Every investigation starts with a simple question: What happened?
But if you’ve ever worked in a SOC, you know it’s never that simple. You’re staring at a wall of alerts, logs pile up and you’re pulling threat intelligence from multiple sources, all while the SLA clock is ticking.
The challenge isn’t a lack of information, it’s making sense of it fast enough. Analysts are under constant pressure to connect the dots and determine why something happened but that takes time, and time is exactly what SOC teams don’t have.
That’s why we introduced Massi, the newest member of our SOC team. who behaves like an experienced analyst: bringing together alerts, logs, and threat intelligence, digging into the “why,” and delivers clear, explainable answers
In this blog, we’ll explore how we built Massi and how it’s changing the way SOC teams approach investigations in a world where every second counts.
It Started with Context
When we introduced Inovaguard’s Incident Automation, our goal was to make the first stage of the investigation process effortless for SOC teams.We focused on eliminating the repetitive, manual work that slows analysts down, gathering contextual data, correlating threat intelligence, and triaging endless alerts.
The result was a system that automatically delivered analysts a complete, enriched view of every alert before they even began their investigation. (You can read more about how we built it here).
But enrichment and triage, while critical, are only half the battle. Even with every piece of context at their fingertips, analysts still face the hardest part of the process, understanding what actually happened. They have to connect dozens of signals, reason through data, and interpret threat activity to determine whether an incident is benign, suspicious, or truly malicious. all under intense time pressure.
It’s a cognitive task that demands time, expertise, and context awareness, something that automation alone couldn’t fully solve.
That realization led to our next step: Building Massi
From Context to Insights
While Inovaguard’s Incident Automation gave analysts all the context they needed, Massi takes that foundation and transforms it into actionable insight.
Massi is an AI investigation agent that was designed to behave like an experienced security analyst. Powered by Octodet specialized language model (Kindi) fine-tuned on cyber security data and investigative workflows.
Think of Massi as the newest member of our SOC team, a teammate that helps analysts in their daily work, handles the heavy lifting of incident analysis, and gives them more time to focus on what really matters: making the right security decisions.
Massi doesn’t just automate tasks, it collaborates. It analyzes context, reasons through incidents, and communicates findings the way an analyst would. Whether it’s piecing together scattered clues or explaining why an event matters, Massi works side by side with our SOC team to accelerate investigations, helping reduce the mean time to investigate (MTTI) and, in turn, reduce the mean time to respond (MTTR) while maintaining clarity and consistency.
The following is an illustration of how Massi accelerates investigations and saves time for SOC teams.
Learn more about the language model that powers Massi in our deep dive blog here ( link to Why Octodet built a Security-Specialized Language Model blog).
Analysts are under constant pressure to make sense of alerts and logs in minutes. Massi tackles that challenge by reviewing evidence, connecting signals, and prioritizing findings, almost like a seasoned security analyst. The agent investigates across multiple signals, indicators, and threat intelligence data to uncover the full picture behind an incident.
It provides detailed, explainable findings that answer the core investigative questions, presenting the investigation clearly:
Massi is fully transparent in its reasoning. Every investigation includes a traceable explanation that clearly links evidence, logic, and classification, so analysts can verify the findings and trust the outcome.
What makes Massi truly powerful is that it doesn't replace human analyst judgment but amplifies it .
Massi works alongside analysts, not instead of them, analysts can review, validate, and build on the agent’s findings , their feedback feeds directly into the reasoning process, prompting the agent to reinvestigate and refine its conclusions for greater accuracy and depth, combining model speed with human expertise for stronger, more confident investigations.
Here’s how it all comes together: Inovaguard’s Incident Automation sets the stage by collecting and enriching alerts, then Massi steps in, reasons through the data, and works with analysts to complete the investigation. The diagram below shows the full process in action.
By combining automation from Inovaguard’s incident automation with the reasoning capabilities of Massi, we’re closing the gap between data enrichment and analytical insight. SOC teams can move from enriched alerts to fully reasoned investigations seamlessly, intelligently, and at scale.
What’s next
This is just the beginning. Our vision is to create a collaborative SOC environment where AI Agents and analysts work side by side, sharing context, validating results, and continuously improving investigation outcomes. By combining AI reasoning with human expertise, we aim to build on these capabilities to further accelerate threat identification and ensure more accurate, timely responses to security incidents
