
The secret equation of remediation: why this isn't the real challenge

Discover our CEO's mathematical take on remediation: a deterministic function born from complex investigation

Ahmed Achchak

In cybersecurity, many tools focus on automating remediation, assuming it is the main bottleneck in Security Operations Centre (SOC) processes. However, remediation is only as effective as the investigation that precedes it. Once the investigation of an alert is completed, the analyst holds all the necessary cards to proceed with a remediation process. Without a robust investigation, any remediation effort risks being incomplete or misdirected.


Investigation drives remediation

After detection comes investigation. Investigation is about depth. It involves collecting, analysing, and making sense of multiple data points to reveal critical insights for an effective response. This process requires manual examination of unstructured data in various forms and across multiple sources, such as parsing through logs from different network devices, analysing CTI reports, or cross-referencing user activity patterns from disparate systems. Due to its complexity and variability, automating investigation has historically been challenging.

Conversely, remediation is inherently deterministic. It functions through two key parameters:

  1. The type of the observable (TO) — such as a file, IP address, or user account.
  2. The context of the observable (CO) — the specific context or state, like being flagged as malicious or suspicious.

We express the remediation phase as R(TO, CO) to illustrate that this process follows predictable rules based on the findings from the investigation. It does not involve intelligence but simply executes based on the derived inputs. The quality of remediation depends directly on the quality of the investigation. When investigation is thorough and accurate, the resulting list of remediation actions is well-informed and precise. Conversely, a weak investigation leads to incomplete or ineffective remediation.
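The R(TO, CO) idea above, written out as an added illustration (this is example code, not Qevlar's product logic): the rule table, the action names, and the sample observables are all hypothetical, and the point is that the plan is fully determined by the investigation's findings, so an observable the investigation left without a verdict produces no action at all.

```python
from dataclasses import dataclass
from enum import Enum


class ObservableType(Enum):   # TO: the type of the observable
    FILE = "file"
    IP = "ip"
    USER = "user"


class Context(Enum):          # CO: the state the investigation assigned
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"
    BENIGN = "benign"
    UNKNOWN = "unknown"       # investigation never reached a verdict


@dataclass(frozen=True)
class Observable:
    kind: ObservableType
    value: str
    context: Context


# R(TO, CO) as a fixed rule table. Hypothetical action names for illustration.
RULES = {
    (ObservableType.FILE, Context.MALICIOUS): ("quarantine_file", "block_hash"),
    (ObservableType.FILE, Context.SUSPICIOUS): ("submit_to_sandbox",),
    (ObservableType.IP, Context.MALICIOUS): ("block_ip_at_firewall",),
    (ObservableType.IP, Context.SUSPICIOUS): ("add_ip_to_watchlist",),
    (ObservableType.USER, Context.MALICIOUS): ("disable_account", "revoke_sessions"),
    (ObservableType.USER, Context.SUSPICIOUS): ("force_password_reset",),
}


def remediate(findings):
    """Map investigation findings to a remediation plan.

    Returns (actions, unresolved): actions is a sorted, de-duplicated list of
    (action, observable value) pairs, so the same findings always yield the
    same plan regardless of order; unresolved lists observables the
    investigation left without a verdict, which are never acted on here.
    """
    actions, unresolved = set(), []
    for obs in findings:
        if obs.context is Context.UNKNOWN:
            unresolved.append(obs.value)
            continue
        for action in RULES.get((obs.kind, obs.context), ()):
            actions.add((action, obs.value))
    return sorted(actions), sorted(unresolved)
```

Feeding it a thorough investigation (every observable has a verdict) gives a complete plan; feeding it a weak one (verdicts missing) returns the gaps instead of guessing, which is the "quality in, quality out" relationship the paragraph describes.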

Addressing the Real Problem

Tools that focus solely on remediation are not solving the problem; they are merely addressing the symptom. Remediation without robust investigation is like prescribing medication without a diagnosis—it might alleviate surface-level symptoms but fails to address the root cause. Historically, attempts to automate investigation have fallen short because they've relied on deterministic, playbook-based approaches like SOARs and workflow automation. These static methods cannot capture the uniqueness and complexity of every investigation, as each scenario is different and requires a tailored approach.


However, advancements in AI now present a real opportunity. By enabling dynamic, context-aware automation, AI can transform the investigative process and adapt to unique situations in a way that previous methods could not. This opens the door to automating what truly needs automation: investigation itself. To enhance security meaningfully, we must build solutions that improve how we uncover entities, understand relationships, and connect facts. Only then can we produce remediation outputs that are reliable and effective. Ultimately, it is the investigation that drives effective remediation.

Updated on April 13, 2026
