Security, Privacy, and Trust

Many organizations have legitimate questions about AI-driven solutions. At Dropzone AI, we believe these concerns are not just valid—they’re essential. We built our solution with accuracy, explainability, and data privacy in mind, so you can feel confident in integrating our AI SOC analyst into your security operations. 

Architecture

The Dropzone AI solution is an autonomous multi-agent AI system that is pre-trained to replicate the work of a Tier 1 SOC analyst. The main components are:

  • A dedicated cloud tenant hosted in AWS; no data co-mingling
  • An optional connector for the purpose of reaching on-premises security tools
  • LLM-as-a-service providers like Anthropic, Azure OpenAI, Perplexity, and others

Figure 1. Dropzone AI architecture

Customer Data Used by Dropzone AI

Data Sources

Dropzone AI performs investigations with the same security tools and IT systems that human analysts use, calling their APIs to retrieve alerts, scan content, and query data.

Dropzone AI integrates via API with existing security tools and IT systems:

  • Cloud providers
  • Email systems
  • Endpoint Detection & Response (EDR)
  • Data loss prevention (DLP)
  • Identity management systems
  • Network security tools
  • Productivity platforms like Microsoft 365 and Google Workspace
  • SIEM systems
  • Ticketing platforms
  • Vulnerability management systems

Data Residency

Dropzone AI deployments are normally located in AWS us-west-2, with optional regional deployments available to comply with privacy and regulatory requirements. 

EU customers can request in-region deployments to comply with GDPR.

Access Controls

You have control over what types of access you provide to the Dropzone AI solution. We default to read-only access. In some cases you may want to add write access, such as when writing to ticketing systems. 

Data Stored by Dropzone AI

  • Investigation data (alerts, evidence, findings)
  • User information (email addresses, IPs)
  • Chat interactions (queries and responses)
  • User interviews conducted via Slack
  • Operational logs retained for 30 days in AWS CloudWatch
  • Anonymous user experience logs (e.g. dashboard viewed, investigation result changed)
  • Integration configuration (server names, filters, priorities)

Model Training

No customer data is used to train Dropzone AI or sub-processors' models. Dropzone AI’s LLM providers are contractually obligated not to store or retain your data beyond immediate query processing.

GDPR and PII

Dropzone AI has achieved SOC 2 Type 2 certification. Customers in the European Union may request in-region deployments to accommodate GDPR data transfer laws. 

Dropzone AI handles data such as email addresses and IP addresses, primarily through alerts or during alert investigation analysis. This data is encrypted at rest and in transit (see Data Security Matrix).

How Dropzone AI Secures Data

Network Security

Each Dropzone AI SaaS tenant runs in its own isolated AWS subnet. Security groups and network ACLs define the permitted access, and anything not specified is denied by default. Currently, all API calls initiated from the Dropzone AI solution, whether directly from the cloud-hosted tenant or via the on-premises connector, use HTTPS.

Data Security Matrix

The following describes Dropzone AI's handling of data.

| Type of Data | Dropzone AI SaaS Tenant | Dropzone AI Connector |
|---|---|---|
| Encryption of Data at Rest | EBS encryption with AWS KMS (AES 256) | N/A (no data persistence) |
| Encryption of Data in Transit | TLS 1.2 or greater | TLS 1.2 or greater + ECDSA SSH (256-bit ed25519 keys) |
| Data Retention | Investigation data is retained until contract end or upon request; logs are stored for 30 days | N/A (no data persistence) |
| Authentication Methods | Salted PBKDF2 with SHA-256 with 256-bit derived key (salted-pbkdf2-hmac-sha256) with 24,000 iterations, or federation with Google, Microsoft, or a SAML IDP of your choice | 348-bit key |

Platform Authentication and User Roles

Customers can securely manage user access via local login, Microsoft SSO, Google SSO, or SAML IDP integration. 

User permissions align to three user roles available in the Dropzone AI solution:

  1. Administrator: Capable of all activities, including user management
  2. Member: Capable of all activities, excluding user management
  3. Restricted Read Only: Read-only access with no ad-hoc chat capabilities

Third Party Assessments

SOC 2 Type 2

Dropzone AI has achieved SOC 2 Type 2 certification. The SOC 2 findings document can be made available under NDA.

Third Party Penetration Tests

Dropzone AI engages a third party penetration tester annually. The latest was in December 2024. This test identified no critical, high, medium, or low severity vulnerabilities.

Accuracy and Explainability

The Dropzone AI solution is engineered with a specific focus on: 

  • Explainability so that humans can easily verify decisions and the criteria on which they were made
  • Data lineage to provide an audit trail, giving users confidence in Dropzone AI’s evidence-based analysis
  • Guardrails to protect against hallucinations
  • Continuous internal sandbox/lab testing and validation

How it Works

The following diagram and table explain how Dropzone AI performs autonomous alert triage and investigation.

