Success Story

How a 60,000 Employee U.S. Healthcare Provider Scaled Its SOC with Prophet AI


Key highlights

11,065

investigations completed by Prophet AI in just 3 months

14,750 hours

of analyst time returned annually

4 minutes

mean time to investigate

The Problem

This large, multi-entity U.S. healthcare provider, operating across multiple business lines, tenants, and tens of thousands of endpoints, has chosen Prophet Security to scale SOC capacity through agentic AI. Its Security Operations team protects a complex environment built on Microsoft Defender XDR and Sentinel, supplemented by Proofpoint for email security and Obsidian for SaaS threat monitoring.

Despite heavy investment in tooling, the SOC was hitting a ceiling. Alert volume from across the stack was outpacing the team's capacity to investigate. Some tools delivered alerts hours after the underlying activity occurred, creating middle-of-the-night escalations about events that had already gone cold. And while AI-powered features were increasingly embedded in their existing tools, the team found that most of it only summarized or visualized incidents rather than doing real investigative work.

The Director of Security Operations put it plainly: the team didn't need AI to summarize an incident. They needed it to actually investigate, correlate evidence across tools, and reach a defensible conclusion, correctly and in real-time.

At the same time, any new solution had to respect the team's operational reality. Microsoft Defender was the center of gravity for their SOC workflow, and the team didn't have the budget or the cultural tolerance to add "yet another tool" to an already "heavy investment" in tooling. At this point, anything they added would be scrutinized. It needed to have a bullet-proof ROI.

The Solution

Agentic AI SOC platform that investigates with the depth and accuracy of an expert analyst at machine speed

The organization deployed the Prophet Agentic AI SOC Platform with three clear objectives:

  • reduce alert noise and manual triage volume
  • complete investigations in under five minutes with consistent depth and reasoning
  • integrate across their full stack

Prophet AI ingested alerts from Proofpoint, Microsoft Defender, Sentinel, Obsidian, and Entra ID. Rather than simply enriching alerts with additional data, Prophet AI conducted full investigations autonomously, gathering evidence across multiple sources, correlating signals, and reaching a determination of benign, malicious, or inconclusive for each alert.

Prophet AI provided investigation notes back to the customer's alert queue, just like a human analyst, and closed the investigations automatically. Malicious findings were escalated into a dedicated review queue with full audit trails, recommended next steps, and deep links back into XDR, so analysts could validate and act without switching consoles.

The team also used Prophet AI’s Guidance system to coach the platform like a new analyst on day one, correcting conclusions when local context mattered (for example, clarifying that a third-party contractor domain should be treated as an associated entity rather than a potential impersonation). Once taught, Prophet AI remembers and applies the customer's organizational context to all future investigations. Alerts initially flagged as inconclusive could then be re-run as full investigations with the essential evidence needed to reach a final conclusion.

The Results

95% reduction in investigation time (19x productivity increase)

Prophet AI investigated 11,065 unique alerts during a three-month period, each of which would otherwise have required manual analyst effort across multiple tools. By autonomously completing these investigations, Prophet reduced investigation time by 95%, a 19x productivity increase for the SOC team.

~14,750 hours of analyst time returned annually

By handling alert investigations autonomously, Prophet AI eliminates the need for analysts to manually pivot between tools, gather enrichment data, and construct timelines, tasks that typically take 20 minutes per alert. With an annual projection of 44,260 investigations, Prophet AI is set to absorb approximately 14,750 hours of investigative labor. Based on standard capacity metrics, where one analyst handles about 4,200 investigations annually with 5.6 hours of active daily investigation, this volume is the equivalent of adding 10.5 full-time analysts focused entirely on alert investigation.

96% noise reduction

Of all alerts investigated during that time, 96% were autonomously resolved by Prophet AI as benign, requiring zero analyst involvement. Only a small subset of investigations were escalated for human review, freeing the team to focus exclusively on confirmed threats and edge cases that required expert judgment.

223 verified true positives surfaced

Prophet AI identified and escalated 223 confirmed malicious alerts for immediate analyst attention. These weren't buried in a queue of thousands. They were prioritized, investigated, and delivered with full context, giving the team a clear line of sight to the threats that mattered most.

Under 4.3 minutes from alert to investigated

Prophet AI's mean time to investigate was ~4 minutes, 11x faster than the average attacker's 48-minute breakout time. This speed advantage translates to a large and measurable reduction in the customer's Mean Time to Respond (MTTR), meaning the team can act decisively before adversaries have a chance to move laterally.

"We didn't need AI to summarize an incident. We needed it to actually investigate, correlate evidence, and reach a defensible conclusion. Prophet AI delivered that in the first month."

— Director of Security Operations, Major U.S. Healthcare Provider
