Security, Privacy, and Trust
Many organizations have legitimate questions about AI-driven solutions. At Dropzone AI, we believe these concerns are not just valid—they’re essential. We built our solution with accuracy, explainability, and data privacy in mind, so you can feel confident in integrating our AI SOC analyst into your security operations.
Architecture
The Dropzone AI solution is an autonomous multi-agent AI system that is pre-trained to replicate the work of a Tier 1 SOC analyst. The main components are:
- A dedicated cloud tenant hosted in AWS
- An optional connector for the purpose of reaching on-premises security tools
- LLM-as-a-service providers like Anthropic, Azure, OpenAI, Perplexity, and others
Security
Network Security
Each Dropzone AI SaaS tenant runs in its own isolated AWS subnet. Security groups and network ACLs restrict which access is allowed. Anything not specified is denied by default. Currently all API calls initiated from the Dropzone AI solution, either directly from the cloud hosted tenant or via the on-premises connector, use HTTPS.
Data Security Matrix
The following describes Dropzone AI's handling of data.
Platform Authentication and User Roles
There are two user roles available in the Dropzone AI solution:
- Administrator - Capable of all activities, including user management
- Member - Capable of all activities, excluding user management
Third Party Assessments
SOC2
Dropzone AI has achieved SOC 2 Type 1 certification and will begin SOC 2 Type 2 certification in November 2024. Our SOC2 Type 1 audit was performed by Sensiba, LLC, and certification was delivered in November 2023.
Third Party Penetration Tests
Dropzone AI engages a third party penetration tester annually.
Data Privacy
Dropzone AI implements a number of measures to ensure the confidentiality of customer data.
- Single-tenant architecture - The Dropzone AI platform is built following a single-tenant architecture in AWS. This assures a physical segmentation between all customers so there is no chance of data commingling.
- No training on your data - Your data is not used to train our models, either at Dropzone or our sub-processors. In addition, Dropzone AI has zero-data-retention agreements in place with our LLM providers to not store customer data.
Customer Data Used
Dropzone AI uses the same security tools and IT systems to perform investigations as human analysts do to retrieve alerts, scan content, and query data.
Alert and data source categories used by Dropzone AI include:
- Cloud service providers
- Email systems
- Endpoint detection and response
- Identity
- Network security products
- Productivity
- SIEM
- Ticketing systems
- Vulnerability management
You have control over what types of access you provide to the Dropzone AI solution. We default to read-only access. In some cases you may want to add write access, such as when writing to ticketing systems.
GDPR and PII
Dropzone AI has achieved SOC 2 Type 1 certification and will begin SOC 2 Type 2 certification in November 2024. Customers in the European Union may request in-region deployments to accommodate GDPR data transfer laws. We operate with least privilege regarding customer environments and data, supported by strict internal policies for data access, handling, and usage.
Accuracy and Explainability
The Dropzone AI solution is engineered with a specific focus on:
- Explainability so that humans can easily verify decisions and the criteria on which they were made
- Data lineage to provide an audit trail, giving users confidence in Dropzone AI’s evidence-based analysis
- Guardrails to protect against hallucinations
- Continuous internal sandbox/lab testing and validation
How It Works
The following diagram and table explains how Dropzone AI performs autonomous alert triage and investigation.
User Input and Context Memory
As you use the Dropzone AI solution more, the quality of the investigations improves as the AI SOC analyst learns about the company and environment. Importantly, this context memory is built and exists solely within the customer’s tenant and cannot be mixed with other customers’ deployments.
Users will commonly add facts to context memory such as:
- Owned IP ranges
- Allowed VPN services and policies
- Users that conduct security testing
- Hosts with special functions
- Internal tool names and their purposes
- Cloud IAM roles used for automation and administration
- Office locations
As a result of investigations, Dropzone AI will infer details such as which AWS roles have which permissions.
Avoiding Hallucinations
Dropzone AI uses multiple independent agents (expert modules) that limit the scope of what is being asked of each individual agent and avoid hallucinations.
- Expert knowledge - Each expert module combines LLM reasoning capability with expertise, derived from authoritative sources such as product documentation.
- Up-to-date information - Expert modules have access to up-to-date information by accessing internal systems, security tools, threat intelligence, and public tools such as the WHOIS and NVD databases.
- Specificity - When an alert is received, Dropzone AI will strategize and plan the investigation, assigning specific tasks to expert modules pre-trained to complete that type of task.
Common Questions
Who determines which alert and data sources are enabled?
The customer is in ultimate control of which alert and data sources are enabled. Alert sources send alerts to Dropzone AI. Data sources are data stores that contain information needed during investigations. This access is mostly provisioned during the onboarding phase, but can be adjusted by the customer at any time.
Does Dropzone AI make a copy of all my logs?
No. Dropzone AI continuously pulls security alerts when configured and on-demand fetches a subset of logs from different data sources and security systems during an investigation.
Does Dropzone AI's LLM providers train on my data?
No. Dropzone AI's contracts with its LLM providers precludes both training on the data and on storing the data for any amount of time—as soon as a query is complete the LLM provider deletes all data.