows, they noticed a critical disconnect.

We'd surface an alert that looked highly malicious, but the follow-up processes - enrichment, validation, and context - were all left to the customer or the MDR team. Threat intelligence wasn't automated, user behavior wasn't analyzed, and analysts were left to manually piece together the puzzle.

This gap underscored a larger problem in the industry: SOC inefficiency and the inability to scale. With thousands of security job openings going unfilled and smaller organizations unable to afford top-tier talent, many businesses began outsourcing to MDRs and MSSPs. However, these services faced their own challenges, struggling to hire and retain skilled analysts while managing increasing workloads. Even the best engineers end up overwhelmed with repetitive tasks.

Armed with this insight, the team saw an opportunity to address a significant pain point. They revisited an earlier idea to combine detection capabilities with automation, but this time leveraging advances in LLMs. These new tools allowed them to rethink how tasks like threat intelligence lookups, log aggregation, and user behavior analysis could be handled. By automating these repetitive tasks, they realized they could drastically improve the unit economics of MDRs and MSSPs, enabling them to scale efficiently without overburdening their teams.
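The two passages above (the description of what SOC automation handles, and the "alerts without context" gap of enrichment, validation, and user-behavior analysis being left to the customer) can be made concrete with a small triage pipeline. The following is an added example written for this article, not Tier4 AI's code or any product's workflow: it takes raw detections, looks the indicator up in a threat-intel feed, compares the activity with a per-user baseline, and emits a scored, annotated alert. The threat-intel entries, user baselines, sample alerts, scoring weights, and thresholds are all constructed for illustration and are assumptions, not data from the page.

```python
"""Alert enrichment and triage over constructed sample alerts (added example).

Not Tier4 AI's code. Sketches the automation layer the interview describes:
threat-intel lookup, user-behaviour baseline check, scored verdict. All feed
entries, baselines, alerts, weights and thresholds below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed threat-intel feed: indicator -> (category, confidence 0-100).
THREAT_INTEL = {
    "198.51.100.23": ("c2", 90),
    "203.0.113.7": ("scanner", 60),
    "evil-updates.example": ("malware-distribution", 85),
}

# Constructed per-user baseline: usual working hours (UTC) and known hosts.
USER_BASELINE = {
    "alice": {"hours": range(8, 19), "hosts": {"wks-alice"}},
    "bob": {"hours": range(7, 17), "hosts": {"wks-bob", "build-01"}},
}

# Assumed triage thresholds; a real deployment would tune these per tenant.
ESCALATE_AT = 9
REVIEW_AT = 6


@dataclass
class Alert:
    id: str
    rule: str
    user: str
    host: str
    indicator: str      # IP or domain the detection rule fired on
    timestamp: str      # ISO-8601, UTC
    base_severity: int  # the detection rule's own severity, 1-10


@dataclass
class Enriched:
    alert: Alert
    intel: Optional[Tuple[str, int]]
    off_hours: bool
    unknown_host: bool
    score: int
    verdict: str
    notes: List[str] = field(default_factory=list)


def lookup_intel(indicator: str) -> Optional[Tuple[str, int]]:
    """Threat-intel lookup against the constructed feed."""
    return THREAT_INTEL.get(indicator)


def check_behaviour(user: str, host: str, timestamp: str) -> Tuple[bool, bool, bool]:
    """Return (off_hours, unknown_host, has_baseline) for the event.
    A user with no baseline yields (False, False, False): nothing can be said."""
    base = USER_BASELINE.get(user)
    if base is None:
        return False, False, False
    hour = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).hour
    return hour not in base["hours"], host not in base["hosts"], True


def enrich(alert: Alert) -> Enriched:
    """Enrich one alert and assign a routing verdict. 'escalate' and
    'analyst-review' hand the alert to a human with the context attached;
    the pipeline gathers evidence, it does not decide what the alert means."""
    notes: List[str] = []
    score = alert.base_severity

    intel = lookup_intel(alert.indicator)
    if intel:
        category, confidence = intel
        score += confidence // 20  # assumed weight: up to +5 for a 100-confidence hit
        notes.append(f"{alert.indicator} in threat intel as {category} ({confidence})")

    off_hours, unknown_host, has_baseline = check_behaviour(alert.user, alert.host, alert.timestamp)
    if not has_baseline:
        score += 1  # assumed: unknown users get a small bump and an explicit note
        notes.append(f"no behaviour baseline for {alert.user}; activity not assessed")
    if off_hours:
        score += 2
        notes.append(f"activity outside {alert.user}'s usual hours")
    if unknown_host:
        score += 2
        notes.append(f"{alert.host} not previously seen for {alert.user}")

    if score >= ESCALATE_AT:
        verdict = "escalate"
    elif score >= REVIEW_AT:
        verdict = "analyst-review"
    else:
        verdict = "auto-close"
    return Enriched(alert, intel, off_hours, unknown_host, score, verdict, notes)


def triage(alerts: List[Alert]) -> List[Enriched]:
    """Enrich a batch of alerts, preserving input order."""
    return [enrich(a) for a in alerts]


# Constructed sample detections.
SAMPLE_ALERTS = [
    Alert("A1", "outbound-to-rare-ip", "alice", "wks-alice", "198.51.100.23", "2025-01-14T14:02:00Z", 5),
    Alert("A2", "new-device-login", "bob", "laptop-unknown", "192.0.2.44", "2025-01-14T03:15:00Z", 3),
    Alert("A3", "inbound-port-scan", "alice", "wks-alice", "203.0.113.7", "2025-01-14T10:00:00Z", 2),
    Alert("A4", "dns-to-new-domain", "carol", "wks-carol", "evil-updates.example", "2025-01-14T12:00:00Z", 4),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e.alert.id} score={e.score} verdict={e.verdict}")
        for n in e.notes:
            print(f"    - {n}")
```

Running it routes A1 (known C2 indicator) and A4 (known malware domain, user with no baseline) to "escalate", A2 (off-hours login from an unseen host, no intel hit) to "analyst-review", and A3 (low-severity scan from a known scanner) to "auto-close". The notes are the part that matters for the interview's point: they are the enrichment an analyst would otherwise assemble by hand, and the verdict only decides who looks next, not what the alert means.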

We started timing everything. A minute here, 45 seconds there - when multiplied across thousands of incidents, it added up to hours of wasted effort. The more we looked, the clearer it became that automation wasn’t just a nice-to-have; it was a necessity.

With this vision, Tier4 AI was born. The platform was designed to redefine the role of SOC analysts - taking on the repetitive, time-intensive tasks so that humans could focus on what they do best: making decisions, hunting threats, and strategizing defenses. By combining their expertise in detection with cutting-edge AI and automation, Tier4 AI aims to flip the economics of managed security services, empowering organizations of all sizes to operate efficiently, effectively, and at scale.

We’re not just building tools. We’re building a new way for SOCs to think, act, and scale in a world that demands more from security than ever before.

AI SOC Automation, Predictability & Challenges in Adoption

Tier4 AI is one of many new-age startups at the forefront of leveraging AI to bridge the gaps left by traditional SOC automation. With the objective of combining AI agents with built-in threat intelligence to deliver faster response times, greater consistency, and significant cost savings, AI SOC automation promises to augment human capabilities rather than replace them.

And a huge part of that promise to augment manpower lies in making outcomes predictable and scalable. Predictability is a cornerstone of effective SOC automation, especially when selling to large enterprises, MDRs, and MSSPs. In an industry often associated with chaos and uncertainty, predictable results create trust, efficiency, and confidence. For enterprises, this translates to consistent handling of alerts, regardless of the team member or time of day. Predictability reduces human error, streamlines processes, and ensures security operations run smoothly. For MDRs and MSSPs, it allows them to manage multiple clients more effectively, scaling their operations without sacrificing quality or overburdening their teams.

However, while AI SOC automation holds transformational potential, adoption comes with its own set of challenges, making it essential to align expectations. Customers must understand that AI is a tool that evolves over time; it won't revolutionize security overnight. For SMBs, AI can mean the difference between handling alerts in-house or outsourcing to an expensive MSSP. For larger enterprises, the focus is on reducing analyst burnout and improving efficiency.

Much like self-driving cars in their early stages, AI in security still requires a human in the loop to navigate edge cases and ensure critical decisions are made correctly. AI can automate repetitive tasks, enrich alerts, and improve efficiency, but human oversight remains crucial to address complex, nuanced scenarios that technology alone cannot handle.

As organizations integrate AI into their SOCs, it’s a game of patience and learning. The best results come from collaboration: AI handles the heavy lifting, while analysts focus on higher-value activities like threat hunting and strategic planning. Over time, this partnership between humans and AI will redefine the role of SOCs, creating a security environment that is not only scalable and efficient but also resilient against the ever-evolving threat landscape.

The Future of SOCs: Merging Automation and Detection

Looking ahead, Jon envisions a future where SOCs are more proactive and less reactive, while forcing traditional SIEM models to evolve.

Traditional SIEMs have been integral to SOC operations, aggregating and analyzing log data from various sources. However, these systems often become cumbersome due to their complexity and the volume of data they handle. The integration of AI offers an opportunity to rethink the SIEM model by unifying data centralization, intelligent stitching, analytics-based detection, and incident management into a holistic solution. This approach focuses on smarter, edge-based detection and remediation, reducing reliance on centralized log storage and enabling more efficient threat management.

While the integration of AI into SOCs holds significant promise, Jon warns that it requires a substantial shift in mindset and operations. He also raises a concern about the growing trend of outsourcing security operations to MSSPs and MDRs, pointing out that the economics of these models often prioritize cost-cutting over skill development.

“The business incentives are not structured to invest in advanced users analyzing alerts. Instead, the focus tends to be on hiring the lowest-cost labor to meet minimum contract requirements.”

This approach, while practical in the short term, risks undermining the development of skilled in-house teams and creates a reliance on external providers. Jon hopes that advancements in tools and automation will shift this dynamic.

With the right tools, organizations can empower smaller, more efficient teams to handle the same workload without outsourcing. For example, instead of needing a team of five to ten analysts, a team of three could manage the same volume of work - freeing up resources and enabling organizations to invest in training their staff. It’s about giving organizations the capabilities to do more with less, while also building the expertise they need to thrive independently. That’s the change I’m hoping for over the next three to five years.

Conclusion

SOCs have long been the backbone of organizational defense, but their traditional reactive approach is no longer sufficient in the face of increasingly sophisticated cyber threats. With the advent of AI-powered SOCs, we are witnessing a pivotal shift - one that blends automation, detection, and human expertise to create a more proactive and resilient security posture. This transformation is about much more than just adopting new tools; it’s about redefining the way SOCs operate, from tackling inefficiencies and burnout to empowering smaller, more capable teams.

. . .

We'd like to thank Jon for his time and insights. You may connect with Jon on LinkedIn.
