A report released today by Swimlane found that enterprise adoption of AI and automation in security operations is well underway, with 87% of organizations having deployed both technologies and continuing to invest in them.
The issue teams face now is not adoption, but strategy. The agentic AI security automation platform maker found that 92% of the 500 IT and cybersecurity executives surveyed said automation has met or exceeded expectations, and 78% said AI is delivering greater financial returns than automation.
However, only 32% in the report, The Perception Gap: Why AI and Automation in Security Operations Aren’t Delivering What Leaders Think, said they apply AI and automation to different tasks, which is causing workflow bottlenecks across 91% of organizations.
It’s a gap that needs closing, according to Swimlane executives.
It’s this type of gap between tool adoption and use that Command Zero is looking to address. The startup, which offers an automation and AI-powered security operations center (SOC) platform, today introduced a set of API endpoints and a Model Context Protocol (MCP) server that are designed to change how security teams can run their investigation and remediation efforts.
'A Fundamental Architectural Shift'
“SOCs consist of dozens of separate tools and need seamless connectivity to overcome complexity,” company executives wrote in a blog post, noting that teams now can wire Command Zero’s platform directly into their SOAR operations, internal tools, and orchestration efforts. “This represents a fundamental architectural shift: investigation is no longer just a destination analysts must visit, but a callable capability embedded natively within existing automated workflows.”
According to Alfred Huger, Command Zero’s co-founder and chief product officer, the API lets SOAR platforms, case management systems, ticketing tools, and similar functions open an investigation, retrieve the results and reasoning path, and feed all of that back into their workflows.
“The local MCP server exposes the same investigation capability to AI agents, Claude, customer-built agents, or third-party agents, so they can request a full Command Zero investigation as a callable capability rather than rebuilding investigative reasoning themselves,” Huger told MSSP Alert.
Automating Investigations
Historically, investigations have been a part of SOCs, but are often difficult to automate and integrate. There are multiple security functions, but the reasoning that connected alerts to decisions “lived in analysts’ heads,” he said.
“We're making that reasoning callable,” Huger said. “For organizations, it means existing investments in Tines, XSOAR, Sentinel, or homegrown tooling can trigger and consume Command Zero investigations natively. For agent builders, it means they don't need to reimplement cross-domain investigative reasoning to build something useful.”
Addressing Scale, Differentiation for MSSPs
For MSSPs, the APIs and MCP server address what he called two “structural problems”: scale and differentiation.
In terms of scaling, MSSP analysts may deal with dozens of client tenants with different tools, making manual investigations difficult to scale. Through the API, an MSSP can connect Command Zero investigations into their case management or ticketing systems and have investigations run automatically by tenant or alert type, followed by the delivery of the investigation’s verdict.
“The analyst reviews completed work instead of starting from a raw alert,” he said.
Pointing to differentiation, Huger said MSSPs compete on the quality of analysis, not just coverage hours.
“An MSSP using the MCP server can build their own agents and workflows on top of Command Zero custom triage logic, vertical-specific investigation patterns, and branded reporting without rebuilding the underlying investigation engine,” he said. “It turns Command Zero into a capability they can wrap and resell, rather than another tool they're forced to surface to customers.”
He added that “the API lets MSSPs scale investigation capacity without scaling headcount, and the MCP server lets them build differentiated services on top of investigation as a primitive.”
API Endpoints Cover Different Jobs
The API endpoints cover investigations, letting teams start, extend, update, and retrieve them, with related SIEM alerts automatically consolidated into single cases, and business context, pulling identity and asset data from ServiceNow and other systems to make investigations context-aware.
They also address remediation as well as catalog and schemas to align external systems with the platform’s native data model. The MCP server “serves as a wrapper around the APIs that lets Claude and other MCP-compatible agents interact with Command Zero directly,” they wrote in the blog post.
Gaining Leverage
The new capabilities address what Huger called a problem of asymmetry: attackers’ breakout times are shrinking rapidly and, with AI, bad actors can run dozens of intrusions at the same time.
“Defensive investigation has stayed human-paced, typically 90-plus minutes per case before response begins,” he said.
The gap gets closed through automation, taking the mechanical work off the analysts’ shoulders and, with the API and MCP server, initiating investigations programmatically the moment an alert fires, with the human working with a completed investigation to make decisions.
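The pattern the article describes, an investigation engine exposed through an API and then wrapped as an MCP tool surface so a workflow or agent can open a case the moment an alert fires, is sketched below as an added example. It is not Command Zero’s code or API: the service, tool names, input schemas, alert fields, and the toy verdict logic are all assumptions constructed for illustration, and the alerts and asset context are made-up sample data. It shows the two behaviours the text singles out, consolidation of related SIEM alerts into one case and enrichment with business context, and returns the verdict together with the reasoning path an analyst would review instead of starting from the raw alert.

```python
"""Hypothetical sketch of "investigation as a callable capability": an
investigation service behind an API, wrapped in an MCP-style tool surface.
Added example, not Command Zero's code or API; all names are assumed."""
import json
from dataclasses import dataclass, field

# Constructed SIEM alerts. The first two share a host, so the service should
# fold them into one case rather than open two investigations.
SAMPLE_ALERTS = [
    {"id": "a-1", "rule": "suspicious_powershell", "host": "ws-0142", "user": "jdoe"},
    {"id": "a-2", "rule": "new_admin_account", "host": "ws-0142", "user": "jdoe"},
    {"id": "a-3", "rule": "failed_logins_burst", "host": "srv-db-01", "user": "svc-backup"},
]

# Constructed business context standing in for a CMDB / identity source.
ASSET_CONTEXT = {
    "ws-0142": {"owner": "jdoe", "criticality": "high", "role": "finance workstation"},
    "srv-db-01": {"owner": "dba-team", "criticality": "medium", "role": "database"},
}


@dataclass
class Investigation:
    case_id: str
    host: str
    alerts: list = field(default_factory=list)
    context: dict = field(default_factory=dict)
    reasoning: list = field(default_factory=list)  # auditable steps for the analyst
    verdict: str = "open"


class InvestigationService:
    """In-memory stand-in for the engine the API would front (hypothetical)."""

    def __init__(self):
        self._by_host = {}
        self._by_id = {}

    def start(self, alert):
        """Open an investigation, or extend the open case for the same host."""
        case = self._by_host.get(alert["host"])
        if case is None:
            case = Investigation(case_id=f"case-{len(self._by_id) + 1:04d}",
                                 host=alert["host"],
                                 context=ASSET_CONTEXT.get(alert["host"], {}))
            self._by_host[alert["host"]] = case
            self._by_id[case.case_id] = case
            case.reasoning.append(f"opened case for host {alert['host']}")
        else:
            case.reasoning.append(f"consolidated alert {alert['id']} into {case.case_id}")
        case.alerts.append(alert)
        self._evaluate(case)
        return case

    def get(self, case_id):
        return self._by_id.get(case_id)

    def _evaluate(self, case):
        """Toy verdict logic: several distinct detections on a critical asset escalate."""
        rules = {a["rule"] for a in case.alerts}
        criticality = case.context.get("criticality", "unknown")
        case.reasoning.append(f"{len(rules)} distinct detection(s); asset criticality={criticality}")
        case.verdict = "escalate" if criticality == "high" and len(rules) >= 2 else "monitor"


# MCP-style tool descriptors an agent would see from tools/list (hypothetical names).
MCP_TOOLS = [
    {"name": "start_investigation",
     "description": "Open or extend an investigation from a SIEM alert.",
     "inputSchema": {"type": "object", "properties": {"alert": {"type": "object"}},
                     "required": ["alert"]}},
    {"name": "get_investigation",
     "description": "Retrieve a case's verdict and reasoning path.",
     "inputSchema": {"type": "object", "properties": {"case_id": {"type": "string"}},
                     "required": ["case_id"]}},
]


def handle_tool_call(service, name, arguments):
    """Dispatch an MCP tools/call request; returns a JSON-serialisable result."""
    if name == "start_investigation":
        case = service.start(arguments["alert"])
    elif name == "get_investigation":
        case = service.get(arguments["case_id"])
        if case is None:
            return {"isError": True, "content": [{"type": "text", "text": "unknown case"}]}
    else:
        return {"isError": True, "content": [{"type": "text", "text": f"unknown tool {name}"}]}
    summary = {"case_id": case.case_id, "verdict": case.verdict,
               "alerts": [a["id"] for a in case.alerts], "reasoning": case.reasoning}
    return {"content": [{"type": "text", "text": json.dumps(summary)}]}


def run_sample():
    """Fire each constructed alert through the tool surface as it arrives."""
    service = InvestigationService()
    results = [handle_tool_call(service, "start_investigation", {"alert": a}) for a in SAMPLE_ALERTS]
    return [json.loads(r["content"][0]["text"]) for r in results]


if __name__ == "__main__":
    for summary in run_sample():
        print(json.dumps(summary, indent=2))
```

Running it shows the second alert landing in the first case and flipping its verdict to escalate, while the third opens a separate case; the reasoning list is what the workflow or agent hands back to the analyst alongside the verdict.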
“That's the point of leverage,” Huger said. “We're not trying to outrun the attacker on every keystroke; we're collapsing the time between alert and informed decision.”