The Integration Gap that AI SOC Gets Wrong
When an attacker moves across identity, endpoint, and productivity apps in the same attack, a single-source AI catches one piece and closes the ticket on what it can see.
One witness isn’t a case
There's a question I ask every team evaluating AI SOC technology:
How many data sources does it actually investigate across?
The answer is usually far fewer than they’d expected when they signed the contract. Most tools anchor to the EDR, sometimes paired with an email gateway. When an attacker moves across identity, endpoint, and productivity apps in the same attack, a single-source AI catches one piece and closes the ticket on what it can see.
That gap is what this blog post is about: whether the system has enough of the picture to make the right call. In my experience, most deployments don’t.
Good investigators don’t work a case from one angle. A signal fires, they pivot to adjacent evidence, test the hypothesis against what each source says, cycle back as new questions surface. Each pass either tightens the picture or opens a new branch.
An AI SOC wired to one data source runs that loop once. It validates within its own dataset. It closes the ticket and moves on.
Let’s walk the same attack through three single-source perspectives and you’ll see exactly what gets missed.
The attack
At 9:47 AM, a finance employee clicks what looks like a Microsoft security notification. It’s an AiTM phishing kit proxying legitimate M365 authentication. MFA completes. The session token is captured.
Over the next four hours, the attacker accesses Exchange Online, enumerates SharePoint, downloads a document containing service account credentials, authenticates to an on-premises server, installs persistence, creates forwarding rules on the compromised mailbox, and sends a wire transfer request to an external account.
Endpoint POV
Day two. EDR fires on unusual process execution on an on-prem server. The analyst traces it to a service account login from an unfamiliar source IP, calls it credential compromise, remediates the endpoint, rotates the service account.
Case closed.
Except the session token is still active in M365. The attacker still has Exchange access. The forwarding rule is still running. The wire transfer went out seventeen hours ago. Two more employees clicked the same link.
While the endpoint was remediated, the incident wasn’t contained.
Productivity POV
The email security platform flags an unusual forwarding rule on the finance mailbox. DLP fires on anomalous SharePoint download volume from the same account. An analyst pulls the forwarding rule and notifies the data owner about what was downloaded.
The SharePoint auth looked legitimate — valid session token, nothing in their logs pointing to compromise. The service account pulled from that downloaded document is still running persistence on the on-prem server. Nobody has touched the endpoint.
Two tickets were closed, yet the incident still wasn’t contained.
Identity POV
Sign-in logs show an auth from an unusual IP. MFA was satisfied because AiTM proxies a real session. Conditional access didn’t trigger because token and device state looked normal. The analyst resets the user's password and marks the account clean.
Password reset doesn’t invalidate active session tokens. M365 access continues. The SharePoint download already happened. Persistence is running under a service account that wasn't part of this review. The forwarding rule is exfiltrating mail right now.
Another ticket closed. The attacker is still enjoying their access.
What you see when all three surfaces connect

No single source tells that story. You don’t just remediate the endpoint. You invalidate every active token, audit every application the session reached, and account for every service account touched in that window.
The data problem
The AI SOC debate keeps circling the autonomy question: how much should these systems do without human review? That's worth asking. But I keep coming back to a more immediate problem that gets less attention: what data are they actually working from?
An AI SOC wired only to your EDR makes triage decisions on endpoint telemetry alone. It has no way to check whether the authentication behind lateral movement is still active, or what the attacker accessed before touching the endpoint. It recommends remediation on an incomplete picture. Faster triage on partial data isn’t an improvement. It's a faster path to false confidence.
And the more autonomous the system, the worse the problem gets. A human working a partial picture knows they’re working a partial picture. They ask questions and flag gaps. An automated system working a partial picture doesn't know what it's missing. It closes what it can see and moves on.
The investigation has to span the attack
Attackers move across identity, endpoints, and the productivity stack because that’s how the environment is built. The investigation has to follow the same path.
Command Zero runs investigation workflows across all three surfaces from the start. An endpoint alert doesn’t kick off an EDR-only investigation. It pulls identity context for every account that touched the affected system, checks productivity data for access patterns tied to those accounts, and builds the correlated timeline before the analyst makes a call. The analyst sees the complete picture, not the first piece of it.
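As an added example (not Command Zero's code and not part of the original post), here is that pivot loop written out in Python over constructed sample events: it starts from the endpoint alert on the on-prem server, follows the service account to its sign-in IP, reaches the finance user's AiTM session, SharePoint download and forwarding rule, and compares the resulting containment list with what an EDR-only triage produces. Every account, host, IP, session id and timestamp is made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events from the three surfaces; every account, host, IP, session id and time is made up.
EVENTS = [
    {"ts": "2025-01-14T09:47:00", "src": "identity", "kind": "signin", "account": "finance.user", "session": "S-1", "ip": "198.51.100.7"},
    {"ts": "2025-01-14T10:40:00", "src": "productivity", "kind": "sharepoint_download", "account": "finance.user", "session": "S-1", "item": "svc-creds.docx"},
    {"ts": "2025-01-14T11:30:00", "src": "identity", "kind": "signin", "account": "svc-backup", "session": "S-2", "ip": "198.51.100.7"},
    {"ts": "2025-01-14T11:32:00", "src": "endpoint", "kind": "persistence", "account": "svc-backup", "host": "onprem-srv-01"},
    {"ts": "2025-01-14T12:10:00", "src": "productivity", "kind": "forwarding_rule", "account": "finance.user", "session": "S-1"},
    {"ts": "2025-01-14T08:00:00", "src": "identity", "kind": "signin", "account": "unrelated.user", "session": "S-9", "ip": "203.0.113.5"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def endpoint_only(events, host):
    # What an EDR-only triage sees: nothing but the endpoint events on the alerting host.
    hits = [e for e in events if e["src"] == "endpoint" and e.get("host") == host]
    return sorted({f"rotate_credential:{e['account']}" for e in hits} | {f"isolate_host:{host}"})

def investigate(events, host, window=timedelta(hours=24)):
    # Pivot from the endpoint alert into identity and productivity data until nothing new turns up.
    accounts = {e["account"] for e in events if e["src"] == "endpoint" and e.get("host") == host}
    sessions, ips = set(), set()
    while True:
        before = (len(accounts), len(sessions), len(ips))
        for e in events:  # accounts -> the sessions they used and the IPs they signed in from
            if e["account"] in accounts:
                if "session" in e:
                    sessions.add(e["session"])
                if e["kind"] == "signin":
                    ips.add(e["ip"])
        anchors = [_t(e) for e in events if e["kind"] == "signin" and e["account"] in accounts]
        for e in events:  # shared sessions and same-IP sign-ins inside the window -> more accounts
            near_ip = e["kind"] == "signin" and e["ip"] in ips and any(abs(_t(e) - a) <= window for a in anchors)
            if near_ip or e.get("session") in sessions:
                accounts.add(e["account"])
        if (len(accounts), len(sessions), len(ips)) == before:
            break  # fixed point: the loop has nothing left to chase
    timeline = sorted((e for e in events if e["account"] in accounts), key=_t)
    actions = {f"revoke_session:{s}" for s in sessions}  # a password reset alone leaves these live
    for e in timeline:
        if e["kind"] == "persistence":
            actions |= {f"isolate_host:{e['host']}", f"rotate_credential:{e['account']}"}
        elif e["kind"] == "forwarding_rule":
            actions.add(f"remove_forwarding_rule:{e['account']}")
        elif e["kind"] == "sharepoint_download":
            actions.add(f"review_download:{e['item']}")
    return {"accounts": accounts, "sessions": sessions, "timeline": timeline, "actions": sorted(actions)}
```

Run on the sample, `endpoint_only` returns just the isolate and rotate steps for the on-prem server, while `investigate` adds token revocation for both sessions, removal of the forwarding rule and review of the downloaded document, the difference the three single-source walkthroughs above describe.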
Would you hand a detective one witness statement and call the case closed? Don’t accept an AI SOC that does the same thing.