Stellar Cyber unveiled its human-augmented autonomous SOC platform at Black Hat 2025, aiming to change security operations by reducing thousands of alerts to the few that need an analyst's attention while keeping analysts in the loop through AI-driven automation.
Stellar Cyber Revolutionizes SOC Cybersecurity Operations with Human-Augmented Autonomous Platform at Black Hat 2025
A Stellar Cyber Event Coverage of Black Hat USA 2025 Las Vegas
An ITSPmagazine Brand Story with Subo Guha, Senior Vice President Product, Stellar Cyber
____________________________
Security operations centers face an unprecedented challenge: thousands of daily alerts overwhelming analyst teams while sophisticated threats demand immediate response. At Black Hat USA 2025 in Las Vegas, Stellar Cyber presented a revolutionary approach that fundamentally reimagines how SOCs operate in the age of AI-driven threats.
Speaking with ITSPmagazine's Sean Martin, Subo Guha, Senior Vice President of Products at Stellar Cyber, outlined the company's vision for transforming security operations through their human-augmented autonomous SOC platform. Unlike traditional approaches that simply pile on more automation, Stellar Cyber recognizes that effective security requires intelligent collaboration between AI and human expertise.
The platform's three-layer architecture ingests data from any source – network devices, applications, identities, and endpoints – while maintaining vendor neutrality through open EDR integration. Organizations can seamlessly work with CrowdStrike, SentinelOne, Sophos, or other preferred solutions without vendor lock-in. This flexibility proves crucial for enterprises navigating complex security ecosystems where different departments may have invested in various endpoint protection solutions.
What sets Stellar Cyber apart is its autonomous SOC concept, which cuts the working set from on the order of a hundred thousand alerts down to the few thousand that merit review within days rather than weeks. The platform's AI-driven auto-triage identifies likely true positives among thousands of false alarms and presents analysts with prioritized "verdicts" that demand attention. This addresses one of security operations' most persistent problems: alert fatigue that leads to missed threats and burned-out analysts.
The AI Investigator copilot enables natural language interaction, allowing analysts to query the system conversationally. An analyst can simply ask, "Show me all impossible travel incidents between midnight and 4 AM," and receive the matching results without writing a query. This lowers the skill floor: junior analysts can take on more of the investigative work without coding experience or years spent learning a vendor-specific query language.
Identity threat detection and response (ITDR) emerged as another critical focus area during the Black Hat presentation. With identity becoming the new perimeter, Stellar Cyber integrated sophisticated user and entity behavior analytics (UEBA) directly into the platform. The system detects impossible travel scenarios, credential attacks, and lateral movement patterns that indicate compromise. For instance, when a user logs in from Portland at 11 PM and then appears in Moscow 30 minutes later, the platform immediately flags this physical impossibility.
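The impossible-travel check described above, as an added illustration (this is not Stellar Cyber's code and was not shown in the interview): it takes sign-in events that have already been enriched with a latitude/longitude (an assumed geo-IP step), computes the great-circle distance between each user's consecutive sign-ins, and flags any pair whose implied speed exceeds what an airliner could manage. The 1000 km/h plausibility ceiling, the 50 km noise floor, the UTC timestamps and the sample events are all assumptions constructed for the example.

```python
"""Impossible-travel detection over sign-in events (added illustration, not Stellar Cyber's code)."""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
# Assumptions for this example: nothing faster than an airliner is plausible travel, and
# location jitter under 50 km (roughly geo-IP resolution) is ignored rather than flagged.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
MIN_DISTANCE_KM = 50.0

# Constructed sample events (not real logs). Times are UTC: 23:00 Pacific Daylight Time on
# 2025-08-06 is 06:00Z on 2025-08-07, and the Moscow sign-in lands 30 minutes after it.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-08-07T06:00:00+00:00", "city": "Portland", "lat": 45.5152, "lon": -122.6784},
    {"user": "alice", "ts": "2025-08-07T06:30:00+00:00", "city": "Moscow", "lat": 55.7558, "lon": 37.6173},
    {"user": "bob", "ts": "2025-08-07T09:00:00+00:00", "city": "Portland", "lat": 45.5152, "lon": -122.6784},
    {"user": "bob", "ts": "2025-08-07T12:30:00+00:00", "city": "Seattle", "lat": 47.6062, "lon": -122.3321},
    {"user": "carol", "ts": "2025-08-07T10:00:00+00:00", "city": "Portland", "lat": 45.5152, "lon": -122.6784},
    {"user": "carol", "ts": "2025-08-07T10:05:00+00:00", "city": "Portland", "lat": 45.5300, "lon": -122.6500},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Return one finding per consecutive sign-in pair (per user) whose implied speed is impossible."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: datetime.fromisoformat(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue  # same metro area or geolocation noise; not evidence of travel
            elapsed = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = elapsed.total_seconds() / 3600
            # Two distant sign-ins at the same instant imply infinite speed: still a finding.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": prev["city"],
                    "to": cur["city"],
                    "distance_km": round(dist, 1),
                    "elapsed_h": round(hours, 2),
                    "speed_kmh": speed if speed == math.inf else round(speed, 1),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['from']} -> {f['to']}, {f['distance_km']} km "
              f"in {f['elapsed_h']} h ({f['speed_kmh']} km/h)")
```

Run stand-alone, only alice's Portland-to-Moscow pair is reported (roughly 8,600 km in half an hour); bob's Portland-to-Seattle drive and carol's two sign-ins across Portland stay quiet. The two thresholds are the tuning knobs: corporate VPN and cloud egress points, mobile carrier gateways and anonymising proxies all place a legitimate user thousands of kilometres from where they sit, so in practice the finding is a triage input to be checked against known egress ranges rather than a verdict on its own.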
The identity protection extends beyond human users to encompass non-human identities, addressing the growing threat of automated attacks powered by large language models. Hackers now leverage generative AI to create credential attacks at unprecedented scale and sophistication, making robust identity security more critical than ever.
Guha emphasized that AI augmentation doesn't displace security professionals but elevates them. By automating mundane tasks, analysts focus on strategic decision-making and complex threat hunting. MSSPs report dramatic efficiency gains, scaling operations without proportionally increasing headcount. Where previously a hundred thousand alerts might take weeks to process, requiring extensive junior analyst teams, the platform now delivers actionable insights within days with smaller, more focused teams.
The platform's unified approach eliminates tool sprawl, providing CISOs with real-time visualization of their security posture. Executive reporting becomes instantaneous, with high-priority verdicts clearly displayed for rapid decision-making. This visualization capability transforms how security teams communicate with leadership, replacing lengthy reports with dynamic dashboards that convey risk and response status at a glance.
Real-world deployments demonstrate significant operational improvements. Organizations report faster mean time to detection and response, reduced false positive rates, and improved analyst satisfaction. The platform's learning capabilities mean it becomes more intelligent over time, adapting to each organization's unique threat landscape and operational patterns.
As organizations face increasingly sophisticated threats powered by generative AI, Stellar Cyber's human-augmented approach represents a paradigm shift. By combining AI intelligence with human intuition, the platform delivers faster threat detection, reduced false positives, and empowered security teams ready for tomorrow's challenges. The company's commitment to continuous innovation, evidenced by rapid feature releases between RSA and Black Hat, positions them at the forefront of next-generation security operations.
Learn more about Stellar Cyber: https://itspm.ag/stellar-cyber--inc--357947
Note: This story contains promotional content. Learn more.
Guest:
Subo Guha, Senior Vice President Product, Stellar Cyber | https://www.linkedin.com/in/suboguha/
Resources
Learn more and catch more stories from Stellar Cyber: https://www.itspmagazine.com/directory/stellarcyber
Learn more and catch more stories from our Black Hat USA 2025 coverage: https://www.itspmagazine.com/bhusa25
Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
Sean Martin: Here we go. Subo. Hey. Nice to meet you again. We're in Vegas. Yeah, I know. We're in Vegas. I know, the energy here, outside and inside, it's off the charts. Yeah. While it's steaming outside. It's all the steaming gear. Blackout. It's a warm one. Triple digits. Yeah.
Yeah. So at least it's cool in here. But the vibe is good. A lot of innovation, a lot of research, a lot of cool stuff happening. I'm excited to talk to you about all the stuff you're doing with Stellar Cyber. And the human augmented autonomous SOC. Absolutely. Really, really sounds really cool. So I'm excited to learn more about that.
Yeah. A few words about yourself before we dig in your role at the company and, sure.
Subo Guha: Sure. So, I'm part of Stellar Cyber. I'm the Senior Vice President, Products. So I'm responsible for all product directions and strategies and some of the things we announced at RSA as well as here are kind of what we're showing off.
Sean Martin: Right. So maybe give us an overview of the company, just maybe like the quick elevator pitch, and then we'll talk about the announcements and then I want to dig in to understand how they fit into the existing SOC, maybe some of the changes and the outcomes that come from that.
Subo Guha: Yeah, so Stellar Cyber has a security operations platform. It's a unified platform, but we talk about it is, it's open, it's human, it's unified, meaning you don't have to have multiple tools to do security operations. It's all completely unified. And what we announced this year was the concept of autonomous SOC, which is the next generation of automation, as well as more focused around human augmented. Because we truly don't believe that you can just turn the lights off and everything works well, right? So it's a very interactive, making the SOC analyst more intelligent. That's why we call it human augmented. Right, so that we can make the SOC more intelligent and learning, but it can interact with the SOC analysts to make more augmented decisions.
Sean Martin: So the decision to do that, I mean, I think from a tech company building stuff, it's easy to say, I want to build tech and put innovations out there to take workload off the analyst. But tell me about the thought process behind augmenting the SOC with humans. Because it's a slightly different message than I'm hearing from others.
Subo Guha: Yeah. So, and just to kind of lead in, in terms of how our platform works, we have three layers. One is the layer of how we ingest, we can ingest any thresholds, whether it's a network device, whether it's an application, whether it's an identity that we need to protect, as well as with endpoints.
So one of the things we pride is we are an open EDR, meaning we don't restrict you to one EDR versus the other. Right. So if you have Sophos, if you have SentinelOne, if you have CrowdStrike, we integrate and our entire platform is AI driven, meaning we take all the alerts, the AI kicks in to be able to take the alerts into cases.
So extremely case centric. Now your question in terms of how is the human part of this in the traditional tools, traditionally security operations divisions had to hire a lot of SOC analysts to go through thousands of alerts to figure out which ones are true positives versus false positives. Because you can get thousands of false positives, but it takes a human a lot of time.
That's why we introduced the autonomous SOC concept, which is auto triage, which triages all the alerts, all the cases, and only the ones that you need to be focused on, but we don't just give you a response. We interact with human. So we also introduce this concept of a copilot, which is AI investigator, which is available, which is something we also announced.
Okay. And it interacts with the human. And when it interacts with the human, it tries to figure out is it truly an issue or what should be the action? Make the system learn. It becomes an intelligent system by these agentic AI talking to the human and making the system more intelligent.
Sean Martin: And I'm going to go out on a layman guess that some of the AI work that you're doing in the ingestion and creating the cases also helps translate that into human understandable.
Subo Guha: Yeah. So natural language. Yeah. So you can interact in natural language so you don't have to know exactly how, you don't have to be a programmer to talk to the system. Right. Which in a lot of cases, analysts have to be engineers and write code and the other.
All integrated. It's not like you have to learn and work in one screen and then go to another screen. It's all integrated into our platform, and the AI layer basically does all the detections and correlations to synthesize where you should focus. And then the autonomous SOC on top has the intelligence to even further auto triage.
So whether it's a phishing email attack, which is something we've announced here, or if it's a major case, you go down from thousands of cases down to hundreds to the few that you need to focus on, but it continually interacts and the human can also ask in plain English, right. Okay. Show me all the impossible travel that has happened between midnight and 4:00 AM.
And you'll be able to gather that information. The AI will be able to understand. So the whole idea is make it simple, but make it intelligent so that especially the mid-size customers, MSSPs, don't have to hire a lot of junior analysts. We want to have junior analysts become senior analysts focusing on the more core issues and let the platform do all the magic in terms of efficiency.
Sean Martin: So talk to me a bit about that interaction where the intelligence is driven by the analyst. The analyst has the insight from the platform to help them guide the economy, right?
Subo Guha: So typically, if you look at any of our customers, whether it's an enterprise or MSSP, they have tiers of analysts, right? You have the senior analysts who are the most experienced, and then you have the junior analysts who are kind of slogging day in, day out, hour after hour, all trying to understand all these different alerts. We're trying to eliminate that busy work, right with the agentic framework as well as with our AI capabilities.
And that reduces the number of hours and number of people you need. Right. But it is intelligent with the agentic AI, that it gives you more clarity why we score something high versus low, right? So you can focus on the high alerts with more detailed information and then interact with it. Clarify, okay, did we cover all the things we should be worried about?
And then you can respond. You can do different things like you want to block an IP, block a user because of phishing attack.
Sean Martin: See, one thing that I think about often is if you're basically resetting what entry level, what junior level is if you're doing that busy work. But the understanding of that layer of analyst work. Yeah. And automating the task. But traditionally an analyst learns that stuff and then moves on to the next level. How do you help them ensure that they maintain that knowledge that's now being done autonomously for them? Yeah. So they continue to be intelligent at the next level.
Subo Guha: Yeah. I mean, there's always this fear AI's going to displace workers. That's not what's happening here. Got it. What we're trying to do is automate a lot of the mundane but detailed tasks, so even the junior analysts can become senior faster, and you don't have to hire hundreds of junior analysts because of the volume of ingestion, of alerts, of cases.
Right. So you don't lose the onboarding and knowledge base. You need to know how to do security operations. You just do it smarter. Right. You don't have to do 10 tasks. You only have to do three, but those three are the most critical to make a decision.
Sean Martin: Got it. Can you describe one or two, you don't have to name company names, but a case where their traditional SOC before Stellar Cyber autonomous SOC comes in. And what that day looks like or that case looks like versus one now and as much detail as you can provide. Yeah, like this breach was absolutely initiated by this and some research had to be done and tracking back whatever it is.
Subo Guha: So typically what we've seen is, two, three years ago, based on the volume of alerts and cases, you had to proportionally hire the number of SOC analysts just to work through those. Yeah, just to support, you know, because the customers want to know immediately what's going on. The only way you can be more responsive is put more bodies to solve the problem. What we see now is our MSSPs are getting smarter with our platform and they're tuning the platform to do things faster. So if you had like a hundred thousand alerts.
Yeah, to get down to thousands, as I talked about, it would probably take a week, you know, or weeks. Right now they're doing it within days, and so they don't have to hire as many junior analysts. So there's a reduction in terms of what they need to do to scale, because scaling is good, right? Meaning they're getting more customers, they're getting more revenue, which we like, right?
But what we're making them is smarter and then more efficient, right? That's the key thing. So we're just seeing more efficiencies with our customers.
Sean Martin: And then so the outcomes of that, so the efficiency, what are they focusing more on? Are they turning it to more...
Subo Guha: They're focusing more on automation, how to do better response, and how to reduce the time to fix a problem. Right? So it's more about getting towards the results oriented versus trying to do the needle in a haystack problem.
Sean Martin: Got it. And when they're reporting to, so the team or the manager of the SOC reporting to the CISO, for example, how are they reporting that success and measuring it?
Subo Guha: Well, the good thing is because we're able to create the visualization of what's important as well as alerts to cases, to what's the most, you know, we call it verdicts, right? So they, what the execs now focus on is how many high verdict things should we be focusing on? So the communication also becomes much more faster, and you don't have to really do formal communication. It's all visualized in the platform.
So that also improves time to market in terms of communication back to the CISOs. Absolutely. And the CISO will also be able to know exactly when there's an issue. The agentic AI will give more descriptive information through the AI technology that they'll have much more confidence. Okay, that is the right path. I want to do X, Y, Z steps to stop the attack. Got it.
Sean Martin: So talk to me a bit about the identity piece that you're also talking about.
Subo Guha: Yeah, so we also did an announcement around ITDR. We actually have a very strong user analytics, UEBA capability in the platform. We also have ITDR, right? So we wanted to make sure all our partners as well as prospects knew that identity is central to our platform.
We don't sell another product like other vendors do. It's integrated and it's integrated in terms of, it's not just important, like where the attack happened, like at an endpoint or a network, but what happened? Who's the person attacking? Right. So we announced, for example, the auto triage for phishing, which is always the first door entry to many attacks.
And then with our capability, not only can you identify if there was an issue, right, there's an attack or somebody changed passwords or reset that the admin didn't do. But once they enter, the problem is really the lateral movement. So then they start going into other networks and others. So we have a concept, which is very popular in security, impossible travel.
Somebody logged in from Portland at 11:00 PM, right? At 11:30, they're logging in from Moscow. We know the guy couldn't be in Moscow in 30 minutes. Right. So those types of use cases. Identity is now becoming the new perimeter, right? It's not important just to stop them when they enter, but also understand what's happening once they enter and how to prevent that and put a stop to that.
So we think ITDR is a core foundational pillar of our platform. We talk about next-gen SIEM, which is our next generation SIEM. We have the capability to do threat hunting and response. Now we're saying we're going to put a spotlight on identity. Because we think that's a key concern of our customers that they have.
Sean Martin: And with that, the behavior.
Subo Guha: Yes.
Sean Martin: Which clearly AI kind of analyzing that.
Subo Guha: So ITDR and UEBA, which is behavior analytics is all integrated. We'll know who the suspect is. We'll understand if they're a trusted version because we integrate with the traditional IDPs like Okta and all the other Azure, you know, and all the different Azure things.
So we know who's trusted and who's not. We're all integrated, but then we understand what the security, bad things are happening to prevent it.
Sean Martin: And in terms of identity, what's the scope of the identity? Humans, you look at machines as well?
Subo Guha: So that's a good point. Identity can be human or it can be non-human, right? One of the biggest threats why we think identity is a problem. People are now using LLMs like a lot of the hackers, and just creating lots of different credential attacks much faster than anybody could do. So it could be a human attack or a non-human attack. So the threat has become even more exaggerated, that there could be more potential, you know, people trying to enter your network, especially with the Gen AI technologies, that's making it easier for hackers to create more credential and attack capabilities. So identity becomes even more critical.
Sean Martin: So we have a couple minutes left here. I want to, we're going to go back and forth between the two. We'll start with the identity piece because we're right there. I'm wondering, it's going to be the same question for ITDR as well as the autonomous SOC, but what are some signals that CISOs and their team should look for to say we need to look at identity and or this autonomous or our SOC operations differently, or maybe there's a signal missing that will flag that they need to change the way they're operating.
Subo Guha: Yeah, so I mean, every CISO wants to make sure they can be able to look at every point of surface attack, so the platform that they're looking at needs to be able to look at the whole spectrum of where the threat would come from, from an endpoint, from a network, from a server application in the cloud, right?
So another thing is you want to be able to be flexible. This is why we pride ourselves that we have an open EDR technology, right? So if the customer likes CrowdStrike or they like, like one of our strategic partners, SentinelOne, you know, they have the choice to pick the right EDR and then if they are able to switch if they need to, or mix and match if they need to.
So the main point is the CISOs looking for, can I get all surface attacks? Including identity. Second is they want, it's all about time, right? How fast can you solve an issue and keep their customers up and running, especially in MSSP. So having a unified platform, they don't have to learn multiple tools and different ways to do the entire security operations.
That's where we believe we have the strength. All of our capabilities are unified and integrated. We don't try to nickel and dime sell you multiple products. We believe you should have a unified single security operation capability. And then on top of what we call our birthday cake is the icing, the autonomous SOC.
So we are now going to hyper automation to be able to identify and auto triage things faster, whether it's a phishing email or it's a case, and then be able to do response very quickly. So that's what a CISO's looking for. Yeah. Make sure they can see all types of attacks, including identity, be able to analyze it and detect it, correlate it. And then automation helps them improve their effectiveness to solve things faster.
Sean Martin: Yeah, sounds good. Yeah, sounds good. Like, I mean, even since RSA, you guys continue to innovate. Yes, absolutely. That's an important thing and I presume you get a lot of feedback and interaction with your customers to help you shape some of these technologies.
Subo Guha: Yeah, so we're a fast moving company. We were built from the ground up from day one to be AI based. And so we're very fortunate to be ahead of the curve. We've always innovated. And everything we do, we always question how can we innovate to be better, which is why we announced Agentic AI very quickly and it's coming to market and it's integrated into our platform.
Sean Martin: Awesome. Subo, always a pleasure chatting with you. Yeah, absolutely. Great to hear about the innovations and the outcomes that are driven from it. Yeah. And I hope everybody listening connects with Subo and the Stellar Cyber team and looks for those efficiencies. Look for all those attacks you're trying to identify and be able to communicate that to the executive team in a more effective manner.
So you can measure and talk about how your operations are actually helping the business. So thanks everybody for listening. Connect with Subo and the Stellar Cyber team. Follow all of our coverage, itspmagazine.com/bhusa25 for all things here from Vegas and Black Hat. Subo. Thanks, man.
Pleasure.