Command Zero is betting big on AI-native defense compressing response time

Cybersecurity has long been defined and dogged by the same problem. Defenders have to get it right every time. Attackers, once. AI has made that asymmetry more marked.
Attacks from AI-enabled adversaries increased by 89% from 2024 to 2025, according to CrowdStrike’s 2026 Global Threat Report, and the fastest observed breakout time — the speed at which an attacker moves from initial access to another system — was 27 seconds.
But Alfred Huger, CPO and cofounder of AI-native cyber investigation platform Command Zero, thinks that this asymmetry might now be shifting in defenders’ favor.
“AI is finally giving us the opportunity to get in front of a problem that we’ve always traditionally been well underneath,” he says.
“[AI] presents an opportunity to at least level the playing field. And that’s not a truth that I’ve had in the last 30 years of building products.”
The agentic security operations center (SOC) space is crowded in 2026, with Microsoft, Google, CrowdStrike, IBM, and a long tail of startups talking about autonomy, alert correlation, and mean time to respond (MTTR) compression. But what will it really take for that asymmetry to bend, and is it happening now?
On the attacker’s clock
An asymmetry also exists within defense. There is a difference between what a Tier 1 analyst can do with a set of alerts and what a Tier 2 or Tier 3 analyst can do with exactly the same data.
“The outcome is almost entirely dependent on the skill set of the person who’s in front of the problem, and that’s one of the things that AI helps level out for everybody,” says Huger.
In a typical breach investigation at a well-resourced organization, he says, it takes “anywhere from 90 minutes to four and a half hours to actually define whether you’re looking at an incident.” Command Zero compresses that to roughly seven minutes.
Set that against the average breakout time for an attacker in 2025: 29 minutes, a 65% increase in speed from 2024. AI enables defenders to respond on the attacker’s timescales, or better, whether they’ve been on the job for 10 days or 10 years.
Most of this time is taken up not with incident response, but with figuring out what went wrong.
“It’s time lost scrambling…extracting the right data from the right places, finding out where to get it, who owns it, how to access it, and then trying to tie all of these disparate things together into one coherent narrative. When you’re dealing with 30 spreadsheets and a variety of data, that’s word of mouth, a Slack channel, et cetera.”
In other words, not work that humans really want to do. And it only really pays off when a senior analyst is doing it, because they have the experience and hard-won instinct to know where to dig and what to look for. Agents can now do all of that grunt work, while the human moves up the stack to judgment.
Encoded experience is the moat
That doesn’t mean Agents replace decades of expert investigative knowledge; rather, Agents are used to encode and scale it. And that, Huger believes, is the new moat.
“The barrier to entry for everything is both narrowed, and it’s very shallow. So the question is, how do you become successful when code is not the barrier?”
He thinks the answer is the business-specific context that makes an Agent useful in a specific environment. APIs and data integration, he argues, are the easy part.
Most data sources have APIs, they’re fairly well structured, and they’re easy to integrate with. The hard part is the institutional knowledge that turns telemetry into investigation — who owns the asset, why it matters, who the VIPs are, what normal looks like for this VIP user, and what the Agent should expect.
“We spend a lot of time codifying that knowledge and then marrying it against the business context of where we’re deploying,” says Huger. “And when you couple that up with experience from somebody who’s been through thousands of real breaches, you end up with an Agent that’s highly capable.”
“Nothing beats the hard-earned experience of an incident responder or somebody who has lived in these problems.”
Doing more with more
That’s why Huger doesn’t agree with the common narrative that AI in the SOC will immediately replace entry-level analyst roles.
“I’ve yet to meet a CISO who intentionally wishes to trim their budget. This is a space that has far more problems than hands, and that’s not likely to change anytime soon…I don’t think that the best approach right now is to…assume that you can cut staff with it. You can — but I don’t know that that’s the wisest decision to make.”
He frames it in terms of capacity rather than efficiency. Most Command Zero customers, he says, use the speed gain to do more, such as investigating issues they had previously triaged away, running threat hunts they couldn’t staff, and getting ahead of problems instead of always being on the back foot.
“They can certainly do more with less, but in many cases, they can simply do more with more.”
Over-reliance on automation could erode the exact investigation skills SOC teams need over the next several years. The Agent that handles archaeology ultimately depends on humans who have the expertise and judgment to correct it, retrain it, and tell it what to look for next.
Entry-level security analysts will no doubt find parts of their roles changing because of AI, but most organizations will want to continue employing them, because they are the future higher-tier analysts who will orchestrate the Agents.
As Dov Yoran, CEO and cofounder of Command Zero, put it last year, “You’ll certainly still need those Tier 2 and 3 [analysts] that have the experience…Where are those going to come from, if you all of a sudden kill your Tier 1 footprint?”
The end of asymmetry?
This is probably not the end of the fundamental asymmetry of cybersecurity. But there does seem to be a way of bending it in the defenders’ favor, and not in the way that “agentic SOC” makes you think.
It is a future more human than a fully autonomous SOC. The tools and platforms that actually bend the asymmetry will win on the depth of the context and expertise they carry into a specific environment, and how much the AI uplevels everyone on the team, regardless of experience. And it will depend on organizations that use what they gain in speed to do more, rather than using it as a license to do the same with less.
If the agentic SOC is anything, it is the freedom to do more with more.
*Editor’s Note: Insight Partners has invested in Command Zero.








