Introduction: From SIEM to SOAR—and What’s Next

Modern enterprises run on complex, interconnected software systems, making incident response a fact of life for both DevOps (focused on uptime and reliability) and SecOps (focused on security and compliance). Historically, organizations started with SIEM (Security Information and Event Management) solutions to gather and correlate vast amounts of security logs. As threats grew in scale and complexity, the industry saw the emergence of SOAR (Security Orchestration, Automation, and Response) platforms. These were a huge leap forward because they automated repetitive tasks through static workflows, essentially “flowcharts” triggered by certain alerts.

Yet while SOAR tools excelled at handling well-known, routine incidents, they struggled when the unexpected occurred. Precompiled logic trees don’t adapt on the fly. If an incident fell outside the predefined conditions, humans had to jump in, negating much of the promised automation. Additionally, many SOAR tools are cloud-based and don’t have native visibility into private, on-premises data and logs. This creates blind spots right when teams need complete information the most.

Why Static Workflows Fall Short

The static nature of most SOAR products stems from how they’re built: you design a workflow with a graphical interface or a script, specifying every possible path and condition upfront. This approach works well for commonly repeated patterns, such as blocking a known malicious IP or rotating credentials when a compromise is detected. However, it runs into serious limitations when facing novel incidents or multi-faceted scenarios. Key issues include:

• Rigid Logic: Once “compiled,” these workflows aren’t easily changed at runtime. If an unexpected condition pops up, the workflow can’t adapt.

• Limited Visibility: Many SOAR solutions can’t seamlessly access internal systems, logs, and configurations without cumbersome integrations—especially if they run strictly in the cloud.

• High Maintenance: Teams must continually update logic branches whenever they discover new incident patterns, creating significant overhead.

Kindo’s Agentic Approach: An AI-Native Alternative

At Kindo, we’re introducing an AI-driven system that rethinks automation by embracing agentic security behavior rather than static scripts. Our core idea is simple yet transformative: instead of creating an exhaustive blueprint for every possible outcome, you give an AI agent a goal—for example, “Diagnose and resolve the spike in 500 errors”—and provide the agent with the context and tools it needs. The agent then iterates in a loop, reasoning about what data to gather, analyzing that data, refining its plan, and continuing until it hits a terminal condition—like successfully fixing the root cause or hitting a scenario where it must request human help.

Working Inside Your Environment

One major differentiator of Kindo's is our self-managed option. That is, Kindo can run within your own environment, on a trusted machine that’s equipped with the appropriate certificates and credentials to access your systems. This addresses a common complaint about cloud-only solutions: they can’t always see everything happening inside private networks. By deploying Kindo on-premises, you ensure the AI agent can:

• SSH into servers to inspect logs or run diagnostics,

• Access network resources that require internal certificates,

• Integrate with existing DevOps or SecOps tools and data sources just like a human engineer would.

This local deployment means the agent isn’t “flying blind” when it needs critical insights from behind the firewall.

Real-World Incident Scenarios

DevOps Case: Surging 500 Errors

Suppose your monitoring system flags an unusual number of 500 (internal server) errors in one of your microservices. With a static workflow, you might have a predefined path that checks a few logs and restarts the service. But what if the cause is something you didn’t anticipate—like a bad code push or a resource shortfall?

A Kindo agent can dynamically decide what to investigate. It might:

1. Pull the relevant logs to see exactly where the errors are occurring.

2. Check traces and metrics in your observability stack to see if the issue is localized or systemic.

3. Inspect the Kubernetes environment to see if any pods are crash-looping or under-resourced.

4. Form a conclusion—for instance, maybe a recent code change is causing out-of-memory errors, so the fix is to either roll back that release or adjust resource limits.

Once the agent identifies the likely root cause, it can propose a fix that you approve with a single click.

SecOps Case: Permission Denied Errors Everywhere

In a security context, imagine you start getting thousands of “permission denied” errors across multiple services. A conventional SOAR workflow might kill a suspected malicious session or block an IP address, but what if the real problem is a deeper misconfiguration?

