Cyberattack activity has grown to the point where even the largest security analyst teams can no longer measure the accuracy and quality of their investigations without some form of automation. For some organizations, agentic artificial intelligence models that triage alerts, score severity, and work alongside security operations center (SOC) analysts could be a viable option.
Global roadway operator Transurban is among the early adopters of virtual agents to address the common issue of SOC operators facing a growing volume of threats that have become more sophisticated. Muhammad Ali Paracha, Transurban’s head of cyber defense, discussed how his team implemented agentic AI models as part of the Transforming the Future of Cyber Defense with Agentic AI presentation at the Black Hat Middle East conference in Riyadh, Saudi Arabia, this week. Paracha explained the challenges he faced, the technology implemented, plans moving forward, and how AI improved efficiencies in the organization’s security governance process.
Paracha tells Dark Reading that alert volumes had become so overwhelming that Transurban’s SOC analysts were triaging only 8% of the tickets generated. Senior analysts would enter data into Excel spreadsheets at the end of the month and find that the information in some tickets was inaccurate, “so they sent them back to the analysts, but tickets were closed by that time,” Paracha says.
Hiring more security analysts wasn’t feasible because of the expense and difficulty of recruiting and retaining them. Consequently, at the beginning of this year, Paracha’s security and development team developed and trained an agentic AI system based on large language models (LLMs) in which automated agents assist with handling security tickets. The developers trained two agents to perform quality checks on tickets, improving the real-time accuracy of every security event record.
After evaluating various LLM options, Transurban decided to use Anthropic’s Claude. Paracha says Transurban chose Claude because it integrated well with its Splunk SIEM, its ServiceNow ticketing system, and Amazon Bedrock, the managed AWS service that hosts foundation models such as Claude.
The agentic AI system was designed in-house to traverse every incident and resolution node, ensuring incidents are handled within their respective playbooks. It consists of two agents: one that categorizes incidents and one that verifies the resolution notes before a ticket is closed. The first agent reviews the fields of each incident ticket and checks that they are categorized correctly, while the second reviews the resolution notes before the incident can be closed, Paracha explains. Neither agent closes tickets; instead, the system sends a summary back to the human security analyst to address the issues it flagged. The agent then verifies that the problem has been rectified before the incident is closed.
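The control flow described above, as an added example that is not Transurban’s code: two checking agents, a human analyst who receives the findings, and a guardrail that gives the agents no write path to the "closed" state. The playbook taxonomy, severity scale, required note elements, and the keyword judge that stands in for the LLM call are all assumptions made so the block runs offline.

```python
"""Two-agent ticket QA loop with a human in the loop.

Added example, not Transurban's code. The LLM judge is replaced by a
deterministic keyword check so the block runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed playbook taxonomy and severity scale (assumptions for this example).
PLAYBOOK_CATEGORIES = {"phishing", "malware", "credential_misuse", "policy_violation"}
SEVERITIES = {"low", "medium", "high", "critical"}
# What a resolution note must state before a ticket may close (assumption).
REQUIRED_NOTE_ELEMENTS = ("root cause", "action taken", "verified")

# The agents may only move tickets into these states. "closed" is deliberately
# absent, so a wrong or prompt-injected model output cannot close a ticket.
AGENT_ALLOWED_STATES = {"needs_analyst", "verified"}


@dataclass
class Ticket:
    id: str
    category: str
    severity: str
    resolution_notes: str
    state: str = "open"
    agent_findings: list[str] = field(default_factory=list)


def categorization_agent(t: Ticket) -> list[str]:
    """Agent 1: every field must hold a playbook value."""
    findings = []
    if t.category not in PLAYBOOK_CATEGORIES:
        findings.append(f"category '{t.category}' is not a playbook category")
    if t.severity not in SEVERITIES:
        findings.append(f"severity '{t.severity}' is not on the severity scale")
    return findings


def keyword_judge(notes: str) -> list[str]:
    """Stand-in for the LLM call: list required elements missing from the notes."""
    lowered = notes.lower()
    return [f"resolution notes do not state '{e}'"
            for e in REQUIRED_NOTE_ELEMENTS if e not in lowered]


def resolution_agent(t: Ticket, judge: Callable[[str], list[str]] = keyword_judge) -> list[str]:
    """Agent 2: review the resolution notes before the ticket can close."""
    if not t.resolution_notes.strip():
        return ["resolution notes are empty"]
    return judge(t.resolution_notes)


def agent_transition(t: Ticket, new_state: str) -> None:
    """Guardrail: the agents' only write path to ticket state."""
    if new_state not in AGENT_ALLOWED_STATES:
        raise PermissionError(f"agent may not move ticket {t.id} to '{new_state}'")
    t.state = new_state


def run_qa(t: Ticket, judge: Callable[[str], list[str]] = keyword_judge) -> str:
    """Run both agents; send the ticket back to the analyst or mark it verified."""
    t.agent_findings = categorization_agent(t) + resolution_agent(t, judge)
    agent_transition(t, "needs_analyst" if t.agent_findings else "verified")
    return t.state


def human_close(t: Ticket) -> None:
    """Only a human closes a ticket, and only after the agents have verified it."""
    if t.state != "verified":
        raise ValueError(f"ticket {t.id} is '{t.state}', not verified")
    t.state = "closed"


if __name__ == "__main__":
    # Constructed ticket: off-playbook category, notes missing the verification step.
    ticket = Ticket("INC-1", "phish", "high",
                    "Root cause: credential phish. Action taken: password reset.")
    print(run_qa(ticket), ticket.agent_findings)
    # The analyst fixes the category and completes the notes; QA runs again.
    ticket.category = "phishing"
    ticket.resolution_notes += " Verified: no further logins from the attacker IP."
    print(run_qa(ticket))
    human_close(ticket)
    print(ticket.state)
```

Swapping `keyword_judge` for a real model call keeps the guardrail intact: whatever the model returns is only ever a list of findings, and the state change it can trigger is still limited to `AGENT_ALLOWED_STATES`.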
Paracha says the agents, which were extensively tested before deployment, cover 100% of incidents while maintaining a false-positive rate below 3%. Since the system went live in September, alert triage times have fallen by 60%, with an accuracy rate of 92%.
Adhering to service-level agreements and cyber response playbooks is essential at Transurban, which operates 22 toll roads in its home country of Australia as well as some in the United States and Canada. Cyber resilience is vital because the technology Transurban has deployed on the roadways it manages can affect traffic flow.
“Human safety is the most critical factor for us,” Paracha says.
Paracha says his team has only scratched the surface of what agentic AI can do to shorten mean time to detect (MTTD) and mean time to respond (MTTR) across the entire process. Transurban is adding external threat intelligence and building solutions that will integrate with other systems through a Model Context Protocol (MCP) server, the integration protocol introduced by Anthropic.

The next phase will be to automate triage, then add automated response, “so if we have to contain any impacted systems or networks, we can rely on agentic AI to make intelligent decisions and contain the systems as well,” Paracha says.
Paracha says that while these capabilities are relatively new, he believes they will quickly gain traction, a view that aligns with Omdia’s Cybersecurity Decision Maker Survey 2025. According to Omdia’s forecast, autonomous SOCs could reach their full potential and become standard for CISOs within two years.
“Agentic AI is a rapidly maturing technology that SecOps teams are embracing as SOCs quickly become laboratories for advanced AI implementation,” noted Andrew Braunberg. “This adoption is revolutionizing operations more dramatically than any innovation since next-gen SIEM platforms emerged.”