SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Expel adds agentic AI to Ruxie security operations

Fri, 26th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Expel has expanded its Ruxie AI security operations manager with new agentic AI functions, now in use across customer managed detection and response deployments.

The changes extend Ruxie across more stages of the threat lifecycle, including alert enrichment, investigation, detection engineering, response actions and reporting. The update comes as security providers face pressure to cut the time between an initial alert and a decision on whether to contain an incident.

Ruxie is used within Expel's managed detection and response service, where it works alongside human analysts rather than replacing them. The new functions are designed to address workflow bottlenecks, particularly when analysts must gather context from multiple tools before deciding whether an alert is benign or dangerous.

New automation includes pre-enriching alerts with telemetry and threat intelligence, assembling investigation context from live asset and user data, generating detection rules when coverage gaps appear, and carrying out targeted response steps once a threat is confirmed. The system also documents closed alerts and incidents automatically in plain language.

The expansion reflects a broader shift in cyber security operations, as suppliers use generative and agent-based AI systems to handle growing alert volumes and shorter attack timelines. Expel argues that attackers are using AI to reduce the time between initial access and impact, increasing pressure on conventional security operations centres that still rely heavily on manual review.

Workflow changes

Ruxie now pulls data from more than 160 integrated security tools and external intelligence sources to enrich alerts before they enter an analyst queue. It also correlates threat data across endpoint, identity, cloud and network environments to identify what Expel described as unified attack campaigns and patterns that may not be visible in a single product.

Several workflows focus on identity and malware alerts, where AI systems assess evidence and recommend how an alert should be handled. In some cases, the software can classify and close identity alerts automatically or evaluate malware alerts that have already been blocked, leaving analysts to spend more time on incidents that require judgement.
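What a pipeline of this shape looks like in practice, as an added illustration that is not Expel's or Ruxie's code: raw alerts are enriched from an asset inventory, a user directory and a threat-intelligence feed, correlated across sources on a shared user or host, and only two bounded-risk classes (a login from a known country and device, or malware already blocked by EDR with a known-bad hash) are ever closed without an analyst. Every host, user, hash, alert and policy threshold below is constructed for the example.

```python
"""Alert enrichment, cross-source correlation and gated auto-triage.

Added illustration, not Expel's code. Every data source below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for an asset inventory, a user directory and a
# threat-intelligence feed (hypothetical hosts, users and hash prefixes).
ASSETS = {
    "ws-042": {"criticality": "low", "edr": True},
    "ws-077": {"criticality": "low", "edr": True},
    "dc-01": {"criticality": "critical", "edr": True},
}
USERS = {
    "asmith": {"privileged": False, "countries": {"US"}, "devices": {"dev-a1"}},
    "bjones": {"privileged": False, "countries": {"US", "CA"}, "devices": {"dev-b7"}},
    "svc-ad": {"privileged": True, "countries": {"US"}, "devices": set()},
}
THREAT_INTEL = {"e3b0c442": {"verdict": "malicious", "family": "commodity-stealer"}}


def enrich(alert):
    """Attach asset, user and intel context so the decision is made on evidence."""
    enriched = dict(alert)
    enriched["asset"] = ASSETS.get(alert.get("host"), {})
    enriched["user"] = USERS.get(alert.get("user"), {})
    enriched["intel"] = THREAT_INTEL.get(alert.get("sha256", "")[:8], {})
    return enriched


def triage(enriched):
    """Return (decision, reasons). Only bounded-risk cases may auto-close;
    anything touching a privileged user or critical asset goes to an analyst."""
    user, asset, kind = enriched["user"], enriched["asset"], enriched["kind"]
    if user.get("privileged") or asset.get("criticality") == "critical":
        return "escalate", ["privileged user or critical asset"]
    if kind == "identity.login":
        known_geo = enriched.get("country") in user.get("countries", set())
        known_dev = enriched.get("device") in user.get("devices", set())
        if known_geo and known_dev:
            return "auto_close", ["known country", "known device"]
        return "escalate", [f"unfamiliar {'device' if known_geo else 'country'}"]
    if kind == "malware.blocked":
        if asset.get("edr") and enriched["intel"].get("verdict") == "malicious":
            return "auto_close", ["blocked by EDR", "known malicious hash"]
        return "escalate", ["blocked but no intel match"]
    return "escalate", [f"{kind} is never auto-closed"]


def correlate(alerts, window=timedelta(hours=1)):
    """Link alerts from different sources that share a user or host within
    `window`; this is the pattern a single product cannot see on its own."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        for key in ("user", "host"):
            if a.get(key):
                groups[(key, a[key])].append(a)
    campaigns = {}
    for (key, val), members in groups.items():
        sources = {m["source"] for m in members}
        if len(sources) > 1 and members[-1]["ts"] - members[0]["ts"] <= window:
            ids = tuple(sorted(m["id"] for m in members))
            campaigns.setdefault(ids, {"pivots": [], "sources": sorted(sources)})
            campaigns[ids]["pivots"].append(f"{key}={val}")
    return campaigns


def run_queue(alerts):
    """Enrich, correlate and triage; a campaign member is always escalated even
    when each alert on its own would have been closed."""
    in_campaign = {i for ids in correlate(alerts) for i in ids}
    decisions = {}
    for alert in alerts:
        decision, reasons = triage(enrich(alert))
        if alert["id"] in in_campaign and decision == "auto_close":
            decision, reasons = "escalate", ["part of cross-source campaign"] + reasons
        decisions[alert["id"]] = (decision, reasons)
    return decisions


# Constructed sample queue: a login and a blocked-malware alert on the same
# user/host five minutes apart, a login by a privileged service account, and
# an unremarkable login by another user.
ALERTS = [
    {"id": "A1", "ts": datetime(2026, 6, 26, 9, 0), "source": "idp", "kind": "identity.login",
     "user": "asmith", "host": "ws-042", "country": "US", "device": "dev-a1"},
    {"id": "A2", "ts": datetime(2026, 6, 26, 9, 5), "source": "edr", "kind": "malware.blocked",
     "user": "asmith", "host": "ws-042", "sha256": "e3b0c44298fc1c149afbf4c8996fb924"},
    {"id": "A3", "ts": datetime(2026, 6, 26, 9, 30), "source": "idp", "kind": "identity.login",
     "user": "svc-ad", "host": "dc-01", "country": "US", "device": "dev-zz"},
    {"id": "A4", "ts": datetime(2026, 6, 26, 11, 0), "source": "idp", "kind": "identity.login",
     "user": "bjones", "host": "ws-077", "country": "CA", "device": "dev-b7"},
]

if __name__ == "__main__":
    for alert_id, (decision, reasons) in run_queue(ALERTS).items():
        print(alert_id, decision, "; ".join(reasons))
```

The point of the correlation step is the one the article makes about unified campaigns: A1 (a benign-looking login) and A2 (malware the EDR already blocked) would each be closed in isolation, but together on the same user and host within minutes they are handed to an analyst with the evidence attached. The reasons list is what the analyst sees, so an auto-close is never a silent decision.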

Detection engineering is another area covered by the update. Agentic workflows review new vendor alerts against existing detection approaches to find gaps and create new rules for customers where needed.

In Expel's Workbench product, investigations can now sync with Slack and Microsoft Teams for incident collaboration. That gives customers and analysts a shared channel for alerts, questions, decisions and response actions while an investigation is under way.

Justin Bajko, Chief Strategy Officer at Expel, outlined the rationale for the changes.

"AI-powered attackers don't pause between initial access and lateral movement. They're operating at machine speed," Bajko said. "Ruxie's job is to match that pace at every stage. These new agentic capabilities extend our AI coverage to specific and intentional stages of the threat life cycle, so there's no gap left for attackers to exploit."

Customer view

Expel also pointed to customer demand for a mix of machine automation and human review rather than a fully autonomous model. That reflects a persistent concern in cyber security operations that false positives and missing business context can still undermine AI-only approaches.

Jason Waits, Chief Information Security Officer at Inductive Automation, described that balance in operational terms.

"Having AI workflows for context, then relying on a human expert to make the final call, offers a level of security we can't get from an AI-only approach," Waits said. "Automation and AI catch things in real time, and human expertise helps understand context, make nuanced decisions, and avoid false positives that disrupt operations."

The new functions have been incorporated into existing managed detection and response deployments rather than being offered as a separate product. That means customers already using the service receive the expanded workflows within their current environments, including across cloud, identity, email, software-as-a-service and on-premises systems.

The update places Expel in a crowded part of the cyber security market, where providers are trying to show that AI can improve the speed of security operations without removing analyst oversight. Its argument is that broader automation across enrichment, triage, investigation and response can reduce operational friction while keeping a human decision-maker in the loop where needed.