Autonomous Incident Responder

Product Summary

“Cetas AIR is the AI-assisted incident detection, visualization, and PREVENTION solution built by experts, usable by anyone.”

Cetas Autonomous Incident Responder (AIR) is the automated incident response solution for on-premises, cloud and serverless environments.

Our solution is unmatched for dramatically reducing the time required to fully identify and resolve incidents before they become breaches.

Our use of artificial intelligence and patented algorithms* has been finely tuned and informed by our massive knowledge base of compromise indicators and response playbooks. Many solutions that make use of AI or machine learning hide the details from the end user. When Cetas' AI raises an alert, it explains, in a detailed, visually compelling and easy-to-understand story, how the conclusion was drawn. A threaded timeline is constructed which includes every individual event of concern, the pertinent data, and an explanation of why it is of concern. Our 2000+ models cover 100% of the MITRE ATT&CK matrix as well as the NIST Cybersecurity Framework.

We can easily and rapidly make sense of billions of events, spotting patterns and anomalies not obvious to human analysts. Based on experience, with relatively few signals of concern we can predict what is likely to happen next and raise a meaningful alert for analysts to look into. These alerts are accurate 95% of the time.

“There are known knowns; there are things we know that we know. There are known unknowns; that is to say there are things that we know we don’t know. But there are also unknown unknowns; there are things we do not know we don’t know.”

Donald Rumsfeld

“Cetas AIR turns the unknown into the known.”

While many solutions require weeks or months of learning before they start making mostly accurate determinations, AIR is ready within a few hours of installation. Installation itself typically takes from a few minutes to a few hours.

AIR also features Security Orchestration, Automation and Response (SOAR) capabilities. If so configured, upon detection of an incident, or of a pattern of events that indicates an incident may be imminent, AIR can proactively make changes to security controls to prevent or mitigate compromise.

Our product can currently source events from over 60 products and services, with new sources being added constantly. It can automate changes to 10 products. Obtaining event data from, and/or modifying controls in, custom in-house-developed systems is also possible.

Reducing MTTR

MTTR, or mean time to respond, is the single most important key performance indicator for a security team. In a nutshell, MTTR measures how long it takes to detect a threat, diagnose it, respond to it, and ultimately patch the vulnerability that allowed that threat to exist; keeping it low is crucial for successful security operations. With each security analyst having only limited daily bandwidth for prioritizing incidents, keeping up with the explosion of analyzable data from multi-cloud and hybrid environments, as well as the constantly increasing number of endpoints, has proven to be an impractical challenge for traditional, manual approaches. To further exacerbate the issue, the size of SOC teams has remained stagnant while the volume of data ingested has increased exponentially. All of this creates the perfect storm for an ever-widening landscape of vulnerabilities and therefore a consequential increase in MTTR. So how do we stay ahead of the curve?

Solving the MTTR issue can be boiled down to one thing: reducing the number of alerts a single analyst needs to prioritize and act upon. Whatever the expertise level of the analyst, reducing MTTR means bridging the gap between analyst tiers. The Cetas solution achieves this through its automated detection system, built upon a cognitive architecture designed by data scientists and incident responders alike. When it comes to reducing the time spent searching for the needle in the data haystack, we believe that the old-fashioned “come up with rules as we go” approach only further increases MTTR, because it generates even more alerts that are in all likelihood false positives. The modern MTTR problem requires a modern solution.

A well-designed automated solution in cybersecurity should act as an augmented limb for the incident responder's natural reflexes. Both pundits and supporters of AI prophesy it replacing humans, but in cybersecurity we believe the current state of commercial AI is far from capable of mirroring the nuance of incident responders' thought processes; the closest we can get is to inform an algorithm with as many of the logical operations an incident responder might perform as possible, in the hope of finding new patterns. Therefore, rather than replacing your team, AI should act as a guide that sheds light on the important information you need to definitively conclude compromise.

Here at Cetas, we have seen this MTTR problem approached from many different angles. Through our own research and background understanding of the problem, we have built an AI system that is multi-faceted in its algorithmic usage, data throughput, and violation output. We have created a highly scalable architecture that allows our catalog of algorithms to fire in real time; their responses are sent to a correlation layer that provides a single, confidence-inducing output to the incident responder. The more signals we can show for a single violation, the quicker an analyst can choose to investigate further and create an incident to be responded to.

Reducing False Positives

The greatest pitfall of threat detection solutions is the tremendous volume of false positives they generate. Security teams are forced to continuously add to a tangled amalgamation of security tools which, ironically, inundate their incident responders with even more false positive alerts. If the performance of a security team is measured by mean time to respond, then alert fatigue caused by low-efficacy alerts is the largest detriment to performance. With the ever-increasing volume of data coming from multi-cloud, hybrid environments, the expectation of finding the ground-truth alert without flagging the noise around it has introduced a level of ambiguity that current SIEM and UEBA products are unable to resolve effectively. As the complexity of analysis continues to increase and tolerance for false positives rightfully decreases, an autonomous solution with dynamic risk scoring is required.

A good threat detection solution, whether it creates alerts through heuristics, baselines, or machine learning, must strive to direct the incident responder to the actionable alerts. By automating the cognition behind the incident responder's investigative techniques, we built our threat detection capabilities on four pillars: perception, abstraction, reasoning, and the ability to learn. Instead of flooding the alert pipeline with numerous statically scored alerts, the output of our heuristics, our statistical models, and our proprietary machine learning models (supervised and unsupervised) is put through a funnel of screening before being shown to the analyst. This means the analyst can expect a far shorter investigation time per alert, because the patented Cetas AI Incident Responder cuts through the false positive noise. Our cognitive architecture applies a “confidence” screen to every alert before it is shown to the user.

Introducing... AIR!

Rather than providing independent alerts from our combination of heuristics, statistical baselining techniques, and machine learning models, we unify the alerts produced by all three into a single, coherent, true positive alert. The efficacy of this single alert is further enhanced by our dynamic risk scoring, which is determined by a confidence-setting algorithm. We call this layer of diligence “confidence” because the intention is for the analyst to act confidently upon the final set of alerts we provide rather than burning bandwidth on investigation that can be automated. Ultimately, the alert throughput shifts from a pipeline to an easily digestible straw, and only the most critical events are considered. It is important to keep in mind that this reduction in false positives does not come at the cost of more false negatives. Rather the opposite: because our threat detection system is modeled after incident responder methodology, we catch an even higher percentage of true positives.
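As an added illustration of the correlation layer and confidence screen described above (this is not Cetas' code; the noisy-OR fusion rule, the 600-second window and the 0.8 threshold are assumptions made for the example), the sketch below threads signals from three detector families per entity, fuses them into one confidence score, and emits a single alert with its explanatory timeline only when that score passes the screen:

```python
from dataclasses import dataclass
from itertools import groupby

@dataclass
class Signal:
    family: str        # detector family: "heuristic", "baseline" or "ml"
    entity: str        # account or host the signal concerns
    ts: int            # event time, epoch seconds (constructed)
    confidence: float  # the detector's own belief, in [0, 1]
    why: str           # human-readable reason carried into the timeline

WINDOW = 600      # assumed: signals on one entity within this span form one violation
THRESHOLD = 0.8   # assumed "confidence screen": anything below is never shown to the analyst

def fuse(signals):
    """Noisy-OR fusion. A repeat hit from the same family is damped, so agreement
    across distinct families (heuristic + baseline + ml) is what drives confidence up."""
    p_nothing_wrong, seen = 1.0, set()
    for s in signals:
        weight = 1.0 if s.family not in seen else 0.5
        seen.add(s.family)
        p_nothing_wrong *= 1.0 - s.confidence * weight
    return 1.0 - p_nothing_wrong

def correlate(signals):
    """Thread signals per entity into time windows and emit one alert per window that
    passes the screen: (entity, confidence, [(ts, family, why), ...])."""
    alerts = []
    ordered = sorted(signals, key=lambda s: (s.entity, s.ts))
    for entity, group in groupby(ordered, key=lambda s: s.entity):
        window = []
        for s in list(group) + [None]:        # None flushes the last window
            if s is not None and (not window or s.ts - window[0].ts <= WINDOW):
                window.append(s)
                continue
            conf = fuse(window)
            if conf >= THRESHOLD:
                alerts.append((entity, round(conf, 3), [(w.ts, w.family, w.why) for w in window]))
            window = [] if s is None else [s]
    return alerts

# Constructed sample signals, not real telemetry: three families agree on alice; bob only
# trips the same baseline model twice; alice's much later heuristic hit stands alone.
SAMPLE = [
    Signal("heuristic", "alice", 1000, 0.6, "login from two countries within 5 minutes"),
    Signal("baseline",  "alice", 1120, 0.5, "login hour far outside 30-day baseline"),
    Signal("ml",        "alice", 1300, 0.7, "session scored as credential misuse"),
    Signal("baseline",  "bob",   2000, 0.5, "mailbox export volume above baseline"),
    Signal("baseline",  "bob",   2100, 0.5, "mailbox export volume above baseline"),
    Signal("heuristic", "alice", 9000, 0.6, "login from two countries within 5 minutes"),
]
```

Running `correlate(SAMPLE)` yields a single alert for alice at confidence 0.94 with a three-entry timeline; bob's repeated single-family hits fuse to 0.625 and alice's isolated late signal to 0.6, so neither reaches the analyst.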

Key Features
  • Cloud-hosted or on-premises
  • Thoroughly modern, high-performance, scalable architecture
  • 100X+ faster time to value due to front-loaded knowledge-tuned models (hours instead of months!)
  • Investigation time reduced from days to minutes
  • Explainable AI
  • Minimal false positives (< 5%)
  • Full MITRE ATT&CK and NIST CSF coverage
  • Complements existing investments in UEBA, logging, SIEM and SOAR solutions
  • Sources events from over 60 systems such as Active Directory, Azure AD, Okta, AWS IAM, firewalls, VPNs, etc.
  • Capable of automating changes to over 10 systems such as Active Directory, Azure AD, Okta, etc.
  • AI model drift prevention, including drift monitoring, drift prediction, drift alerting, model regulation and model tuning

Supported Integration Points

Event Sources

Some of the common event sources that AIR integrates with:

  • AWS CloudTrail
  • Barracuda Email Security
  • Bluecoat CAS
  • Bluecoat Proxy
  • Box
  • Checkpoint VPN
  • Cisco ACS
  • Cisco WLC
  • FireEye
  • Fortinet Firewall
  • Fusion Badge
  • GitHub
  • JumpCloud
  • LDAP
  • Linux & UNIX Syslog
  • Meraki Firewall
  • Microsoft Active Directory
  • Microsoft Azure AD
  • Microsoft Exchange AdminAudit & Mailaudit
  • Microsoft IIS
  • Microsoft Office 365
  • Microsoft SCCM
  • NetApp
  • Okta
  • Palo Alto VPN
  • RSA SecurID
  • Salesforce
  • Sophos
  • Splunk
  • Symantec Endpoint Protection
  • TrendMicro DSA
  • VMware vCenter

Target Systems

Some of the common target systems that AIR can integrate with to make changes:

  • Bluecoat Proxy
  • Checkpoint VPN
  • Fortinet Firewall
  • LDAP
  • Meraki Firewall
  • Microsoft Active Directory
  • Microsoft Azure AD
  • Okta
  • Palo Alto VPN
  • Salesforce

Generic Parsers

AIR also comes with a set of generic parsers which can be used to build custom connectors. They are:

  • Apache Kafka
  • AWS CloudWatch
  • Azure Event Hubs
  • Google Pub/Sub
  • HTTP
  • Redis
  • Salesforce Input
  • SNMP
  • Text files
  • Websocket