Security teams are dealing with relentless alert volumes, tighter response expectations, and environments that keep getting more complex. Sumo Logic’s latest expansion of Dojo AI is focused on reducing that friction by embedding agentic AI directly into the security workflows analysts already use, rather than layering on another tool.
The update adds three core components to Dojo AI: a SOC Analyst Agent, a Knowledge Agent, and a Model Context Protocol (MCP) server. Together, they are designed to speed investigations, improve decision quality, and give teams a clearer path from alert to action.
Why These Agents Are Different
The AI-for-SOC space has become crowded, but Sumo Logic is pointing to where its agents sit in the stack as the real differentiator. Instead of operating on exported data or limited alerts, Dojo AI works natively inside the Sumo Logic platform.
Chas Clawson, vice president of Security Strategy at Sumo Logic, told MSSP Alert, “Most AI-for-the-SOC tools bolt onto someone else’s data. Dojo AI is different because it’s built inside the Sumo Logic platform, so agents operate directly on Insight-level context, correlated signals, and the schemas analysts already use.”
That placement matters. Because the agents work on the same data, correlations, and schemas that analysts already trust, their summaries and guidance follow how investigations actually unfold. Clawson said this reduces handoffs and lets analysts pivot inside the investigation rather than switching to another interface; the result, he added, is a tighter loop between context, analytics, and automation.
Moving Beyond First-Generation Copilots
Sumo Logic says this release reflects a reset after early GenAI copilots that focused more on answers than outcomes. The company rebuilt Dojo AI on an agentic foundation, with MCP and AWS AgentCore playing a central role.
“We started with a true agentic foundation and wrapped it around one conversational experience called Mobot,” Clawson said. By abstracting agents away from customer environments, Sumo Logic can introduce new capabilities without creating deployment or maintenance headaches for users.
That foundation enables focused agents to take on specific tasks. The SOC Analyst Agent, now in beta, assists throughout the investigation lifecycle, from early triage to understanding blast radius and recommending next steps. The Knowledge Agent complements that work by pulling institutional knowledge such as playbooks, runbooks, and detection guidance directly into the case, removing the need for analysts to search across systems.
Faster Investigations, Measured in SOC Metrics
The clearest gains show up in alert handling, where time pressure is highest. Clawson said customers are seeing a sharp reduction in manual effort. “What used to take about 60 minutes per alert can compress to minutes when Insight-level summaries, targeted queries, and natural-language orchestration remove manual stitching,” he said.
Importantly, these improvements are measured using metrics SOC teams already care about, including time-to-triage, time-to-closure, and case completeness. Sumo Logic has also built transparency into the system so analysts can see how conclusions are reached.
“The SOC Analyst Agent shows the queries it generates and the data it used,” Clawson said. That visibility lets teams validate results, refine detections, and keep control, which is critical for long-term trust in AI-assisted investigations.
Governed Model Integration at Scale
As SOCs experiment with external models and multi-agent setups, governance quickly becomes a concern. Sumo Logic built Dojo AI on Amazon Bedrock, using guardrails and governed retrieval to set clear safety boundaries. The MCP layer adds control and auditability across agents and tools.
“For multi-agent environments, AgentCore Gateway helps unify access behind a single policy surface,” Clawson said, simplifying identity management and permissions as systems scale. The company emphasizes that this approach avoids training on customer data while still allowing teams to benefit from evolving AI models.
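The two properties the quotes above lean on, a single policy surface that decides which agent may invoke which tool, and a record of every query an agent ran and how much data it read, can be shown concretely. The following is an added example written for this article; it is not Sumo Logic's code, not the Sumo Logic MCP server, and not AgentCore Gateway. The agent names, tool names and the sample events are constructed for illustration.

```python
"""Illustrative MCP-style tool gateway: deny-by-default per-agent policy
plus an audit record of every call (allowed or not) and the rows it read.
Added example, not Sumo Logic or MCP reference code; all names are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Constructed sample events standing in for correlated Insight data.
SAMPLE_EVENTS = [
    {"host": "web-01", "user": "svc_backup", "event": "ssh_login", "src": "10.0.5.7"},
    {"host": "web-01", "user": "svc_backup", "event": "sudo", "cmd": "tar -czf /tmp/x.tgz /etc"},
    {"host": "db-02", "user": "alice", "event": "ssh_login", "src": "10.0.9.3"},
]


@dataclass
class AuditRecord:
    agent: str
    tool: str
    args: dict            # the exact query parameters the agent generated
    allowed: bool
    reason: str
    rows_read: int = 0    # how much data the agent actually saw


@dataclass
class ToolGateway:
    # policy maps an agent identity to the tools it may call; anything absent is denied
    policy: dict[str, set[str]]
    tools: dict[str, Callable[..., Any]] = field(default_factory=dict)
    audit: list[AuditRecord] = field(default_factory=list)

    def register(self, name: str, fn: Callable[..., Any]) -> None:
        self.tools[name] = fn

    def call(self, agent: str, tool: str, **args: Any) -> Any:
        """Single chokepoint: policy check, then execution, then audit."""
        if agent not in self.policy:
            self.audit.append(AuditRecord(agent, tool, args, False, "unknown agent identity"))
            raise PermissionError(f"{agent}: unknown agent identity")
        if tool not in self.tools:
            self.audit.append(AuditRecord(agent, tool, args, False, "unknown tool"))
            raise PermissionError(f"{tool}: unknown tool")
        if tool not in self.policy[agent]:
            self.audit.append(AuditRecord(agent, tool, args, False, "not in agent policy"))
            raise PermissionError(f"{agent} may not call {tool}")
        result = self.tools[tool](**args)
        rows = len(result) if isinstance(result, list) else 0
        self.audit.append(AuditRecord(agent, tool, args, True, "policy match", rows))
        return result


# Two hypothetical tools: a read-only query and a privileged case action.
def run_query(host: str, event: Optional[str] = None) -> list[dict]:
    return [e for e in SAMPLE_EVENTS
            if e["host"] == host and (event is None or e["event"] == event)]


def close_case(case_id: str) -> str:
    return f"case {case_id} closed"


def build_gateway() -> ToolGateway:
    # Assumed identities: the SOC agent and a partner-supplied agent get read-only
    # query access; only the human analyst identity may close a case.
    gw = ToolGateway(policy={
        "soc_analyst_agent": {"run_query"},
        "partner_agent": {"run_query"},
        "human_analyst": {"run_query", "close_case"},
    })
    gw.register("run_query", run_query)
    gw.register("close_case", close_case)
    return gw


def demo() -> list[AuditRecord]:
    """Runs one allowed call and two denied calls; returns the audit trail."""
    gw = build_gateway()
    gw.call("soc_analyst_agent", "run_query", host="web-01")
    for agent, tool, args in [
        ("soc_analyst_agent", "close_case", {"case_id": "INC-1"}),  # outside policy
        ("rogue_agent", "run_query", {"host": "db-02"}),           # unregistered identity
    ]:
        try:
            gw.call(agent, tool, **args)
        except PermissionError:
            pass  # denial is expected; the audit entry is the point
    return gw.audit


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The audit list is what lets a reviewer answer "which query did the agent run, and what did it read?" after the fact; the policy dictionary is the single surface where a new partner agent is granted or refused tools, rather than each tool deciding for itself.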
For MSSPs supporting multiple customers and environments, Dojo AI is aimed at consistency and scale. Clawson pointed to faster Tier-1 triage, standardized investigation narratives, and the ability for partners to bring their own agents into the workflow through the Sumo Logic MCP server.
Because all of this runs on Sumo Logic’s analytics backbone, each new agent adds value across the platform rather than creating another isolated capability. For service providers trying to balance speed, accuracy, and trust, that compounding effect is becoming increasingly important.