“In the AI era, whoever owns the data owns the future.” – Saryu Nayyar, Founder and CEO, Gurucul

As Indian enterprises accelerate AI adoption while navigating DPDP and rising board scrutiny, cybersecurity leaders face a sharper mandate: cut detection and response times, translate risk into business impact, and build operational resilience that holds up under real attacks. Gurucul, a unified security and fraud analytics provider, is positioning itself for this shift by combining machine learning, behavioral analytics, and new generative and agentic AI capabilities to modernize how SOCs ingest data, prioritize risk, and automate response.

Headquartered in Los Angeles, Gurucul recently introduced its AI SOC Analyst, which it says automates triage and response and can significantly reduce MTTD and MTTR. India is also emerging as a strategic hub for the company, with nearly 350 professionals across Pune, Bengaluru, and Chennai, and plans to expand talent, AI labs, and large-scale data infrastructure to support local innovation.

Saryu Nayyar
Founder and CEO
Gurucul

In this conversation with Jatinder Singh and R. Giridhar, Saryu Nayyar, Founder and CEO of Gurucul, explains why cybersecurity is moving from tool-centric defense to data-centric intelligence, how agentic AI is changing SOC economics, and what CISOs must do to stay ahead as attackers adopt AI and regulations tighten. Excerpts from the conversation follow.

CISO Forum: Many vendors talk about predictive security. For a CISO, what does “predictive” mean in operational terms, and where do GenAI and agentic AI genuinely move the needle beyond traditional ML?

Saryu Nayyar: There has been a massive shift. AI is not just an evolution; it is a revolution. In cybersecurity, it is a huge opportunity to finally reach goals the industry has been working on for years: faster detection, automated response, and meaningful reductions in MTTD and MTTR.

At Gurucul, we pioneered UEBA and have focused on machine learning and contextual analytics for over a decade. Now, with GenAI and agentic AI workflows, the breakthrough is in making security operations more actionable and less manual.

GenAI helps move toward a copilot mode that is more guided and more actionable. Agentic AI automates repetitive work and helps address analyst fatigue. There are too many alerts and too few analysts. Using LLMs, machine learning, and risk scoring, we can reduce mundane work and provide higher efficacy outcomes, including triage that supports L2 and L3 analysts and automated response for confirmed true positives.

We call this our AI SOC Analyst capability, combining GenAI and agentic AI.

AI is not an incremental upgrade to cybersecurity. It is the first real opportunity to move security operations from alert management to outcome-driven decision-making.

CISO Forum: SIEM is being redefined around data, analytics, and automation. In India, which customer profiles are you prioritising, and what security outcomes are they buying rather than which vertical they sit in?

Saryu Nayyar: Our go-to-market focus is Fortune 2000 enterprises and MSSPs.

We are not tied to a single industry vertical. We work across financial services and banking, healthcare, manufacturing, retail, government, and newer tech and fintech startups.

The government is an important business unit for us. We have teams that specialize in working with governments, including the US federal and national governments, as well as governments globally. MSSPs are also a big focus because they help us reach customers with small SOC teams or no SOC at all who need a partner to operate security effectively.

CISO Forum: Government environments tend to have stricter constraints on sovereignty, legacy platforms, and operating models. What are the most persistent challenges you see, and where do you believe you deliver measurable differentiation?

Saryu Nayyar: We see similar themes across many industries. Common priorities include faster and more comprehensive detection, faster risk identification, automated and faster response, and cost management.

One differentiated capability we offer is native data-pipeline management within our platform. Organizations often pay for SIEM data they do not actually need for detection and response. We can reduce data costs by at least 40 percent, and we guarantee it through better data controls and optimization, including agentic AI workflows.

Another major differentiator is data democracy. Large enterprises increasingly want to own their data and avoid vendor lock-in. SIEM replacements are often hard because vendors hold data hostage, and even pulling data out for compliance can be expensive.

