Google Cloud: The SOC of the Future Will Have Humans Supporting Agents

Google Cloud's Jon Ramsey discusses the march toward a fully autonomous SOC, why the Dark Web Intelligence agent shows what AI-first security looks like, and why defenders have a structural advantage over attackers.

Last updated on May 21, 2026. 9 minutes to read.
Written by Joel Witts

The security operations center is set for even more change. Today, AI agents help human analysts triage alerts and investigate threats. But because of the pace of AI threats, Google Cloud’s Jon Ramsey says, that relationship will have to evolve. 

Humans will support agents, stepping in only when the system encounters something it has never seen before, labeling it, codifying it, and teaching the system so that next time, the confidence goes up. The march to full autonomy in security operations is not a distant aspiration. It is an active engineering program.

Jon Ramsey is VP and General Manager of Google Cloud Security. His career spans the full arc of modern cybersecurity: from the Computer Emergency Response Team at Carnegie Mellon, to 22 years as CTO of SecureWorks where he took the company public as a Dell Fellow, to a stint as GM of AWS security products, and now 11 months at Google Cloud. 

He came to Google, he says, because the company has everything needed to transform security operations: threat intelligence from Mandiant and Google Threat Intelligence Group (GTIG), planet-scale infrastructure, security expertise, an engineering culture, and an AI stack that runs from chips to models to platforms.

Expert Insights spoke to Jon Ramsey at RSAC 2026 to discuss how Google Cloud is building towards a fully autonomous SOC, why the Dark Web Intelligence feature in Google Threat Intelligence is a model for what AI-first security looks like, and why defenders have a structural advantage that AI will amplify.

Q. Can you give us an introduction to yourself and your role at Google Cloud?

I’ve been in cybersecurity my whole professional career. I started in college and ended up working to protect the university I went to. I went to the Computer Emergency Response Team at Carnegie Mellon. I did computer network exploitation, incident response, a lot of red and blue teaming, which I really enjoyed.

I got curious about why software couldn’t be built securely, so I studied software engineering at Carnegie Mellon and walked out of there knowing you can mathematically prove the completeness of a program. And I realized you can do it. There’s just reasons why you can’t in practice. Then I went to SecureWorks, and was the CTO there for 22 years. We ran a SOC for thousands of businesses. We got bought by Dell, so I had two roles as a Senior Dell Fellow, the highest technical track in all of Dell Technologies, and the CTO for SecureWorks. Then we took that public, spun it out of Dell, and went on the road show. After 22 years, I wanted to do something different, and went to AWS as the general manager for their security products. I spent two and a half years there, and now I’m at Google.

Q. What drives you in this role?

I heard Dr. Vint Cerf come and present. He’s known as one of the fathers of the internet because he designed the TCP/IP protocol. I asked Dr. Cerf, what is the greatest single limiter to reaching the full potential of the internet? And he said, security. My personal mission has always been to secure human progress. Technology enables people everywhere to grow and thrive. If one of the greatest technologies ever created, the internet, is limited by security, then our job is to fix that.

I was on a panel this morning and they asked me for one takeaway. I said, your job is more important than ever. Think about AlphaFold 2 discovering 200 million proteins through 3D modeling of amino acids. We knew 200,000 before that. Now people are talking about curing all diseases because of that. If we can secure all of that, our jobs as defenders of this incredible technology are critically important. I came to Google because I think Google has everything needed to transform the way security operations is done: the threat intelligence, the planet-scale infrastructure, security expertise, the engineering culture, the AI stack from chips to models to platforms.

Q. What’s the threat landscape looking like? What’s keeping people up at night?

The concern is the use of AI by adversaries. What we’re seeing is increased speed, scale, and sophistication because of the use of AI. We’re both on a march to autonomy: the ability to completely execute an attack autonomously. To be prepared for that, we have to use AI to fight AI. We have to be able to defend autonomously. The things I think about are, in 18 to 24 months, if we need to be fully autonomous in the Security Operations Center, what are we doing today to enable that? You’ll see that in our roadmaps, in our thought process. All of it is largely informed by the threat.

We use that visibility from GTIG, and from Mandiant’s consulting group and frontline intelligence. We build that strategically into the product, both in terms of what features the product has and how we add new analytics to the platform to detect the fundamental things that adversaries are doing, so we can detect them at scale and force the threat to go back to the drawing board.

Q. How important is it for security teams to deploy AI to defend against AI-powered attacks?

Everybody recognizes it. We must outpace and outmanoeuvre the adversary. There’s the OODA loop: observe, orient, decide, act. This is John Boyd’s concept, a USAF fighter pilot. If we can observe what’s happening, orient to our goals, make a decision, and act faster than the threat, we’ll win. If the threat is moving in an OODA loop that’s faster than ours, we’ll never be able to outpace the adversary.

