Custom Strategies

Overview

Custom Strategies in Dropzone AI enhance outcome decision-making by allowing teams to inject targeted, organization-specific judgment into investigations. These strategies apply during the Report phase and guide the AI SOC Analyst toward more accurate conclusions—Malicious, Suspicious, or Benign—based on institutional policy, patterns, and operational context.

Custom Strategies extend Dropzone’s flexibility by enabling teams to override default interpretations of investigative findings and to encode clear, reusable guidance for recurring or high-volume alert patterns.


Purpose and Role in Investigations

Custom Strategies are Dropzone’s mechanism for defining conditional logic and interpretive guidance that goes beyond raw investigative facts. They are used to scope judgment to specific situations and ensure consistent outcomes across similar alerts.

Custom Strategies allow teams to:

  • Provide tailored outcomes based on alert metadata, MITRE tactics, attack surfaces, and alert sources

  • Override default conclusions implied by insight tags when policy or context requires flexibility

  • Embed analyst-grade reasoning into the AI’s decision process for edge cases and common noise patterns

For example, some organizations classify Attack Simulation alerts as benign by policy, while others treat them as malicious. A Custom Strategy can enforce the appropriate outcome consistently whenever these simulations are detected.


Best Practices

Write Like an Analyst, Think Like a Rule Engine

Custom Strategies function like if–then rules, but they should reflect the nuanced judgment of experienced SOC analysts—not raw detection logic.

Each Custom Strategy consists of two parts:

Alert Filters

Alert Filters define when a strategy applies. Filters can match on:

  • Scenario description

  • MITRE tactics

  • Attack surfaces

  • Alert sources

  • Insight tags

An investigation must match all configured filters for the strategy to apply. If no filters are defined, the strategy applies to all investigations.

Analysis Guidance

Analysis Guidance defines what outcome to recommend once filters match. Guidance is expressed using one of two guidance types:

  • Insight Tag Rule: matches on specific insight tags that the AI SOC Analyst applied during the investigation.

  • Scenario Description: a natural-language hypothesis describing the investigation’s findings. Only the “If…” portion should be included; the “Then” is supplied by the conclusion selector.

Analysis Guidance should express reasoning about investigative evidence, not simply restate detection logic.

Example Scenario Descriptions:

  • “If the flagged file is an EICAR test file” → Malicious

  • “If there was no successful username-password combination” → Benign

The outcome paired with each description is chosen by policy, just as with the Attack Simulation example above: EICAR is a harmless antivirus test string, so an organization that wants every test-file detection escalated maps it to Malicious, while one that expects such detections from routine AV validation could map the same description to Benign.


Design for Clarity and Reusability

Well-designed strategies are easy to understand, audit, and reuse.

  • Use descriptive strategy names. Examples: Internal Red Teaming, Authorized Recon Activity

  • Leverage insight tags thoughtfully. Treat tags as indicators of behavior, not verdicts; use them to guide conclusions, not dictate them.

  • Group strategies by function, for example:

    • Scanning and reconnaissance

    • Red team and testing activity

    • IT operations noise

  • Document rationale in natural language. Outcome tips should clearly explain why a conclusion is recommended.


Use Custom Strategies to Reduce Noise — Not Replace Investigation

Custom Strategies are not a substitute for investigation logic.

  • Avoid overfitting. Don’t build strategies for one-off scenarios; focus on repeatable patterns.

  • Combine tags with context. Pair insight tags with metadata such as alert source or MITRE tactic for stronger signals.

  • Avoid complex decision trees. Strategies should be easy to reason about; for layered logic, create multiple simpler strategies instead of one complex rule.


Operational Behavior

Understanding how Custom Strategies are evaluated helps avoid surprises.

Match Evaluation

During the Report phase, when the outcome is decided, Dropzone retrieves all enabled Custom Strategies whose Alert Filters match the investigation’s:

  • Scenario

  • MITRE tactic

  • Attack surface

  • Alert source

  • Insight tags

Within a strategy:

  • Conditions are evaluated using logical AND (all criteria must match)

Across strategies:

  • Conditions are evaluated using logical OR (any matching strategy applies)

If multiple strategies match and recommend different conclusions, the highest-severity recommendation wins, in this order of precedence:

Malicious → Suspicious → Benign


Outcome Tip Collation and Prompt Enrichment

When multiple strategies apply:

  • All outcome tips are collected

  • Natural-language guidance is injected into the AI’s prompt

  • This improves justification and consistency in the final conclusion

Insight Tag Overrides

Custom Strategies can override default insight tag behavior.

For example:

  • Without a strategy, the Atomic Red Team insight tag may imply Malicious

  • With a strategy, the same tag can support a Benign or Suspicious outcome

When a strategy’s guidance conflicts with what an insight tag would imply on its own, the Custom Strategy guidance takes precedence.
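To make the evaluation rules concrete, the following Python is an added example written for this page; it is not Dropzone’s code and calls no Dropzone API. It models the Alert Filters and Analysis Guidance described under Best Practices together with the Match Evaluation, outcome tip collation and insight tag override behavior described in this section. The class and field names, the default conclusions assigned to insight tags, the rule that a MITRE tactic filter matches on any overlap, and the sample strategies and investigations are all assumptions made for illustration.

```python
"""Evaluator that mirrors the Custom Strategy semantics described on this page.

Added illustration, not Dropzone's own code or API. Class names, field names,
the default tag implications and the sample investigations are assumptions
chosen to model the documented behaviour: filters ANDed within a strategy,
strategies ORed across the set, Malicious > Suspicious > Benign when several
match, outcome tips collated, and strategy guidance overriding the conclusion
an insight tag would imply by itself.
"""
from __future__ import annotations

from dataclasses import dataclass

# Lower number wins when several strategies recommend different conclusions.
PRIORITY = {"Malicious": 0, "Suspicious": 1, "Benign": 2}

# Assumed default implication of an insight tag when no strategy applies.
DEFAULT_TAG_CONCLUSION = {"atomic-red-team": "Malicious"}


@dataclass(frozen=True)
class Investigation:
    alert_source: str
    attack_surface: str
    mitre_tactics: frozenset[str]
    insight_tags: frozenset[str]


@dataclass(frozen=True)
class Strategy:
    name: str
    conclusion: str      # Malicious, Suspicious or Benign
    outcome_tip: str     # natural-language rationale injected into the prompt
    enabled: bool = True
    # Alert Filters. An empty set means "not configured", so it never restricts.
    alert_sources: frozenset[str] = frozenset()
    attack_surfaces: frozenset[str] = frozenset()
    mitre_tactics: frozenset[str] = frozenset()   # assumed: any overlap matches
    insight_tags: frozenset[str] = frozenset()    # assumed: all listed tags required

    def matches(self, inv: Investigation) -> bool:
        """Logical AND over configured filters; no filters at all matches everything."""
        checks = [
            (self.alert_sources, lambda: inv.alert_source in self.alert_sources),
            (self.attack_surfaces, lambda: inv.attack_surface in self.attack_surfaces),
            (self.mitre_tactics, lambda: bool(inv.mitre_tactics & self.mitre_tactics)),
            (self.insight_tags, lambda: self.insight_tags <= inv.insight_tags),
        ]
        return all(check() for configured, check in checks if configured)


def evaluate(inv: Investigation, strategies: list[Strategy]) -> tuple[str | None, list[str]]:
    """Return (conclusion, collated outcome tips) for one investigation.

    Strategies are ORed: every enabled strategy whose filters match applies.
    When several apply, the highest-severity conclusion wins and every applied
    strategy's tip is kept so the prompt carries all of the guidance. With no
    match, fall back to what the insight tags imply on their own; with nothing
    implied, return None (no guidance at all).
    """
    applied = [s for s in strategies if s.enabled and s.matches(inv)]
    if applied:
        winner = min(applied, key=lambda s: PRIORITY[s.conclusion])
        return winner.conclusion, [s.outcome_tip for s in applied]
    implied = [DEFAULT_TAG_CONCLUSION[t] for t in inv.insight_tags if t in DEFAULT_TAG_CONCLUSION]
    if implied:
        return min(implied, key=PRIORITY.__getitem__), []
    return None, []


# Hypothetical strategies in the spirit of the page's "Internal Red Teaming" example.
STRATEGIES = [
    Strategy(
        name="Internal Red Teaming",
        conclusion="Benign",
        outcome_tip="Atomic Red Team runs reported by CrowdStrike are authorized red-team activity.",
        alert_sources=frozenset({"crowdstrike"}),
        insight_tags=frozenset({"atomic-red-team"}),
    ),
    Strategy(
        name="Failed Credential Access",
        conclusion="Benign",
        outcome_tip="No successful username-password combination was observed.",
        mitre_tactics=frozenset({"TA0006"}),
        insight_tags=frozenset({"no-successful-auth"}),
    ),
    Strategy(
        name="Production Lateral Movement",
        conclusion="Malicious",
        outcome_tip="Lateral movement on the production attack surface is never expected.",
        attack_surfaces=frozenset({"production"}),
        mitre_tactics=frozenset({"TA0008"}),
    ),
]

# Constructed sample investigations (not real alerts).
RED_TEAM_ON_DEV = Investigation("crowdstrike", "development",
                                frozenset({"TA0002"}), frozenset({"atomic-red-team"}))
SAME_TAG_OTHER_SOURCE = Investigation("sentinelone", "development",
                                      frozenset({"TA0002"}), frozenset({"atomic-red-team"}))
RED_TEAM_ON_PROD = Investigation("crowdstrike", "production",
                                 frozenset({"TA0008"}), frozenset({"atomic-red-team"}))
QUIET_ALERT = Investigation("okta", "corporate", frozenset({"TA0001"}), frozenset())

if __name__ == "__main__":
    for label, inv in [("red team on dev", RED_TEAM_ON_DEV),
                       ("same tag, other source", SAME_TAG_OTHER_SOURCE),
                       ("red team on prod", RED_TEAM_ON_PROD),
                       ("no tags, no match", QUIET_ALERT)]:
        conclusion, tips = evaluate(inv, STRATEGIES)
        print(f"{label}: {conclusion} ({len(tips)} tip(s))")
```

Running the file prints one line per sample investigation. The first two cases show the override: the same Atomic Red Team tag resolves to Benign when the Internal Red Teaming strategy matches and to the tag’s default of Malicious when the alert source differs and no strategy applies. The third case is the one worth studying: the Internal Red Teaming and Production Lateral Movement strategies both match, so the conclusion is Malicious by severity priority, yet both outcome tips are retained for the prompt. That overlap is exactly the conflict pattern the Limitations section recommends auditing for.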


Limitations and Considerations

Strategy Conflicts

If multiple strategies apply with conflicting recommendations, the AI weighs all guidance during prompt construction. This can reduce clarity, so audit strategies regularly for overlapping filters that recommend different conclusions.

Visibility and Traceability

Outcome tips influence final conclusions, but the strategies themselves are not directly visible to end users. Ensure outcome tips are clear and self-explanatory.

Maintenance Burden

Over time, unused or overlapping strategies can accumulate. Regular review and pruning help prevent stale logic and unintended outcomes.


Conclusion

Custom Strategies give SOC teams a powerful way to embed institutional judgment into automated investigations. When carefully designed and maintained, they reduce noise, improve accuracy, and enforce consistent interpretations of common scenarios—without relying on playbooks or manual intervention.

When well-structured, Custom Strategies become an extension of your team’s best judgment, scaling experience and policy across every investigation.