A Kindo agent could:

• Check IAM policies across your AWS or on-prem environment,

• Review your Kubernetes/Vault configurations,

• Spot a mismatch between Vault policies and cluster setup that’s denying valid processes.

It can then generate a pull request to correct the misconfigured files. Upon your sign-off, the fix rolls out to restore normal operations—no manual detective work needed.

2025: The Year of Autonomous Agents

The capability to adapt on the fly is what sets autonomous agents apart, and 2025 is shaping up to be their breakout year. While DevOps and SecOps were early adopters of automation, traditional systems and workflows can’t keep pace with the complexity of modern infrastructures. Meanwhile, AI agents capable of on-the-fly reasoning and self-directed investigation are popping up in industries ranging from finance to healthcare. It’s a natural extension of current trends:

• AI Models are getting better at parsing logs, code, and config files in natural language.

• Complex Environments demand solutions that can pivot quickly rather than follow a fixed script.

• Human Resources are strained; teams don’t have the time to constantly update static workflows.

Addressing Pain Points of Traditional SOAR

Communities and forums are rife with complaints about how current SOAR solutions are rigid and how they require you to guess every possible scenario in advance. People also dislike wrestling with limited data access, especially when logs or sensitive information live behind the firewall. By contrast, Kindo’s agentic model:

• Minimizes Upfront Scripting: You focus on the high-level objective, not branching logic.

• Allows Dynamic Analysis: The agent can follow leads in the data, adapt its plan, and decide next steps on its own.

• Integrates Seamlessly: With on-prem deployment, the AI sees the entire environment—no more partial or stale data.

• Scales to Novel Incidents: New or evolving threats don’t derail the process; the agent simply charts a different investigative path.

A Human-AI Collaboration, Not a Takeover

One question that often arises is: “How much control does the AI have?” At Kindo, humans remain firmly in the driver’s seat. You choose which tools, logs, and systems the agent can access. By default, the agent proposes any changes or remediations it thinks are needed—such as updating a config file or rolling back a software version—and waits for your approval before executing them. We also provide controls like Data Loss Prevention (DLP) checks and code execution approvals to ensure the AI can’t do anything outside your comfort zone.

Long-Term Vision: Tackling Ambitious and Abstract Goals

Kindo’s ability to handle dynamic incidents today is just the start. Our long-term vision is to enable autonomous agents to take on big-picture challenges that go well beyond simple incident response. Imagine directives like:

• “Achieve 100% uptime”

• “Migrate our entire infrastructure from Azure to GCP”

• “Identify and fix all current vulnerabilities, and keep us secure going forward”

For an agent to accomplish such broad tasks, it must be able to ask clarifying questions—to realize what it doesn’t know and seek out the missing information or context. This is precisely how an experienced human engineer would approach a massive project. They’d want to see architectural diagrams, consult business requirements, check past incident runbooks, and confirm budget constraints or compliance requirements. An AI needs that same sense of curiosity and caution to stay aligned with your organization’s goals.

Unlocking True Collaboration

Our R&D teams are working on ways to foster this curiosity in AI, so agents:

• Recognize when they lack crucial information,

• Promptly reach out to humans for guidance (“call a human” as a built-in tool),

• Understand which decisions are mission-critical and shouldn’t be made unilaterally,

• Continually refine their plan based on both data and human feedback.

This approach transforms Kindo’s AI agents into genuine collaborators capable of handling large-scale transformations in a methodical, step-by-step manner—always checking for alignment and always ready to ask for help when needed.

Ready to Experience Kindo?

If you’d like to see how an AI-driven agent can revolutionize your DevSecOps incident response—without forcing you to script every possibility—click here to book a demo. We’ll walk you through how Kindo’s autonomy, on-prem deployment option, and human-in-the-loop oversight combine to handle both routine incidents and the curveballs that traditional SOAR workflows can’t catch.

Here’s to a future where we spend less time firefighting—and more time innovating.