Back

How Daylight Makes AI SOC Investigations Reliable at Scale

Lior Liberman
Lior Liberman
July 9, 2026
Product
How Daylight Makes AI SOC Investigations Reliable at ScaleBright curved horizon of a planet glowing against the dark backdrop of space.Bright curved horizon of a planet glowing against the dark backdrop of space.

How AIR Runs AI SOC Investigations

Most debates about AI in the SOC collapse into a false binary.

On one side is the old automation model: deterministic workflows, rigid playbooks, predefined steps, and brittle logic. On the other is the AI-native promise: fully agentic investigations where an AI system adapts freely based on whatever it learns along the way.

That framing is too simple.

Deterministic does not have to mean rigid. Agentic does not automatically mean better. In production security operations, the goal is not to build the most open-ended investigation system possible. The goal is to produce accurate, consistent, explainable, complete investigations at scale.

That requires architecture. At Daylight, AIR is the investigation engine behind our managed security services. It runs AIR Investigation profiles through a central orchestrator and coordinates multiple specialized agents.

An AIR Investigation Profile defines how AIR should evaluate a specific class of security activity: the core questions to answer, the must-have evidence to collect, the expert guidance to apply, the relevant context to retrieve, and the points where specialized agents may need to reason over incomplete or ambiguous data.

AIR is used across alert investigations, threat hunting, and agentic data lake queries. It does not treat every investigation as a blank page for an agent to reason through from scratch. It also does not reduce investigations to static SOAR-style playbooks. It combines deterministic and agentic workflows in the same investigation.

When the required data is clear and easy to retrieve, AIR uses deterministic flows. When the task requires reasoning, interpretation, or semantic understanding, AIR uses specialized agents. That distinction is what makes the system reliable.

How an AIR investigation actually runs

Every AIR investigation starts with a raw event: an alert, detection, or event from a threat hunt that found a suspicious lead.

That event determines which AIR Investigation Profile should be used. The profile is not a static automation script. It defines the investigative questions that need to be answered, the baseline evidence required to answer them, and the areas where specialized agents may need to reason over incomplete or ambiguous context.

When Daylight builds an integration, our security experts define the relevant AIR Investigation Profiles based on how that class of activity should be evaluated in a real SOC investigation.

The investigation starts by collecting the must-have evidence for the case. This is the deterministic foundation. AIR uses deterministic queries and enrichment to gather the telemetry, entities, and indicators expected to matter for the investigation: users, devices, IP addresses, domains, files, cloud resources, SaaS applications, and other relevant objects.

As evidence is gathered, AIR evaluates what it has learned against the investigation objective. If the collected data answers the key questions, the investigation can continue toward summary and verdict. If something important is missing, unclear, or inconsistent, AIR can invoke a specialized agentic workflow to complete that part of the investigation.

For example, a user may need to be resolved across identity, HR, authentication, and business systems. A device may need to be connected to recent activity and ownership. A cloud resource may need to be tied to related workloads, configuration changes, or asset sensitivity. A suspicious code-related event may require finding the relevant GitHub pull request.

AIR also retrieves relevant telemetry, organizational context, and historical case context.

Daylight maintains customer-specific context repositories as part of the AI platform. The Daylight Data Lake stores telemetry, while the Daylight Knowledge stores organizational and historical context.

Organizational context includes business rules, policy exceptions, asset ownership, user roles, sensitive systems, and customer-specific operating knowledge. Historical context includes prior investigations, recurring false-positive patterns, known behaviors, previous decisions, and lessons learned from earlier cases.

AIR runs an agentic search to retrieve knowledge items relevant to the investigation. Organizational context is considered first, followed by historical context.

Once AIR has collected the required evidence, enriched the relevant entities, resolved missing context, and applied the relevant knowledge items, it generates a summary and then a final verdict. The verdict determines whether the activity is benign, false positive, suspicious, or a true positive.

