Executive Summary
The average enterprise SOC receives over 4,400 security alerts per day. Large organizations face 10,000 or more across 28+ integrated tools. Yet 67% of those alerts go uninvestigated, because manual correlation simply cannot keep pace with volume. The result: 61% of SOC teams have ignored alerts later confirmed as genuine compromise.
Attack Path Discovery (APD) is the capability that breaks this cycle. Where SOAR platforms execute the same rigid playbook steps regardless of context, and where natural language overlays merely speed up the same manual process, APD autonomously traces how threats propagate across tools and time, delivering structured, L2-quality investigation reports in under two minutes per alert.
D3 Morpheus AI is an AI Autonomous SOC platform that performs multi-dimensional APD on every incoming alert. It correlates vertically into an alert’s origin tool and horizontally across the full security stack, building a unified threat narrative that mirrors what an experienced analyst does manually, but at machine speed, without fatigue, and with consistent depth regardless of whether the alert fires at 3 PM Tuesday or 3 AM Saturday.
This paper explains what Attack Path Discovery is, why it represents a structural shift beyond SOAR-based triage, how Morpheus AI implements it, and what the measurable impact looks like in production SOC environments.
Table of Contents
- The Triage Problem: Why SOAR Platforms Have Reached Their Ceiling
- What Is Attack Path Discovery?
- APD in Action: VP of Finance Phishing Attack
- Why Natural Language Overlays Don’t Fix SOAR’s Structural Limits
- How Morpheus AI Implements Attack Path Discovery
- Measured Impact: APD in Production Environments
- Questions for Your Evaluation
- Next Steps
The Triage Problem: Why SOAR Platforms Have Reached Their Ceiling
For over a decade, SOAR platforms have relied on static playbooks to handle alert triage. A SOAR architect designs multi-step workflows (often 250 to 500 steps per complex investigation) that execute the same predefined logic every time an alert fires. This model brought structure and repeatability. It also introduced five structural limitations that define a ceiling for the entire SOAR category.
Five Structural Limits of SOAR-Based Triage
SOAR Architect Dependency
Every playbook requires a specialized, expensive engineer to design, test, and maintain. When that person leaves, their institutional knowledge leaves with them.
Playbook Sprawl
A mature SOC runs hundreds of playbooks. Each requires updates as threats evolve, tools change, and procedures shift. Maintenance burden grows linearly and often outpaces team capacity.
Static Logic, Dynamic Threats
A phishing playbook runs the same 15–20 steps whether the target is an intern or the VP of Finance, and whether the attacker has already moved laterally.
Silent Integration Failures
Vendor API updates break playbooks without warning, and hours or days pass before anyone notices. This is the single most frustrating operational reality of SOAR deployments.
The L1 Analyst Gap
Playbooks are designed by experienced engineers but executed by junior L1 analysts. When an investigation deviates from the prescribed path, the analyst has no investigative framework to guide the next step.
The consequence is measurable: 40% of alerts are never investigated, and 61% of SOC teams report ignoring alerts later proven to be genuine compromise. These are SOAR’s design constraints, baked into the architecture itself.
What Is Attack Path Discovery?
Attack Path Discovery is the autonomous, multi-dimensional correlation of security telemetry to trace how a threat propagates across tools and time. Rather than executing a static checklist, APD follows the evidence, the way an experienced L2 analyst would, to construct a complete threat narrative for every alert.
APD is the core capability that distinguishes the AI Autonomous SOC model from SOAR. Where SOAR runs predefined playbooks, APD investigates from first principles. No prebuilt workflow required.
Morpheus AI performs APD along two axes simultaneously on every incoming alert:
North–South (Vertical)
Deep inspection into the alert’s origin tool:
- Process trees and parent-child relationships
- Registry keys and file system telemetry
- Tool-specific artifacts and indicators
- Behavioral patterns within the source system
East–West (Horizontal)
Correlation across the full security stack:
- EDR, SIEM, and cloud log correlation
- Identity system and access pattern analysis
- Network telemetry and lateral movement tracing
- Linking disparate indicators into unified narrative
The combination produces what no SOAR playbook can: a contextual, evidence-based investigation report that accounts for the specific threat, the specific target, and the specific environment, every time.
How APD Differs from Manual Correlation
An experienced analyst investigating a suspicious endpoint alert would manually query the EDR console, check SIEM logs, pivot to identity systems, examine network flows, and build a mental model of the attack chain. This process takes an average of 70 minutes per alert. Morpheus AI completes the same multi-tool correlation in under two minutes, with consistent depth regardless of alert volume or time of day. The structural difference: APD moves investigation intelligence from the playbook author to the platform itself. This is what makes the AI Autonomous SOC a replacement for SOAR, not an add-on.
APD in Action: VP of Finance Phishing Attack
Consider a phishing alert targeting the VP of Finance. A SOAR playbook would run its standard 15–20 steps (check URL reputation, scan attachment, query sender history) regardless of who was targeted, what the payload does, or whether the attacker has already moved laterally.
Vertical Discovery: Morpheus AI identifies a novel document containing a macro that downloads a second-stage loader. It traces the process tree from the email client through the document application to the loader execution, identifying command-and-control (C2) communication.
Horizontal Correlation: The platform pivots across the security stack and discovers the attacker used the VP’s compromised credentials to access a sensitive M&A file share. Identity system logs reveal a new MFA registration from an unfamiliar geography. Network telemetry confirms data exfiltration to the C2 domain.
Generated Playbook: Based on the discovered attack path, Morpheus AI generates a bespoke response:
- Isolate the compromised endpoint immediately
- Revoke all active sessions for the VP’s credentials
- Block the identified C2 domain across all perimeter controls
- Scan the M&A file share for unauthorized access and exfiltration indicators
- Notify legal and compliance teams given the sensitivity of accessed data
- Initiate board notification procedures per data breach protocol
A SOAR phishing playbook would have closed the alert at the email layer, missing the lateral movement, credential compromise, data exfiltration, and compliance implications entirely. APD followed the full attack chain. The entire investigation and playbook generation completed in under two minutes, producing a structured report with step-by-step reasoning that an analyst can review, challenge, and learn from.
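The following is an added example, written for this page rather than taken from Morpheus AI or D3 Security, that implements the two-axis model from the previous section over the scenario above: a records filter drops noise, a vertical pass walks the EDR process tree from the alerting process to its root and collects its outbound connections, and a horizontal pass pivots on the alert's user and host across identity, file share and network telemetry, then derives response steps only from the evidence actually found. Every event, hostname, domain and field name (src, kind, host, user, pid, ppid, image, dst, geo, path, bytes_out) is constructed and assumed; a real deployment would normalise each tool's schema to something similar before correlating.

```python
"""Two-axis alert correlation: vertical process tree + horizontal pivot.
Added example, not D3 Security's or Morpheus AI's code. All events and
field names below are constructed assumptions about a normalised schema."""
from datetime import datetime, timedelta

# Constructed telemetry from four tools, flattened to dicts (ISO-8601 timestamps).
EVENTS = [
    {"src": "edr", "kind": "heartbeat", "ts": "2024-03-05T09:00:00", "host": "FIN-LT-07"},
    {"src": "edr", "kind": "process", "ts": "2024-03-05T09:01:10", "host": "FIN-LT-07",
     "user": "vp.finance", "pid": 410, "ppid": 1, "image": "explorer.exe"},
    {"src": "edr", "kind": "process", "ts": "2024-03-05T09:01:12", "host": "FIN-LT-07",
     "user": "vp.finance", "pid": 512, "ppid": 410, "image": "outlook.exe"},
    {"src": "edr", "kind": "process", "ts": "2024-03-05T09:02:30", "host": "FIN-LT-07",
     "user": "vp.finance", "pid": 777, "ppid": 512, "image": "winword.exe"},
    {"src": "edr", "kind": "process", "ts": "2024-03-05T09:02:45", "host": "FIN-LT-07",
     "user": "vp.finance", "pid": 901, "ppid": 777, "image": "loader.exe"},
    {"src": "edr", "kind": "netconn", "ts": "2024-03-05T09:02:50", "host": "FIN-LT-07",
     "pid": 901, "dst": "update-cdn.example"},
    {"src": "idp", "kind": "login", "ts": "2024-03-05T08:55:00", "user": "vp.finance", "geo": "home"},
    {"src": "idp", "kind": "mfa_register", "ts": "2024-03-05T09:20:00", "user": "vp.finance",
     "geo": "unfamiliar"},
    {"src": "fileshare", "kind": "read", "ts": "2024-03-05T09:25:00", "user": "vp.finance",
     "path": "\\\\fs01\\MandA"},
    {"src": "netflow", "kind": "egress", "ts": "2024-03-05T09:30:00", "host": "FIN-LT-07",
     "dst": "update-cdn.example", "bytes_out": 48_000_000},
    {"src": "siem", "kind": "config_sync", "ts": "2024-03-05T09:31:00", "host": "siem01"},
    # Second host: PowerShell launched from a user shell with no follow-on activity.
    {"src": "edr", "kind": "process", "ts": "2024-03-05T09:03:00", "host": "HR-LT-02",
     "user": "j.doe", "pid": 300, "ppid": 1, "image": "explorer.exe"},
    {"src": "edr", "kind": "process", "ts": "2024-03-05T09:03:20", "host": "HR-LT-02",
     "user": "j.doe", "pid": 333, "ppid": 300, "image": "powershell.exe"},
]

NOISE_KINDS = {"heartbeat", "config_sync"}   # records that can never join an attack path

def filter_records(events):
    return [e for e in events if e["kind"] not in NOISE_KINDS]

def vertical_chain(events, alert):
    """Walk the process tree on the alert host from the alerting pid up to its root,
    then collect the outbound connections made by the alerting process."""
    procs = {e["pid"]: e for e in events
             if e["src"] == "edr" and e["kind"] == "process" and e["host"] == alert["host"]}
    chain, pid, seen = [], alert["pid"], set()
    while pid in procs and pid not in seen:          # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    chain.reverse()                                   # root first, alerting process last
    c2 = sorted({e["dst"] for e in events if e["src"] == "edr" and e["kind"] == "netconn"
                 and e["host"] == alert["host"] and e["pid"] == alert["pid"]})
    return chain, c2

def horizontal_pivot(events, alert, c2_domains, window=timedelta(hours=2)):
    """Pivot on the alert's user and host across identity, file share and network
    telemetry, keeping only events inside the window after the alert fired."""
    t0 = datetime.fromisoformat(alert["ts"])
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):   # chronological narrative order
        if not t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window:
            continue
        if (e["src"] == "idp" and e["kind"] == "mfa_register"
                and e["user"] == alert["user"] and e["geo"] == "unfamiliar"):
            findings.append(("identity", "new MFA registration from unfamiliar geography"))
        elif e["src"] == "fileshare" and e["user"] == alert["user"]:
            findings.append(("data_access", f"{e['path']} read by the alerting account"))
        elif e["src"] == "netflow" and e["host"] == alert["host"] and e["dst"] in c2_domains:
            findings.append(("exfil", f"{e['bytes_out']} bytes sent to {e['dst']}"))
    return findings

# Response steps keyed by finding type; the generated playbook only contains
# steps for which evidence was actually found.
RESPONSE = {
    "identity": "revoke all active sessions and reset MFA for the account",
    "data_access": "scan the accessed share for unauthorized access; notify legal and compliance",
    "exfil": "escalate per data breach protocol",
}

def investigate(events, alert):
    events = filter_records(events)
    chain, c2 = vertical_chain(events, alert)
    findings = horizontal_pivot(events, alert, set(c2))
    verdict = "escalate" if c2 or findings else "review"
    actions = []
    if verdict == "escalate":
        actions.append(f"isolate host {alert['host']}")
        actions += [f"block {d} at the perimeter" for d in c2]
        actions += [RESPONSE[kind] for kind, _ in findings]
    return {"chain": chain, "c2_domains": c2, "findings": findings,
            "verdict": verdict, "actions": actions}

ALERT_VP = EVENTS[4]    # loader.exe on FIN-LT-07 (constructed EDR alert)
ALERT_HR = EVENTS[-1]   # powershell.exe on HR-LT-02 (constructed EDR alert)

if __name__ == "__main__":
    for a in (ALERT_VP, ALERT_HR):
        r = investigate(EVENTS, a)
        print(a["host"], r["verdict"], " -> ".join(r["chain"]), r["actions"], sep="\n  ")
```

Run stand-alone, the VP alert yields the chain explorer.exe -> outlook.exe -> winword.exe -> loader.exe, one C2 domain, three horizontal findings and a five-step response; the PowerShell alert on the second host walks a two-process chain, finds nothing across the stack, and returns a "review" verdict with no actions. The same code path handles both alerts, and the output differs only because the evidence differs, which is the contrast with a fixed 15-20 step playbook. The pivot keys here (user, host, C2 domain) and the two-hour window are assumptions; in practice they would come from the alert and from organizational context such as the target's role.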
Why Natural Language Overlays Don’t Fix SOAR’s Structural Limits
Across the SOAR market, vendors are bolting general-purpose LLM interfaces onto existing static playbook engines and marketing the result as AI-powered triage. These overlays provide genuine quality-of-life improvements: faster playbook authoring, natural language data querying, and better accessibility. But adding an AI chat layer to a SOAR platform does not make it an AI Autonomous SOC. The playbook engine underneath remains unchanged.
SOAR + Overlay vs. AI Autonomous SOC with APD
| Capability | SOAR + NL Overlay | AI Autonomous SOC (Morpheus AI) |
|---|---|---|
| Threat investigation | Answers questions when asked; does not initiate investigations | Autonomously traces lateral movement, correlates signals, builds threat narratives |
| Playbook model | Speeds authoring of same static playbooks | Generates contextual playbooks at runtime from evidence |
| SOAR architect need | Still required to design, test, version, maintain workflows | Eliminated. Intelligence embedded in platform |
| L1 analyst guidance | Helps ask questions faster; doesn’t teach which questions to ask | Provides investigative framework with full reasoning chain |
| Integration failures | No mechanism to detect API drift or generate corrective code | Self-healing integrations detect and repair autonomously |
| Novel threats | Adapts only when humans update playbooks | Adapts in real time to novel patterns and context |
The root cause of this industry pattern is economic: replacing SOAR requires building a purpose-built cybersecurity LLM, redesigning the investigation model, and eliminating the static playbook generator entirely. Most vendors chose the faster, lower-risk path of adding a chat layer to their existing SOAR architecture.
How Morpheus AI Implements Attack Path Discovery
Morpheus AI is an AI Autonomous SOC platform built from the ground up around a purpose-trained cybersecurity LLM. It is not a SOAR platform with AI bolted on; it is a SOAR replacement. Every alert triggers a complete APD investigation automatically, without playbooks, without SOAR architects, and without manual correlation.
Purpose-Built Cybersecurity LLM
D3 Security invested 24 months and 60 specialists (red teamers, data scientists, AI engineers, and SOC analysts) building a domain-specific LLM that understands how attacks propagate at a structural level. A general-purpose model can generate text about cybersecurity. Morpheus AI’s LLM understands the progression from phishing payload to credential theft to lateral movement, recognizes how compromised credentials enable endpoint-to-identity-to-cloud transitions, and distinguishes between benign PowerShell administrative tasks and fileless malware indicators.
No amount of prompt engineering gives a general-purpose model this depth. It requires purpose-specific training data and 24 months of domain-focused development.
Customer-Expandable Intelligence
Organizations are not locked into D3’s base model. They can expand and customize the LLM for their specific environment, threat landscape, and SOC procedures. The result is a proprietary, customer-specific triage capability that improves over time. This becomes an intellectual asset that belongs to the organization, not the vendor. Every step of the reasoning is transparent, reviewable, editable, and overridable. No black boxes.
Capabilities That Amplify APD
Contextual Playbook Generation
Every APD investigation produces a bespoke response playbook tailored to the specific incident, the organization’s tool stack, and SOC preferences. No authoring, versioning, or emergency updates required.
Self-Healing Integrations
Morpheus AI monitors integration behavior across 800+ tools. When a vendor API update changes a response schema, the platform detects the drift and generates corrective code autonomously.
Records Filtering
Before APD begins, Morpheus AI filters out informational records that cannot contribute to attack path correlation. This prevents data explosion and focuses investigation on signals.
Built-In SOAR for Transition
Includes a full SOAR engine for organizations transitioning from legacy platforms. Run static playbooks for compliance requirements while APD handles autonomous triage, until SOAR is fully replaced.
Measured Impact: APD in Production Environments
Attack Path Discovery delivers measurable results across the metrics that matter to SOC leaders.
How Analysts Spend Recovered Capacity
| Activity | Before APD (SOAR Model) | After APD (AI Autonomous SOC) |
|---|---|---|
| Threat Hunting | Ad hoc, time permitting | Structured daily program |
| Detection Engineering | Reactive, post-incident only | Continuous optimization cycle |
| Red/Purple Team | Quarterly at best | Monthly or continuous |
| Architecture Review | Annual assessment | Ongoing advisory function |
| Root Cause Analysis | Superficial due to backlog | Deep forensic investigation |
| Compliance Monitoring | Last-minute preparation | Continuous posture monitoring |
| AI Model Validation | Not applicable | Core analyst competency |
Analyst Role Transformation
APD elevates the SOC analyst role. Analysts shift from ticket processors running SOAR playbook steps to strategic operators who review L2-quality investigations, validate AI decisions, conduct proactive threat hunts, engineer detection rules, and advise on security architecture. With 71% of SOC analysts reporting burnout and 64% considering leaving within the year, this transformation addresses retention at the structural level.
Questions for Your Evaluation
When evaluating whether your current SOAR-based triage model can keep pace, these questions surface the structural gaps that Attack Path Discovery addresses.
1. Investigation Depth
Does your platform autonomously trace lateral movement across tools and time, or does it wait for an analyst to manually pivot between consoles?
2. Staffing Dependencies
How many SOAR architects do you employ? What is their annual cost? What happens to your triage operation if they leave?
3. Playbook Maintenance
How many playbooks does your SOC maintain? What is the update cycle? How many are stale or untested?
4. Integration Reliability
How much time does your team spend detecting and repairing broken integrations? What is the discovery latency?
5. Off-Hours Coverage
At 2 AM on Saturday, does your platform investigate autonomously, or does it queue alerts until a human arrives?
6. Total Cost of Ownership
Are you running separate products for SOAR, case management, and AI tooling? What is the combined cost including SOAR architect staffing?
7. AI Validation
Have your vendor’s AI capability claims been independently validated? Can you measure accuracy metrics during a proof-of-value?
Next Steps
Personalized Platform Demonstration
See Attack Path Discovery on realistic scenarios: multi-stage phishing, lateral movement, contextual playbook generation.
Proof of Value (POV) Engagement
Measure Morpheus AI’s triage accuracy, speed, and investigation depth against your current SOAR platform.
Total Cost of Ownership Analysis
Compare: SOAR + case management + AI tooling + SOAR architects + integration labor vs. Morpheus AI as single platform.
Architecture & Migration Planning
Use Morpheus AI’s built-in SOAR engine for phased transition while progressively adopting autonomous triage.