Case Study: Sumo Logic

$1M False Start → AWS Top 100 AI ISV with Autonomous Multi-Agent AI. 60 → 3 Min MTTR. 166% ROI.

Cybersecurity | SIEM | Agentic AI | SOC Automation

A production multi-agent system that automated SOC analyst triage, reducing investigation time from 60 to 3 minutes per alert. Validated by Forrester with 166% ROI over 3 years.

The $1M Lesson

Before I joined the project, Sumo Logic invested $1M and 6 months in a traditional AI POC with a leading engineering-centered vendor.

The result: a flashy demo built on the wrong use case entirely.

Sample data. Internal stakeholder applause. Zero customer validation.

It was clear to me within the first hour of customer research that the approach was fundamentally misaligned with how security analysts actually work. That $1M bought impressive demos that solved no real problem.

This is why an estimated 85% of AI projects fail: they build before they validate.

The Snowball Sprint that followed proved there's a better way.

The Pivot

What They Thought They Wanted

Farmville-style AI assistant — step-by-step guided workflow, waiting for user clicks to launch investigation, run each step, and generate the analysis.

I killed this hypothesis in the first week.

What Customers Actually Needed

SOC analysts don't want guidance. They want answers.

Do all the work before the analyst arrives. Research done. Analysis complete. Everything laid out like a dashboard. Decision-ready.

This insight required both deep customer research AND sophisticated AI architecture — neither alone would have found it.

The Snowball Sprint

  • I facilitated a 3-day workshop with senior leadership, working directly with Tej Redkar (then CPO) to generate the core hypothesis: agentic AI could fundamentally change how security investigations work — not just faster queries, but autonomous investigation that removes manual stitching entirely.

  • Rapid customer validation. Hypothesis killed and rebuilt.

    I conducted dozens of customer interviews with SOC managers and analysts. Workflow analysis mapping actual investigation patterns versus assumed patterns.

    The guided-workflow concept failed immediately. Analysts rejected the "Farmville" interaction model. They didn't need help knowing what to do — they needed the work already done.

    The insight: Analysts weren't failing to detect threats; they were failing to complete investigations. The backlog itself was the product problem.

  • Research-driven architecture. Engineering for the insight.

    The pivot demanded a fundamentally different architecture — not sequential prompts, but parallel autonomous agents executing before the user arrives.

    I built the 4-Agent System prototype in Slack. UI didn't matter as much as content, so Slack enabled an extremely rapid discovery and iteration cycle. Each agent maintained its own RAG pipeline and data contract, ensuring clean separation of concerns and independent scalability.

    Technical constraints I designed around:

    • Aggregate queries (not raw logs) for speed at scale

    • Time limits to prevent runaway agent processing

    • Parallel execution for sub-minute results

    • One-line summaries with expandable full reports

    The summary format was refined by watching analysts interact with the working prototype — they wanted the headline, with full analysis one click away.

    Design principle: Augment analysts, don't replace them.

  • Production hardening to global launch.

    With the architecture validated and design partners confirming production-readiness, I advised the team (led by Kui Jua, head of AI Engineering) as they moved to global deployment:

    • Infrastructure hardening for 4.5+ exabytes/day data ingestion

    • Agent orchestration optimization

    • Polished UI and branding

    • September 2024: Production launch

    • December 2024: SOC Analyst Agent enters beta

    • Featured at AWS re:Invent 2024

    • Recognized as AWS Top 100 AI ISV
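The constraint list above names the orchestration pattern (parallel agents, a hard deadline, aggregate-first queries, a headline with the full report one click away) without showing it. The sketch below is an added illustration written for this page; it is not Sumo Logic's code, has no relation to the patented signal-filtering system, and uses no RAG. The four agent names, the detection thresholds and the sample events are assumptions constructed for the example; it needs Python 3.9+ for `cancel_futures`.

```python
"""Illustrative multi-agent triage orchestrator (added example, not Sumo Logic code).

Four hypothetical agents run in parallel over pre-aggregated event data, each
under a hard deadline, and return a one-line headline plus an expandable report.
"""
from collections import Counter
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass
import time

# Constructed sample events for one alert's time window (not real customer data).
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.7",  "action": "login",  "outcome": "failure"},
    {"user": "alice", "src_ip": "203.0.113.7",  "action": "login",  "outcome": "failure"},
    {"user": "alice", "src_ip": "203.0.113.7",  "action": "login",  "outcome": "failure"},
    {"user": "alice", "src_ip": "203.0.113.7",  "action": "login",  "outcome": "success"},
    {"user": "bob",   "src_ip": "198.51.100.2", "action": "login",  "outcome": "success"},
    {"user": "alice", "src_ip": "203.0.113.7",  "action": "egress", "bytes": 52_000_000},
    {"user": "bob",   "src_ip": "198.51.100.2", "action": "egress", "bytes": 1_200},
]


@dataclass
class AgentResult:
    name: str
    headline: str  # the one-liner shown on the triage dashboard
    report: str    # full analysis, revealed on click
    status: str    # "ok", "timeout" or "error"


def aggregate(events, key):
    """Aggregate query: count events by a field instead of returning raw log lines."""
    return Counter(e[key] for e in events)


def auth_agent(events):
    """Failed-login burst plus a success from the same source IP (hypothetical agent)."""
    logins = [e for e in events if e["action"] == "login"]
    failures = aggregate([e for e in logins if e["outcome"] == "failure"], "src_ip")
    succeeded = {e["src_ip"] for e in logins if e["outcome"] == "success"}
    suspicious = {ip: n for ip, n in failures.items() if n >= 3 and ip in succeeded}
    report = f"failures by source IP: {dict(failures)}; sources with a success: {sorted(succeeded)}"
    if not suspicious:
        return "no failed-then-successful login pattern", report
    ip, n = max(suspicious.items(), key=lambda kv: kv[1])
    return f"{n} failed logins then a success from {ip}", report


def egress_agent(events, threshold_bytes=10_000_000):
    """Outbound volume per user against a fixed threshold (assumed value)."""
    totals = Counter()
    for e in events:
        if e["action"] == "egress":
            totals[e["user"]] += e["bytes"]
    heavy = {u: b for u, b in totals.items() if b > threshold_bytes}
    report = f"egress bytes by user: {dict(totals)}"
    if not heavy:
        return "egress within threshold", report
    user, b = max(heavy.items(), key=lambda kv: kv[1])
    return f"{user} sent {b / 1e6:.0f} MB outbound", report


def context_agent(events):
    """How many distinct source IPs each user appeared from (hypothetical agent)."""
    ips = {}
    for e in events:
        ips.setdefault(e["user"], set()).add(e["src_ip"])
    report = "; ".join(f"{u}: {sorted(v)}" for u, v in ips.items())
    return f"{len(ips)} users, {sum(len(v) for v in ips.values())} user/IP pairs", report


def runaway_agent(events):
    """Simulates an agent that never converges; the orchestrator must not wait for it."""
    time.sleep(2)
    return "should never be seen", ""


AGENTS = {
    "auth": auth_agent,
    "egress": egress_agent,
    "context": context_agent,
    "runaway": runaway_agent,
}


def run_agents(events, agents, deadline_s=1.0):
    """Run every agent in parallel; anything unfinished at the deadline is reported as a timeout."""
    pool = ThreadPoolExecutor(max_workers=len(agents))
    futures = {name: pool.submit(fn, events) for name, fn in agents.items()}
    done, _ = wait(futures.values(), timeout=deadline_s)
    results = {}
    for name, fut in futures.items():
        if fut not in done:
            results[name] = AgentResult(name, "timed out; no result", "", "timeout")
        elif fut.exception() is not None:
            results[name] = AgentResult(name, f"agent error: {fut.exception()!r}", "", "error")
        else:
            headline, report = fut.result()
            results[name] = AgentResult(name, headline, report, "ok")
    pool.shutdown(wait=False, cancel_futures=True)  # do not block on the runaway agent
    return results


def dashboard(results):
    """Headline view: one line per agent, in a fixed order, with its status."""
    return [f"[{r.status}] {r.name}: {r.headline}" for r in results.values()]


if __name__ == "__main__":
    for line in dashboard(run_agents(SAMPLE_EVENTS, AGENTS, deadline_s=0.5)):
        print(line)
```

The deadline is applied once to the whole set with `wait(..., timeout=...)` rather than per future, so a slow agent costs the analyst at most the deadline, and its slot on the dashboard says so explicitly instead of silently disappearing; the agents themselves only ever see counters built by `aggregate`, which is what keeps them cheap when the underlying window is large.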

The "When Can I Have It?" Moment

During prototype testing with a design partner, a SOC manager stopped the session mid-demo:

"When can we have this? My team would kill for this tomorrow. We're drowning in alerts we can't get to — this changes everything."

That's the moment you know you've validated product-market fit. Not stakeholder applause. Not impressive demos. A customer asking when they can pay for it.

Validated Impact

  • 166% ROI over 3 years

  • 90% false positive reduction

  • 4 hrs saved per investigation

  • AWS Top 100 AI ISV


Patented Insight

Customer research found the problem. Technical innovation solved it. Neither alone would have worked.

The signal filtering system I invented — now patented — enables the 4-agent platform to correlate events across 4.5+ exabytes of daily data and surface actionable insights in under a minute.

This is what the 15% do differently. Validate first. Then build IP worth defending.

Across 34 AI products, I've generated 24 patents for my customers. When you find the right problem, innovation follows.

Tech + Customer Insight = Better AI.

What Leaders Say

"Greg can transform a simple idea into a state-of-the-art experience. Greg's laser focus on users and letting them decide good from bad differentiates him... His in-depth understanding of technology stacks positions him into the most needed leadership space between designers and developers."

Tejaswi Redkar
CEO & Founder (former Cisco, AppDynamics, Sumo)

"What used to take about 60 minutes per alert can compress to minutes when Insight-level summaries, targeted queries, and natural-language orchestration remove manual stitching."

Chas Clawson, VP Security Strategy, Sumo Logic

"Greg doesn't just talk about innovation—he gets his hands dirty to make it happen. He shepherded the first production-ready POC with multiple agents and laid the foundation for Sumo's AI direction. If you get the chance to work with Greg, take it."

Brandon Borodach
Field CTO, Abstract Security (former Sumo)

"Greg consistently pushes boundaries—not just in design, but in validating AI product-market fit directly with customers to ensure every feature solved a real-world problem. I'd work with him again in a heartbeat."

Catherine Davis
VP Product Management, Addigy (former Sumo)

The Bottom Line

Traditional POC (What I fixed)

Time to validate: 6+ months, $1M

Outcome: Wrong use case, rebuilding from scratch

Customer validation: Post-development (too late!)

Risk: Deferred to production

Market impact: Competitive window missed, major customer attrition

Snowball Sprint (What I did)

Time to validate: 4 weeks (Fraction of the cost)

Outcome: Production system, 166% ROI

Customer validation: Week 1, using running AI code in Slack + real Sumo data (RAG)

Risk: Eliminated through rapid iteration + continuous customer validation

Market impact: Made re:Invent ● Earned Top 100 AWS AI ISV ● Revitalized SIEM Product Line sales

Let’s Talk

In 30 minutes, we’ll talk through your AI challenges and see whether Snowball Sprint is the right fit. No pitch — just an honest conversation.

Book a Call