Deterministic does not mean static

Some evidence is foundational for a given investigation type.

If a suspicious login investigation requires recent authentication history, MFA activity, device context, and user context, AIR should collect that baseline consistently. If a cloud investigation requires enrichment for a resource, identity, configuration change, or related workload, AIR should collect that baseline consistently.

That does not mean AIR knows every relevant fact before the investigation starts. Some evidence only becomes relevant after the system evaluates what it has already collected. But every investigation type has must-have evidence that should not depend on whether an agent happens to ask for it. That is what deterministic means in this context.

It does not mean the investigation is static. It means AIR starts with a reliable evidentiary foundation before using agentic workflows to resolve ambiguity, fill gaps, or reason across messy context.

That does not make the investigation less intelligent. It makes it more dependable.

Agentic workflows are used when reasoning is actually needed

Not every investigative task can be solved with a direct query.

Some tasks require interpretation: stitching together incomplete signals, understanding business context, or resolving entities that appear differently across systems. That is where AIR uses specialized agents.

A specialized agent is not asked to “investigate the alert.” It is asked to resolve a specific investigative question.

One agent may build a unified user profile by collecting identity, HR, authentication, and business context. Another may identify the relevant machine for a user. Another may find a GitHub pull request connected to suspicious activity. Another may analyze browser history. Another may collect context about a cloud resource, endpoint, SaaS application, or Kubernetes workload.

The orchestrator manages the investigation and invokes agents when the evidence indicates that a specific question cannot be answered confidently from deterministic collection alone. Agents perform actions, retrieve information, analyze specific evidence, and return their output back into the investigation.

This is where agentic workflows are most useful: not as open-ended exploration, but as focused reasoning over the parts of the investigation that are ambiguous, incomplete, or context-dependent.

AIR adapts by reasoning over evidence gaps

A common misconception is that an investigation is either static or fully agentic.

In practice, the stronger model is a combination of both.

AIR starts with deterministic collection for the must-have evidence. Then it assesses what the evidence does and does not answer. If the investigation can move forward with confidence, it continues. If a key question remains unresolved, AIR invokes the right specialized agentic workflow to complete that part of the investigation.

For example, an investigation may begin by collecting authentication activity, identity context, endpoint telemetry, cloud activity, and relevant indicators. As AIR evaluates that evidence, it may determine that the user context is unclear, the activity involves a sensitive system, the machine identity is ambiguous, or the business justification cannot be determined from structured telemetry alone.

When that happens, AIR can invoke an agentic workflow to gather the missing context. That may mean building a more complete user profile, finding the user’s associated machine, reviewing browser activity, identifying a relevant GitHub pull request, or collecting additional cloud or Kubernetes context to understand what the asset is and why the activity happened.

This is not a static investigation. The path changes based on what AIR learns from the evidence.

But it is also not a fully agentic investigation workflow where the system invents the process as it goes. AIR adapts inside a structured investigation architecture: deterministic collection provides the baseline, and agentic workflows resolve the questions that require reasoning.

That structure is important for reliability. AIR can adapt based on the evidence without making the entire investigation path open-ended, inconsistent, or difficult to improve.

Fully agentic investigations can reduce consistency and accuracy at scale

A fully agentic investigation workflow is appealing in theory.

An alert fires. An AI agent reviews the evidence. It decides what to check next, pivots across systems, and adapts dynamically until it reaches a conclusion.

That resembles how experienced analysts investigate difficult cases. They follow leads, change direction, notice gaps, and decide when a different question matters more.

But production investigations cannot depend entirely on open-ended reasoning. For many alert types, there is a known set of evidence that should be collected every time. A suspicious login investigation should not depend on whether an agent decides that authentication history, MFA activity, device context, user role, or prior similar cases are worth checking. If that evidence matters, it should be collected consistently.

When every investigation path is decided dynamically, two investigations for the same alert type can collect different evidence, follow different branches, and weigh different signals. At small scale, that variability can look like flexibility. At production scale, it becomes a reliability problem.

