How ZS Operationalized Blue Agent-Powered Cloud Detection and Response

As ZS's Security Operations team looked to scale cloud detection and response, they saw an opportunity to leverage the Wiz Blue Agent. But rather than immediately automating investigations, they took a deliberate, responsible approach: validate first, automate second.

ZS Associates

Industry: Business Services

Region: Global

Wiz products: Wiz Cloud, Wiz Defend

Use cases: CDR, CSPM, IaC Scanning

ZS is a global management consulting and technology firm serving clients who entrust them with some of their most sensitive data. With more than 15,000 employees across 40+ offices worldwide, security isn't simply an internal function—it's fundamental to the trust their clients place in them every day. ZS embeds AI into decisions and workflows to drive better client outcomes, but it also holds itself to the same standard internally, approaching every AI adoption with rigor and intentionality.

Over three months, the team built an internal framework for measuring Blue Agent performance, comparing its investigations against analyst findings and tracking confidence over time. The result was a self-validated accuracy rate of 95%—giving the team the confidence to operationalize Blue Agent as part of their day-to-day security operations workflow.

Today, Blue Agent automatically investigates and closes a defined set of low-severity cloud detections, helping analysts focus on the work where human expertise matters most.

The Challenge: Preserving Analyst Time for High-Value Work

After onboarding Wiz Defend, the team explored AI-assisted workflows to accelerate routine investigative tasks and enable analysts to focus more on complex security matters. ZS focused on ensuring that its highly skilled analysts could dedicate more of their time to investigations requiring deep expertise, contextual judgment, and collaboration. The objective was not to replace human analysts, but to augment their effectiveness by streamlining repetitive investigative activities.

By reducing the effort associated with routine triage and analysis, the team sought to create additional capacity for advanced threat investigations, incident response coordination, proactive security improvements, and other high-value security initiatives.

Earning Trust Before Automation

We spent considerable time evaluating the agent... We used to do our parallel investigation, see where it differed — the Blue Agent's analysis and our analysis. After this entire exercise, the accuracy was around 95.17%. It was a no-brainer that at least for the low severity alerts, we should start with this and operationalize it.

Atman Trivedi, Director of Information Security, ZS Associates

Many organizations evaluate AI based on speed. ZS started evaluating it based on accuracy and precision. It's an approach consistent with how ZS thinks about AI across the enterprise: not as a shortcut, but as a way to make better decisions and free people to do their most meaningful work.

Rather than treating AI as a black box, ZS built a structured validation process for the Blue Agent. The team continuously reviewed verdicts, measured performance, and worked to refine how the Blue Agent operated within their environment.

The process was intentional: the Blue Agent needed to demonstrate that it could consistently reach the same conclusions analysts would have reached themselves.

After three months of evaluation, the metrics demonstrated what the team already felt: the Blue Agent was not only accurate, but was helping analysts do their jobs more effectively.

  • 95% accuracy — Self-validated through three months of parallel investigation and confidence tracking

  • 80–90% faster investigations — Time to render a verdict compared to manual analysis

  • 4x analyst throughput — Analysts can now triage significantly more threats than before

From Alert Queues to Exception Reviews

Today, ZS uses the Blue Agent to automatically investigate and resolve a defined set of low-severity cloud detections.

When these alerts occur, the Blue Agent analyzes the activity, renders a verdict, and closes the threat directly within Wiz Defend. Instead of reviewing dozens of individual threats throughout the day, analysts perform a threat review at the end of each shift, keeping the human in the loop to validate the actions the Blue Agent took and looking for anomalies or edge cases.

The operational impact is significant.

Time that was previously spent manually triaging routine threats is now redirected toward advanced investigations, threat hunting, and security initiatives that require human expertise. Analysts spend less time processing queues and more time making decisions.

We are now fully relying on the Blue Agent for some of the low severity alerts. Instead of having a lot of tickets, it's just one task at the end of each shift — checking all those detections that have been closed by the Blue Agent. That is allowing our team to focus more on the advanced work.

Atman Trivedi, Director of Information Security, ZS Associates

Democratizing Cloud Security Expertise

For ZS, one of the most meaningful outcomes wasn't operational—it was organizational.

Cloud security expertise can be difficult to scale. While ZS's security operations function continues to grow, not every analyst enters the team with years of cloud-specific experience.

The Blue Agent helps close that gap.

By providing clear, contextualized investigations and transparent reasoning, the Blue Agent makes cloud detections easier to understand and act upon. Analysts don't need deep cloud expertise to understand the verdict, review the evidence, or determine the appropriate next step.

The result is a more accessible operating model where cloud security knowledge is no longer concentrated among a small group of specialists.

A broader set of analysts can confidently investigate cloud-related threats, triage moves faster across shifts, and team members continuously build cloud security expertise through the investigation process itself.

What is often described as "democratizing cloud security" becomes tangible in day-to-day operations: more analysts contributing effectively, more consistent investigations, and faster response across the organization.

The Blue Agent is really easy to consume - for any level on our team. It democratized this particular skill. Anyone on the team can look at it and know: is this something really critical, or is this something we can ignore?

Atman Trivedi, Director of Information Security, ZS Associates

Building the Foundation for Autonomous Security Operations

For ZS, the Blue Agent represents more than a faster way to investigate alerts: it provides the foundation for future security automation, enabling a more scalable and efficient future for security operations.

Today, the Blue Agent can automatically trigger the creation of investigation reports for analyst review, maintaining a human-in-the-loop approach while reducing manual effort. Looking ahead, ZS plans to utilize Wiz Workflows to further automate remediation actions and coordinate response activities across teams.

With Wiz Defend and the Blue Agent, ZS is building a security operations model that scales alongside cloud growth and alert volume—without requiring linear growth in analyst effort. For a firm built on the belief that AI should be embedded into how work gets done, not bolted on top of it, this is what responsible, scalable AI adoption looks like in practice.

At ZS, we believe AI should be embedded into how work gets done - not bolted on as an afterthought. Our security operations team applied that same principle here: they validated the Blue Agent rigorously before operationalizing it, and the results speak for themselves. This is what responsible AI adoption looks like in practice - scalable, measurable, and always with a human in the loop. It's a model we intend to build on as we continue maturing our security operations.

Atman Trivedi, Director of Information Security, ZS Associates
