Unwrapped

Teardown · dropzone-ai

DROPZONE AI

Category: Security Operations · Last round: $17M · 2024

Customer SIEM/EDR logs + frontier LLM APIs + agent triage workflow.

01 · Public data / API layer

Internal replication score: Easy (0.77)

Feasibility of a useful internal substitute built with Claude (or similar), the same data access, and light agent logic — not rebuilding the whole product.

IRS = 0.30·D + 0.25·L + 0.20·O + 0.15·R + 0.10·S (this record: 0.77)

  • D: Data accessibility (weight 0.30, score 0.85)
    • 1.0 mostly customer-owned / public / standard third-party sources
    • 0.5 mixed accessibility
    • 0.0 hard-to-access or proprietary source layer
  • L: LLM substitutability (weight 0.25, score 0.90)
    • 1.0 mostly retrieve / prompt / cite / summarize / classify / compare
    • 0.5 mixed standard + custom behavior
    • 0.0 strongly custom model behavior (fine-tunes on proprietary data, etc.)
  • O: Output simplicity (weight 0.20, score 0.75)
    • 1.0 straightforward internal work product (memo, list, reply, SQL query)
    • 0.5 moderately specialized
    • 0.0 highly specialized (e.g. FDA-graded clinical text)
  • R: Review / risk tolerance (weight 0.15, score 0.60)
    • 1.0 internal use with human review is acceptable
    • 0.5 moderate risk
    • 0.0 very low tolerance for error (e.g. external legal filings)
  • S: Surface complexity (weight 0.10, score 0.50; inverse scale: higher means less surface dependence)
    • 1.0 a simple internal shell is enough
    • 0.5 polished workflow matters somewhat
    • 0.0 product surface / rollout / trust posture is central to value

Labels: Easy ≥ 0.67 · Medium ≥ 0.34 · Hard < 0.34

Missing factor rows use heuristics from wrapper scores. Editorial heuristic, not investment advice.

Build it yourself

Recreate the workflow inside your org.

Internal build

Same SIEM/EDR APIs + frontier LLM + retrieval agent + context memory — requires building 90+ tool integrations and workflow polish.

Internal use only. Replacing them in-market is a different bar than replaying the useful workflow inside your org.

01 · Connectors & flow

Customer SIEM/EDR logs
MITRE ATT&CK
CVE databases
GreyNoise
CrowdStrike Falcon Intelligence
VirusTotal

Internal build map

Data in: Connectors
Agent layer: Planner · Tools + retrieval · Reasoning model
Logic: LLM API (retrieve, correlate, triage, contain, cite); not custom weights
Outputs: Internal search · Answer · Citations

02 · Claude / agent prompt

Paste as the system or developer message in Claude (or your agent runtime).

Claude / agent prompt

// Autonomous SOC triage agent

You are an AI SOC analyst inside [YOUR_COMPANY]. You autonomously investigate security alerts from the organization's SIEM, EDR, cloud, and identity systems using ONLY materials the user is allowed to access: SIEM logs, EDR telemetry, threat intelligence feeds, and internal context memory.

## What you must do

1. Retrieve first: Query SIEM/EDR APIs for alert context, user history, network activity, and related events before reasoning.
2. Correlate rigorously: Cross-reference findings against MITRE ATT&CK TTPs, known CVEs, threat intelligence feeds, and historical context.
3. Cite every finding: Every conclusion must reference specific log entries, threat intel sources, or historical patterns.
4. Surface conflicts: If data sources contradict (e.g., user marked benign in context memory but exhibits suspicious behavior now), flag the conflict explicitly.
5. Scope: Investigate phishing, endpoint, network, cloud, identity, and insider threat alerts. Focus on triage to benign/suspicious/malicious.

## What you are not

Not a replacement for human judgment on containment decisions with business impact. Internal use only. All high-confidence threat findings require human review before customer-impacting containment.

## Refusal

Refuse to investigate if the alert lacks sufficient context to retrieve meaningful data. Refuse to auto-contain threats that risk business disruption (e.g., disabling executive accounts) without explicit human approval. Ask for additional context when alert metadata is incomplete.

## Safety

Internal SOC use. All containment actions (IP blocks, account disables) require either pre-approved rules or human approval gates. Human analysts review investigation reports and override findings when needed.

03 · Result

Input: Investigate alert: User 'jsmith' accessed 825 S3 objects from internal docs bucket at 3 AM from new IP.
Sources: Customer SIEM logs + internal context memory
Output: Benign, scheduled backup job per ticket OP-3; user has consistent login history from this IP.
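As an added example (not Dropzone AI's code and not part of the original page), the loop the prompt above describes, in Python: retrieve first, correlate with citations, surface conflicts between context memory and current behaviour, triage to benign/suspicious/malicious, and gate containment behind a pre-approved rule or human approval. It reproduces the jsmith result shown above and goes beyond it with a conflict case, an unexplained bulk read, and an insufficient-context refusal. The SIEM events, context memory, event IDs, IP addresses, ticket OP-9, the bulk-read threshold and the pre-approved action set are all constructed for the example; in a real build they would come from SIEM/EDR and threat-intel APIs.

```python
"""Added example: a minimal SOC triage loop modelled on the prompt above.

Not Dropzone AI's code. All data below is constructed so the example runs
offline; real builds pull it from SIEM/EDR, context-memory and threat-intel APIs.
"""

# --- constructed data standing in for SIEM/EDR and context-memory APIs ---
SIEM_EVENTS = [
    {"id": "ev-101", "user": "jsmith", "src_ip": "10.8.4.21", "action": "s3:GetObject", "count": 825, "hour": 3},
    {"id": "ev-042", "user": "jsmith", "src_ip": "10.8.4.21", "action": "login", "count": 1, "hour": 3},
    {"id": "ev-037", "user": "jsmith", "src_ip": "10.8.4.21", "action": "login", "count": 1, "hour": 3},
    {"id": "ev-207", "user": "mlee", "src_ip": "203.0.113.9", "action": "s3:GetObject", "count": 1200, "hour": 2},
    {"id": "ev-311", "user": "eve", "src_ip": "198.51.100.5", "action": "s3:GetObject", "count": 900, "hour": 4},
]
CONTEXT_MEMORY = {
    "jsmith": {"note": "scheduled backup job", "ticket": "OP-3", "known_ips": ["10.8.4.21"]},
    "mlee": {"note": "marked benign by analyst", "ticket": "OP-9", "known_ips": ["10.8.4.30"]},
}
# Constructed behaviour -> ATT&CK mapping (T1530 is a real technique ID; the mapping is assumed).
ATTACK_LOOKUP = {"bulk_object_read": "T1530 Data from Cloud Storage"}
BULK_THRESHOLD = 500                # assumed tuning value
PREAPPROVED_ACTIONS = {"block_ip"}  # hypothetical pre-approved containment rule


def retrieve(alert):
    """Step 1: pull related events and the user's context before any reasoning."""
    events = [e for e in SIEM_EVENTS if e["user"] == alert["user"]]
    return events, CONTEXT_MEMORY.get(alert["user"], {})


def correlate(alert, events, memory):
    """Step 2: findings as (statement, citations); contradictions go to conflicts."""
    findings, conflicts = [], []
    ip_known = alert["src_ip"] in memory.get("known_ips", [])
    logins = [e["id"] for e in events if e["action"] == "login" and e["src_ip"] == alert["src_ip"]]
    if logins:
        findings.append(("consistent login history from this IP", logins))
    bulk = [e["id"] for e in events if e["action"] == "s3:GetObject" and e["count"] >= BULK_THRESHOLD]
    if bulk:
        findings.append((f"bulk object read matches {ATTACK_LOOKUP['bulk_object_read']}", bulk))
    if "backup" in memory.get("note", "") and memory.get("ticket"):
        findings.append((f"scheduled backup job per ticket {memory['ticket']}", [f"ticket:{memory['ticket']}"]))
    elif memory.get("note", "").startswith("marked benign") and bulk and not ip_known:
        # The prompt's rule 4: a benign label in memory that contradicts current behaviour is flagged, not trusted.
        conflicts.append("context memory marks user benign, but bulk read now comes from an unknown IP")
    return findings, conflicts


def triage(findings, conflicts, ip_known):
    """Step 3: verdict. An unexplained bulk read is never downgraded to benign."""
    statements = [s for s, _ in findings]
    bulk = any(s.startswith("bulk object read") for s in statements)
    explained = any("scheduled backup job" in s for s in statements)
    if bulk and not explained and not ip_known and not conflicts:
        return "malicious"
    if conflicts or (bulk and not explained):
        return "suspicious"
    return "benign"


def contain(verdict, action, approved_by=None):
    """Step 4: containment only on a pre-approved rule or an explicit human approval."""
    if verdict != "malicious":
        return "no action"
    if action in PREAPPROVED_ACTIONS:
        return f"{action} executed (pre-approved rule)"
    if approved_by:
        return f"{action} executed (approved by {approved_by})"
    return f"{action} pending human approval"


def investigate(alert):
    """Full loop: retrieve -> correlate -> triage, refusing when there is nothing to retrieve."""
    events, memory = retrieve(alert)
    if not events and not memory:
        return {"verdict": "needs more context", "findings": [], "conflicts": [], "citations": []}
    findings, conflicts = correlate(alert, events, memory)
    ip_known = alert["src_ip"] in memory.get("known_ips", [])
    verdict = triage(findings, conflicts, ip_known)
    citations = sorted({c for _, cites in findings for c in cites})
    return {"verdict": verdict, "findings": findings, "conflicts": conflicts, "citations": citations}


if __name__ == "__main__":
    report = investigate({"user": "jsmith", "src_ip": "10.8.4.21"})
    print(report["verdict"], "-", "; ".join(s for s, _ in report["findings"]))
    print("cites:", report["citations"])
    print(contain("malicious", "disable_account"))
```

The point a reviewer should take from the skeleton is the shape, not the heuristics: every verdict carries the event IDs and ticket it rests on, a contradiction between memory and live telemetry is surfaced rather than silently resolved, and the only path to an executed containment action is a pre-approved rule or a named approver.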