[Flow chart: Dropzone AI investigation process]

| Step | Description |
|---|---|
| Obtain information | Dropzone AI connects to your security tools and receives alerts. Customers can filter which alerts the Dropzone AI solution investigates. |
| Strategize and plan | Dropzone AI is pre-trained to handle a wide variety of alert investigations, such as phishing reports and detections from EDR, firewall, identity, SaaS, and cloud service providers. For each alert, Dropzone AI will formulate multiple hypotheses of why the alert fired and the lines of investigation that need to be pursued. Importantly, the Dropzone AI solution recursively reasons like a human: after collecting and analyzing evidence, it will keep formulating additional hypotheses and lines of investigation until it reaches a final conclusion. |
| Collect evidence | To pursue lines of investigation, the Dropzone AI solution collects evidence from the customer’s security tools and internal systems just as a human analyst would. Expert modules are pre-trained to replicate an analyst skill, such as composing Splunk queries. Dropzone AI also uses threat intelligence, reputation services, and other tools such as VirusTotal and the WHOIS database to enrich IOCs such as IP addresses and file hashes. |
| Analyze | Dropzone AI replicates the Tier 1 SOC analyst skills needed for analysis of data. For example, the expert modules can use Wireshark to parse network packet captures for Log4j exploit markers, identify obfuscation techniques in PowerShell scripts, analyze phishing attachments, and reconstruct malware process trees from commands and files. An important feature of Dropzone AI is organizational context memory, which builds up the same type of institutional knowledge (understanding of your environment and business) that a human would. The Dropzone AI solution reads directory services, Jira tickets, and emails and perfectly recalls details when needed, such as why a SharePoint folder is OK to share with certain email addresses outside of the organization. Customers can add to this context memory inside the Dropzone AI product by teaching the solution using a natural language interface. |
| Report | Once the Dropzone AI solution has completed all the investigation steps, it composes a summary report that includes a recommended conclusion on whether the alert is benign, suspicious, or malicious. The conclusion is built from the findings, which are explained along with the data sources used, and human analysts reviewing the report have links to raw evidence (logs, etc.). |
| Respond | Dropzone AI helps with response in three ways: (1) help human investigators quickly get answers to follow-on questions through a natural-language chatbot interface; (2) offer recommended remediation actions; (3) automate containment actions, such as quarantining an infected endpoint, disabling compromised user credentials, and blocking a malicious IP address. These automated actions are completely configurable. |

User Input and Context Memory

Dropzone AI investigation quality improves as the AI SOC analyst learns about the company and environment. Importantly, this context memory is built and exists solely within the customer’s tenant and cannot be mixed with other customers’ deployments.

Customers will commonly add facts to context memory such as:

  • Company owned IP ranges
  • Allowed VPN services and policies
  • Individuals that conduct security testing
  • Hosts with special functions, such as Jenkins automation, critical application servers, data stores with sensitive information, and legacy infrastructure with known vulnerabilities that cannot be patched
  • Internal tool names and their purposes
  • Cloud IAM roles used for automation and administration
  • Office locations

As a result of investigations, Dropzone AI will infer details such as which AWS roles have which permissions.

Quality Assurance

Security domain experts employed by Dropzone AI manually review investigations to look for areas where we can improve the knowledge and tools available to the AI analyst. Read about our QA program.

Avoiding Hallucinations

Dropzone AI uses multiple independent agents (expert modules) that limit the scope of what is being asked of each individual agent and avoid hallucinations. 

  • Expert knowledge - Each expert module combines LLM reasoning capability with expertise, derived from authoritative sources such as product documentation. 
  • Up-to-date information - Expert modules have access to up-to-date information by accessing internal systems, security tools, threat intelligence, and public tools such as the WHOIS and NVD databases. 
  • Specificity - When an alert is received, Dropzone AI will strategize and plan the investigation, assigning specific tasks to expert modules pre-trained to complete that type of task.

Common Questions

Dropzone AI implements a number of measures to ensure the confidentiality of customer data.

Who determines which alert and data sources are enabled?

The customer is in ultimate control of which alert and data sources are enabled. Alert sources send alerts to Dropzone AI. Data sources are data stores that contain information needed during investigations. This access is provisioned during the onboarding phase, but can be adjusted by the customer at any time.

Does Dropzone AI make a copy of all my logs?

No. When configured, Dropzone AI continuously pulls security alerts, and during an investigation it fetches a subset of logs on demand from different data sources and security systems.

Do Dropzone AI's LLM providers train on my data?

No customer data is used to train Dropzone AI or sub-processors' models. Dropzone AI’s LLM providers are contractually obligated not to store or retain your data beyond immediate query processing.

Does Dropzone AI support SSO?

Yes, customers can securely manage user access via local login, Microsoft SSO, Google SSO, or SAML IDP integration.