Detection at Scale
Detection at Scale Podcast
D@S #76 - Google's Detection Director: 99% of Our Million Annual Tickets Never Reach a Human

Fine-tuned agents on Gemini, achieving 95% precision in ticket deduplication, and why speed matters more than ever in the era of AI attackers.

In the latest episode of Detection at Scale, I sat down with Michael Sinno, Director of Detection and Response at Google. With 20 years at Google, starting as a Windows sysadmin in 2006, Michael’s security journey began during Operation Aurora and has evolved through Google’s transformation from 10,000 to 200,000 employees. His experience building and scaling detection systems that process 7 trillion log lines daily while automating 99%+ of a million annual tickets positions him to discuss the intersection of extreme-scale security operations, AI integration, and the future of autonomous detection and response.

Our conversation explores Google’s methodical approach to AI adoption, starting with incident summaries and progressing to fine-tuned agents for specific detection workflows. Michael discusses the critical distinction between when to use AI versus traditional automation, Google’s “infer and interrupt” model for faster containment, and why the team’s stretch goal is 70% automated operations. His emphasis on golden datasets for training, human-in-the-loop validation even at scale, and the shift from tool expertise to domain expertise provides concrete guidance for security leaders navigating the march to autonomous SOC operations while maintaining precision.

Topics Covered

  • Processing 7 Trillion Log Lines with 99%+ Automation: How Google’s detection and response team handles a million tickets annually with less than 1% requiring human intervention, built on 15 years of detection-as-code fundamentals and automation before AI.

  • The AI Adoption Journey from Assisted to Autonomous: Google’s progression from AI-assisted incident summaries (reducing 30 minutes to 90 seconds) to AI-led deduplication agents to autonomous workflows, while maintaining conservative precision requirements given their no-fail mission.

  • Fine-Tuned Agents on Gemini with Golden Datasets: Why Google uses fine-tuned models validated by humans for specific agents like exfiltration detection, rather than relying solely on prompting, with golden datasets ensuring high-quality training data.

  • The Critical Distinction: AI vs Traditional Automation: How Google’s lead engineer established that not everything needs AI—things requiring judgment, nuance, and data analysis benefit from AI, while deterministic “if A then B” workflows should remain traditional automation.

  • Deduplication Agent Achieving 95% Precision: Google’s ticket deduplication agent operates at 95% precision with 38% recall, with humans still in the loop but not on every ticket, demonstrating the precision-recall tradeoff in production AI systems.

  • Vulnerability Workflow Automation: How AI collects daily vulnerability data from trusted sources, pulls metadata, evaluates infrastructure impact, writes reports, and recommends actions—reducing hours of work to minutes while asking “is Google infrastructure affected” with high confidence.

  • Overseer Agents for Quality Control: Google deploys agents that evaluate other agents’ outputs in aggregate and agents that assess ticket quality based on documentation criteria, kicking incomplete work back to analysts—AI evaluating both AI and human work.

  • The Infer and Interrupt Model: Google’s security-wide shift toward detecting suspicious behavior early and automatically containing it (cutting email, locking accounts) rather than spinning up full investigations—necessary because AI attackers don’t sleep and move faster.

  • TimeSketch Integration with SecGemini: How Google achieved 50x speed improvements in forensic timeline analysis by integrating Gemini with TimeSketch, inventing new chunking methods, and pulling out events no human would catch without knowing exactly what to look for.

  • The Future: Broader Detections with Specific Intel Layers: Michael predicts 70% of detections becoming broader “this looks odd” signals that trigger challenges or containment, layered with shorter-lived specific detections based on current threat intelligence for rapid pivoting.


The transformation Michael describes aligns with Panther's approach to AI integration, using agents to scale judgment and pattern recognition, while maintaining deterministic logic for routine workflows. Security teams can focus on the critical thinking and domain expertise that Michael emphasized as irreplaceable. Learn more about Panther AI and how our AI SOC platform helps scale human judgment rather than replace it!
