Webinar Recap: From Code to Cloud — Closing the Gap Between AppSec and SecOps

RunReveal CEO Evan Johnson and DryRun Security CTO Ken Johnson discuss how AI is reshaping application security and security operations — covering AI SOC investigation, agentic code risks, and where human judgment still matters.

Last week, RunReveal CEO Evan Johnson sat down with Ken Johnson, CTO and co-founder of DryRun Security, for a conversation on how AI is reshaping both application security and security operations — and where those two worlds are starting to collide.

Here's what we covered.

How AI is changing code velocity and risk

The conversation started with the obvious: AI coding tools have made software development significantly faster. But faster isn't automatically safer, and the risk profile has shifted in ways that matter for security teams.

Ken noted that while point-in-time code scanning is getting incrementally better — AI editors with well-crafted skills and rule files do produce cleaner code out of the gate — the harder problem is what happens after that code merges. Codebases are changing so quickly that the interaction surface between new and existing code is hard to predict. The simple, pattern-matchable flaws (SQL injection, command injection) are being mitigated at generation. The logic flaws that emerge at integration time are not.

Evan echoed this from the engineering side: once you pick up agentic programming, the PR queue fills up fast, and those PRs get big. Three hundred files changed. Approvals happening seconds after review is requested. The honest reality is that meaningful human review at that scale isn't happening.

AI SOC: What it actually looks like in practice

Evan walked through how RunReveal approaches AI-assisted alert investigation. The architecture is event-driven: an alert fires, an agent kicks off an investigation automatically, and within about 90 seconds you have a structured report — what identity was involved, what their normal activity pattern looks like, whether this matches known threat patterns, and a clear false positive / true positive assessment.

The key differentiator isn't the AI model. It's the data underneath it. Unstructured, un-normalized logs give AI agents very little to work with. That’s one of the main reasons RunReveal normalizes everything — typed fields, consistent schemas across sources — so the agents can reason reliably rather than guess at structure. Some customers are building their own AI SOC layers directly on top of RunReveal's MCP server, using that normalized data as the foundation.

The cost-per-investigation math strongly favors automation, and it's meaningfully changing what organizations need to staff a 24/7 SOC function, including making it more accessible for teams that couldn't previously justify the headcount.

Where humans still need to stay in the loop

Both Evan and Ken agreed that "AI does everything" isn't the right frame. The more useful question is where human judgment is actually irreplaceable.

Their answer: specs and evaluation. Writing a good specification — one detailed enough for an agent to execute against reliably — requires real expertise. And evaluating whether the agent's output actually meets that spec requires someone who understands the system well enough to know what "correct" looks like. The humans who stay central to software development and security over the next few years are the ones doing that orchestration and evaluation work, not the mechanical execution.

Ken added that observability into agent behavior is a gap most organizations haven't closed yet. Knowing what your AI editors are doing — what decisions they're making, what they're accessing — is foundational before you can meaningfully govern or secure that activity.

Startup vs. enterprise: Different starting points

We ended with a practical question: how should your approach to adopting AI differ based on team size?

For startups and small security teams, both Evan and Ken leaned toward being an AI maximalist. There's real leverage available: automated PR review, automatic alert triage and investigation, and lightweight homegrown tooling built on open-source foundations. The constraint has always been headcount, and AI meaningfully relaxes that constraint.

For enterprise teams, the starting point is inventory and visibility. Before you layer AI onto your security operations, you need to know what AI tools are already in use across your organization, what those tools are doing, and whether any of that activity is currently visible in your security data. Most enterprise security teams aren't there yet, and jumping to automation before you have that foundation tends to create more problems than it solves.

If you’d like to watch the webinar recording, you can access that here. And if you'd like to see how RunReveal handles log normalization and AI-assisted investigation in practice, book a demo or reach out directly.