Q. Can you talk through some of the announcements Google has made this week?

A great example is the Dark Web Intelligence feature in Google Threat Intelligence we launched at RSAC. The idea is you want to shift as far left in the kill chain as possible. You want to see the threats organizing to attack before they attack. A lot of that organization happens on the dark web: building capability, selling access as an access broker, selling insider information about a company. Having visibility into all the precursors and signals of an actual attack is critically important.

The traditional approach was to write regular expressions representing words you might see, like “initial access broker.” But the threat knows that’s how detection is done, so they use different techniques to avoid it. The false positive rates were very, very high. We stepped back and said, if we were going to do this from an AI-first perspective, what would it look like? We wrote prompts, used few-shot learning to tell the LLM what an initial access broker conversation looks like, and asked it to evaluate dark web messages. With a bunch of back-end enrichment and relevance tuning using Gemini, we got it to 98% true positive accuracy.

Now instead of the SOC analyst spending their time filtering through all these messages, we give them the relevant messages with context. They were talking about access here, and we saw access there. The analyst puts the two together and says, that’s malicious.

Q. Do you think you get to a point where you don’t have to hand that off to a human at all?

I don’t think so. But I think there’s an evolution. Today, we’re using agents to help humans. Our triage agent, in public preview, will look at events coming into our SecOps product and give a probability of it being malicious with a confidence score. The analyst then looks at the list of true positives and does an investigation or takes a response. That’s the model today.

The next model, if we need to get to fully autonomous, is that instead of agents supporting humans, humans will support agents. Remember, there’s a probability and confidence of it being malicious. It’s like tri-state logic: true, false, and I don’t know. Sometimes the models don’t have enough training data, don’t have enough context, or it’s a threat that’s never been seen before. The system says, I have zero confidence on this. Then the analyst looks at it. You probably need many analysts looking at the same thing, because you don’t want to introduce noise by labeling something legitimate when it’s actually malicious.

In the process of labeling and codifying it for the system, the next time it sees the same thing, the confidence goes up a little bit, and a little bit more. Where people will be spending their time is doing evaluation of what AI is doing to drive the confidence and efficacy of the AI systems. I don’t think that evaluation part ever goes away.

Q. What about the security for AI adoption piece? How is Google Cloud helping organizations secure the way they’re using AI?

This whole area of securing the AI attack surface is critically important and something we’re spending a lot of time on. One of the things Wiz launched this week was an AI application protection platform. Wiz started as a cloud-native application protection platform, and this leverages that with additional capabilities to be an AI application protection platform. The fundamental starting point is always observability. What AI do I have in my environment? Who’s using it? What is it? How is it being used? Both from a code perspective and a runtime perspective. What code do I have that’s using AI, how is it operating in runtime? Then you can understand the AI attack surface and take preventative actions to detect and respond to attacks related to that.

Q. Are security leaders feeling that AI is making their lives easier, or is it adding more pressure right now?

At this point in time, things are moving very fast. Businesses recognize that AI is a critical technology enabling them to better serve customers or improve their business model. CISOs have a role to help businesses secure that. It’s critically important: if you have something increasing your customer service or improving your business, you don’t want that to fail. CISOs are wrapping frameworks and governance around it to make sure it’s being used in a safe and secure way.

Q. A few Google Cloud leaders have said they believe AI advantages defenders more than adversaries. Do you agree?

I do. Let me back up and say it this way. What do defenders know that adversaries don’t know? We know our infrastructure better than anyone. And because we know our infrastructure better than the adversaries, we can use AI to understand our infrastructure and proactively fix exposures. We can use AI to fix things before the adversary can attack the infrastructure. Even when the adversary is attacking, they still have to learn what the infrastructure is. That gives us a head start over the adversaries.

Q. What’s been your favorite takeaway from RSA so far?

It’s been our customer base and how they’re really leaning in to using AI, especially in the context of reducing all the toil for their SOC analysts. I hear stories of things that CISOs had wished they were doing and now have the resources to do because the analysts aren’t stuck doing all the toil. It gets the high-value, high-judgment human capacity freed up to do the things they need to do to evolve the defenses themselves. It’s kind of like they’re working on the business rather than working in the business. And in that context, working on the business of securing the business versus working in the business of just pedaling and doing all the toil work.

Written by Joel Witts, Content Director

Joel is the Director of Content and a co-founder at Expert Insights, a rapidly growing media company focussed on covering cybersecurity solutions.

He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.

He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.