Nearly 40% of enterprise security alerts go completely unattended -- and the data to prove it is finally here. Monzy Merza, Co-Founder and CEO of Crogl, joins Sean Martin and Marco Ciappelli at RSAC Conference 2026 to talk about what AI-enabled SOC operations actually look like when the theory meets enterprise reality.
The security operations center is under pressure from every direction -- rising alert volumes, fragmented data environments, and a skills gap that no amount of hiring fully closes. At RSAC Conference 2026, Monzy Merza of Crogl sat down with Sean Martin and Marco Ciappelli to talk about what the AI-enabled SOC actually looks like when it is working at enterprise scale.
Crogl recently published the State of the AI SOC report, a survey of more than 600 organizations. The headline finding: nearly 40% of alerts go completely unattended. Not triaged. Not escalated. Just missed. The report also found that a large share of respondents rank the security of an AI system above its raw capability -- trust before performance. Merza says the goal of the report was part data, part demystification, and part empathy building -- giving security leaders permission to recognize that everyone is dealing with the same problems.
Crogl's knowledge engine is built on a foundational premise: data is fragmented in the enterprise, and that is not going to change. Rather than requiring data normalization before analysis, Crogl builds an enterprise semantic knowledge graph that maps relationships across data lakes, SIEMs, and SOAR platforms, wherever the data lives. Analysts no longer need to navigate schemas or query languages. Crogl handles the investigation and surfaces what matters.
Merza describes two compressor effects his customers experience. A competency compressor allows any analyst to draw on multiple data lakes at once. A domain knowledge compressor lets Crogl work across alert types -- phishing, endpoint, and beyond -- rather than routing each to a specialist. The result is a team that operates well above its apparent headcount. One customer example: a CISA advisory that would take hours to manually parse can be uploaded into Crogl and assessed across the enterprise footprint -- IOC mapping and detection coverage -- in sub-hours. The same logic extends to compliance, where audit data calls that once required manual query-by-query execution can now be executed by Crogl against a full 500-query data call at once.
On the jobs question, Merza takes a clear position: AI will create more security jobs, not fewer. Every new AI deployment is a new attack surface. Every new footprint needs to be defended. The repetitive tier-one work is going away -- but the volume of meaningful security work is expanding and the entry level is rising. The organizations getting ahead of this are already standing up AI review boards and putting security capability at the center of how they evaluate new AI tools.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Monzy Merza, Co-Founder and CEO, Crogl
LinkedIn: https://www.linkedin.com/in/monzymerza
RESOURCES
State of the AI SOC Report (free download): https://www.crogl.com
Crogl: https://www.crogl.com
AI SOC Summit: https://aisocsummit.com
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Monzy Merza, Crogl, Sean Martin, Marco Ciappelli, brand spotlight, brand marketing, marketing podcast, brand story, AI SOC, security operations center, SOC automation, AI in cybersecurity, alert fatigue, security data lakes, SIEM integration, enterprise knowledge graph, threat intelligence, CISA advisory, Volt Typhoon, RSAC Conference 2026, RSAC 2026, cybersecurity AI, autonomous investigation, SOC analysts, security workforce, CISO strategy
AI-Enabled SOC Operations: From Alert Overload to Autonomous Investigation | A Brand Spotlight at RSAC Conference 2026 with Monzy Merza, Co-Founder and CEO of Crogl
[00:00:10] Sean Martin: All right, Marco.
[00:00:12] Marco Ciappelli: Sean,
[00:00:13] Sean Martin: do you have any pizza for lunch?
[00:00:14] Marco Ciappelli: I don't have any pizza with me, but I know where to find a good one.
[00:00:19] Sean Martin: Yeah.
[00:00:19] Marco Ciappelli: Yeah,
[00:00:20] Sean Martin: I think, did you have a good one here last time?
[00:00:22] Marco Ciappelli: Not really. They told me it was a good pizza, and then it turned out to be a Detroit pizza and I felt like it wasn't a pizza. So sorry, Detroit.
[00:00:36] Monzy Merza: You should choose your advisors more carefully.
[00:00:38] Marco Ciappelli: I know. Exactly. Also, don't try to sell a pizza in Italian. It is not real pizza.
[00:00:44] Monzy Merza: I think that was the first fail move.
[00:00:48] Marco Ciappelli: Oh man. Yeah. We're not here to talk about food though.
[00:00:50] Sean Martin: It wouldn't be a Crogl conversation if we didn't talk food. We haven't talked wine yet, but I'm sure we'll get there at some point.
[00:00:57] Monzy Merza: Exactly. Have to think about food. It's important.
