Qevlar AI lands $30M to push autonomous SOC beyond alert triage
France-based Qevlar AI raised $30 million to extend its AI security operations platform. The round was co-led by Partech and Forgepoint Capital International, with participation from EQT Ventures. The plan: deepen automated investigations, add analytics that expose root causes, and help teams fix the issues that keep alerts coming back.
The operations problem
Alert volume keeps climbing while staff stays flat. Most teams spend a big slice of their day triaging, enriching, and correlating signals before any real decision gets made. That creates backlogs, inconsistent outcomes, and a narrow focus on closing tickets fast instead of making incidents stop recurring.
What Qevlar AI is building
- Automated investigation: enriches alerts, correlates across tools, and flags patterns that point to common sources.
- Consistent reporting: generates structured outputs so analysts can compare cases and spot trends.
- Focus shift: frees analysts to work on threat hunting, incident response planning, and long-term hardening.
According to Qevlar, managed security providers and large enterprises use the platform to improve investigation consistency and resilience. Early results include shorter investigation times, continuous automated analysis, and the ability to go deeper on each alert while handling more volume.
From speed metrics to prevention
Qevlar's co-founder and CEO, Ahmed Achchak, argues that SOC success is often measured by how many alerts are handled and how fast they close. That is useful, but incomplete. He says the next step is an intelligent AI SOC that spots patterns and stops repeat incidents. "We're putting out the fire and finding out what started it to make sure it doesn't happen again."
What this means for your runbooks
- Pick high-noise use cases first (phishing, EDR malware alerts, identity anomalies). Baseline current triage time and accuracy.
- Instrument outcomes: mean time to investigate, false-positive rate, and, critically, recurrence rate by alert category.
- Codify decisions: convert frequent analyst judgments into machine-readable rules and feedback loops.
- Connect investigations to corrective action: patching SLAs, identity hygiene tasks, and control tuning should trigger from patterns found.
- Audit depth over speed: require evidence of enrichment and correlation steps in every report, automated or human-led.
- Map findings to a shared threat model like the MITRE ATT&CK framework to track gaps across teams and tools.
Why operations leaders should care
- Capacity planning: automation absorbs L1/L2 noise without scaling headcount linearly.
- Quality control: standardized investigations reduce variance between analysts and shifts.
- SLOs that matter: move from "time-to-close" to "incidents prevented" and "repeat alerts reduced."
- Posture visibility: analytics surface weak controls, brittle processes, and tooling overlaps you can actually act on.
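A minimal way to instrument the outcomes named in the runbook list (mean time to investigate, false-positive rate, recurrence rate by alert category) and the "repeat alerts reduced" SLO above. This is an added example with constructed case records; it is not Qevlar's code or output, and the field names and root-cause keys are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample investigation records (not real data). Each closed case
# carries a verdict (tp = true positive, fp = false positive) and, for true
# positives, a root-cause key that a reviewer assigned at close time.
CASES = [
    {"id": "P1", "category": "phishing", "opened": "2024-05-01T09:00", "closed": "2024-05-01T09:40", "verdict": "tp", "root_cause": "mailbox-rule:alice"},
    {"id": "P2", "category": "phishing", "opened": "2024-05-01T10:00", "closed": "2024-05-01T10:20", "verdict": "fp", "root_cause": ""},
    {"id": "P3", "category": "phishing", "opened": "2024-05-01T11:00", "closed": "2024-05-01T11:30", "verdict": "tp", "root_cause": "mailbox-rule:alice"},
    {"id": "P4", "category": "phishing", "opened": "2024-05-01T12:00", "closed": "2024-05-01T12:50", "verdict": "tp", "root_cause": "cred-phish:bob"},
    {"id": "E1", "category": "edr", "opened": "2024-05-01T09:00", "closed": "2024-05-01T09:15", "verdict": "fp", "root_cause": ""},
    {"id": "E2", "category": "edr", "opened": "2024-05-01T09:30", "closed": "2024-05-01T10:15", "verdict": "tp", "root_cause": "host:ws-17/unpatched-browser"},
    {"id": "E3", "category": "edr", "opened": "2024-05-01T13:00", "closed": "2024-05-01T13:10", "verdict": "fp", "root_cause": ""},
    {"id": "I1", "category": "identity", "opened": "2024-05-01T08:00", "closed": "2024-05-01T08:30", "verdict": "tp", "root_cause": "svc-acct:backup/stale-token"},
    {"id": "I2", "category": "identity", "opened": "2024-05-01T14:00", "closed": "2024-05-01T14:30", "verdict": "tp", "root_cause": "svc-acct:backup/stale-token"},
]


def _minutes(case):
    """Investigation time in minutes from open to close."""
    delta = datetime.fromisoformat(case["closed"]) - datetime.fromisoformat(case["opened"])
    return delta.total_seconds() / 60


def summarize(cases):
    """Per-category metrics: case count, mean minutes, FP rate, recurrence rate.

    Recurrence rate = share of true positives whose root cause was already
    seen in an earlier true positive of the same category, i.e. the fire was
    put out before but its cause was never fixed.
    """
    by_cat = defaultdict(list)
    for case in sorted(cases, key=lambda c: c["opened"]):  # ISO strings sort chronologically
        by_cat[case["category"]].append(case)
    out = {}
    for cat, rows in by_cat.items():
        seen, repeats, tps = set(), 0, 0
        for r in rows:
            if r["verdict"] != "tp":
                continue
            tps += 1
            repeats += r["root_cause"] in seen
            seen.add(r["root_cause"])
        out[cat] = {
            "cases": len(rows),
            "mean_minutes": round(sum(_minutes(r) for r in rows) / len(rows), 1),
            "fp_rate": round(sum(r["verdict"] == "fp" for r in rows) / len(rows), 2),
            "recurrence_rate": round(repeats / tps, 2) if tps else 0.0,
        }
    return out


def repeat_offenders(cases, min_count=2):
    """Root causes behind at least min_count true positives: the weekly
    pattern-review backlog that should become engineering work."""
    counts = Counter(c["root_cause"] for c in cases if c["verdict"] == "tp")
    return {rc: n for rc, n in counts.items() if n >= min_count}
```

Run `summarize(CASES)` weekly and track `recurrence_rate` per category over time; a falling value is the "repeat alerts reduced" SLO, while `repeat_offenders` names what to fix.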
What to watch next
The new funding is earmarked to extend the platform beyond alert investigation into analytics that uncover underlying issues and guide corrective action. If delivered, that shifts AI from ticket throughput to measurable posture improvement, which is exactly where operations teams win budget and credibility.
Next steps
- Run a 60-90 day pilot on two noisy use cases; measure time saved, false positives reduced, and recurrence cut.
- Schedule weekly pattern reviews to turn repeated findings into engineering work (patching, hardening, access cleanup).
- Update incident SLOs to include prevention metrics and hold owners accountable for closing root causes.
If your team is building skills for AI-driven SOC operations, explore the practical training here: AI Learning Path for Cybersecurity Analysts and AI Learning Path for IT Managers.