An air traffic surveillance company thwarted advanced persistent threats, boosted DevSecOps automation and ducked $2 million in incident response costs with agentic AI tools.
Generative AI adoption is still at an early, awkward stage among mainstream enterprises, while agentic AI -- in which autonomous software components execute multi-step workflows independently -- remains a bleeding-edge technology. However, some of the first tools driven by generative and agentic AI have been used for security operations (SecOps), and some of the earliest enterprise agentic AI adoption has been in security operations centers.
One early user of agentic AI for SecOps is Aireon, a global satellite network operator that tracks air traffic control data. It sells software to air navigation service providers and other companies in the aerospace industry, such as Boeing. Aireon's 66-satellite network spans the globe, but its workforce is relatively small at fewer than 200 employees, according to the company's CISO, Peter Clay.
"We do have a full-time IT service desk that manages our customer stuff, but for corporate computing and cybersecurity, I have a total staff of five," Clay said. "So doing threat hunting across 130 to 150 million log events per day is not trivial."
Compounding this challenge is a general SecOps skills gap in the industry. New SecOps professionals enter the industry every year, but candidates with intermediate skills accrued over five to 15 years are in much shorter supply, Clay said -- all while cyberattacks grow more costly, frequent and sophisticated.
To address these gaps, Clay turned in 2024 to an open source large language model (LLM), WhiteRabbitNeo, which was trained to identify and remediate security vulnerabilities. Eventually, Aireon also purchased a product from WhiteRabbitNeo commercial sponsor Kindo.ai that provides a framework to automate DevSecOps workflows using runbooks and AI agents.
"The power of this stuff is, I'm able to take really smart, engaged people that understand the basic concepts of what we're after and upskill them very rapidly to achieve the outputs that we need," Clay said. "In my experience, it takes five to seven years to create a threat analyst that can do a true hunt and deliver valuable information. We were able to cut that down to a couple of hours."
The evolution of generative AI into agentic AI presents both new capabilities and new challenges.
From SecOps upskilling to DevSecOps agents
WhiteRabbitNeo helped Aireon's SecOps team learn threat hunting skills and uncover advanced persistent threats lurking in the company's networks. In part, this is due to the probabilistic nature of AI systems, which make decisions based on an evolving analysis of probabilities rather than more rigid and definitive deterministic rules. This makes predicting the behavior of malicious AI agents difficult using traditional rules-based systems, while a set of defensive AI agents is better suited to the challenge, Clay said.
"We're able to not just pattern match but also pull together and aggregate a ton of information and go, 'Well, wait a minute. Our network was running this way for 12 months, and three days ago, it started doing this. What does that mean?'" he said. "[Then we can] start to run some deeper queries [and] start to understand this a little bit better. Being able to do that at scale is really interesting, particularly for small and midsized businesses."
Since deploying WhiteRabbitNeo and Kindo.ai, Clay's team caught two active advanced persistent threats -- one trying to get into the company's network and one that was already inside the environment -- and shut them down before the attacks could advance.
"Speed kills problems," Clay said. "The faster I find something, the faster I fix it, the less impact on the organization as a whole."
A member of Clay's team built a set of AI agents using Kindo that captures and queries the company's security plan documentation for developers as they work. The SecOps team uses this same set of agents to upload new versions of the documentation, track queries and identify which developers need help implementing security controls.
"Instead of saying, 'Read this 400-page document, and we will do a really boring one-hour training on it,' [we're] able to be there when the developer goes, 'How many critical, high, medium or low vulnerabilities can I have in my code to move to the next step?'" Clay said. "That freed up a ton of people's time and gave them really, really focused feedback."
Aireon uses another agentic AI tool from Derive for finance automation, risk management and compliance, which Clay tapped to measure the effectiveness of WhiteRabbitNeo and Kindo.
"Derive is able to ingest your controls and then output financial modeling that allows you to say, 'We implemented this control and our risk exposure, in dollar terms, rose or fell from here to here,'" he said. So far, Derive has estimated that the AI agents Clay deployed have helped the company avoid $2 million in risk exposure.
"The savings came from our expected loss with where we were versus the expected loss, with the implementation controls and [expected] outcomes we have now," he said. "My CFO can look through the numbers [and be] comfortable talking in these terms."
Agentic AI risks, rewards and roadmap
Agentic AI, like any nascent technology, comes with risks. Open source AI and Kindo's self-managed software eliminated some of Clay's primary concerns about data privacy with a SaaS tool or commercial AI model.
In addition to data privacy, governance and output quality issues with GenAI models, technology providers must also address cybersecurity worries specific to AI agents. For example, Google's agentic AI security team published a blog post Jan. 29 about its efforts to defend against indirect prompt injection attacks on Google's Gemini AI systems. Some cyber defense experts have also expressed concern that AI will benefit nation-state attackers more than defenders.
But in Clay's view, while a human in the loop remains necessary, agentic AI is already a force multiplier for adversaries, and defenders must also harness it if they hope to keep up.
If we keep doing business the same way we have always been doing business, it's going to end badly.
Peter ClayCISO, Aireon
"If you're leveraging a lot of the same capabilities and same tools that your attackers are, you're able to shift as fast as they are, because you have one huge advantage, hopefully, that they don't have -- and that is, you know your own system.," he said. "If we keep doing business the same way we have always been doing business, it's going to end badly."
That said, there are plenty of opportunities to improve the performance of agentic AI systems, especially in the realms of data management and threat intelligence, Clay said. Traditional deterministic tools make it difficult to understand the ways threats might disguise their true source, such as using a VPN.
"Having an understanding of where something is coming from can give you a clue as to motivation and help you understand maybe what they were after, but we don't really have that," Clay said. "What we have is a weird gray area where we blame China for everything, because that won't get anyone fired … we really need to think about that from a data standpoint."
Instead, looking at more detailed data about the behavior patterns of an attacker might lead to a different conclusion than simply identifying an IP address, according to Clay. It's also just as important to figure out how to put such data into action using agentic AI tools, he said.
Because Aireon is a data analytics company, Kindo's customizability will allow Clay's team to use in-house data management expertise to optimize agents and workflows.
"At the end of the day, it's about how you're able to pull information together and make sure that you're not just dumping other people's presuppositions into your model," he said. "Having access to PhD-level data scientists helps you understand this stuff … but without Kindo and WhiteRabbitNeo, we wouldn't have the infrastructure to realize any of this."
Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
