SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Modern soc security ops center ai alerts analyst monitors cinematic
#
Firewalls
#
SIEM
#
Network Security

Graylog unveils explainable AI tools for lean SecOps

Thu, 19th Mar 2026
Author image
By Mark Tarre, News Chief

Graylog has announced new explainable AI features and automated investigation workflows for small and mid-sized security teams, with demonstrations planned at the RSA Conference.

The updates span threat prioritisation, incident response and conversational AI for security operations. Graylog also previewed its Security Spring 2026 release, which adds risk-triggered automated investigations.

"Lean security teams don't have the luxury of analyst bench depth or months of automation tuning," said Andy Grolnick, CEO of Graylog. "Every capability we are showing at RSA is designed around the same principle: rapidly detect, decide, and document from one command center, so analysts spend time on real threats, not busy work."

Threat prioritisation

A central element of the update is a threat prioritisation engine that groups related alerts and ranks them using contextual signals. It uses inputs including entity context, asset criticality, vulnerability data and threat campaign intelligence. The aim is to surface higher-priority activity while reducing noise from lower-value alerts.

Security teams often manage large volumes of alerts across endpoint, identity, network and cloud systems, while many organisations have limited security operations centre staffing. In response, vendors have been adding automated triage and enrichment features to SIEM and related tools.

Incident response

Graylog also introduced a context-aware incident response feature designed to automate evidence collection and workflow orchestration. An AI summarisation function converts collected evidence into step-by-step response recommendations.

Graylog said the feature can reduce investigation time by up to 50 percent compared with manual methods, but did not provide details on the testing methodology or the environments used to calculate that figure.

MCP Server

Another addition is an MCP Server that connects compatible large language models to Graylog security data using the Model Context Protocol. It is intended to provide a conversational interface for investigations and reporting.

Examples include searching for assets with increased risk scores linked to open investigations, summarising MITRE ATT&CK techniques seen in failed logins over a set period, and creating an investigation from a set of alerts and assigning it to a security operations team.

Graylog said the MCP Server is available across its Open, Enterprise and Security versions at no additional cost. Query access is limited by licensed functionality and role-based access controls.

Agentic workflows

Graylog is also positioning the MCP Server as a foundation for agentic AI workflows. Customers can build agents using published tools for use cases such as triage, compliance reporting, false-positive analysis and event procedures.

For triage, Graylog described an agent that correlates alerts with data from identity providers, endpoint detection and response tools and other security products, and can trigger containment actions. For compliance, it described an agent that maps detection coverage to frameworks such as MITRE ATT&CK, PCI or NIST and generates a cross-tool compliance report.

Other examples included a false-positive analyser that reviews triggered events against historical patterns and provides tuning recommendations, and an event procedures agent that reads investigation evidence and generates response steps or passes them to a triage agent.

Graylog said agents built on its MCP Server operate within existing role-based access controls, and that analysts remain involved in decisions that require human judgement.

Spring release

The next Graylog Security release, previewed by the company, includes risk-triggered automated investigations. Graylog said the system will automatically open an investigation when an asset risk score exceeds a defined threshold.

It said each investigation will include supporting signals and AI-recommended next actions without requiring an analyst to initiate the process. Graylog also said the feature does not require a separate automation platform or additional licensing.

Graylog positioned the changes as a response to operational pressure on smaller teams, where time spent on documentation and repetitive triage can reduce capacity for higher-impact incidents. Explainability and auditability have also become more prominent concerns as organisations adopt AI-driven security tools.

On explainability, Graylog said investigations will be "explainable, auditable, and traceable from trigger to resolution". The company has not detailed how the product captures and presents evidence, decision steps and model outputs.

At RSA Conference, Graylog said it will demonstrate the threat prioritisation engine, context-aware incident response and the MCP Server. It will be at booth S-3118.

Related stories
CIQ launches Linux compliance platform ahead of deadlines
Emerson & OPSWAT strike global reseller deal for OT patching
IWF & Cyacomb launch workplace abuse material scans
Cork Cyber adds automated mapping to Vantage platform
How Atomgate uses education and partnership to drive successful SonicWall upgrades

Top stories

Team Cymru launches Total Insights Feeds for threat data
FIRST conference highlights AI & CVE disclosure push
Protegrity launches AI Team Edition for secure inferencing
OpenAI launches Trusted Access for Cyber with major names
Anthropic launches Claude Opus 4.7 with stronger coding