The Challenge
Before Daylight, LVT managed security operations internally. The team actively monitored its environment with an employee-based on-call rotation.
Alert volume was high, and signal quality was inconsistent. Many alerts lacked context, and detections required ongoing tuning that required ongoing effort.
The result was a familiar security operations challenge: too many alerts to investigate properly and limited time to improve detection quality.
Evaluating the Right Approach
LVT’s leadership believed recent advances in AI created an opportunity to rethink how security operations could be handled.
They evaluated AI SOC tools with the expectation that AI could extend their capabilities without additional headcount. Through that evaluation, it became clear the team needed more transparency into how detection decisions were being made and stronger reasoning behind each one.
Why Daylight Stood Out
Daylight offers a different approach, combining an agentic platform with a team of security experts with backgrounds in incident response, threat hunting, and detection engineering.
From the first interaction, LVT noted the level of expertise and engagement from the Daylight team. This gave LVT confidence that investigations would be handled with depth and clarity.
More importantly, Daylight removed the perceived tradeoff between automation and expertise. Instead of choosing between AI or humans, the team saw a model that integrated both. “What sold us on Daylight was not the automation by itself, but it was pairing agentic tooling with detection engineers who could explain their reasoning,” said Jake Schroeder, CISO at LVT. “That combination made Daylight the clear choice.”
Deeper Coverage Across the Environment
After implementing Daylight, the most immediate change was in visibility and detection coverage. Daylight introduced customized detection rules tailored to LVT’s environment, adding layers of detection on top of the team’s existing coverage.
Daylight also supported Tier 1 triage through automated end-user validation workflows, allowing suspicious activity to be confirmed directly with employees when appropriate. This helped LVT avoid unnecessary internal follow-up on activity that could be quickly validated, while still preserving a clear escalation path for activity that required security review.
As a result, alert volume increased, but the additional alerts were tied to areas where LVT wanted greater visibility. “When Daylight escalates, my team responds rather than re-triages. That collapses the time between an alert being raised and a decision being made, which is the number that matters when something real is happening,” said Schroeder.
Each alert was investigated with full context and a clear determination. Rather than simply forwarding alerts, Daylight provided an initial investigative layer that combined technical context, detection logic, and user validation where appropriate. Escalations became more focused and relevant.
Over time, the team developed a clear signal: if Daylight escalates an alert, it requires action. This also changed the on-call experience. Instead of reacting to noisy or unclear alerts, the team could trust that anything requiring attention had already been validated and was worth acting on.
A Scalable Model for Security Operations
With Daylight, LVT’s security team was able to move away from reactive alert handling and focus on higher-value work without additional hiring. “Standing up an equivalent operation internally would mean building a SOC with detection engineering, threat hunting, incident response, and round-the-clock monitoring. That is a multi-year organizational build. Daylight delivered that maturity on day one,” said Schroeder.

.avif)


