From AI SOC to AI in the SOC: the Agentic SecOps Workspace launch

The industry spent two years bolting chatbots onto security tools and calling it innovation. Maxime Lamothe-Brassard, LimaCharlie's founder and CEO, used this launch event to name the ceiling that approach hits. A chatbot is a two-party conversation, and its usefulness is capped by whoever is typing into it. The move that actually matters, the one every speaker circled back to from a different angle, is to stop treating AI as something an analyst consults and start treating it as something that operates the platform with the same access as your best person. The distinction sounds subtle until you watch what it does to the economics, to the engineering underneath, and to the distance between a junior analyst and a senior one.

The assistant was always a dead end

Lamothe-Brassard frames the past two years as a race between two things: the tooling that lets a model call functions, and the reasoning quality of the models themselves. Tool calling matured first, so early products did the obvious thing. They wired a model to a narrow API ("get this alert, summarize it") and shipped that as a feature. That was the right call when models were weak and the wrong call now. The models have caught up, he argues, and if you keep inserting a human into the middle of every step to dictate which tool fires in what order, you throw away much of the value the newer models offer. The whole point of an operator is that you describe an outcome, hand it hundreds of tools, and let it reason out the path.

His critique of the AI SOC startups is structural rather than competitive. To raise money a startup needs a moat, and the moat cannot be the model, because the frontier labs have, as he put it, reached escape velocity and will outpace anyone trying to train their own. So the moat becomes opacity, a black box metered per token or per alert. For a service provider that math falls apart immediately: multiply a hundred alerts a day by thousands of tenants by a few dollars an alert and, in his phrase, you "cry yourself to sleep and decide not to do it." The legacy bundlers face the opposite problem. They built for humans clicking through a portal, so every new AI use case requires building the API layer underneath it first. Both roads lead to the same place, something close to SOAR with a little fuzziness, rather than a system that genuinely reasons.

The keynote was also honest that MCP alone did not solve this. When LimaCharlie tried to surface its full tool set through an MCP server, roughly 170 tools burned about 70,000 tokens of context before any real work started, a non-starter. What worked was the CLI agent. Lamothe-Brassard calls Claude Code a "browser moment," a tool built for software engineers that practitioners quickly turned to running real security operations, and the CLI "turned out to be the best MCP" because it leans on ordinary APIs and preserves the model's agency instead of wrapping it inside a handful of fat MCP calls. That is why owning the thing matters. Because LimaCharlie was API-first from the start, an agent gets full coverage of the platform, and because the company puts the scaffolding (the plain-English instructions that teach Claude how the platform behaves) in open source rather than selling it, an MSSP can fork it and bend the behavior without waiting on a vendor.

What changes is the cost shape, not just the speed

For an MSSP or MDR the service is the product, so the pricing model is not a footnote. The shift Lamothe-Brassard cares about is from a per-token or per-alert meter to a frontier-lab subscription, on the order of a fixed amount per analyst per month. That turns AI from an unpredictable variable cost into a forecastable one, no matter how noisy a single tenant's day gets. Eric Capuano, co-founder of the Digital Defense Institute, made the consequence blunt on the practitioner panel: efficiency converts directly into profit margin.

The speed gains are real and specific. Capuano described detection engineering, normally many hours or days because you cannot push an untested rule into a production pipeline, collapsing to about six minutes once an agent is given reference examples plus tools to test its own theories and iterate until every condition is met. His sharper example: when a researcher at Elastic dropped a MongoDB proof of concept on Christmas Eve with no defensive guidance available, he spun up a dozen Docker containers the day after Christmas, generated and analyzed the attack data with a coding agent, and was first to publish detection content, work he says he simply would not have attempted without the force multiplier. Daniel Lees, a senior staff cloud security architect at Google, reframed the value at scale as correlation and reasoning across infrastructure, so the needle "bubbles up" out of the haystack as an explainable story instead of an analyst spending three hours manually pivoting from one log to the next.

The argument the panel kept having

The most useful tension in the session was a disagreement nobody fully resolved. Josh Neil, co-founder and CTO of Alpha Level, has done machine learning for threat detection for 25 years, and he pushed back on the idea that an LLM is the only AI in the room. Precision and recall on detection, he warned, still sit several orders of magnitude away from what fully automated remediation would require, because the moment your algorithm shuts down the CEO's account, your AI is finished. Kris Merritt, founder of CrowdStrike Overwatch, sharpened the point: LLMs are exceptional generalist reasoners, not workflow masters, and the cheapest useful entry point he sees is uploading an intelligence report and pulling its indicators into a query. Lamothe-Brassard's analogy bridged the two. Machine learning is the assembly line you spend a year tuning to stamp out a hundred identical bicycles a day, right for high-volume repeatable triage. The LLM is the person across the street with a full toolbox who can fix your one broken bike well enough, right for configuration, onboarding, and research where some fuzziness is acceptable. Neil's own concession is the tell: what LLMs have done is open the industry's appetite for inferential methods of any kind, after twenty years of CISOs rejecting anything they could not read as a rule.

That debate lands hardest on Capuano's claim that this finally lets a junior analyst punch above their training. When it is done right, he says, the work is no longer subject to who was on the keyboard, because the investigation runs on judgment compiled from the team's best thinking rather than the training level of the person on call. But both Merritt and Capuano name the catch. An LLM, in Merritt's framing, is only as useful as the operator plus one level of expertise: hand its output to a tier-one analyst and it looks like magic, hand the same output to a tier-two analyst and they catch where it is fundamentally wrong. Dropped into a SOC programmatically, he warns, it just amplifies the problems already there. Capuano sharpens the operational version. Put these tools in untrained hands without a harness whose models, workflows, checkpoints, and tools are expertly designed and continually maintained by people who know what is going on, and you make the bad outcomes worse. The human stays in the loop not as a courtesy but because that is where the judgment lives.

Ken Westin's demonstrations made operator-level access concrete, and they mapped cleanly onto multi-tenant delivery. The agent did not just advise. Asked from VS Code to deploy a sensor to AWS, with the LimaCharlie MCP server and the AWS CLI authenticated, it created an installation key and targeted the right EC2 instance without being told to use EC2, inferring it because it was the only one running. A larger onboarding run brought sensors and data sources online across AWS, Azure, GCP, and Digital Ocean in about 16 minutes, work that would otherwise take hours. It stood up a new tenant with free community Sigma rules and a Git sync extension backing the configuration into a GitHub repo, ran a tuning pass that flagged three noisy rules and recommended false-positive suppressions, and turned a public incident article into deployed IOC lookups and detection rules. None of that is a chatbot summarizing an alert. It is the operator pattern spanning the whole tenant lifecycle.

Strip away the demonstrations and the through line is ownership. Buying AI as an opaque, per-alert SKU ties your operations to someone else's release schedule and asks you to trust what you cannot audit. Defining it as code you install per tenant, inspect at every step, and upgrade the day a better model ships turns AI into infrastructure you control. For a service provider that is not a philosophical preference. It decides whether AI touches your whole operation, deployment, onboarding, detection engineering, reporting, the work that quietly eats margin, or only the narrow slice a vendor decided to build.