
Graylog Brings Explainable AI and Automated Investigations to Lean Security Teams


New capabilities on display at RSA Conference 2026

Graylog, the AI-powered SIEM built for lean security teams, announced advances in explainable AI and automated investigation workflows that help small-to-mid-sized security teams detect real threats faster, investigate with confidence, and cut the manual documentation work that consumes analyst time.


“Lean security teams don’t have the luxury of analyst bench depth or months of automation tuning,” said Andy Grolnick, CEO of Graylog. “Every capability we are showing at RSA is designed around the same principle: rapidly detect, decide, and document from one command center, so analysts spend time on real threats, not busy work.”

Graylog’s latest innovations deliver AI-driven threat prioritization, agentic AI workflows through its open MCP Server, and upcoming Spring 2026 release capabilities that automatically launch investigations when asset risk crosses defined thresholds.

AI and Automation Capabilities

Graylog is showcasing new AI and automation capabilities designed to help lean security teams prioritize threats, accelerate investigations, and reduce manual analyst work.

  • Threat Prioritization Engine: Groups related alerts using entity context, asset criticality, vulnerability data, and threat campaign intelligence to surface what matters most and suppress what doesn’t.
  • Context-Aware Incident Response: Automates evidence collection and workflow orchestration. AI Summarization turns gathered evidence into step-by-step response recommendations, reducing investigation time by up to 50 percent compared to manual methods.
  • MCP Server – Conversational AI Across Security Environments: Connects any compatible LLM to Graylog’s security data using the Model Context Protocol. It enables queries such as:
    • “Show me assets that increased in risk score this week and are linked to open investigations,”
    • “Summarize the top MITRE ATT&CK® techniques in failed logins over the last 24 hours,” and
    • “Create an investigation for these three alerts and assign it to the SOC team.”

The MCP Server is available across all Graylog versions – Open, Enterprise, and Security – at no additional cost. Queries are scoped to each user’s licensed functionality and role-based access controls. These capabilities also enable a new class of agentic security workflows built on Graylog’s MCP Server.

Agentic AI Workflows: What Customers Are Building on the MCP Server

The MCP Server is designed to support agentic security workflows. Teams can build agents guided by Graylog’s published MCP tools, such as:

  • A triage agent that correlates Graylog alerts with identity provider, EDR, and other security tool data and automatically triggers containment actions.
  • A compliance agent that maps detection coverage against MITRE ATT&CK®, PCI, or NIST and generates a cross-tool compliance report.
  • A false positive analyzer that reviews triggered events against historical patterns and returns tuning recommendations to sharpen detection quality over time.
  • An event procedures agent that reads investigation evidence and generates dynamic, context-specific response steps, or hands them directly to a triage agent to execute.

All agents using Graylog’s MCP Server operate within Graylog’s existing role-based access controls for transparency, traceability, and compliance. The analyst stays in the loop, but only for decisions that require human judgment.