[00:01:00] Sean Martin: Well,
[00:01:01] Monzy Merza: Monzy, good to see you again. Good to see you, Marco.
[00:01:04] Sean Martin: Good to have Crogl doing some cool stuff in the SOC, my friend.
[00:01:08] Monzy Merza: Yeah, it's been an exciting, exciting couple of days.
[00:01:11] Sean Martin: Yeah. With the show floor, what are you hearing? What are you seeing?
[00:01:16] Monzy Merza: I think contrasted through the last couple of years, it feels like the community is starting to get more oriented towards the usefulness and the practicality of what AI in security operations means. So we're getting different kinds of questions -- more pointed questions around how do you do it, what problem do you solve?
For us specifically, we are seeing strong attraction from folks around our construct of being air-gapped, bringing multiple language models and having choice for customers on language models. The concept that you shouldn't have to normalize your data -- those are underpinnings of the challenges we started to solve.
Meeting with customers and customers saying things like, yeah, human in the loop, but maybe not always human in the loop, because if you keep including human in the loop, then you're going to get bounded by the human bandwidth again. So I think people are starting to come around to some of those concepts. In some cases it's like nobody wants to do some of these jobs anyway -- take the human out of the loop for some of those things. So it's been very energizing.
[00:02:25] Sean Martin: Yeah. And I'm wondering -- you had the AI SOC Summit, which was a huge success.
[00:02:31] Monzy Merza: Yes. Thank you. Yeah.
[00:02:32] Sean Martin: And then very close to that, you did some research and produced an AI SOC report. What's in there? How does that connect to what you're seeing?
[00:02:42] Monzy Merza: Yeah, so we found that there was a lot of confusion in talking with people in the community. So we sponsored a State of the AI SOC report that we published. It's freely available on the website at crogl.com, and we surveyed over 600 different organizations to try to figure out what are the things that they care about.
Some of the key notable things were that there are close to 40% of alerts that just go completely unattended. That was pretty significant -- that's a lot. Also on that side was when we talk about AI, a lot of organizations are starting to use AI, but at the same time a lot of organizations said that the security of the AI system is more paramount than the capability of that AI system. So that was an interesting insight from the report. I invite everybody to go download the report and see how that aligns with what other people are seeing.
[00:03:56] Sean Martin: Sometimes the reports are interesting and fun to read. What will people take from it that they can actually drive a change in how they view things?
[00:04:06] Monzy Merza: I would say there are maybe two big things that will be useful, which is why we sponsored the report in the first place. One was -- I think there's a lot of conversation but there's not enough data. For different people within the community, they don't know: am I the only one with this problem? When a whole bunch of organizations come and say roughly 40% of alerts are not being attended to, it's like, okay, maybe I'm not the only one. So I think that was part of why we wanted to get the word out and present some data to the community around what that is.
And I think the other part of it is just this demystification -- there are lots of people looking at AI, there's a lot of skepticism, but at the same time there are some good outcomes that people are experiencing and there's a pattern to how people can approach that and get those benefits. So I would say part demystification and part almost like empathy building -- as a community, we're all dealing with a lot of similar things.
[00:05:05] Marco Ciappelli: Talking about demystification -- you were taking a position about maybe, according to you, AI is not really going to take jobs but is actually creating jobs. I'd love to hear more about that.
[00:05:26] Monzy Merza: Yeah, so the basic thesis is: if we rewind the clock back a few years and we say, are there going to be more security professionals in the world than there were 10 years ago? Well, the answer is yes. Now there's a labeling problem here. People say, well, I won't have a tier one or tier two kind of thing. I think with AI we have a net new construct. We have a net new footprint that needs to be defended, and there are going to be more problems and more usage. So the jobs will evolve into different jobs, and I think we are in the sweet spot right now where there are going to be more interesting jobs for security professionals.
In aggregate, my point of view is that more AI in businesses will create more jobs for security professionals to secure that AI and also to defend that AI against attackers because now you have a net new footprint. So I'm a strong believer in that. There are some base principles here -- there's more usage, there's a new footprint, and therefore there are going to be more people who are going to try to understand it, more systems, and somebody is going to deploy those systems and protect those systems and create new patterns for investigations, response, and detection.
[00:06:57] Marco Ciappelli: Well, you know, historically technology has been following this pattern anyway. This is a big moment.
[00:07:08] Monzy Merza: Yeah.
[00:07:09] Marco Ciappelli: But I'm with you. I don't see how AI is going to take all the jobs the way the headlines are saying. Then it really is the end of humanity.