We enable customers to run security analytics on their own data lake, or we help them build one. Even if they later stop using Gurucul, they can keep the data lake and work with any vendor. That creates a vendor-agnostic security architecture and reduces long-term lock-in.

In the AI era, data is everything. Enterprises should work toward owning their data because whoever controls it can train and improve models and avoid being trapped in a single ecosystem.

CISO Forum: If AI automates entry-level triage, we risk hollowing out the analyst pipeline. How should CISOs redesign operating models so that skills continue to develop without diluting accountability?

Saryu Nayyar: We are removing repetitive work, not removing human intelligence.

SOC work today often involves fatigue-driven tasks such as triage, repetitive alert handling, and meeting SLAs. Humans can be inconsistent because they are tired, overloaded, or under pressure. AI analysts do not take PTO, do not burn out, and can triage alerts quickly, 24/7.

What changes is where analysts begin. Instead of starting with mundane tasks, they start at a higher level with more sophisticated investigation, L2 and L3 analysis, and response. It becomes a different learning curve, but they will grow quickly because they are working on meaningful problems earlier.

Even in an autonomous narrative, we strongly believe in human-AI collaboration. We call our platform a self-driving SIEM, but the best outcome comes from collaboration between AI and human expertise.

CISO Forum: Attackers are already using AI for speed, scale, and deception. What failure modes worry you most, and what must change in detection and response to stay resilient when the adversary is adaptive?

Saryu Nayyar: You are right. AI-driven threats will increase, and we need to adapt.

We frame it as two parallel priorities: AI for security and securing AI. AI agents themselves become new entities in the environment that must be monitored for behavioral anomalies, just as users, devices, and systems are.

We also see the future in more adaptive detections that adjust in real time based on the data they are getting. We are not claiming the industry is fully there yet, but this is the direction.

Beyond detection, response and triage matter. That is where automated triage and the AI SOC Analyst capability help by accelerating investigations and responses, so SOC teams can focus on high-impact incidents.

Boards do not need more vulnerability counts. They need context, prioritisation, and a clear line between cyber risk and business impact.

CISO Forum: Most large enterprises now have tool sprawl and alert fatigue. If the problem is not the absence of tools but the absence of a coherent signal, what is your approach to reducing noise without creating blind spots?

Saryu Nayyar: This is exactly why the future is about building a data lake and running unified security analytics.

Bring everything into one platform: alerts, telemetry, signals. Then build context. We stitch events together, run behavioral analytics, and apply risk scoring and risk aggregation. GenAI and agentic workflows then help translate this into what the SOC should actually act on.

Point tools can generate massive alert volumes. DLP alone can produce tens of thousands, even 100,000 alerts a day. Most teams cannot triage it all. They focus on a few key policies, and the rest becomes unreviewed noise.

Unifying signals and applying contextual analytics and risk prioritization changes the game by moving from looking at alerts in silos to operating as a risk-driven security organization.

CISO Forum: Boards are moving beyond operational metrics. They want business impact, accountability, and clarity on investment. How do you translate cyber signals into a board-level narrative that is decision-grade, not data-heavy?

Saryu Nayyar: We recently launched a beta capability that addresses exactly this.

With AI, we can generate board-level and executive-level summaries that connect prioritized risks to business impact and provide recommendations on what to remediate and where to invest.

Today, we produce five daily synopsis views: Board level, CISO, CIO, Chief Risk Officer, and SOC Leader. Think of it like daily highlights for stakeholders: top issues, business impact, risk priorities, recommended actions, and what peers in the industry are doing.

This avoids unhelpful reporting like “you have 58 million vulnerabilities.” Boards respond by asking, “What does that mean?” They need context and prioritization.

CISO Forum: IT/OT convergence and the rise of autonomous devices expand the attack surface, and in many environments, the asset inventory is the first gap. What do you see as the most practical path to visibility and risk control across OT and edge?

