Context Memory

Context Memory in Dropzone AI captures and distills institutional knowledge—details that aren’t directly observable in security telemetry, but that experienced analysts and documented processes consider essential to investigations. It augments the AI SOC Analyst’s understanding of alert entities with learned organizational facts, reducing manual research and accelerating decision-making.

Context Memory helps Dropzone’s AI apply organization-specific reasoning during investigations by proactively identifying facts that are not present in alert payloads or security systems, but are critical to assessing risk or ruling out benign behavior.

If you find yourself adding entries that describe workflows, decision trees, or if/then logic, it’s likely a sign you’re designing a Custom Strategy rather than a memory fact. Context Memory should be used to capture facts about entities—what something is, who owns it, or how it’s typically used—not prescriptive steps on how to interpret it.

## How to Create Context Memory

### Learning from Investigations

  • When an analyst changes a Conclusion, that outcome can be remembered, and the Dropzone agent synthesizes the documented notes into additional Context Memory.

  • When providing feedback, reference specifics from the investigation:

    • ✅ “Application Foo is allowed in our environment”

    • ✅ “Emily Eaton is approved to run certutil.exe”

      • These are high-value, specific facts.

    • ❌ “This is allowed”

      • This is not specific enough to be useful.

### Manual Notes and Guidance

  • Just like senior analysts writing notes or runbooks, teams can manually add information to Context Memory that is not tied to a specific investigation.

  • There is no limit to the number of Context Memory items you can add, and adding Context Memory does not slow down investigations.

  • It is good practice to periodically clean up Context Memory to avoid outdated information or conflicts as new items are added.

### Automated Ingestion

  • Backfill institutional knowledge using exports from systems such as:

    • Confluence

    • Jira

    • ServiceNow

  • These sources can be programmatically ingested into the Dropzone platform.
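The page does not document an import API, so the following is an added example (not Dropzone's code and not the export schema of Confluence, Jira or ServiceNow) of the review step a team would put in front of a programmatic backfill: it applies the two rules stated above, that a memory item must name a specific entity and must not encode workflow or if/then logic, to constructed export rows and separates usable facts from rows that belong in a Custom Strategy or are too vague to keep. The record field names, the regular expressions and the sample rows are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample rows standing in for a knowledge-base export (Confluence,
# Jira, ServiceNow). The field names are assumptions for this example, not the
# real schema of any of those systems or of Dropzone's import format.
SAMPLE_EXPORT = [
    {"source": "confluence", "title": "Approved admin tooling",
     "body": "Emily Eaton is approved to run certutil.exe on the PKI team workstations."},
    {"source": "servicenow", "title": "CMDB: build-srv-01",
     "body": "build-srv-01 is owned by the Platform team and runs Jenkins."},
    {"source": "jira", "title": "SOC-1234 analyst comment",
     "body": "This is allowed."},
    {"source": "confluence", "title": "Phishing triage runbook",
     "body": "If the sender domain is external, then escalate to tier 2 and block the URL."},
    {"source": "confluence", "title": "Sanctioned software",
     "body": "Application Foo is allowed in our environment."},
]

# Language that signals a procedure rather than a fact about an entity.
WORKFLOW_RE = re.compile(
    r"\bif\b.*\bthen\b|\bescalate\b|\brunbook\b|\bstep \d|\bdecision tree\b", re.I)
# Sentences whose subject is a bare pronoun carry no entity to remember.
VAGUE_SUBJECT_RE = re.compile(r"^\s*(this|that|it|these|those)\b", re.I)
# Something concrete to anchor the fact to: a person or product name written as
# two capitalised words, a file name with an executable/script extension, or a
# hyphenated host/application identifier.
ENTITY_RE = re.compile(
    r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"           # Emily Eaton, Application Foo
    r"|\b[\w.-]+\.(?:exe|dll|ps1|sh|bat)\b"  # certutil.exe
    r"|\b[a-z0-9]+(?:-[a-z0-9]+)+\b")        # build-srv-01


@dataclass
class Candidate:
    source: str
    title: str
    fact: str
    verdict: str   # "accept" or "reject"
    reason: str


def classify(record: dict) -> Candidate:
    """Decide whether one export row is a usable Context Memory fact."""
    fact = " ".join(record["body"].split())  # normalise whitespace
    if WORKFLOW_RE.search(fact):
        verdict, reason = "reject", "describes a workflow; belongs in a Custom Strategy"
    elif VAGUE_SUBJECT_RE.match(fact) or not ENTITY_RE.search(fact):
        verdict, reason = "reject", "no specific entity named; not useful as memory"
    else:
        verdict, reason = "accept", "specific fact about a named entity"
    return Candidate(record["source"], record["title"], fact, verdict, reason)


def build_memory_candidates(records: list[dict]) -> list[Candidate]:
    """Classify every export row, keeping the rejects so a reviewer can see why."""
    return [classify(r) for r in records]


def accepted_facts(records: list[dict]) -> list[str]:
    """Facts that pass the filter, ready for human review before import."""
    return [c.fact for c in build_memory_candidates(records) if c.verdict == "accept"]


if __name__ == "__main__":
    for c in build_memory_candidates(SAMPLE_EXPORT):
        print(f"[{c.verdict:6}] {c.source:10} {c.title}: {c.reason}")
```

The rejected rows are kept in the output on purpose: a runbook that fails the workflow check is still valuable, it simply belongs in a Custom Strategy, and a vague analyst comment is a prompt to go back to the investigation and write the specific fact instead. Treat the regular expressions as a starting point to tune against your own exports; a pass through this filter is a triage aid, not a substitute for a reviewer reading the accepted facts before they are loaded.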

## Building Context Memory Over Time

Just as training and coaching are most impactful during a new hire’s first 30 days, early investment in Context Memory gives Dropzone a strong foundation for long-term reference.

During onboarding, we recommend reviewing a set number of investigations per day to ensure your Dropzone analyst aligns with your team’s policies and expectations.

### Best Practices

  • Continually add to your Context Memory bank by adjusting conclusions or uploading new facts as your environment evolves.

  • Periodically review your Context Memory bank to ensure Dropzone has up-to-date information about your organization.

Want to learn more about Context Memory? Check out our Context Memory Best Practices Guide.