[00:07:22] Monzy Merza: Well, I think that's where it's important to be really practical about what we mean. I would argue on one side -- a reasonable person saying there won't be a tier one analyst in the future -- okay, let's just define that. The tier one analyst job today is very boring. You have to go to like 17 different places. No one will be doing that job in the same way.
Do we need more security engineers and more people doing security work in relation to AI? Yes, because there's more work to be done there.
[00:07:53] Marco Ciappelli: Maybe the entry level is just higher.
[00:07:55] Monzy Merza: Yeah, is higher. That's it. Exactly. How many phone numbers do you remember?
[00:07:59] Marco Ciappelli: Yeah, I barely remember mine and my wife's.
[00:08:05] Sean Martin: Here's the thing -- we might lose the penny at some point. Does that mean we're not going to charge $4.99 for something? No, we just won't use a penny. So maybe the 99 cents comes from digital. We change how we pay.
[00:08:22] Monzy Merza: Yeah, we see these inflection points. Way back in the day we had routers, then we got firewalls, then next-gen firewalls -- and we are not handwriting IDS rules anymore. We just keep going and more people do more things, and that's the evolution.
[00:08:39] Sean Martin: I agree. So I want to ask this -- what are you seeing when you're talking to people about their SOC? They want to transform, they want to do something better. What's the driver? What's the goal? What's the desired outcome? Are they approaching it to say, I want to cut people out, that's the objective, and I'm going to look for technologies to bring efficiencies? Or are they saying, I want to measure and produce better results? What are you hearing and how does that line up with what you're talking about here?
[00:09:20] Monzy Merza: Our customers tend to be either Fortune 500, Fortune 1000 kinds of operations, or they're high-consequence government organizations. In this customer community, what they're saying is: I have people, I hold my people accountable, I need them to do more. And from an AI perspective and from Crogl, the reason why these organizations are buying Crogl or partnering with Crogl is because they want those faster outcomes. They want the risk reduced for the organization. They want to bring to bear the resources that they have as fast as possible to the problem set.
So I'll give you a concrete example. Instead of an analyst being bounded by their ability to utilize one data lake, these customers are demanding and saying: I have multiple data lakes, I want the analyst to use all of them during the investigative process. And then they're taking it one step further, saying -- Crogl, what I want you to do is: don't have the analyst do the investigation. You do the investigation and only engage the analyst when that particular investigation needs to be escalated.
So immediately now what you have is a compression of the competency of the analyst, right? Because you can use multiple data lakes. You don't have to remember the schema, you don't have to remember the query language, you don't have to remember where email data is versus endpoint data. That's a competency compressor. And then you have a domain knowledge compressor, where before you may have one person who's really good at working on phishing alerts, another person really good at endpoint alerts. So you compress that domain knowledge -- Crogl is going to do both of those tasks, and then that person is going to get better because now they're going to get the full spectrum of what the analysis was.
So I think those are the two vectors across which customers are looking. The third important piece is choice. I was talking to one customer this morning and they said, I'm never going to put all my data in one place. I'm in a regulated industry, I'm a global financial services organization, I have lots of data lakes. I'm going to use the best tool for the job. And so my security analysts need to go to wherever that data is to do the work they need to perform.
[00:11:42] Sean Martin: Can't always bring the data to the analyst.
[00:11:45] Monzy Merza: No, exactly. They want to simplify. Now there's an opportunity because you can simplify those data pipelines -- you can leave the data where it is and still analyze it. It's not even about reducing it through a transport layer mechanism. You just leave it where it is and still be able to analyze it.
[00:12:03] Sean Martin: Super cool.
[00:12:04] Marco Ciappelli: That's pretty cool.
[00:12:06] Sean Martin: So what are some other scenarios, Monzy, where teams can be more effective? Clearly AI is not just scaling attacks but probably being a little more creative in how they maneuver and weave through the organization. Does the way attack methods change affect how SOC analysts need to work? And how does Crogl help with that?
[00:12:42] Monzy Merza: Yeah. And I think this has historically been true in the sense that defense follows offense. As offensive capabilities evolve, defensive capabilities are going to change, and the processes and procedures have to change.
So that brings two important elements. I'll give you a Crogl customer example. Imagine there's a CISA advisory that's been announced this morning -- let's say it's a 20-page advisory. Many of you in the audience may have seen the Volt Typhoon advisory that came out a while back -- that's a 20-plus, almost 30-page document. It takes forever for a human analyst to sit through, figure out what the IOCs are, what the patterns are, how do you query data, how do you do all of these other things.
So now a CISA advisory comes out. A Crogl customer today can take that advisory, upload it into Crogl, and immediately get an assessment across the footprint because Crogl knows where the different IOCs will be detected, where the different phases of attack will be detected, and can produce a report in sub-hours. That's a complete change in an operating model. You can act on high-value information right away.