Saryu Nayyar: We designed UEBA from the start to support any entity, not just users. IoT devices, OT assets, and edge devices can all be treated as entities.

First is discovery: identify what is on the network and provide visibility into it. Second is behavioral anomaly detection: monitor how these devices behave and alert on abnormal interactions.

We have monitored CCTV systems: not the video content, but behavior signals like unexpected stoppage. We also work with large railroad infrastructure organizations globally, monitoring traffic systems, camera networks, and interactions that could affect routes and safety.

Supply chains and critical infrastructure generate many signals. Bringing that data together and contextualizing it is essential.

CISO Forum: Building management systems and medical devices are increasingly connected but rarely governed like core IT. What classes of risk do you see most often, and how should CISOs set ownership when the vendor ecosystem is involved?

Saryu Nayyar: We can monitor HVAC and similar systems. The broader category is high-risk connected devices, including medical devices.

In hospitals, devices like CT scanners or chemo medication dispensing machines are often maintained by vendors, and replacements occur without robust vulnerability checks. The security risk can be massive.

We monitor these as entities too. Think about the potential impact of compromised devices, including pacemakers. Monitoring behavioral anomalies across such devices becomes critical.

CISO Forum: DPDP raises the bar on governance, accountability, and data control. Where do you see enterprises getting caught off guard as they deploy GenAI and agentic workflows, and what must CISOs insist on to stay compliant and resilient?

Saryu Nayyar: Organizations need to embrace AI because it is here to stay. The faster you understand its impact on data and telemetry, the better prepared you will be.

Businesses are upgrading and moving faster than governance processes can keep up with. Many organizations set up AI governance boards, but business teams still move forward, often without fully understanding the security and data repercussions, including what telemetry is shared outside.

We are also adding a new threat vector: agentic AI workflows and AI agents that must be monitored.

Finally, we must stop operating in silos. Threats are moving faster, so protection must match that pace. SOCs must move away from mundane work and toward unified, contextual, AI-accelerated security operations.

CISO Forum: Trust is becoming a security control. What are your non-negotiables for explainability, privacy, and sovereignty, especially for regulated and air-gapped environments?

Saryu Nayyar: We are guided by three simple but non-negotiable principles. The systems must be explainable, they must be trusted, and they must never operate as an opaque black box without strong privacy controls.

Explainability matters because security and technology leaders are ultimately accountable for outcomes. If a model makes a decision, we should be able to clearly explain why it did so, not just to engineers, but to boards, regulators, and auditors as well.

Trust is built through consistent and predictable behavior. That means clear guardrails, no surprises in how the system operates, and absolute clarity on how data is handled. We take data sovereignty seriously. Sensitive data stays within the customer’s environment, and no telemetry leaves the system unless it is explicitly approved.

For government and highly regulated use cases, we support large language model deployments in fully air-gapped environments. This ensures complete isolation and control.

At the end of the day, if you cannot explain how a system works, cannot trust it to behave consistently, or cannot verify its privacy controls, it becomes a risk rather than an advantage.

CISO Forum: As you scale in India, what will you invest in most: product capability, customer outcomes, or ecosystem partnerships? And how should CISOs evaluate those commitments?

Saryu Nayyar: We are making major investments in India. We have a large team and strong operations across Pune, Bangalore, and Chennai, with R&D and development anchored there.

Over the last 18 months, we have tripled the size of the India go-to-market team, and we are continuing to expand. We have built an India-specific customer advisory board comprising CISOs and large enterprises to guide us on regulations, compliance, data residency, detection, and operational needs.

We also work with major MSSPs in India. India is a big focus area. We are increasing investments significantly and want to be number one in the region.

CISO Forum: Which risk area do you think Indian enterprises are still underweight, despite rising maturity elsewhere?

Saryu Nayyar: We focus heavily on external threats, but we should also talk more about insider threats, especially in markets like India, where it may not be prioritized enough in day-to-day conversations, including in large services companies handling sensitive customer data. Raising awareness here is important.
