Behind Vectra AI’s deliberate approach to building AI agents for cybersecurity
Many people talk about AI as if it were magic, but Sohrob Kazerounian, a distinguished AI researcher at Vectra AI, is down-to-earth about it because he’s building it every day. His team is developing a new generation of AI agents poised to take cybersecurity to levels beyond what humans can achieve alone.
In an era of increasingly sophisticated cyber threats, Vectra stands out by empowering organizations to detect and respond to advanced attacks in real time. At the core of Vectra’s innovation is attack signal intelligence, an AI-driven threat detection system that analyzes behaviors across hybrid cloud environments, networks and identities. Unlike traditional security solutions that rely on rules-based detection and laborious deep packet inspection, Vectra leverages AI to scrutinize encrypted and decrypted traffic metadata in a dynamic and holistic way.
Cybersecurity is a high-value domain for AI, but also a very demanding one. While success at individual tasks may seem impressive, Kazerounian points out that the difficulty compounds when agents are required to perform multiple actions in sequence. “Even if you have a 99% success rate at each step, as you take more and more steps, you have an exponential falloff to guaranteed failure,” he said. In high-stakes domains like cybersecurity, healthcare and law enforcement, that isn’t good enough.
To set the curve for reliable AI agents, Vectra is taking a multi-faceted approach to development and operation, which includes:
- A layered agent design;
- Adhering to the novel security paradigms of attack signal intelligence (ASI);
- Incorporating privileged access analytics (PAA);
- Committing to customer red-teaming;
- Carefully rolling out AI agents.
How Vectra approaches agent design
Vectra takes a layered approach to agent design, using programmed constraints and guardrails and giving agents access to a knowledge graph that encodes a powerful store of curated expertise. Knowledge graphs (KGs) are massive data structures that represent facts about objects, people, places and the rich inter-relations between them. KGs are used by data-intensive projects such as Google Search. Vectra’s KG ensures that each action taken by AI agents is backed by structured reasoning and validated against real-world data, similar to how human decisions are based on logic and experience.
Vectra’s AI agents are continuously learning and adapting to new threat patterns as they emerge. The system incorporates feedback loops from human analysts to refine its models, improving its ability to detect novel threats over time. This ensures that Vectra stays ahead of evolving attack vectors.
Competitors like Palo Alto Networks and Sophos also utilize continuous learning. Still, Vectra’s hybrid approach of integrating human insights with AI-driven learning provides a more dynamic defense.
Behind attack signal intelligence
Vectra’s attack signal intelligence (ASI) addresses a fundamental challenge in cybersecurity: Identifying actual threats amidst an overwhelming amount of data, alerts and false positives. Traditional security methods relying on signatures, rules and anomaly detection often generate excessive noise, leading to analyst fatigue and missed threats.
ASI focuses on attacker behaviors and tactics rather than just anomalies or known signatures, and follows three key principles:
- Think like an attacker: ASI uses behavior-based models to detect attacker tactics, techniques and procedures (TTPs), providing structured reasoning about how threats progress through the cybersecurity kill chain.
- Focus on malicious activities: By distinguishing malicious actions from benign ones, ASI minimizes alert noise, which is the bane of many security monitoring tools.
- Prioritize critical threats: ASI correlates detections across multiple domains — such as cloud, network and identity — to provide a unified view of prioritized threats.
Privileged access analytics is critical
Vectra AI recognizes that traditional zero-trust models — often reliant on one-time access decisions and predefined lists of privileged identities — can fall short, especially when attackers gain credentialed access or escalate privileges. To address this vulnerability, Vectra has introduced privileged access analytics (PAA) within its Cognito platform.
PAA continuously monitors the behaviors of user accounts, services and hosts after they’ve gained access, providing real-time assessments of their activities by scoring them for threat and certainty levels. This ongoing evaluation enables organizations to detect and respond to the malicious use of privileges as it happens, rather than relying solely on initial access controls.
By analyzing interactions across the network, PAA helps security teams identify unusual activities that may indicate compromised credentials or unauthorized privilege escalation. This continuous visibility offers a more dynamic and effective model that significantly evolves the zero trust paradigm in ways that are essential for the age of AI.
This has been transformative for Milos Pesic, a cybersecurity specialist who uses Vectra to monitor the activity of more than 7,000 employees of ED&F Holdings Ltd., which is distributed across 60 countries. “We can easily scrutinize the behaviors on each to see if they represent a significant risk to our organization,” he said. “This has significantly decreased our time to investigate from minutes to seconds.”
Commitment to red-teaming and adversarial testing
Vectra understands that robust cybersecurity isn’t just about deploying advanced technology — it’s critical to ensure that a system is operating well in reality as well as in theory. To that end, Vectra actively encourages its customers to conduct red teaming exercises to simulate cyber-attacks. By using Vectra’s AI-driven threat detection during these exercises, organizations can gain real-world insights into how their systems would hold up against genuine threats.
This proactive approach not only enhances the effectiveness of security measures but also fosters practical collaboration between AI tools and human expertise.
Phasing AI: A balanced approach
For customers looking to adopt AI agents into critical functions like security, a thoughtful, intentional approach is just as important as the technology itself.
Vectra is also taking a phased approach to rolling out its AI agents. Rather than replacing human security analysts, these agents are designed to collaborate. In the short term, Vectra’s AI will assist human teams by automating the detection of threats and handling repetitive tasks, while the human experts provide judgment, experience, strategic oversight and the contextual intelligence that models need to keep learning. This collaborative approach not only enhances the capacity of security operations but also preserves the critical role of human decision-making. It also allows for the long-term validation of AI agents so that they eventually can take over the ability to perform tasks on their own — although Kazerounian emphasized that Vectra is not planning this in the short term.
This phased adoption means that companies can integrate AI into their security operations gradually, allowing their teams to get comfortable with the new technology while ensuring that it adds value from day one.
Conclusion: Adopting AI with purpose
In an environment where many AI vendors promise rapid returns by automating jobs, Vectra’s deliberate, value-driven approach serves as a refreshing alternative. Their intentional, non-rushed approach allows businesses to adopt AI agents in a way that feels safe and effective. By starting small and using AI agents to assist human teams, companies can experience the benefits of AI without compromising on quality or control. Over time, as the agents prove their worth, the partnership between AI and human analysts will continue to deepen, driving innovation and improvement in cybersecurity outcomes.
Vectra is showing the industry that AI adoption doesn’t need to be rushed or forced. By taking a long-term, intentional approach, the company is building the cybersecurity agents of the future that will work alongside human experts to safeguard the digital world.