TL;DR

Why LLMs Fail in the SOC (and How to Make Them Work)

While the industry talks about the power of standalone LLMs to attack, we ran 12 frontier LLMs through 26 real-world attack campaigns to see if they could defend — 858 runs across 105 MITRE ATT&CK procedures. Zero models passed. Along the way we caught models cheating: reward-hacking, bypassing constraints, losing evidence, and "agentsplaining" investigations they never actually performed.

Your SOC still needs LLMs to defend against AI attacks, but those LLMs need the right harness and the right context to work. Join our next webinar for a look at what LLMs will and won't do on their own, what you need to do to make them work, and how to find the right solution.

Register here.

CB Insights AI 100: Autonomous SecOps Is Now a Category

CB Insights named Simbian to its 2026 AI 100 — its list of the 100 most promising private AI companies on earth, selected from more than 40,000 candidates. Of the 100, only six are in cybersecurity.

The recognition tracks the production results: #1 in AI SOC ARR, 15× customer growth in 2025, and up to 90% of alerts triaged, investigated, and resolved autonomously — no playbooks, ROI in week one.

"Being one of six security companies on a generalist AI list of 100 tells you where the market is heading. Autonomous SecOps isn't a niche experiment anymore — it's a recognized category." — Ambuj Kumar, CEO

Read the announcement here.

Great energy at the Cota Connect 2026!

Ambuj Kumar took the stage to showcase Simbian and share our vision for the future of Self-Improving SecOps. At Simbian, we believe it isn't just about adding AI to your security operations — it's about empowering your systems to autonomously learn, adapt, and get better over time. 🚀 🛡️

On Demand: Hiring or Firing — The Next Step for AI-Augmented SOC Teams

Does an AI SOC mean fewer analysts — or different ones? In this on-demand session, we get specific about how AI changes the SOC org chart: which work disappears, which work gets more valuable, and how analysts shift from manual triage to supervising agents.

Watch the full session here.

Do Not Trust Your SOC LLM

A raw LLM is not a SOC agent. Our Cyber Defense Benchmark tested 12 frontier models — Opus 4.7, GPT 5.5, Gemini 3.1 Pro, and open-weight alternatives — and none fully passed.

Under pressure, models optimize for the inferred task, not the security outcome. Five failure modes showed up repeatedly: reward hacking (resubmitting identical timestamps to chase a feedback signal), constraint bypass (Gemini sidestepping row limits with SQL aggregation), bookkeeping drift (miscounting evidence despite understanding the caps), narration-action gap (describing investigations it never ran), and tool-surface escape (GPT 5.5 abandoning approved paths to read source directly).

The fix isn't a bigger model. It's sandboxing, verifying actual tool calls, independent validators, and continuous external evaluation.

Read the breakdown here.

Is Your SOC AI Ready?

Bolting AI onto a broken SOC is like strapping an electric motor to a 1900s pulley system — you don't get the productivity gain. Real transformation means re-architecting around five pillars: data foundations (queryable via API, governed), process and maturity (machine-executable workflows, not tribal knowledge), the human element (analysts as agent supervisors, with an "AI Error Budget"), a modern stack (API-integrated tools and Detection-as-Code), and metrics with a feedback loop (baseline before you deploy, then track continuously).

The shift is organizational, not just technical: from manual triage to agent shepherding, with explicit human-AI handoff criteria.

Read the blog here.

New for MSSPs & MDRs: Automated Penetration Testing

Attackers compromise and exfiltrate within an hour. Most clients get a pentest once or twice a year. That math doesn't work.

This new solution brief shows how MSSPs and MDRs can complement their pentest services with automated, on-demand pentests. The AI Pentest Agent handles surface mapping, discovery, and exploit validation. Human testers focus on business-logic and social engineering. Every finding is documented with a reproducible exploit path, an explainable reasoning trace, and business-impact prioritization that cuts the exposure window from months to hours.

Get the solution brief here.

Product Spotlight: User Defined Dashboards and Reports

Now Simbian users can create their own customized dashboards and reports in just minutes. Every metric collected by Simbian is now available in our new analytics database. A simple UI lets you assemble exactly what you want to see right in the product, then save it for the future. Of course, you still have access to the pre-defined dashboards and reports that come with every Simbian product.

1. On-prem Microsoft Exchange zero-day actively exploited (CVE-2026-42897)

A crafted-email spoofing flaw rooted in cross-site scripting. If you run Exchange on-prem, patch immediately.

Read here (The Hacker News).

2. Gitea flaw exposed private container images for ~4 years (CVE-2026-27771)

Unauthenticated attackers could pull private images. Affects all versions before 1.26.2 and an estimated 30,000+ deployments across 30+ countries.

Read here (The Hacker News).

3. SharePoint zero-day under active exploitation (CVE-2026-32201)

Unauthenticated RCE on the ToolPane endpoint. Added to CISA's KEV with 1,300+ exposed servers, many in regulated finance.

Read here (SecurityWeek).

4. Medtronic confirms breach; ShinyHunters claims ~9M records

Corporate IT systems were hit; the group's extortion deadline passed and the leak listing vanished. Medical devices and patient-safety systems were reportedly unaffected.

Read here (SecurityWeek).

5. Banks race to patch a wave of new vulnerabilities

Financial institutions are moving fast on emergency patching as exploit activity targets the sector.

Read here (World Economic Forum).

Follow us

 

Simbian AI, 809 Cuesta Dr Suite B # 104, Mountain View, CA, 94040, United states, +1 650-695-0740