Case Study

How ECS Broke the SOC Scalability Ceiling with AI SOC Agents

Company Profile

ECS, a $1.2B provider of advanced technology solutions in data and AI, cybersecurity, and enterprise transformation, ranked second on CyberRisk Alliance and MSSP Alert’s Top 250 Managed Security Service Providers (MSSPs) list for 2024. The organization’s enterprise arm operates a 24/7, multi-tenant SOC that supports clients across North America. The team analyzes billions of events each year, delivering high-quality security outcomes at scale.

As ECS’s MSSP scaled, they recognized that the traditional SOC model—adding headcount to meet demand—was structurally unstable. Alert volume was rising faster than staffing capacity, forcing skilled analysts to expend disproportionate effort on benign alerts rather than adversary-driven risk.

Leadership set out to reinforce analyst effectiveness by systematically suppressing noise, standardizing Tier 1 decision-making, and reducing employee burnout risk. That operational mandate to modernize the SOC drove ECS to engage Dropzone AI as the foundation for a more scalable, resilient detection and triage model.

Challenges

ECS faced the following challenges:

Challenge	Description
Scaling Without Linear Headcount	As ECS's MSSP business expanded, alert volume growth outpaced the team's ability to scale proportionally. The SOC was processing roughly 30,000 alerts per month, making a hire-to-keep-up model operationally and economically unsustainable.
Alert Overload and Analyst Fatigue	Most alerts were benign, yet they consumed a disproportionate share of analyst time. High-volume, low-value triage displaced focus from genuine threats, leading to fatigue and operational inefficiency.
Inconsistent Manual Triage	Human-driven triage produced variable outcomes. ECS required triage to be executed in a standardized, repeatable, and auditable manner to ensure consistency at scale.
Limits of Existing Automation	ECS had maximized the practical limits of its security orchestration, automation, and response (SOAR) technology. While effective for enrichment and response actions, SOAR lacked the ability to reason through investigations or safely auto-close benign alerts.

Selection & Implementation

The ECS team recognized that AI applications for security operations were advancing but had not seen a solution that could handle the scale and complexity of their operations.

Most of the tools ECS evaluated fell short of actual investigative work that they needed to automate. That changed when Dave Howard, Senior Director of Cybersecurity Operations at ECS, came across Dropzone AI.

ECS was not attempting to replace analysts, but to give them leverage. With alert volume rising faster than headcount, the team needed a mechanism to absorb noise and enforce consistent investigations, allowing analysts to concentrate on genuine, high-impact threats.

ECS ran a structured proof of value using real production alerts, benchmarking Dropzone’s investigations against existing tools and human triage. Dropzone compared very favorably in the evaluations.

What stood out was not just speed but also the consistency and depth of analysis, including context and evidence that analysts would not typically gather during initial triage.

ECS integrated Dropzone directly into its existing workflow. Alerts move from detection platforms through SOAR, into Dropzone for autonomous investigation, with outcomes fed back into ServiceNow for centralized case management and auditability.

Benefits Realized with Dropzone AI

Scaled the SOC Without Adding Headcount

Dropzone allowed ECS to scale past the 30,000 alerts-per-month ceiling with their current headcount. The SOC is now able to support more clients and higher volume while providing high-quality service.

Accelerated Triage and Threat Identification

Alerts are investigated immediately instead of waiting in a queue. This reduced acknowledgment lag, accelerated mean time to triage, and helped ECS identify real threats sooner

Eliminated Alert Noise at Tier 1

By safely auto-closing the majority of benign alerts, Dropzone removed the persistent background noise that consumed Tier 1 capacity. Analysts were able to redirect effort toward high-risk activity rather than repetitive, low-value triage.

Delivered Consistent, Defensible Investigations

Dropzone standardized how alerts are investigated across shifts and experience levels. Each alert arrives with clear conclusions, supporting evidence, and rich context, improving trust and decision quality

Improved Analyst Effectiveness and Retention

With queues cleared and workloads more manageable, analysts experienced less burnout and greater job satisfaction. Senior staff were able to focus on higher-value work like threat hunting, detection engineering, and improving the SOC overall.

Key Performance Indicators (KPIs) and Results:

70% of Tier 1 Alerts Automatically Closed. Dropzone safely identified and resolved the majority of benign alerts without analyst involvement.

100% of Alerts Investigated Immediately. Every alert is investigated as soon as it is created, eliminating acknowledgment delays and speeding triage.

Broke the SOC Scalability Ceiling (~30,000 Alerts/Month). Dropzone enabled ECS to scale alert handling beyond previous limits without adding headcount.

Tier 1 Queues Fully Cleared Across Client Base. Dropzone eliminated triage backlogs, stabilizing day-to-day SOC operations and reducing analyst strain.

ECS saw Dropzone as a true design partner. By rapidly building critical capabilities like an Elastic integration and acting on feedback in real time, Dropzone earned ECS’ trust as a partner capable of evolving alongside their SOC.

Share this article

Subscribe Our RSS Feed

Click to Subscribe

Self-Guided Demo

Test drive our hands-on interactive environment. Experience our AI SOC analyst autonomously investigate security alerts in real-time, just as it would in your SOC.