Company Profile
Command Zero was founded in 2022 and is headquartered in Austin, Texas, USA [1].
The company was co-founded by three seasoned cybersecurity experts—Dov Yoran, Dean De Beer, and Alfred Huger—who have held senior technical positions at renowned companies such as Cisco, IBM, and McAfee. They have also successfully established and sold multiple cybersecurity startups. In July 2024, Command Zero announced the completion of a $21 million funding round led by Andreessen Horowitz, with participation from Insight Partners and over 60 angel investors in the cybersecurity field [2].
RSAC has commented on Command Zero as follows: “Command Zero is an autonomous and AI-assisted investigations platform, built to transform security operations. It empowers analysts to run advanced investigations and threat hunts in complex environments. The platform reduces mean time to understand and respond — delivering expert outcomes at scale.” [3]
Product Background
Command Zero raised the issue of “the last mile problem in security operations” [4]. One of the co-founders, Dov Yoran, said, “Modern enterprise security environments generate 100,000s to millions of security related signals daily. While significant progress has been made in automating tier-1 detection and triage, escalated cases still demand thorough human analysis. Tier-2 and tier-3 analysts—along with incident responders—are highly skilled yet underserved. They too need automation, collaboration tools, and expert content to thrive.”
Difficulties in security incident investigations [5]
Command Zero believes that in today’s cybersecurity landscape, even though intrusion detection and threat intelligence tools are becoming more advanced, the investigation process still heavily relies on manual analysis. Security teams need to extract information from multiple data sources such as authentication systems, vulnerability scanners, and log platforms, a process which is both time-consuming and prone to mistakes. Command Zero aims to simplify this complex process through automation and natural language processing technologies, thus speeding up investigations and improving accuracy.
Solution Features
Based on Command Zero’s promotional materials, its solution appears to include the following features:
1. Playbook orchestration
Command Zero refers to its pre-built investigation processes as “Facets,” which are constructed in natural language without the need for coding. The company claims that “they act like intelligent roadmaps, ensuring that no critical issues or data are overlooked during the investigation process” [5].
Command Zero’s Facet management interface [6]
We speculate that Command Zero’s solution might resemble an “AI-driven SOAR solution that doesn’t execute any response actions.” The solution alternates between two states:
- Asking questions based on known clues. These questions can be generated by an LLM, determined by pre-configured investigation templates, or posed by users themselves.
- Querying data to answer the questions and uncover new clues. This process is primarily carried out by the LLM Agent.
A “Facet” for password spraying [5]
Command Zero claims that its Facet-based approach can standardize what might otherwise be a chaotic investigation process, ensuring that all analysts follow consistent best practices and avoid time-consuming repetitive tasks [5].
However, the real key to the solution’s effectiveness might lie in the number of pre-built playbooks it offers, as well as the quality and practical performance of those playbooks. Unfortunately, we could not find any publicly available information disclosing these details.
2. Autonomous question-asking
This is a crucial feature of the Command Zero solution: the system’s ability to ask questions and drive the investigation forward on its own.
In its promotional materials, Command Zero explains, “First, we maintain a comprehensive and continuously updated repository of investigation knowledge vectors, covering our questions and Facets. We use natural language processing (NLP) techniques to extract context and generate metadata that describes intent and relevance… We will also incorporate access to historical investigation reports, analyst* behaviors, notes, and details… Based on this information, we generate a tactical and actionable query that serves as input to the vector repository. The results are then filtered and ranked, applied to various clues, and executed. This process is repeated…” [7]
*Note: The term “analyst” usually refers to a human, but in this context, it may also refer to certain automated analysis devices/systems.
Process of autonomous question-asking [7]
From this description, it seems that calling the feature “autonomous question-asking” might not be accurate. Command Zero doesn’t simply let the LLM generate questions at will. At this stage, the LLM’s role is more about analyzing users’ intent and generating vectors for RAG queries. The actual questions posed are then selected from a pre-defined set based on some weighting strategy.
Presumed selection interface for Command Zero’s predefined questions [6]
We believe it is an excellent approach that balances efficiency and accuracy. Current LLMs still have certain limitations. If we were to let the LLM fully take the lead in the process (as with AutoGPT), it might struggle to identify issues in its own planning and could end up going down the wrong path of investigation—or even get stuck in a loop. By using RAG queries to select from pre-defined questions, Command Zero leverages the LLM’s reasoning capabilities while keeping the investigation on a reasonable track, which is truly impressive.
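The two alternating states described above (ask a question from known clues, query data to answer it and surface new clues) and the filter-and-rank selection over a repository of predefined questions can be sketched as a small loop. This is an added illustration, not Command Zero’s code; the question set, tags and simulated data sources are constructed for a password-spraying scenario, and Jaccard overlap on tags stands in for vector similarity.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Question:
    text: str
    tags: frozenset   # intent/relevance metadata, the "vector" stand-in
    needs: frozenset  # clue types that must be known before it can run
    yields: frozenset # clue types its answer can surface

# Constructed password-spraying question set (illustrative, not Command Zero's content).
REPO = [
    Question("Which source IPs failed logins against many distinct users?",
             frozenset({"auth", "failure", "spray"}), frozenset({"alert"}), frozenset({"src_ip"})),
    Question("Did any of those IPs later authenticate successfully?",
             frozenset({"auth", "success", "spray"}), frozenset({"src_ip"}), frozenset({"account"})),
    Question("Is the source IP known in threat-intel feeds?",
             frozenset({"intel", "reputation"}), frozenset({"src_ip"}), frozenset({"reputation"})),
    Question("What did the compromised account access afterwards?",
             frozenset({"account", "activity", "access"}), frozenset({"account"}), frozenset({"resource"})),
]

# Simulated federated data sources keyed by question text; each returns new clues.
SOURCES = {
    REPO[0].text: lambda c: {"src_ip": "203.0.113.7"},
    REPO[1].text: lambda c: {"account": "svc-backup"} if c.get("src_ip") else {},
    REPO[2].text: lambda c: {"reputation": "unknown"},
    REPO[3].text: lambda c: {"resource": "finance-share"},
}

def score(q, context):
    """Jaccard overlap between question metadata and the clue-derived query context."""
    return len(q.tags & context) / len(q.tags | context)

def select(clues, intent, asked):
    """Filter to runnable, not-yet-asked questions, then rank; None when exhausted."""
    context = frozenset(clues) | intent          # clue types plus the analyst's intent
    runnable = [q for q in REPO if q.text not in asked and q.needs <= set(clues)]
    return max(runnable, key=lambda q: score(q, context), default=None)

def investigate(initial_clues, intent, max_steps=10):
    """Alternate between choosing a question and querying data until no question remains."""
    clues, trail = dict(initial_clues), []
    for _ in range(max_steps):
        q = select(clues, intent, set(trail))     # state 1: pick the next question
        if q is None:
            break
        trail.append(q.text)
        clues.update(SOURCES[q.text](clues))      # state 2: query data, gain new clues
    return trail, clues
```

The bounded step count and the `needs` filter are what keep the loop from wandering or cycling, which is the failure mode the text attributes to letting an LLM plan freely.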
3. Multi-source heterogeneous data processing
Command Zero’s promotional materials also emphasize that “the platform doesn’t need direct access to systems or profound technical knowledge. Instead, it abstracts complexity. We use a federated data model to connect directly to data sources via existing APIs, allowing analysts to query any system using pre-built natural language questions.” [6]
In current security operations practice, the norm for handling multi-source heterogeneous data is to write a targeted adapter for each data type and ultimately normalize everything into a common data structure.
Command Zero’s approach is different. It leverages the LLM’s tool-calling capabilities to access each distinct raw data source directly. This method only requires that all data be accessible via APIs, eliminating the need to normalize multi-source heterogeneous data.
However, there are reasons why data normalization became a widely adopted practice. If Command Zero’s solution relies entirely on the LLM to access data, it may face challenges that conventional code-based data processing cannot help with. The LLM must independently, reliably, and correctly handle data formats not covered in its training phase, and it may encounter data sources with complex authentication and interaction flows, which is no small feat. For example, some data sources only support passive push, so actively querying them via API may be infeasible or perform poorly.
We’re not sure if Command Zero has implemented some kind of unified interface mechanism similar to MCP internally. Moreover, as of the time of writing this article, there don’t seem to be any publicly available materials indicating how Command Zero’s data processing methods perform in real-world scenarios. Only time will tell.
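To make the contrast concrete, here is the conventional approach the text describes: a per-source adapter normalizes two heterogeneous authentication formats into one schema, after which the password-spraying Facet question from earlier can be answered by ordinary code. This is an added example, not Command Zero’s implementation; the JSON-lines and syslog samples are constructed, as are the field names of the common schema.

```python
import json
import re
from collections import defaultdict

# Constructed samples of two heterogeneous auth sources (not real product output).
IDP_JSONL = """
{"ts": "2025-04-01T10:00:01Z", "actor": "alice", "ip": "203.0.113.7", "outcome": "FAILURE"}
{"ts": "2025-04-01T10:00:02Z", "actor": "bob", "ip": "203.0.113.7", "outcome": "FAILURE"}
{"ts": "2025-04-01T10:00:03Z", "actor": "carol", "ip": "203.0.113.7", "outcome": "FAILURE"}
{"ts": "2025-04-01T10:00:09Z", "actor": "dave", "ip": "203.0.113.7", "outcome": "SUCCESS"}
""".strip().splitlines()

VPN_SYSLOG = """
Apr  1 10:00:04 vpn1 sshd[201]: Failed password for erin from 203.0.113.7 port 5001 ssh2
Apr  1 10:00:05 vpn1 sshd[202]: Failed password for frank from 203.0.113.7 port 5002 ssh2
Apr  1 10:00:06 vpn1 sshd[203]: Failed password for alice from 198.51.100.2 port 5003 ssh2
Apr  1 10:00:07 vpn1 sshd[204]: Accepted password for alice from 198.51.100.2 port 5004 ssh2
""".strip().splitlines()

SSH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port")

def normalize_idp(line):
    """Adapter: IdP JSON record -> common schema (user, src_ip, success)."""
    r = json.loads(line)
    return {"user": r["actor"], "src_ip": r["ip"], "success": r["outcome"] == "SUCCESS"}

def normalize_syslog(line):
    """Adapter: sshd syslog line -> common schema; None when it is not an auth event."""
    m = SSH_RE.search(line)
    if not m:
        return None
    return {"user": m.group(2), "src_ip": m.group(3), "success": m.group(1) == "Accepted"}

def normalize_all():
    """Run every source through its adapter so later logic sees one structure."""
    events = [normalize_idp(line) for line in IDP_JSONL]
    events += [e for e in map(normalize_syslog, VPN_SYSLOG) if e]
    return events

def spray_candidates(events, min_users=3):
    """Facet question over the unified schema: source IPs that failed logins against
    at least `min_users` distinct accounts, with any accounts that succeeded from that IP."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for e in events:
        (succeeded if e["success"] else failed)[e["src_ip"]].add(e["user"])
    return {ip: {"failed_users": len(users), "success_users": sorted(succeeded[ip])}
            for ip, users in failed.items() if len(users) >= min_users}
```

Each new source costs one adapter function, which is the engineering overhead the federated model aims to avoid, but it also means the parsing is deterministic and testable rather than delegated to the model.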
4. Comparison with other common solutions
In its promotional materials, Command Zero repeatedly emphasizes that its solution is “question-based investigation”. They claim that this approach has several advantages over conventional methods [8], including:
- Compared with AI chatbots: Command Zero’s solution unifies the investigation process through structured input, making it easy for the LLM to understand and subsequently access multiple data sources in a predictable manner. In contrast, chatbots require users to clearly articulate their needs, and the results are often uncertain.
- Compared with (manual) query-based methods: Command Zero’s solution eliminates the need for users to understand the query languages and data structures of each data source, allowing for quick data retrieval from multiple sources. Manual querying, on the other hand, requires higher skills and more time to achieve the same results.
- Compared with AI SOC analyzers (agent-based): Command Zero’s solution focuses primarily on “escalated” events that have already been initially categorized, offering better transparency and auditability. Its workflow parallelism also provides performance advantages. AI SOC analyzers, however, are only good at handling simple tasks and struggle with more complex cases.
Of course, if we look only at the advantages of the Command Zero solution, the claims above are broadly reasonable. However, AI chatbots are clearly more flexible, and manual queries yield clearly better analysis quality. As for AI SOC analyzers, there are many engineering approaches besides LLM agents, so they cannot be generalized about.
Moreover, Command Zero might need to be compared more closely with various SOAR solutions that incorporate AI. These solutions not only have the capability to conduct investigations but can also automatically handle some remediation tasks.
Summary
Command Zero’s innovative automated investigation platform addresses the common issues of inefficiency, error-proneness, and lack of standardization in traditional security incident investigations. The company’s natural language-driven approach, integration of multiple data sources, structured processes, and built-in knowledge base enable security teams to respond to cybersecurity incidents more quickly and accurately.
Efficient collaboration between human experts and LLMs has long been a key area of exploration in the industry. We believe that Command Zero’s solution is a strong exploration of this direction, providing powerful support for enterprises. It is definitely worth paying attention to and trying out. This is perhaps one of the main reasons it has made it to the finals of this year’s RSAC Innovation Sandbox.
References
[1] Command Zero Inc. About, 2025[EB/OL]. (2025). https://www.cmdzero.io/about.
[2] Maria Deutscher. Command Zero launches with 21M to speed up breach investigations, July 2024[EB/OL]. (2024-07). https://siliconangle.com/2024/07/09/command-zero-launches-21m-speed-breach-investigations/.
[3] RSA Conference LLC. Finalists Announced for 20th Annual RSAC™ Innovation Sandbox Contest 2025 | RSA Conference, April 2025[EB/OL]. (2025-04). https://www.rsaconference.com/library/press-release/finalists-announced-for-20th-annual-rsac-innovation-sandbox-contest-2025?postID=16630572594.
[4] Dov Yoran. Command Zero Named Top 10 Finalist for RSAC 2025 Innovation Sandbox: A Milestone in Our Mission to Transform Security Operations, April 2025[EB/OL]. (2025-04). https://www.cmdzero.io/blog-posts/command-zero-named-top-10-finalist-for-rsac-2025-innovation-sandbox.
[5] Dean De Beer. Leveraging RAG for question selection in cyber investigations, September 2024[EB/OL]. (2024-09). https://www.cmdzero.io/blog-posts/leveraging-rag-for-question-selection-in-cyber-investigations.
[6] Alfred Huger. Navigating complexity with structure: Using pre-built sequences for security investigations, December 2024[EB/OL]. (2024-12). https://www.cmdzero.io/blog-posts/navigating-complexity-with-structure-using-pre-built-sequences-for-security-investigations.
[7] Dean De Beer. Revolutionizing cybersecurity investigations with expert questions and AI, January 2025[EB/OL]. (2025-01). https://www.cmdzero.io/blog-posts/revolutionizing-cybersecurity-investigations-with-expert-questions-and-ai.
[8] Dean De Beer. Transforming cyber investigations: The power of asking the right questions, July 2024[EB/OL]. (2024-07). https://www.cmdzero.io/blog-posts/transforming-cyber-investigations-the-power-of-asking-the-right-questions.