A Wazuh Platinum Partner with deep MSOC and MDR expertise saw cloud SOC vendors put their clients on per-GB and per-token meters that scaled out of control. They needed an alternative they could own — and partnered with yGen to build it.
Cloud-native SOC platforms — Microsoft Sentinel, Sumo Logic, Devo, the rest — had created a recurring problem for the CIO buyer: OPEX that scaled with usage in the wrong direction. $30–$50 per user per month for AI features. $2.76–$5.22 per GB per day for log ingestion. Per-token charges layered on top. None of it predictable.
GrayBox Security saw this clearly. As a Wazuh Platinum Partner running MSOC and MDR services, they were close enough to client conversations to know that data sovereignty, predictable cost, and on-prem control were no longer "nice-to-haves" — they were active deal-killers for cloud SOC vendors.
But building an on-prem AI-augmented SOC from scratch wasn't an option. The agent infrastructure alone — multi-agent orchestration, sandboxing, RAG, channel deployment — would take 18–24 months to get to production-grade. GrayBox needed a platform partner.
The partnership thesis was clean from the first conversation: two specialists with no overlap. yGen owns AI architecture, agent engineering, and platform R&D. GrayBox owns SOC operations, analyst expertise, and the client relationships.
"GrayBox brought the SOC operations and the client relationships. yGen brought the AI Box and Phoenix. Together: an Agentic SOC that was production-ready in months — not vaporware, not a Microsoft re-skin."
Each side committed to clear lanes:
The output: Agentic SOC — a co-branded, productizable solution GrayBox sells under their own packaging to clients who couldn't or wouldn't move to cloud SOC.
The technical architecture was non-negotiable. If the goal was to defeat cloud SOC's economics and sovereignty problems, the answer couldn't have a cloud asterisk.
Wazuh sits at the SIEM and detection layer — playing to GrayBox's existing Platinum Partnership. Phoenix orchestrates five specialist agents: triage, investigation, response, hunt, and posture. The whole stack runs on AI Box appliances co-located in PH facilities or installed at the client's HQ.
"Microsoft validated the Agentic SOC model — but locked it into Azure. yGen delivers it on-prem, open-source, and partner-deliverable. That's the gap we walked into."
Critical architectural decisions: No inbound ports exposed. All connections outbound via Tailscale VPN. Tenant-level data isolation enforced at VLAN and container level. Local LLM inference via Ollama (LLaMA, Qwen, Mistral) — no cloud token charges, no per-query cost.
The maturity roadmap was deliberate. Each phase delivered usable client value before the next one began — no big-bang launch, no 18-month "not yet ready" period.
AI Box installed at client. Wazuh + Phoenix integrated. Endpoint, identity, and cloud sources connected. Auto threat disruption enabled.
Triage and investigation agents activated. RAG knowledge base loaded with GrayBox playbooks. Analysts shift from alert queues to decision-making.
Full multi-agent orchestration — contain, remediate, hunt. Continuous posture optimization. Multi-box clustering for scale.
The partnership's value compounds across three vectors — operational efficiency for clients, cost advantage vs cloud-SOC alternatives, and a net-new market segment GrayBox couldn't profitably reach before.
Tier-1 analysts moved from alert triage to decision review. One analyst now supervises the workload of 5–10 traditional SOC seats — all on-prem, all client-isolated.
Phoenix-orchestrated triage and investigation agents close the loop on routine threats in minutes. Human escalation reserved for novel attack patterns and high-stakes containment decisions.
Fixed AI Box CAPEX vs variable cloud OPEX. For a 500-endpoint client, payback hits at 6–10 months. Every month after is margin.
Clients who couldn't justify cloud SOC's recurring cost can now buy at a fixed price. Net-new revenue, net-new margin, net-new market — without compromising on capability.
The Agentic SOC was built to satisfy three audiences simultaneously: the CIO buyer who needs OPEX predictability, the CISO who needs data sovereignty, and the regulator who needs audit defensibility.
100% on-premises data residency. Multi-tenant isolation via VLAN + container segmentation — provable, not theoretical. Every agent decision logged with full context. Human-in-the-loop governance preserved at the containment and remediation layer — agents propose, humans approve.
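As an added illustration (not Phoenix's code or API), the sketch below shows the governance pattern described above and the tenant isolation claimed earlier: an agent proposes a gated containment action with the evidence behind it, the proposal is written to an audit log with full context, and only a human approver belonging to the same tenant can approve it. All action names, agent names and field layouts are assumptions.

```python
"""Human-in-the-loop approval gate with tenant isolation and a full-context audit log."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Assumed set of containment/remediation actions an agent may only *propose*.
GATED_ACTIONS = {"isolate_host", "disable_account", "block_ip"}


@dataclass
class Proposal:
    tenant: str         # tenant the underlying alert belongs to
    agent: str          # proposing agent, e.g. "triage" or "investigation"
    action: str         # requested action, must be in GATED_ACTIONS
    target: str         # host, account or address the action applies to
    evidence: list      # alert ids / observations the agent based the decision on
    model: str          # local model used for the reasoning, e.g. "qwen"
    status: str = "proposed"


class ApprovalGate:
    def __init__(self):
        self.audit_log = []   # every decision, with the proposal's full context
        self.executed = []    # actions that passed the gate (execution simulated)

    def _log(self, event, proposal, actor, reason=""):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                 "actor": actor, "reason": reason, **asdict(proposal)}
        self.audit_log.append(entry)
        return entry

    def propose(self, proposal):
        """Agent side: record the proposal; unknown actions are refused outright."""
        if proposal.action not in GATED_ACTIONS:
            proposal.status = "rejected"
            self._log("rejected", proposal, proposal.agent, "action not gated/allowed")
            return False
        self._log("proposed", proposal, proposal.agent)
        return True

    def approve(self, proposal, approver, approver_tenant):
        """Human side: approve only within the approver's own tenant, only once."""
        if approver_tenant != proposal.tenant:
            proposal.status = "rejected"
            self._log("rejected", proposal, approver, "cross-tenant approval attempt")
            return False
        if proposal.status != "proposed":
            self._log("rejected", proposal, approver, f"not approvable in state {proposal.status}")
            return False
        proposal.status = "approved"
        self._log("approved", proposal, approver)
        self.executed.append((proposal.tenant, proposal.action, proposal.target))
        return True
```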
"For any client where data sovereignty isn't optional — banking, government, regulated healthcare, anything subject to RA 10173 — Agentic SOC isn't just an alternative. It's the only viable architecture."
The GrayBox model is repeatable. Pick a vertical. Pick an industry-specific pain. Bring the client relationships, the domain expertise, and the delivery capability.
yGen brings the platform, the appliance, the agent engineering — and a 14-month proof point that the model works.
Tell us your market, your client base, and what you'd build with the stack. Our partner ops team responds within 5 business days.