At EXPONENT London, speed set the stage. Average breakout times dropped 29% between 2024 and 2025. Exfiltration time was just six minutes. And the average time adversaries dwell undetected inside enterprise networks: sixteen days. AI is driving speed for the adversary.
But AI is making defenders faster, too. We’ve seen agentic defense drive down customer response times to minutes and detection times to seconds.
Security operations is the defense layer of the company, and that defense layer must be agentic. As ReliaQuest Founder and CEO Brian Murphy framed it: "The only way to defend against AI is with AI. You don't want to show up with a manual process against something that's automated."
52 Minutes Against a 6-Minute Adversary
The average detection time for customers relying on SIEM-based detection across ReliaQuest's customer base is 52 minutes. Against a six-minute exfiltration window, that gap has moved past latency into liability territory.
ReliaQuest's answer is architectural. GreyMatter's Universal Translator normalizes telemetry at the field level—across any SIEM, EDR, cloud, network, and email source—into the OCSF schema automatically.
GreyMatter Transit takes data streaming from any connected technology and runs complex multi-event correlation logic against it before it's parsed, indexed, or stored. Transit holds partial event sequences in temporary storage and waits for subsequent events to complete a pattern, creating real-time detection. One early deployment: Transit detected adversary activity in 16 seconds and ran a containment play in 41 seconds. That’s initial exploitation to full containment in under a minute.
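A generic illustration of the technique described above, holding partial event sequences in temporary state until later events complete a pattern, added here as an example; it is not ReliaQuest's code or how GreyMatter Transit is implemented. The event types, the 60-second window and the sample events are constructed assumptions.

```python
from collections import OrderedDict

# Hypothetical rule: these event types, in order, on one host within WINDOW seconds.
PATTERN = ("auth_failure_burst", "auth_success", "archive_created")
WINDOW = 60.0

class SequenceCorrelator:
    """Keeps partial sequences in memory per host; nothing is indexed or stored."""
    def __init__(self, pattern=PATTERN, window=WINDOW, max_keys=10000):
        self.pattern, self.window, self.max_keys = pattern, window, max_keys
        self.partial = OrderedDict()  # host -> (next pattern index, first event ts)

    def feed(self, event):
        """Return a detection dict when this event completes the pattern, else None."""
        ts, key, etype = event["ts"], event["host"], event["type"]
        # Expire partial sequences whose first event fell out of the window.
        for k in [k for k, (_, t0) in self.partial.items() if ts - t0 > self.window]:
            del self.partial[k]
        idx, t0 = self.partial.get(key, (0, ts))
        if etype == self.pattern[idx]:
            idx += 1
        elif etype == self.pattern[0]:
            idx, t0 = 1, ts              # first step seen again: restart the sequence
        else:
            return None                  # unrelated event: partial state is kept
        if idx == len(self.pattern):
            self.partial.pop(key, None)
            return {"host": key, "started": t0, "completed": ts, "elapsed": ts - t0}
        self.partial[key] = (idx, t0)
        self.partial.move_to_end(key)
        while len(self.partial) > self.max_keys:
            self.partial.popitem(last=False)  # bound memory: evict least recently updated
        return None

# Constructed sample stream: ws-01 completes in time, ws-02 stalls past the window.
SAMPLE = [
    {"ts": 0.0, "host": "ws-01", "type": "auth_failure_burst"},
    {"ts": 5.0, "host": "ws-02", "type": "auth_failure_burst"},
    {"ts": 9.0, "host": "ws-01", "type": "auth_success"},
    {"ts": 12.0, "host": "ws-01", "type": "dns_query"},
    {"ts": 20.0, "host": "ws-01", "type": "archive_created"},
    {"ts": 70.0, "host": "ws-02", "type": "auth_success"},
    {"ts": 75.0, "host": "ws-02", "type": "archive_created"},
]

def run(events):
    correlator = SequenceCorrelator()
    return [d for d in map(correlator.feed, events) if d]
```

The expiry step is what keeps slow, unrelated activity from being stitched into a match, and the `max_keys` bound keeps the temporary state from growing without limit under a flood of first-step events.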
Transit also reshapes the cost equation. If you stored data in your SIEM primarily to detect on it, and Transit already handled that detection, you can drop the data or route it to low-cost cold storage for compliance.
More than three-quarters of security detections living in a SIEM today don't require multi-event correlation, and in fact they don't need the SIEM at all. The architectural options Transit opens—detect and drop, detect and route, detect and filter—let the SIEM stay without remaining the bottleneck everything flows through.
75 Million Alerts and Counting
ReliaQuest President of Product and Technical Operations Brian Foster drew a sharp line on stage between what the market calls agentic AI and what's running in production at ReliaQuest.
Many AI agents are given broad roles, but asking one to do too much leads to mistakes—“Jack of all trades, master of none,” as Brian Murphy put it onstage. Rather than relying on single agents to handle entire disciplines, the GreyMatter Agentic Teammates decompose each discipline into hundreds of single-task agents.
The six production Teammates—Intel Researcher, Detection Engineer, IR Analyst, Threat Hunter, IT Engineer, and OT Engineer—own their discipline end-to-end, collaborating when a request spans disciplines and working autonomously in the background 24/7 without being prompted. GreyMatter has worked and resolved more than 75 million alerts across ReliaQuest's customer base over the last 12 months.
Every execution passes through a 7-phase validation framework before reaching production. The precision threshold: 98% before anything ships. Current production precision: 99.4%.
Accuracy at Scale Without the Spiraling Invoice
Underpinning GreyMatter's accuracy is a modular, multi-model AI framework that routes each task to the right model at the right cost.
Every time a task executes, GreyMatter selects the best available model based on cost, speed, and accuracy. Continuous automated A/B testing with an LLM as judge routes the same request through multiple models simultaneously and feeds results back into future model selection automatically. A frontier model handles complex reasoning while a low-cost model handles translation. The cost delta at enterprise scale is enormous.
That’s how ReliaQuest is able to avoid charging by investigation, search, or model call. The price is the price. The consumption model other vendors ship—metered by tokens, queries, and searches—puts a ceiling on security.
Reactive, Proactive, Predictive — Where Do You Stand?
During his keynote session, Brian Foster asked the room: where does your program sit across three operational stages?
Reactive is where most SOCs still operate. Alerts fire, analysts triage, teams contain, cycle repeats. GreyMatter's Agentic DCIR runs across SIEM, EDR, cloud, network, and email through natural language—any defender can build detection rules, run threat hunts, execute response playbooks, and investigate alerts across any connected technology without knowing any vendor-specific syntax.
Proactive means hunting threats before they land. Agentic Teammates initiate threat hunts, detection gap analyses, and emerging threat assessments without being prompted. They surface what you should be looking for based on your environment, your exposure, and current threat intelligence, then go looking.
Predictive is the current frontier. A new threat advisory publishes; within the same day, Teammates autonomously map coverage against the advisory's TTPs, calculate your likelihood of being hit and potential impact, deploy new detections, and enable response playbooks. You know your exposure, exactly what GreyMatter has already done to protect you, and precisely what's left to act on—ahead of the threat.
Defense Is a Team Sport
Across every customer running GreyMatter, one environment's early signal becomes proactive protection across the entire network. Detection rules deploy in days. Customers are protected before threats reach mainstream awareness or public reporting. With hundreds of thousands of alerts analyzed across the network, the defensive advantage compounds with every environment added.
That compounding effect extends beyond detection. The problems and ideas customers surfaced at EXPONENT are already being mapped to GreyMatter's development roadmap—shaping the future of agentic defense.

