USE CASE
SOC Efficiency & Incident Investigation Intelligence
Security operations metrics have gotten more sophisticated over the past decade. MTTD, MTTR, false positive rates, analyst utilization — the operational performance of security operations centers is now measured with the rigor of any other business function. And when those metrics are analyzed, a consistent pattern emerges: a disproportionate amount of analyst time is spent on data assembly rather than analysis.
An analyst investigating a suspicious alert needs to pull log data from multiple sources, cross-reference user identity records, check asset information for the systems involved, review prior alerts on related entities, and correlate timeline data across sources. Each of those data pulls requires a different query, a different system, and a different syntax.
Security operations leaders have invested in SIEM platforms, SOAR automation, and threat intelligence integration to address this problem. Those investments have made real improvements. What they haven't solved is the fundamental data fragmentation problem: when the authoritative version of an investigation-relevant question requires joining data across systems that weren't designed to talk to each other, the analyst becomes the integration layer.
A Level 2 analyst who can ask any question about an incident and get the answer in seconds is doing five times the analysis of an analyst who has to query three systems to get each piece of the picture.
Genie is the agentic interface within Lakewatch. It uses the reasoning of Anthropic Claude models to correlate signals across security, IT, and business data in seconds, so analysts can deploy defensive security agents that don't just search for data but understand the context of the investigation and surface high-fidelity threats faster than manual workflows can.
That shifts the analyst from human-in-the-loop to human-at-the-helm. Instead of writing complex SQL or learning proprietary search languages, analysts use Genie to orchestrate autonomous agents that hunt, summarize, and cross-reference petabytes of data in seconds.
Genie enables security operations teams to ask investigation questions in natural language across their full security data environment. An analyst can ask: 'Show me all authentication events for user X in the past 7 days, the systems they accessed, any associated file access events on sensitive data stores, and any related alerts from our EDR.' That investigation synthesis surfaces in a single conversational response.
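To make the "analyst as integration layer" problem concrete, the following is an added example (not Genie or Lakewatch code, and not from the original page) of the hand-built correlation that answers the question above: authentication events for one user over seven days, the hosts involved and their asset criticality, sensitive file access on those hosts, and related EDR alerts, merged into a single timeline. The tables, column names and sample rows are constructed for the example; the only assumption is that each source can be loaded into a queryable store with a common timestamp and a shared user/host key.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data standing in for four separate sources an analyst
# would normally query with four different tools. Timestamps are ISO-8601 UTC.
NOW = datetime(2024, 6, 15, 12, 0, 0)
AUTH_EVENTS = [
    ("2024-06-14T08:02:11", "jdoe", "wks-101", "success", "10.1.4.22"),
    ("2024-06-14T08:05:40", "jdoe", "fs-finance-01", "success", "10.1.4.22"),
    ("2024-06-14T23:41:03", "jdoe", "fs-finance-01", "success", "203.0.113.9"),
    ("2024-06-01T09:00:00", "jdoe", "wks-101", "success", "10.1.4.22"),   # outside window
    ("2024-06-14T10:00:00", "asmith", "wks-202", "failure", "10.1.4.30"),
]
ASSETS = [  # CMDB-style asset inventory
    ("wks-101", "workstation", "low"),
    ("fs-finance-01", "file server", "high"),
    ("wks-202", "workstation", "low"),
]
FILE_EVENTS = [  # sensitive=1 marks access to a classified data store
    ("2024-06-14T23:43:17", "jdoe", "fs-finance-01", "/finance/q2-forecast.xlsx", 1),
    ("2024-06-14T08:06:02", "jdoe", "fs-finance-01", "/public/holiday-calendar.pdf", 0),
]
EDR_ALERTS = [
    ("2024-06-14T23:45:00", "fs-finance-01", "jdoe", "high", "Archive tool staged large file set"),
    ("2024-06-10T11:00:00", "wks-202", "asmith", "low", "Unsigned binary executed"),
]

def build_db():
    """Load the constructed sources into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE auth_events(ts TEXT, username TEXT, host TEXT, outcome TEXT, src_ip TEXT);
        CREATE TABLE assets(host TEXT PRIMARY KEY, kind TEXT, criticality TEXT);
        CREATE TABLE file_events(ts TEXT, username TEXT, host TEXT, path TEXT, sensitive INTEGER);
        CREATE TABLE edr_alerts(ts TEXT, host TEXT, username TEXT, severity TEXT, title TEXT);
    """)
    conn.executemany("INSERT INTO auth_events VALUES (?,?,?,?,?)", AUTH_EVENTS)
    conn.executemany("INSERT INTO assets VALUES (?,?,?)", ASSETS)
    conn.executemany("INSERT INTO file_events VALUES (?,?,?,?,?)", FILE_EVENTS)
    conn.executemany("INSERT INTO edr_alerts VALUES (?,?,?,?,?)", EDR_ALERTS)
    return conn

# One query expressing the whole investigation question: the user's logins,
# the hosts those logins reached, sensitive file access, and EDR alerts tied
# to the user or to any host they successfully authenticated to. The asset
# inventory is joined last to annotate each timeline row with criticality.
INVESTIGATION_SQL = """
WITH hosts AS (
    SELECT DISTINCT host FROM auth_events
    WHERE username = :user AND ts >= :since AND outcome = 'success'
)
SELECT t.ts, t.source, t.host, t.detail, a.criticality
FROM (
    SELECT ts, 'auth' AS source, host, outcome || ' from ' || src_ip AS detail
      FROM auth_events WHERE username = :user AND ts >= :since
    UNION ALL
    SELECT ts, 'file', host, path
      FROM file_events WHERE username = :user AND ts >= :since AND sensitive = 1
    UNION ALL
    SELECT ts, 'edr', host, severity || ': ' || title
      FROM edr_alerts
     WHERE ts >= :since AND (username = :user OR host IN (SELECT host FROM hosts))
) AS t
LEFT JOIN assets a ON a.host = t.host
ORDER BY t.ts
"""

def investigate(conn, user, days=7, now=NOW):
    """Return the merged, time-ordered timeline for one user over a lookback window."""
    since = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S")
    rows = conn.execute(INVESTIGATION_SQL, {"user": user, "since": since}).fetchall()
    cols = ("ts", "source", "host", "detail", "criticality")
    return [dict(zip(cols, r)) for r in rows]

def summarize(timeline):
    """Condense the timeline into the facts an analyst needs to decide next steps."""
    return {
        "hosts": sorted({r["host"] for r in timeline if r["source"] == "auth"}),
        "sensitive_file_events": sum(1 for r in timeline if r["source"] == "file"),
        "edr_alerts": sum(1 for r in timeline if r["source"] == "edr"),
        "high_criticality_hosts": sorted({r["host"] for r in timeline if r["criticality"] == "high"}),
    }

if __name__ == "__main__":
    db = build_db()
    for row in investigate(db, "jdoe"):
        print(row["ts"], row["source"].ljust(4), row["host"].ljust(14), row["criticality"], row["detail"])
    print(summarize(investigate(db, "jdoe")))
```

Even in this toy form the query has to know four schemas, two join keys and one time convention; in production each source lives in a different product with its own query language, which is the fragmentation the natural-language question above is meant to hide from the analyst.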
Reducing MTTD isn't just a goal; it's a survival requirement. As Ali Ghodsi, co-founder and CEO of Databricks, highlighted during his RSA keynote, we are witnessing a massive secular shift in the threat landscape. The Zero Day Clock shows that in 2018, the average time from CVE to weaponized exploit was over two years. Today, that window has collapsed to just 1.3 days.
This 1.3-day exploit window is what makes legacy SIEMs an 'architectural dead end'. Recent data suggests the median breach detection time has compressed dramatically, but that median masks a 'long tail' of sophisticated threats that remain undetected for months because of visibility gaps. Humans alone cannot keep up with this speed of weaponization: attackers are fielding swarms of AI agents that can strike anywhere, while defenders remain constrained by manual workflows and the 'security tax' that forces them to discard up to 75% of their data.
| Metric | Full Name | Definition | Business Significance |
| --- | --- | --- | --- |
| MTTD | Mean Time to Detect | The average time it takes for your security tools or team to identify a potential security incident. | Critical: high MTTD indicates a "visibility gap" where attackers can operate freely (the "long tail" problem). |
| MTTR | Mean Time to Respond | The average time from when an alert is triggered to when the initial response or mitigation begins. | Measures SOC agility and the effectiveness of your automated playbooks. |
| MTTC | Mean Time to Contain | The average time it takes to isolate a threat and prevent it from spreading further across the network. | The primary metric for limiting the "blast radius" and potential data exfiltration. |
| MTTI | Mean Time to Investigate | The average time an analyst spends verifying an alert and determining its root cause and scope. | Highlights the "analyst bottleneck" caused by manual data joining across fragmented systems. |
To fight a swarm, you need a swarm. Lakewatch and Genie represent a fundamental shift. Lakewatch deploys swarms of defensive agents that automate detection, triage, and investigation natively where your data lives. We are moving from human-paced triage to machine-speed defense, positioning the defender at the helm to orchestrate autonomous defense across the enterprise.
DATABRICKS GENIE · KEY DIFFERENTIATORS
Built for your data, governed by your rules, answerable to any business leader.
See What Genie Can Do for Your Team
Databricks Genie is available today. See how your industry peers are using it to reimagine how they access and act on their data.