The Latest News from Triad Secure
Article - Jan 3, 2025
Hello everyone, my name is Tyler Arnone. I am the founder of Triad Secure, an AI-powered software platform that I designed with the vision of reforming how cybersecurity analysts perform their daily operations. Many companies are racing to create AI-powered security tools right now: industry giants like Splunk, Palo Alto, and CrowdStrike are trying to use AI to improve security detection, and upstarts like myself with Triad Secure are trying to bring the power of AI into the triage, response, and remediation workflow. While I am not the only one trying to accomplish this, the vision I have for Triad Secure is unique, because it comes from real-world, tactical-level experience.
AI is an incredibly powerful tool, and bringing AI into the cybersecurity space is an obvious direction for security tool providers to take. Having said that, AI alone is not enough to fix the existing problems with cybersecurity operations. The primary reason AI cannot replace a SOC analyst is that it is not capable of collecting all of the context required to make informed decisions on security events. So, if we really want to use AI in a more meaningful capacity, we first need to fix the underlying problem of scattered data investigation. This is one of the big ways Triad Secure differs from its startup competitors. New companies like Prophet Security and Dropzone AI are bringing their own solutions to market, but with a different philosophy than mine. While my competitors are trying to automate the entire SOC triage process, I do not believe the majority of the market would agree that AI solutions are reliable enough to hand off those operations completely. My goal with Triad Secure is to build a base layer that improves security integrations and augments the workflow with powerful AI assistance, a stepping stone toward the goal of triage autonomy in the future. It is important that we, as security infrastructure providers, do not put the cart before the horse. As I said, AI is an incredibly powerful tool, but we cannot simply expect it to replace a professional security analyst without the proper infrastructure. The AI needs to be able to see all of the relevant data, active and passive threat intelligence, feedback, and network knowledge, and most of all, it needs oversight and accountability.
My experience in cybersecurity comes from working in Security Operations Centers for managed service providers, or MSPs. These MSPs are responsible for providing security triage and response for alerts coming from multiple enterprise customer environments, where our teams are expected to be experts on a plethora of different tools, adapt to and familiarize ourselves with multiple environments, and understand at a glance what normal activity looks like in any given network. Every customer that comes to an MSP usually brings its own security tools, detection rule sets, expectations, and policies, all of which every analyst in the SOC is expected to know and understand. While many tools allow for multi-tenancy, the ability to add multiple data sources to a single tool while keeping that data segregated, no tool brings all of the different tools a SOC may be using together in a way that is easy to read and reduces the cognitive load on analysts.
It was when I became a technical lead, directly responsible for reviewing the accuracy and quality of the work performed by the analysts on my team, that I really started to understand how serious the issue of data silos had become. Every member of our team was industry-certified, and we had spent a great deal of time training our analysts on all of the different tools, yet inaccuracies and inconsistencies were present in almost half of the write-ups I reviewed. I wanted to know why this was still an issue, so I started researching: I compared write-ups on security events from every analyst, and compared work performed on alerts from every tool we used. From that investigation, I noticed that the quality of write-ups varied significantly from analyst to analyst based on the individual's understanding of the tool they were working with. That seems almost obvious once said out loud, but it is a complex problem to solve as a leader in a technical environment. SOC teams are heavily constrained by response time requirements and alert volume, which makes it difficult to set aside time for in-depth individual training.
I doubt there is a single security analyst or engineer alive who would be surprised by this revelation. It is almost like saying the reason there is traffic on the highway is all the cars. It made me wonder, though: why hasn't this problem been addressed effectively? There is no shortage of companies creating software for the cybersecurity space, and almost all of these security tools have robust APIs that are not being used effectively.
Before anyone jumps into the comments to say that there are plenty of tools that already integrate with those APIs: I know, and I have worked with a few of them, such as Swimlane, Datadog, and Kibana. None of those tools took the integration to the level I wished for.
That's when I decided to stop wishing for a better tool and start building the tool I wish I had had all this time. I had a small amount of experience in the fundamentals of web development from a web development boot camp at General Assembly, and a subscription to ChatGPT. So I started experimenting. When I came across something at work that took too long, or something I found unintuitive, I would note it, and after I clocked out I would work with AI to engineer a practical and simple solution.
At the time, I was not sure how far I would end up taking things. I started very small, creating a simple OSINT (open source intelligence) tool, because visiting multiple web pages to cross-reference the reputation of every public IP, file hash, or domain was an obvious inefficiency. I thought about what this tool needed to provide to be better than what already existed, and thought critically not only about the information we as analysts need, but also about how the formatting of that data is just as important as the data itself. I needed the data presented in a way that fits as much of it as possible into a single frame, because we take screenshots of our evidence and research to corroborate our analysis. By using AI to write code, I overcame my inexperience as a developer and designed a tool rooted in a deep understanding of exactly how it would be used. When I finished, I was really happy with the results, but it led me to keep pushing. What else could I do? I really wished I could use AI for specific questions, but due to data privacy and protection requirements, AI tools like ChatGPT were not authorized for use. So I decided to create an offline, secure AI chat tool that SOC teams could use without risking the exposure of network or customer information. And since I had already created the OSINT platform, I could integrate the AI with it, so the AI could give direct contextual awareness of IP or file hash reputations from a raw log passed to it. That worked well too, which encouraged me to keep pushing for creative solutions to existing problems.
After repeating this process of identifying pain points and engineering solutions for over a year, I ended up creating what I believe to be a transformative tool for the cybersecurity industry: Triad Secure. With this tool, SOC analysts will be able to perform the majority of, if not all of, their workflow operations from a single tool. Triad Secure became a next-generation Extended Detection and Response (XDR) platform, where all of the heavy lifting of tracking down scattered data from multiple tools is performed automatically by a proprietary backend workflow dubbed "OneSoc". All of the available data related to a given alert is automatically queried from every data source a tenant or customer may have, and presented to the analyst and the AI in a single environment reconstructed from the ground up with data from every connected tool.
Let's walk through an example scenario. Imagine a Fortune 500 client, "Customer A", using multiple security tools: a SIEM (Splunk), an EDR solution (CrowdStrike), vulnerability scanners, firewalls, and cloud security. When Splunk generates an alert, it provides only basic information: the rule that triggered, source and destination IPs, user details, and a bit of context. From there, an analyst must run additional queries in Splunk's query language (SPL) to dig deeper. If the logs in Splunk don't paint a complete picture, the analyst pivots to CrowdStrike's EDR to investigate host-level activity, process trees, and other forensic details, which requires a different query language (FQL). Meanwhile, the analyst may also need to check various OSINT sources for IP reputation or other indicators of compromise, juggling multiple browser tabs, user interfaces, and syntaxes. All of this happens under strict time constraints. Faced with so many steps and so little time, analysts sometimes have to make quick judgment calls on whether to dig further or move on, which can result in inaccurate conclusions or overlooked threats.
Now, let's see how Triad Secure streamlines that same investigation. When Splunk flags an alert, Triad Secure ingests it via the Splunk API. During processing, Triad Secure's OneSoc backend automatically checks the rule that fired, identifies the affected internal asset, and queries every connected data source behind the scenes, with no manual pivots needed. Once complete, the analyst sees a unified alert page displaying event graphs, logs, process trees, vulnerability reports, and related cloud activity. Triad Secure's built-in AI can provide a comprehensive summary of the alert, outline remediation steps, map relevant data to the MITRE ATT&CK framework, and even assess the potential severity with remarkable speed and accuracy.
In addition, Triad Secure retains manual search capabilities: if the analyst wants to conduct deeper research, they can type a plain-language query (similar to a Google search) and let Triad Secure's AI generate the tool-specific queries in the background. Our platform automatically normalizes fields from each source, then returns a consolidated view of all relevant data, complete with AI-driven summaries for each log entry. This moves the analyst from "data gatherer" to "expert reviewer", applying human insight to validate the AI's analysis and add nuanced context. By offering both automated correlation and intuitive manual querying, Triad Secure ensures that no stone goes unturned, while dramatically reducing the time and effort needed in a traditional SOC workflow.
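The OneSoc-style enrichment described in the three paragraphs above, as an added example that is not Triad Secure's code: a constructed Splunk alert and CrowdStrike-like EDR events are renamed into one common schema, the related EDR events are pulled in by pivoting on the alert's host and destination (the pivot the analyst would otherwise run by hand), and only addresses outside the tenant's internal ranges are sent for reputation lookup. Every field name, sample record and reputation verdict here is constructed for the illustration; real Splunk and CrowdStrike field names depend on the data model and event type.

```python
import ipaddress

# Constructed sample data standing in for Splunk, CrowdStrike and OSINT API responses.
SPLUNK_ALERT = {"search_name": "Outbound to rare destination", "src": "10.0.5.21",
                "dest": "203.0.113.45", "user": "jdoe", "host": "WS-0421"}
EDR_EVENTS = [
    {"ComputerName": "WS-0421", "UserName": "jdoe", "LocalAddressIP4": "10.0.5.21",
     "RemoteAddressIP4": "203.0.113.45", "ImageFileName": "powershell.exe",
     "SHA256HashData": "deadbeef" * 8},                       # constructed hash
    {"ComputerName": "WS-0099", "UserName": "svc_backup", "LocalAddressIP4": "10.0.7.3",
     "RemoteAddressIP4": "198.51.100.7", "ImageFileName": "backup.exe"},
]
REPUTATION = {"203.0.113.45": "malicious", "deadbeef" * 8: "suspicious"}

# Per-source field maps into one common schema (hypothetical names; real field
# names depend on the Splunk data model and the EDR event type).
FIELD_MAPS = {
    "splunk": {"src": "src_ip", "dest": "dst_ip", "user": "user",
               "search_name": "rule", "host": "host"},
    "edr": {"LocalAddressIP4": "src_ip", "RemoteAddressIP4": "dst_ip",
            "UserName": "user", "ImageFileName": "process",
            "SHA256HashData": "sha256", "ComputerName": "host"},
}
# Tenant-internal ranges: addresses in these nets get no OSINT lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def normalize(source, record):
    """Rename a source's native fields into the common schema; unmapped fields are dropped."""
    fmap = FIELD_MAPS[source]
    out = {fmap[k]: v for k, v in record.items() if k in fmap}
    out["_source"] = source
    return out

def external_ips(record):
    """IPs in the record that lie outside the tenant's internal ranges."""
    ips = {ipaddress.ip_address(record[k]) for k in ("src_ip", "dst_ip") if k in record}
    return {str(ip) for ip in ips if not any(ip in net for net in INTERNAL_NETS)}

def enrich(alert, edr_events, reputation):
    """Consolidated view: normalized alert, EDR events on the same host and
    destination (the pivot an analyst would run by hand), and OSINT verdicts."""
    base = normalize("splunk", alert)
    related = [e for e in (normalize("edr", ev) for ev in edr_events)
               if e.get("host") == base.get("host") and e.get("dst_ip") == base.get("dst_ip")]
    indicators = external_ips(base).union(*(external_ips(e) for e in related))
    indicators |= {e["sha256"] for e in related if "sha256" in e}
    return {"alert": base, "related_events": related,
            "reputation": {i: reputation.get(i, "unknown") for i in sorted(indicators)}}
```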
If you asked a United States general what makes the American military the most effective fighting force on the planet, the response would likely have something to do with superior situational awareness. The F-35 Lightning II would not win a dogfight with an F-22, but the F-35 is the superior fighter because its network of sensors and computers constantly provides its pilot with more data. While Triad Secure is certainly not a two-trillion-dollar government fighter jet project, its goal is the same: to use data and situational awareness to defeat adversaries. As more features were built into Triad Secure, a solution emerged for one of the biggest issues in the cybersecurity realm: how to effectively use threat intelligence reports at a tactical level.
Triad Secure's built-in threat intelligence platform starts with ingestion of cyber news articles on breaches, vulnerabilities, threat actor movements, and more, combined with live connections to critical vulnerability and exploit report sources. Our AI reviews and summarizes these articles, reports, and documents to keep an on-hand repository of current threat intelligence, and automatically generates scheduled TLP White reports on this information for dissemination. This threat intelligence is automatically correlated against environmental vulnerabilities identified by connected scanners like Nessus or Tenable, and the AI uses that correlation to generate relevant, concise threat hunting queries, tuning or rule creation suggestions, and insights within alerts, automatically and with deeper visibility than was possible before. Not only does this free up time for SOC personnel who used to curate threat intelligence manually, it also allows live activity to be contextualized directly against new and emerging threats by the AI. This in itself is a groundbreaking step forward in making threat intelligence more practical and valuable, and it is only one small part of how Triad Secure aims to change SOC operations.
Because Triad Secure serves as the orchestration and interface layer, rather than trying to replace existing products, it gains immediate advantages when those vendor tools improve. Whenever a SIEM or EDR updates its features or AI models, Triad Secure simply absorbs those capabilities via API, automatically passing the benefits on to analysts through a single, integrated console. This means customers never need to jump between siloed dashboards, nor do they have to learn new query languages or processes every time a vendor iterates.
In effect, Triad Secure "owns" the human relationship with the entire security stack. Teams log into our platform for daily workflows (e.g., alert triage, case management, investigative queries), and we abstract away the complexity of multiple tools behind a cohesive interface. As each underlying solution evolves, Triad Secure continues to consolidate and contextualize all relevant data in one place, reducing friction, confusion, and training overhead. Ultimately, this approach future-proofs your security posture by ensuring that you can integrate new technologies and enhanced capabilities without overhauling your workflows.
No one can see exactly what the future holds, and not every security tool or organization will adopt new technology at the same pace. Triad Secure is positioned as a platform that accommodates whatever the future may hold. While not every tool will have built-in AI features, Triad can bridge that gap as a value addition to existing infrastructure. For the tools that do implement AI detection capabilities and improvements to how security events are identified, Triad is a downstream beneficiary of those improvements as well. It is possible that in the near future AI will progress to the point where a human analyst does not need to review every event or alert. Triad Secure will be there as the platform to facilitate that too.
Triad Secure is not just another security tool; it is a reimagining of today and a platform for the future. If you share this vision of more integrated, context-rich, and eventually autonomous security operations, I invite you to connect, collaborate, or invest in Triad Secure.
Tomorrow we will say: "Cybersecurity WAS hard."