
From Threat Intel to ‘VulnOps’: Why Level 1 SOC as We Know It Is Heading to Extinction

Traditional security operations, with CTI feeds piped into a SIEM, alerts routed into a ticket queue, and analysts triaging the resulting flood, is running out of road. A new operational model is emerging in its place, and it doesn’t look much like what most security teams currently have in place.

The conventional setup is familiar to anyone who has spent time inside a SOC (security operations center). Cyber threat intelligence (CTI) arrives through structured feeds, gets ingested into a SIEM, and surfaces as alerts that analysts work through in something resembling priority order. At the end of that chain sits a case management system where artifacts get logged, tickets get cut, and reports get generated.

It is largely a one-way pipeline, and for most teams it is barely keeping pace.

Jonathan Cran, founder of Mallory, a startup building what he describes as an intelligence-driven security operations platform, puts the problem plainly: the traditional model keeps information in silos that analysts have to mentally bridge on their own. Threat intel lives in one tool. Asset inventories live in another. Cloud configurations somewhere else. “The fundamental idea,” Cran says, “is to un-silo the information so that it can be brought into the context window for the agent to be able to operationalize it.”

The Emergence of VulnOps

Cran says customers have begun coining their own term for this operational shift: VulnOps, or vulnerability operations. It is a recognition that vulnerability management and threat intelligence can no longer be treated as separate disciplines handled by separate teams with separate tools. Modern attacks don’t respect those boundaries.


The practical architecture Mallory is building starts with continuous ingestion of roughly 3,000 sources spanning social feeds, ISAC (information sharing and analysis centers) data, vendor advisories, GitHub security disclosures, and structured government feeds to be analyzed, enriched, and mapped against a threat graph. But ingestion alone is table stakes. What separates VulnOps from conventional CTI is what happens next: automatic mapping of that global intelligence to the organization’s specific assets, pulling context from cloud environments, code repositories, and infrastructure-as-code configurations. When a new vulnerability surfaces, the system doesn’t produce a briefing document. It produces detections, routes tickets to the appropriate teams, and in some cases takes direct action, subject to whatever policy guardrails the organization has configured.

“When there’s a new vulnerability that affects an environment,” Cran explains, “one runs an investigation and either cuts a ticket or does the right thing; whatever the right thing is as defined in a skill file that the user has provided to the system.”

Threads, Not Cases

One of the more consequential changes in this model is how investigations are structured. In conventional case management, analysts feed information into a case: artifacts in, reports out. The analyst is the integration layer.

Mallory’s strategy is to replace the case with what Cran calls a thread. In those threads, each investigation is a collaborative exchange between the analyst and an agent working the same problem simultaneously. “Every investigation, every action, is a thread,” Cran says. “There’s an agent in there too. You’re able to collaborate with an agent in the form of a thread, and that’s how we really see agents plus humans being able to operationalize a lot of this information.”

The L1 Future

This is where the model carries its most significant workforce implications. The tasks that define Level 1 SOC work, such as alert triage, initial investigation, and ticket routing, are precisely the tasks this architecture automates.

The roles that remain, as well as the new ones that emerge, look different. What gets elevated is policy and guardrail design: defining what the system is authorized to do autonomously, and under what conditions it escalates to a human. Alongside that sits the work of supervising and tuning AI-driven routines, understanding when the system’s judgment is sound and when it needs correction. “Some roles are going to change or go away,” Cran acknowledges, “but you have teams of people who understand security context and these systems there to maintain the data.”
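As an added illustration of the mapping-plus-guardrails flow described above (this is not Mallory’s code, and the page does not specify its skill-file format), a constructed advisory is correlated against a constructed asset inventory, and a hypothetical policy decides per asset whether the system cuts a ticket on its own, opens an investigation, or escalates to a human:

```python
# Constructed asset inventory, standing in for context pulled from cloud/IaC.
ASSETS = [
    {"id": "web-prod-01", "product": "nginx", "version": "1.24.0", "exposed": True, "owner": "platform"},
    {"id": "build-runner-07", "product": "nginx", "version": "1.26.1", "exposed": False, "owner": "ci"},
    {"id": "db-prod-02", "product": "postgres", "version": "15.4", "exposed": False, "owner": "data"},
]

# Hypothetical "skill file": what the system may do without a human.
POLICY = {
    "auto_ticket_max_severity": "high",    # up to this severity: cut a ticket autonomously
    "escalate_if_exposed_and": "critical",  # this severity on an exposed asset: human decides
    "require_fix_for_ticket": True,         # no known fixed version: investigate, don't ticket
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def affected_assets(advisory, assets):
    """Map an advisory to assets by product; assume all versions hit if no fix is known."""
    fixed = version_tuple(advisory["fixed_in"]) if advisory.get("fixed_in") else None
    return [a for a in assets
            if a["product"] == advisory["product"]
            and (fixed is None or version_tuple(a["version"]) < fixed)]


def decide(advisory, asset, policy):
    """Return the action the policy authorizes for one affected asset."""
    sev = SEVERITY_RANK[advisory["severity"]]
    if asset["exposed"] and sev >= SEVERITY_RANK[policy["escalate_if_exposed_and"]]:
        return "escalate"      # high-impact and reachable: keep a human in the loop
    if policy["require_fix_for_ticket"] and not advisory.get("fixed_in"):
        return "investigate"   # nothing to ticket yet; open a thread instead
    if sev <= SEVERITY_RANK[policy["auto_ticket_max_severity"]]:
        return "ticket"        # within the autonomous envelope: route to the owning team
    return "escalate"


def route(advisory, assets=ASSETS, policy=POLICY):
    """Per affected asset: (action, owning team) the advisory should be routed to."""
    return {a["id"]: (decide(advisory, a, policy), a["owner"])
            for a in affected_assets(advisory, assets)}
```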

SOC in “Monitor Mode”

The end state Cran describes is a security operations function that has shifted away from perpetual fire drill. “SOC teams are working hand in hand with agents, handing off as much as they can to routines that are un-siloed across their environment and able to intelligently act,” he says. “The SOC goes into monitor mode to a degree.”

In that system, the CISO functions less as an incident commander and more as what Cran calls “a router and a trusted source of information,” translating between AI-enabled operational teams and business leaders, with security context as their primary value add in investigations and response.

Several components, particularly the asset correlation layer and user-customizable skill files, are still maturing. Cran is targeting Black Hat for a full demonstration of Mallory’s capabilities. The teams best positioned for this transition are those that start thinking now about which decisions belong to policy, which belong to supervised automation, and which still require a human in the loop. That’s because the pipeline that has defined security operations for the past two decades is being rebuilt around a fundamentally different set of primitives.