It also creates an accuracy problem.

Security investigations are not just reasoning exercises. They are evidence-gathering processes. If the system skips a required source, stops too early, follows an irrelevant branch, or over-weights a weak signal, the final verdict can be wrong even if the reasoning sounds plausible.

This is especially important in enterprise environments, where a single alert often requires telemetry context, organizational context, and historical context to interpret correctly. The investigation needs to know which evidence is mandatory, which context matters, and which questions must be answered before a verdict can be trusted.

Explainability is part of the issue, but it is not the whole issue.

A SOC cannot rely on investigations that are difficult to audit, difficult to reproduce, difficult to improve, or inconsistent across similar cases. The point is not whether AI can sometimes reach the right answer. The point is whether the investigation process can produce accurate, repeatable results at scale.

That is why Daylight does not assume that more agentic is always better.

Confidence is not just a feeling

In security operations, a verdict is not enough. AIR also needs to know how confident it is in that verdict.

For each investigation, AIR evaluates the evidence against analyst questions defined by the investigation type. Those answers contribute to the confidence score, which determines whether the verdict is reliable enough or needs expert review.

Most AI SOC systems have no systematic way to know when their investigations are getting worse. They may review individual cases, but miss broader patterns: repeated low-confidence verdicts, recurring evidence gaps, missing context, or investigation profiles that need refinement.

Daylight monitors confidence scores across investigation types and uses those patterns to drive structured updates to AIR Investigation Profiles, expert guidelines, procedures, and knowledge items.

This turns confidence from a score attached to a single verdict into a feedback loop for improving the investigation system over time.

Human experts improve the investigation architecture

The role of Daylight’s security experts is not limited to reviewing AI output.

They design AIR Investigation Profiles when integrations are built. They define required data collection. They determine which enrichment matters for each case type. They write the guidelines that shape the investigation. They identify where agentic workflows are useful and where deterministic steps are better.

They also review low-confidence investigations, tune profiles when there are issues, create and update knowledge items, and request pivots after verdicts when more information or a different investigative direction is needed.

In Daylight’s model, the expert’s highest-leverage work is improving the investigation architecture itself.

If a low-confidence investigation reveals a missing context item, that context can be added to Daylight Knowledge. If a profile repeatedly fails to collect the right evidence, the profile can be changed. If an agentic workflow is producing inconsistent output, the workflow can be inspected and improved. If experts repeatedly request the same pivot after a certain verdict, that learning can become part of the future investigation process.

The system becomes more accurate because expert judgment is not trapped inside individual tickets. It is encoded back into the investigation architecture.

The real question is not deterministic or agentic

The AI SOC market often frames the conversation as a choice between deterministic automation and agentic investigation.

That is the wrong question.

The real question is whether the investigation architecture can produce professional, high-confidence, accurate investigations at scale.

To do that, the system needs structure. It needs to know which evidence is required for each case type. It needs to retrieve only the context that matters. It needs to use agents for tasks that require reasoning, not for every step indiscriminately. It needs to make the investigation path visible. It needs to know when confidence is low. And it needs security experts who can improve the system when gaps appear.

That is how Daylight built AIR.

Not as a static playbook engine. Not as a fully agentic black box.

As an investigation engine that combines deterministic and agentic workflows in the places where each one works best.

That architecture is what makes AI investigations more consistent, more accurate, more explainable, and more reliable in production security operations.

Table of contents
form submission image form submission image

Ready to escape the dark and elevate your security?

Get a demo
form submission image form submission image

Ready to escape the dark and elevate your security?

Get a demo

Ready to escape the dark and elevate your security?

Stop settling for escalation factories. Get AI-native detection and response with senior experts and full accountability.

Book a Demo
moutain illustration
form submission image form submission image

Ready to escape the dark and elevate your security?

Get a demo
moutain illustration