Expel launches AI framework for security operations
Thu, 7th May 2026
Expel has published a framework for applying artificial intelligence across security operations, aimed at security operations centre teams.
Called Trust vs. Impact, the framework sets out when AI should automate tasks, when it should support human analysts and when people should remain in control. Expel also released an interactive tool that lets practitioners map their own workflows against the model.
The move comes as security teams face pressure to manage growing alert volumes while attackers use AI to speed up their operations. Expel said the framework draws on experience from its Ruxie AI and automation engine, which has been used in production for a decade across trillions of alerts.
The framework
The model scores each workflow on two measures: impact, meaning what is at stake if the AI gets a task wrong, and trust, meaning how confident the team is that the system handles that task correctly. Plotting the two together sorts workflows into three zones: tasks suited to autonomous AI, tasks where AI assists a human analyst, and tasks where humans must lead the decision.
The approach reflects a wider question facing cyber security providers and in-house security teams: where AI can reduce repetitive work without increasing operational risk. Rather than treating AI as a blanket solution, the framework is intended to give practitioners a way to decide which parts of the threat lifecycle are suitable for automation.
That lifecycle runs from alert generation and triage through investigation and resolution. In practice, many teams still spend significant time on early-stage work such as log review, identity alert handling and documenting incident outcomes for customers or internal stakeholders.
Recent tools
Alongside the framework, Expel highlighted several AI features added to Ruxie over the past year. These include agentic detection rule generation, AI-powered identity alert triage, AI-generated summaries, transparent disposition logic and improved descriptions for detections.
The detection rule generation tool is designed to identify gaps in security coverage and create draft detections for human review. The identity alert triage feature uses machine learning to categorise identity alerts. Expel said the classifier operates at a 99.7% confidence level and reduces identity alert volume by about 10% by automatically filtering out the alerts it judges benign with high confidence, leaving the rest for analysts.
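The two ideas above, routing work by trust and impact (described under "The framework") and auto-closing only high-confidence benign identity alerts, can be expressed as one small triage policy. The following is an added illustration, not Expel's or Ruxie's code: the 99.7% figure comes from the article, but the second "assisted" threshold, the impact tiers, the routing rules and the alert records are all assumptions constructed for the example. It shows the trade-off a team has to measure before raising the autonomous share: lowering the trust threshold closes more alerts, but the same evaluation also counts how many truly malicious alerts the policy would have closed unseen.

```python
from dataclasses import dataclass
from typing import Dict, List

# Trust thresholds. 0.997 is the confidence level the article quotes for
# Expel's identity triage; the assisted tier and impact rules are assumptions.
AUTONOMOUS_TRUST = 0.997   # at or above this, AI may close the alert on its own
ASSISTED_TRUST = 0.90      # at or above this, AI pre-sorts and a human confirms


@dataclass(frozen=True)
class Alert:
    alert_id: str
    p_benign: float        # model's probability that the alert is benign
    high_impact: bool      # e.g. privileged identity or production admin account
    truly_benign: bool     # ground truth, known only because this set is constructed


def route(alert: Alert,
          autonomous_trust: float = AUTONOMOUS_TRUST,
          assisted_trust: float = ASSISTED_TRUST) -> str:
    """Trust vs. Impact routing (assumed rules for illustration).

    High-impact alerts are never closed autonomously regardless of model
    confidence, because the cost of a wrong auto-close is too high.
    """
    if alert.high_impact:
        return "human-led"
    if alert.p_benign >= autonomous_trust:
        return "autonomous"
    if alert.p_benign >= assisted_trust:
        return "human-assisted"
    return "human-led"


def evaluate(alerts: List[Alert],
             autonomous_trust: float = AUTONOMOUS_TRUST,
             assisted_trust: float = ASSISTED_TRUST) -> Dict[str, float]:
    """Apply the policy and report volume reduction and the cost of errors."""
    counts = {"autonomous": 0, "human-assisted": 0, "human-led": 0}
    wrongly_closed = 0  # malicious alerts the AI closed without a human seeing them
    for alert in alerts:
        zone = route(alert, autonomous_trust, assisted_trust)
        counts[zone] += 1
        if zone == "autonomous" and not alert.truly_benign:
            wrongly_closed += 1
    return {
        **counts,
        "volume_reduction": counts["autonomous"] / len(alerts),
        "wrongly_auto_closed": wrongly_closed,
    }


# Constructed sample alerts (not real telemetry).
ALERTS = [
    Alert("a01", 0.999, False, True),
    Alert("a02", 0.998, False, True),
    Alert("a03", 0.999, True, True),    # high impact: human-led despite confidence
    Alert("a04", 0.950, False, True),
    Alert("a05", 0.920, False, False),  # assisted tier catches a real incident
    Alert("a06", 0.400, False, False),
    Alert("a07", 0.100, True, False),
    Alert("a08", 0.600, False, True),
    Alert("a09", 0.998, False, False),  # confident but wrong: the impact of an error
    Alert("a10", 0.850, False, True),
]

if __name__ == "__main__":
    for threshold in (AUTONOMOUS_TRUST, 0.95):
        print(f"autonomous threshold {threshold}: {evaluate(ALERTS, threshold)}")
```

Running the block with the default threshold closes 3 of the 10 alerts autonomously but also closes one malicious alert (`a09`); dropping the threshold to 0.95 raises the closed share to 4 of 10 at the same error count. The point of the evaluation is that the volume-reduction number on its own says nothing about impact; a team should track the `wrongly_auto_closed` count on labelled data before moving a workflow into the autonomous zone.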
The summarisation and explanation tools address another persistent issue in cyber security operations: the volume of technical data analysts and customers must interpret quickly. According to Expel, these functions generate plain-language context for alert details, investigative actions and alert resolutions, including those judged benign.
Improved detection descriptions are intended to explain complex logic in more accessible language. That could matter for customers trying to understand what protections are active in their environment and why a particular event was handled in a given way.
Operational pressure
Managed detection and response providers have increasingly added AI features as customers look for ways to handle more alerts without matching increases in staffing. At the same time, buyers have grown more cautious about opaque models that automate decisions without clear explanations.
Expel's framework is aimed at that tension. It puts explainability and task selection at the centre of deployment decisions, rather than treating automation as an end in itself.
Justin Bajko, Chief Strategy Officer at Expel, said the company sees low-value manual work as an area where AI should now play a larger role. "Previously, manual actions like log review and alert triage were essentially dead. AI can and should handle that noise now so analysts can focus on the incidents that matter and deploy accurate defense at AI speed," he said.
He added that the system is intended to support both automation and human decision-making. "Ruxie not only handles those actions, but arms human analysts with AI capabilities that cut through the noise and speed decisive response actions. Our AI investments speed up decisive responses, shifting timelines from minutes to seconds so customers stay ahead of attackers," Bajko said.
Expel also cited customer feedback from Visa on the effect of AI-assisted triage in daily operations. "Expel's platform has significantly streamlined our security operations. Expel's AI-driven triage system effectively prioritizes alerts, allowing our analysts to focus on the most critical issues. This has greatly improved our overall operational efficiency," said Ragesh Menon, Senior Director of Security Architecture at Visa.
The framework, interactive workflow tool and latest Ruxie functions are available now.