How Reddit built an AI-powered SOC with Tines


Reddit didn't set out to build an "AI SOC." They set out to stay ahead of the problem.

Alert volume was growing, investigations were getting more complex, and the team wasn't scaling at the same rate as the work. But Reddit's approach to AI was deliberate, not panicked. As Nick Fohs, Reddit's manager of enterprise systems and security, put it in a recent webinar: introducing AI without structure is like bringing a backhoe to your backyard. Hit a gas line with a shovel and it's manageable. Hit one with a backhoe and the consequences are a completely different animal.

So they started with the work. Then introduced AI where it created leverage.

Start with how time is actually spent

A typical alert investigation took around 15 minutes. Most of that wasn't decision-making. It was gathering context. Analysts moved between systems, pulled logs, checked devices, and pieced together what happened before they could assess anything. As Fohs put it: "It was a fairly arduous task every single time."

The process worked, but it was also slow and dependent on individual experience.

Rebuilding investigation inside workflows

Reddit rebuilt this in Tines, deploying their AI-assisted investigation system, internally named Event Horizon, in three weeks, faster than most teams take to scope a project.

Workflows define how investigations run. AI sits inside that structure. When an alert triggers, the workflow gathers data across systems, AI processes and summarizes it, and produces an initial assessment.

What used to take 15 minutes now takes about 30 seconds.

The gain is speed, but also consistency. As Fohs put it, describing what the new process means for junior analysts: "They're basically getting access to our expertise without us needing to be in the room." Less experienced responders follow the same investigation path as senior engineers. And the benefits aren't limited to junior analysts. Across hundreds of alert types from tools like CrowdStrike, the breadth of what AI can hold in context is hard for any individual to match.

Decision-making stays with people

High-impact actions like locking accounts and isolating devices still require human input. The workflow can stage an account for locking and page on-call, but doesn't execute autonomously on sensitive actions.

The reason is both practical and architectural. If the alert involves a C-suite executive, Fohs noted, "you don't just nuke their access without a response plan." Reddit had already built a model in Tines where workflows stored privileged credentials and executed scoped actions, rather than handing engineers broad system permissions. The same logic applied to AI. Explicitly defining what actions are possible, Fohs said, "made it a lot easier to have confidence that the platform is going to do what we expect and not do a ton of things that we don't."

Spreading expertise and going further

Reddit uses Tines Workbench to bring humans into workflows at the right moment with the right tools already available. The team ships these quickly: the day before the webinar, someone had built a flow to pull context on a suspicious email and push the output to Slack. "A lot of the questions people want to ask their security team but are pretty low stakes," Fohs said. "Now they just have access to an always-on agent."

On auditing, Fohs's approach is to treat AI outputs the way you'd treat a human's. "Have an output log and have somebody reviewing the actions taken, the same way you would if a human were doing this."
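The pattern described in the sections above (workflow gathers context, AI produces an initial assessment, only allow-listed actions run, sensitive actions are staged for a human, every step lands in an output log) can be sketched in code. The following is an added example, not Reddit's Event Horizon or Tines's own implementation; the alert, device inventory, login records, action names and the rule-based `assess()` that stands in for the AI summarisation step are all constructed for illustration.

```python
"""Added example: alert triage workflow with scoped actions, a human gate,
and an audit log. Constructed data throughout; not Reddit's or Tines's code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# --- Constructed sample data standing in for the systems a workflow queries ---
SAMPLE_ALERT = {
    "id": "ALERT-0001",            # constructed identifier
    "source": "edr",
    "rule": "credential_dumping_tool",
    "user": "jdoe",
    "hostname": "laptop-42",
    "severity": "high",
}
DEVICE_INVENTORY = {               # hypothetical asset store
    "laptop-42": {"owner": "jdoe", "managed": True, "last_seen_minutes": 3},
}
RECENT_LOGINS = {                  # hypothetical identity log
    "jdoe": [
        {"ts": "2024-01-01T09:00:00Z", "country": "US", "mfa": True},
        {"ts": "2024-01-01T09:12:00Z", "country": "RO", "mfa": False},
    ],
}

# --- Action policy: the workflow defines what is possible, nothing else ----
AUTONOMOUS_ACTIONS = {"open_case", "notify_oncall"}          # low impact, runs unattended
APPROVAL_REQUIRED = {"lock_account", "isolate_device"}       # staged for a human


@dataclass
class AuditEntry:
    ts: str
    step: str
    detail: dict


@dataclass
class Investigation:
    alert: dict
    context: dict = field(default_factory=dict)
    assessment: dict = field(default_factory=dict)
    staged: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def log(self, step, **detail):
        """Every step, AI or human, is recorded the same way for later review."""
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(), step, detail))


def gather_context(inv):
    """Step 1: pull the device and identity context an analyst used to collect by hand."""
    user, host = inv.alert["user"], inv.alert["hostname"]
    inv.context = {
        "device": DEVICE_INVENTORY.get(host, {}),
        "logins": RECENT_LOGINS.get(user, []),
    }
    inv.log("gather_context", sources=["device_inventory", "identity_logs"])


def assess(inv):
    """Step 2: initial assessment. Deterministic rules stand in here for the
    AI summarisation step; the structure around the step is the point."""
    risky = [l for l in inv.context["logins"] if not l["mfa"] or l["country"] != "US"]
    score = {"low": 1, "medium": 2, "high": 3}[inv.alert["severity"]]
    if risky:
        score += 1
    recommended = ["open_case", "notify_oncall"]
    if score >= 4:
        recommended += ["lock_account", "isolate_device"]
    inv.assessment = {
        "score": score,
        "summary": (f"{inv.alert['rule']} on {inv.alert['hostname']}; "
                    f"{len(risky)} anomalous login(s) for {inv.alert['user']}"),
        "recommended": recommended,
    }
    inv.log("assess", score=score, recommended=recommended)


def request_action(inv, action, approved_by=None):
    """Step 3: run allow-listed actions, stage sensitive ones until a named
    human approves, and reject anything outside the policy."""
    if action in AUTONOMOUS_ACTIONS:
        inv.executed.append(action)
        inv.log("execute", action=action)
        return "executed"
    if action in APPROVAL_REQUIRED:
        if approved_by is None:
            inv.staged.append(action)
            inv.log("stage", action=action, reason="human approval required")
            return "staged"
        inv.executed.append(action)
        inv.log("execute", action=action, approved_by=approved_by)
        return "executed"
    inv.log("reject", action=action, reason="not in action policy")
    return "rejected"


def run_investigation(alert):
    """End-to-end: context, assessment, then each recommended action through the policy."""
    inv = Investigation(alert=alert)
    gather_context(inv)
    assess(inv)
    for action in inv.assessment["recommended"]:
        request_action(inv, action)
    return inv


if __name__ == "__main__":
    result = run_investigation(SAMPLE_ALERT)
    print(result.assessment["summary"])
    print("executed:", result.executed, "staged:", result.staged)
    for entry in result.audit:
        print(entry.ts, entry.step, entry.detail)
```

The two things worth noticing are that the assessment step only recommends; it never holds a code path that can lock an account on its own, and that an action the model might suggest but the policy does not name (`request_action(inv, "delete_user")`) is rejected and logged rather than executed. Swapping the rule-based `assess()` for a model call changes nothing about what the workflow is permitted to do.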

Beyond security

Security actions frequently trigger follow-on work. Locking an account affects a real person who needs to come back online. Reddit's workflows now handle those downstream steps, notifying managers, guiding recovery, and closing the loop. "That person doesn't go away," Fohs said. Detection, response, and resolution became one connected process rather than a handoff.

What's next

Near-term, the focus is enabling IT support teams to resolve issues without escalation. Further out, Fohs described what he called the emergency medical hologram approach: deploying agents tuned to specific contexts that can be dropped into a live incident response. "If the specific person I'd normally ask isn't available, how do we get the procedural elements of their expertise into an agentic stance to help us in any scenario?"

A foundation that scales

Reddit moved quickly because the foundation was already in place. Existing integrations in Tines meant AI could be layered in without rebuilding from scratch. Everything built was designed to be forked by other teams and tuned for different alert types.

The result is more work handled, with more consistency and less manual effort. AI plays a specific role. Workflows provide the structure. Humans stay responsible for decisions that carry real risk. That's what let Reddit scale their SOC without losing control of it, and build a foundation ready for whatever comes next.