Another example -- there are Crogl customers who are starting to experiment with taking policy documents, internal policy documents that have historically been very process-oriented and not technically backed. Now they can take a policy document and get an assessment based on it, or respond to a data call better. So if you're a financial services institution and you're going through 12 audits at any given moment, somebody comes in and does a data call and says, we need to validate how fast you operate, here are 500 queries in your favorite data lake, we need you to run that. Historically there would have to be a person who would run one at a time, store the result, and repeat. These customers are taking that document and saying, here's what the auditor wants -- just go execute it and give me a report.
So it's creating opportunities to change the process and procedures -- not just in the SOC environment, but now for compliance teams so that they can be more rooted in data-driven things. And going back to our previous comment about collapsing the competency gap and collapsing the domain knowledge gap -- people are able to do their jobs better and really focus on what's important, because ultimately the purpose of the audit is not to thumb somebody's nose. It's really about what is the next thing the organization needs to do to improve its posture -- and you can get to that outcome way faster now.
[00:15:30] Marco Ciappelli: And how does Crogl integrate with what a client already has? They decide, okay, I may need this product. How easy is it to start working with it?
[00:15:42] Monzy Merza: Yeah. So let's take a customer example. One of our customers has six data lakes, three different SIEMs, and two SOAR platforms.
[00:15:50] Marco Ciappelli: One organization. A hundred SOC analysts.
[00:15:53] Monzy Merza: Because somebody -- you read all the best practices and say, well, never do that. But never is not a choice. It's a business operation. There are reasons why that business runs that way. It's one thing to be arrogant and tell the customer how to run their work. It's another to say, hey, that is their world -- go support it.
So one of the important elements -- and what that creates -- is a hard base-principle problem: how do you connect to those different data stores? That's one kind of problem. Whether you're in the SIEM world, the data lake world, or the data pipeline world, you've got to connect. And then there was this problem of data normalization -- the old mantra was, you've got to normalize your data before you put it somewhere. And if you have multiple data lakes, good luck, because now you have to normalize across all of them.
So Crogl is a technology that flipped that model on its head. We said: assume a world where data is fragmented and data is not normalized, because that is the reality. How many times are we kidding ourselves? When we first founded the company -- and we just had our third birthday two days ago -- we decided that was the first problem we wanted to solve: operate in a world where data is fragmented.
So we filed a patent on this. We have the ability to build an enterprise knowledge graph to map the data inside of that enterprise semantic knowledge graph, so that you can leave the data where the data is, connect to whatever data store or data lake you want, and a human being can exercise their intuition without being bounded by that competency gap.
[00:17:36] Marco Ciappelli: Pretty cool.
[00:17:39] Sean Martin: So we're wrapping here. Maybe a final word on working with your team. I think we see a lot of opportunity with AI, and then we tend to say we need to control it a bit because it's going to get a little too wild or we don't have visibility. And when we do that, I feel we limit its capability. So from your perspective, how can CISOs and SOC managers take advantage of what's possible in a way that's going to support the business without going too crazy either?
[00:18:35] Monzy Merza: Yeah. AI in the enterprise brings a tremendous business advantage and business opportunity. I was at a panel a couple of days ago and somebody made this big statement: those who don't adopt AI are not going to be in business in the very near future. I think most business leaders recognize that's what's required. It can become a competitive advantage. Now you have to balance that -- how do you do it?
And I think this goes back to the question: are there going to be more security people or fewer security people? They're going to be more security people because now somebody has to assess how the AI technology fits into the business. How are they going to safeguard those technologies? So while maybe some parts of the security teams are starting to get smaller, other parts of security teams are going to have to get bigger and grow faster.
What I'm observing is that a number of our customers have AI review boards and they're prioritizing security capability through their review process, starting to come up with better mechanisms to assess the security capabilities for AI through those review board processes. I think the organizations who are taking that problem seriously and organizing themselves around it -- that's how CISOs can participate. I think it's a very interesting time for a CISO to make their presence and their influence in the organization even more prominent because they're sitting at a very critical inflection point in the technology space. And that's what we hear from our CISO customers.
[00:20:10] Sean Martin: That's my vision. Maybe AI is going to unlock my vision too. All right, Monzy, we did talk AI-enabled SOC and all the cool stuff that you're doing at Crogl. I would encourage everybody to connect with Monzy and the Crogl team -- that's C-R-O-G-L. Yeah, take your SOC to the next level and make your analysts more efficient and effective.
[00:20:53] Monzy Merza: Thank you. Thank you guys for taking the time. It's always great to hang out. Thank you all for listening.