CASE STUDY

How Tealium Built Their Virtual AI SOC with Panther

Industry: Software Development
HQ: San Diego, CA
Founded: 2011
Employees: 500–1,000

When Tealium first deployed Panther, the results were immediate. The security team gained 9x more data ingestion, reduced false positives by up to 70%, and built precise, customized detections that their previous SIEM couldn't support. Panther gave the team the foundation they needed: a scalable data lake, real-time detection logic, and Python-based rules they could actually own.

What they didn't anticipate was what came next.

From Data Lake to Intelligence Platform

As Panther's AI capabilities rolled out, the Tealium security team was already primed to adopt them. They had the data, the detection library, and the operational discipline. What they needed was a way to scale the expertise sitting inside that foundation. "Our SIEM is no longer just a data lake. Panther is now an intelligence platform," said Jason, Lead Security Engineer at Tealium. That realization changed how the team approached the work entirely.

"When you look at the thinking steps of the AI in the platform, it's doing all of the things that a sophisticated engineer would do on their best day — and it's doing it on every alert, every time, 24 hours a day, no fatigue."

Jason, Lead Security Engineer, Tealium

Clearing the Backlog That Wasn't Clearable

Over time, the team had accumulated thousands of open alerts in OpsGenie — some dating back to 2023 — that had never been fully assessed. There was no realistic path to close them. Doing it manually, with the full team focused on nothing else, would have taken a quarter. Contracting it out was the only other option.

Instead, they were able to use Panther AI to run a summary on every open alert, generate an indicator confidence score, and auto-close anything that scored as benign. Alerts with an uncertain score, or a high confidence of compromise, were escalated to human review.

In a matter of weeks, the backlog was at zero. Every open signal had been assessed for compromise. "It was an impossible task with our current team," Jason said. "There's just no way around it."

Accelerating Detection Engineering

The second shift happened inside their weekly signal-to-noise meetings — a standing session where the team reviewed which detections needed tuning, restructuring, or refinement. For over a year, those meetings moved slowly. Two or three detections per session, with significant back-and-forth before anything changed.

The bottleneck wasn't effort. It was the research burden on the engineer doing the work. For Javi, Tealium's primary detection engineer, deciding how to structure a new rule — real-time alert, scheduled digest, profile-level detection — could mean 4-5 hours of solo research per detection.

With Panther AI, that process changed fundamentally. Panther AI could surface the right structure for a detection, flag considerations Javi hadn't thought to include, and serve as a sounding board throughout the build. What once took most of a day became a 10-minute conversation.

"Our detection engineer said, once he had access to Panther AI, it felt like he had a peer collaborating with him. That's a powerful thing when you feel like you were solo on something before."

Donald Scherer, Vice President of Platform and Infrastructure Security

Detection build time dropped by 75–80%, and as detection creation sped up, something unexpected happened: the team started actively seeking out more log sources to monitor rather than avoiding them. They grew their monitored log sources by nearly 30% because they finally had the confidence and capacity to expand coverage proactively.

"With Panther, we went from not wanting to monitor any more log sources to actively searching for more logs to bring in. That's the difference between an effective tool and a tool that builds confidence."

Donald Scherer, Vice President of Platform and Infrastructure Security, Tealium

Building the T-SOC: A Virtual SOC Powered by AI

The most ambitious evolution came at the end of 2025, when Don directed the team to build what they now call the T-SOC — the Tealium SOC — a virtual security operations capability built from the ground up using AI at every layer.

The architecture runs in tiers. Tier 1 handles initial alert triage and analysis. Tier 2 audits that analysis, a second AI layer that critiques the first. Tier 3 evaluates the output of both, and when the two lower tiers disagree, it escalates to a human. When they agree and confidence is high, benign alerts close automatically with a complete audit trail.

Underpinning all of it is Panther's data lake and the Panther MCP, which the T-SOC uses to query log data, enrich context, and inform response recommendations at each tier.
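The tiered decision policy described above (Tier 1 triages, Tier 2 independently audits, Tier 3 compares the two and either auto-closes with an audit trail or escalates to a human) is also the policy behind the backlog sweep described earlier, where a confidence score decided between auto-close and human review. The following is an added example written for this page, not Tealium's T-SOC or any Panther code: the two analysis tiers are simple deterministic heuristics standing in for model calls, and the alert fields, sample alerts, and the 0.85 auto-close threshold are constructed assumptions.

```python
"""
Illustrative tiered triage policy (added example, not Tealium's or Panther's code).
Tier 1 and Tier 2 are placeholder heuristics where an AI analysis step would sit;
Tier 3 holds the only logic that matters for safety: auto-close requires both
tiers to agree, both to be confident, and the shared verdict to be benign.
Anything else goes to a human, and every disposition carries its audit trail.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    SUSPICIOUS = "suspicious"
    COMPROMISED = "compromised"


@dataclass
class Alert:                      # constructed alert shape, not a Panther schema
    alert_id: str
    rule: str
    principal: str                # who performed the action
    source: str                   # "console" or "api"
    mfa: bool                     # was the session MFA-authenticated
    off_hours: bool               # outside the team's business hours
    known_automation: bool        # principal is on the automation allow-list


@dataclass
class TierVerdict:
    tier: int
    verdict: Verdict
    confidence: float             # 0.0 - 1.0, how sure the tier is of its verdict
    rationale: str


@dataclass
class Disposition:
    action: str                   # "auto_close" or "escalate"
    audit_trail: list[str] = field(default_factory=list)


AUTO_CLOSE_MIN_CONFIDENCE = 0.85  # assumed threshold; tune per environment


def tier1_triage(alert: Alert) -> TierVerdict:
    """Initial analysis: does the action match allow-listed automation?"""
    if alert.known_automation and alert.source == "api":
        return TierVerdict(1, Verdict.BENIGN, 0.9, "allow-listed automation via API")
    if alert.source == "console":
        return TierVerdict(1, Verdict.SUSPICIOUS, 0.6, "interactive change by a human principal")
    return TierVerdict(1, Verdict.SUSPICIOUS, 0.5, "API call from a principal not on the allow-list")


def tier2_audit(alert: Alert, first: TierVerdict) -> TierVerdict:
    """Second, independent look: weighs MFA and timing, which tier 1 ignored."""
    if not alert.mfa and not alert.known_automation:
        return TierVerdict(2, Verdict.COMPROMISED, 0.8, "privileged change without MFA")
    if alert.off_hours:
        return TierVerdict(2, Verdict.SUSPICIOUS, 0.7, "activity outside business hours")
    # Nothing contrary found: concur with tier 1, never raising its confidence.
    return TierVerdict(2, first.verdict, min(first.confidence, 0.9), "audit found no contrary evidence")


def tier3_evaluate(alert: Alert, t1: TierVerdict, t2: TierVerdict) -> Disposition:
    """Compare the lower tiers; auto-close only on confident agreement that it is benign."""
    trail = [
        f"{alert.alert_id} {alert.rule} by {alert.principal}",
        f"tier1={t1.verdict.value}@{t1.confidence:.2f} ({t1.rationale})",
        f"tier2={t2.verdict.value}@{t2.confidence:.2f} ({t2.rationale})",
    ]
    agree = t1.verdict is t2.verdict
    confident = min(t1.confidence, t2.confidence) >= AUTO_CLOSE_MIN_CONFIDENCE
    if agree and confident and t1.verdict is Verdict.BENIGN:
        trail.append("tier3: agreement, high confidence, benign -> auto_close")
        return Disposition("auto_close", trail)
    if not agree:
        trail.append("tier3: tiers disagree -> escalate to human")
    elif t1.verdict is not Verdict.BENIGN:
        trail.append("tier3: agreement on a non-benign verdict -> escalate to human")
    else:
        trail.append("tier3: agreement but confidence below threshold -> escalate to human")
    return Disposition("escalate", trail)


def triage(alert: Alert) -> Disposition:
    t1 = tier1_triage(alert)
    t2 = tier2_audit(alert, t1)
    return tier3_evaluate(alert, t1, t2)


def run_backlog(alerts: list[Alert]) -> dict[str, str]:
    """Sweep a backlog with the same policy; returns {alert_id: action}."""
    return {a.alert_id: triage(a).action for a in alerts}


# Constructed sample alerts (not real Tealium data).
SAMPLE_ALERTS = [
    Alert("A-1", "IAMUserCreated", "role/terraform-ci", "api", mfa=False, off_hours=False, known_automation=True),
    Alert("A-2", "IAMUserCreated", "user/jdoe", "console", mfa=True, off_hours=True, known_automation=False),
    Alert("A-3", "IAMUserCreated", "user/contractor", "api", mfa=False, off_hours=False, known_automation=False),
    Alert("A-4", "IAMUserCreated", "role/terraform-ci", "api", mfa=False, off_hours=True, known_automation=True),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        d = triage(a)
        print(d.action.ljust(10), "|", " ; ".join(d.audit_trail))
```

Of the four constructed alerts only A-1 auto-closes: A-2 is agreed-suspicious, A-3 and A-4 are disagreements between the tiers. The design point is that disagreement and low confidence both default to escalation, so a weak or wrong lower tier can only cost analyst time, never silently close a true positive.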

"It's AI triaging and analysis from multiple perspectives, AI evaluating the work of other agents, all the way through the triage and closure lifecycle," Jason explained. "At the end of the day, humans have the accountability and authority to oversee this process. But these tools enable us to respond in hours, not days — and in some cases, minutes, not hours."

The practical results are striking. Jason and Don estimate the team of five is doing the work of a team 10X their size. When someone manually created an IAM user across one of Tealium's numerous AWS accounts, the team was aware and triaging within 10 minutes. Alert volume has dropped by 80–90% through continuous detection improvement. With AI handling the high-volume, repetitive work across the alert lifecycle, the team now has the bandwidth to think about threat patterns and adversarial behavior that would never have made it onto the radar before.

"There was a time I was so concerned about solving the next thing in front of me that I rarely had time to spend the mental resources on creative, strategic thinking. Now I have tools that can think creatively with me — and AI is running the low-brain, high-bandwidth work so we can focus on what actually matters. Everybody else is getting gray hair because of their SIEM. With Panther, we get to be excited about ours."

Jason, Lead Security Engineer, Tealium


Challenges

A years-long alert backlog had grown beyond what the team could realistically clear alongside normal operations

Building and tuning detections required hours of solo research per rule, slowing the team's ability to improve signal quality

Applying consistent, senior-level analysis across 55+ AWS accounts was impossible for a small team relying on tribal knowledge

Solutions

Ran automated triage and confidence scoring across the full alert backlog, auto-closing benign signals and surfacing any true positives for human review

Leveraged Panther AI as a detection engineering collaborator to accelerate rule creation, structure decisions, and surface blind spots

Built out their virtual SOC — the T-SOC — with AI agents triaging, auditing each other's analysis, and escalating only when confidence thresholds aren't met

Results

Cleared thousands of open alerts dating back to 2023 down to zero in a matter of weeks, a task the team estimated would have taken a full quarter of dedicated attention before AI

Reduced time spent creating new detections by 75–80%, dropping from 4-5 hours per rule to just 10 minutes for some

A team of five now operates at the scale of a team 10X their size, with response times on alerts like AWS anomalies dropping to under 10 minutes and total alert volume reduced by 80–90%
