Sumo Logic's Doja AI adds three new pieces for faster, cleaner security ops
Sumo Logic announced major updates to its Doja AI platform for security operations. The release adds three components: a SOC Analyst Agent (beta), a Knowledge Agent, and a Model Context Protocol (MCP) server. The goal is simple: speed up investigations, reduce alert fatigue, and give teams a cleaner workflow.
What's new and why it matters for operations
- SOC Analyst Agent (beta): Uses AI reasoning to triage and investigate alerts, then returns a severity verdict with context. Expect faster first-pass triage, prioritized queues, and fewer handoffs. Keep human review in the loop until your false-positive rates are proven stable.
- Knowledge Agent: Natural-language answers for your analysts. It pulls from documentation, runbooks, and prior cases to speed onboarding and enable self-service. Think "what's the playbook for suspicious Okta logins?" and it returns the steps.
- MCP server: Lets you integrate customer-owned AI models and third-party systems inside Sumo Logic's secure framework. This "bring-your-own-model" capability gives you flexibility without bolting on another data silo. Learn more about MCP here: Model Context Protocol.
Impact you can measure
- MTTD/MTTR: Faster triage and enrichment shrink detection and response times.
- Analyst efficiency: Higher alert throughput per person, fewer idle waits for context.
- Onboarding time: New hires reach baseline productivity sooner with the Knowledge Agent.
- Flexibility: MCP reduces vendor lock-in by letting you plug in internal or third-party models.
How to roll this out without breaking your day
- Pilot narrow use cases: Start with phishing triage, EDR alert enrichment, or failed login anomalies.
- Set clear decision boundaries: Define what the SOC Analyst Agent can auto-close vs. what must be escalated.
- Instrument the workflow: Track MTTD, MTTR, false-positive rate, re-open rate, analyst-to-alert ratio, and time-to-onboard.
- Feed the Knowledge Agent: Centralize runbooks, SOPs, response checklists, and tool docs. Review and update weekly.
- Wire up essentials via MCP: Connect ticketing (ServiceNow/Jira), identity, EDR/XDR, and messaging. Test with non-critical paths first.
- Keep a human in the loop: Especially while the SOC Analyst Agent is in beta. Require analyst confirmation for closures.
Governance and guardrails
- Data handling: Confirm how data is stored, retained, and masked when using customer-owned models.
- Auditability: Ensure every AI action and verdict is logged with inputs, outputs, and the reasoning chain if available.
- Change control: Treat prompts, policies, and integration mappings like code with versioning and approvals.
- Quality checks: Run weekly spot checks on false positives/negatives and drift. Add rollback paths.
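One way to make the decision boundaries, audit trail and pilot metrics above concrete, as an added example that is not Sumo Logic's or Doja AI's code: a small Python policy that maps an agent verdict to escalate, analyst-confirm or auto-close, refuses to close an alert when a required enrichment integration returned nothing (the "integration is down" failure mode), keeps closures behind analyst confirmation while the agent is in beta, writes an audit record with a hash of the inputs, the outputs and the reasoning chain under a versioned policy, and computes false-positive and re-open rates for the pilot. The verdict shape, thresholds, integration names, policy label and sample alerts are all assumptions.

```python
"""Decision-boundary policy, audit record and pilot metrics for AI alert verdicts.

Added example, not Sumo Logic's or Doja AI's code. The verdict fields, thresholds,
use-case names, integration names and sample alerts are assumed/constructed.
"""
from dataclasses import dataclass
import hashlib
import json
import time

POLICY_VERSION = "pilot-v1"                        # assumed label; version policies like code
AUTO_CLOSE_USE_CASES = {"phishing_triage", "failed_login_anomaly"}  # assumed pilot scope
AUTO_CLOSE_MIN_CONFIDENCE = 0.95                   # assumed threshold
ESCALATE_SEVERITIES = {"high", "critical"}
REQUIRED_ENRICHMENT = {"identity", "edr"}          # assumed integrations a closure must rest on


@dataclass
class Verdict:
    """What the agent hands back for one alert (shape is assumed)."""
    alert_id: str
    use_case: str
    severity: str        # "low" | "medium" | "high" | "critical"
    confidence: float    # 0.0 .. 1.0
    reasoning: list      # ordered reasoning steps, if the agent exposes them
    enrichment: dict     # integration name -> data; empty dict when that integration was down
    raw_alert: dict      # the original alert as received


def decide(v: Verdict, beta_mode: bool = True) -> str:
    """Map a verdict to 'escalate', 'analyst_confirm' or 'auto_close'."""
    if v.severity in ESCALATE_SEVERITIES:
        return "escalate"
    present = {name for name, data in v.enrichment.items() if data}
    if REQUIRED_ENRICHMENT - present:
        # Degrade gracefully: never close on partial evidence when an integration is down.
        return "analyst_confirm"
    if (v.use_case in AUTO_CLOSE_USE_CASES and v.severity == "low"
            and v.confidence >= AUTO_CLOSE_MIN_CONFIDENCE and not beta_mode):
        return "auto_close"
    return "analyst_confirm"   # beta: every closure needs a human


def audit_record(v: Verdict, decision: str) -> dict:
    """Log entry with hashed inputs, outputs, reasoning chain and policy version."""
    raw = json.dumps(v.raw_alert, sort_keys=True).encode()
    return {
        "ts": time.time(),
        "alert_id": v.alert_id,
        "policy_version": POLICY_VERSION,
        "input_sha256": hashlib.sha256(raw).hexdigest(),
        "severity": v.severity,
        "confidence": v.confidence,
        "enrichment_sources": sorted(name for name, data in v.enrichment.items() if data),
        "reasoning": list(v.reasoning),
        "decision": decision,
    }


def pilot_metrics(records: list, outcomes: dict) -> dict:
    """False-positive rate of escalations and re-open rate of auto-closes.

    outcomes maps alert_id -> analyst's final label: 'benign', 'malicious' or 'reopened'.
    """
    escalated = [r for r in records if r["decision"] == "escalate"]
    closed = [r for r in records if r["decision"] == "auto_close"]
    fp = sum(1 for r in escalated if outcomes.get(r["alert_id"]) == "benign")
    reopened = sum(1 for r in closed if outcomes.get(r["alert_id"]) == "reopened")
    return {
        "escalated": len(escalated),
        "false_positive_rate": fp / len(escalated) if escalated else 0.0,
        "auto_closed": len(closed),
        "reopen_rate": reopened / len(closed) if closed else 0.0,
    }


# Constructed sample verdicts (not real alerts).
FULL = {"identity": {"mfa": True}, "edr": {"detections": 0}}
SAMPLE_VERDICTS = [
    Verdict("a-1", "phishing_triage", "low", 0.98, ["known newsletter sender"], FULL, {"n": 1}),
    Verdict("a-2", "failed_login_anomaly", "low", 0.97, ["travel pattern"],
            {"identity": {"mfa": True}, "edr": {}}, {"n": 2}),          # EDR integration down
    Verdict("a-3", "edr_alert", "critical", 0.90, ["credential dumping"], FULL, {"n": 3}),
    Verdict("a-4", "edr_alert", "high", 0.70, ["unsigned binary"], FULL, {"n": 4}),
]
SAMPLE_OUTCOMES = {"a-1": "reopened", "a-3": "malicious", "a-4": "benign"}


def run_pilot(beta_mode: bool = False) -> tuple:
    """Run the policy over the samples; return (audit records, metrics)."""
    records = [audit_record(v, decide(v, beta_mode)) for v in SAMPLE_VERDICTS]
    return records, pilot_metrics(records, SAMPLE_OUTCOMES)


if __name__ == "__main__":
    recs, m = run_pilot()
    for r in recs:
        print(r["alert_id"], r["decision"], r["reasoning"])
    print(m)
```

The re-open rate is the number to watch before relaxing `beta_mode`: a closure that analysts have to reopen is the clearest signal that the auto-close boundary is too loose, while the false-positive rate of escalations tells you whether the agent is simply shifting noise from one queue to another.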
Questions to bring to your next ops meeting
- What alerts can we safely auto-triage today, and what criteria force escalation?
- How are verdicts explained to analysts? Can we see the evidence and steps taken?
- What's the failure mode if an integration is down? Do we degrade gracefully?
- Which internal models or third-party systems should we connect first via MCP?
- What's our target reduction in MTTR and false positives over the next 90 days?
The bigger shift
Security teams are drowning in alerts. This update leans into automation for the repetitive parts so analysts can focus on high-signal threats. The MCP server also signals a move to more flexible, customizable stacks that work with your tools, not against them.
If you're upskilling your team on practical AI for operations and security, explore curated options here: AI courses by job role.