ぼんやしんセンター

Faster and better SCC triage with context from GCP projects, resources, and users, plus Exabot-driven workflows that confirm activity and guide the right response.


Overview

Exaforce connects to Google Security Command Center to ingest findings and wrap them in investigation-ready context from across your GCP environment. The platform looks at the principal behind the activity, the full trail of API events, impacted resources such as Cloud Storage buckets, and related activity for the same user, service account, or project. SCC detections become narrative-style assessments that explain what happened, why it matters, and what to do next, which lets analysts move from an alert to a decision in minutes instead of hours.

How it works

Exaforce ingests Google SCC findings, along with Cloud Audit Logs and configuration data from connected GCP projects, using the SCC finding stream as the starting point for each investigation. Once a new finding arrives, the Exabot Triage agent pulls together identity attributes, session details, source locations, services involved, and resource metadata. It then generates a human-readable assessment that summarizes the situation, highlights supporting evidence, and proposes mitigation options.

In Exaforce, analysts can see a dedicated view of enriched findings. Opening a finding launches the Exabot Assessment view, which shows a structured summary, supporting analysis, and a timeline of events that contributed to the detection. A Command Center view shows which steps the agent took, which workflows ran, and what notifications or confirmations were sent over Slack or Microsoft Teams.

Continuous triage and validation

SCC runs continuously across your GCP projects, and Exaforce layers continuous triage on top of that signal, so every finding is rapidly categorized as a True Positive, False Positive, or Needs Investigation.

When a finding is ingested, Exabot immediately performs its analysis and assigns a recommended classification. If the recommendation is Needs Investigation, or if analysts want to validate a potential False Positive, they can drill into rich contextual details using the Investigate view.

Within the Investigate view, analysts can expand the time window to look for additional suspicious activity, review identity chains and service account impersonation trees to confirm the correct principal, and compare historical and current location data to evaluate the significance of geographic signals. They can also use Command Center’s question-and-answer interface to ask follow-up questions, such as what other operations occurred on a specific bucket, and receive precise answers grounded in the same underlying evidence.

Historical analysis is part of a closed loop process, continuously improving triage accuracy and reducing mean time to response.

Core capabilities

Exaforce treats Google Security Command Center as a signal for suspicious GCP activity and augments it with additional context and analytics to streamline investigation and response.

Each SCC finding is automatically triaged by Exabot, which analyzes identities, service accounts, impersonation chains, locations, VPN usage, and the sequence of API calls involved. This activity is compared against historical behavior to determine whether it is normal, unusual, or likely malicious.

Investigations are organized to reflect how a SOC analyst works, with a question-and-answer style interface that enables fast pivots across related user, resource, and activity context without custom queries. Visual timelines and event-level evidence provide clarity into what happened and when, with access to raw JSON for verification.

Exaforce also supports identity and resource-centric analysis, built-in collaboration through Slack and Microsoft Teams, and flexible response options. Its automation capabilities enable both human-in-the-loop and fully automated mitigations, as well as integration with SOAR workflows.

Benefits

Exaforce improves the quality of SCC triage by providing each alert with narrative context, supporting evidence, and recommended actions, reducing time spent on manual log analysis.

By evaluating user history, VPN usage, resource behavior, and confirmations from users and managers, Exaforce significantly reduces false positives so analysts can focus on real threats.

Structured investigations, automation, and collaboration integrations create repeatable workflows that scale across SOC teams and shifts.

Frequently asked questions

How does Exaforce integrate with Security Command Center?
Does Exaforce work across multiple GCP projects and organizations?
Does Exaforce require SCC for GCP detections?
