Hugh Njemanze, President and Founder at Anomali, reveals how a purpose-built, cloud-native SIEM infused with agentic AI is transforming how security teams detect threats, reduce incidents, and prioritize risk. From faster investigations to board-ready insights, this conversation challenges outdated assumptions and showcases what modern security operations can truly achieve.
In this On Location Brand Story episode, Sean Martin speaks with Hugh Njemanze, President and Founder at Anomali, who has been at the center of cybersecurity operations since the early days of SIEM. Known for his prior work at ArcSight and now leading Anomali, Hugh shares what’s driving a dramatic shift in how security teams access, analyze, and act on data.
Anomali’s latest offering—a native cloud-based next-generation SIEM—goes beyond traditional detection. It combines high-performance threat intelligence with agentic AI to deliver answers and take action in ways that legacy platforms simply cannot. Rather than querying data manually or relying on slow pipelines, the system dynamically spins up thousands of cloud resources to answer complex security questions in seconds.
Agentic AI Meets Threat Intelligence
Hugh walks through how agentic AI, purpose-built for security, breaks new ground. Unlike general-purpose models, Anomali’s AI operates within a secure, bounded dataset tailored to the customer’s environment. It can ingest a hundred-page threat briefing, extract references to actors and tactics, map those to the MITRE ATT&CK framework, and assess the organization’s specific exposure—all in moments. Then it goes a step further: evaluating past events, checking defenses, and recommending mitigations. This isn’t just contextual awareness—it’s operational intelligence at speed and scale.
Making Security More Human-Centric
One clear theme emerges: the democratization of security tools. With Anomali’s design, teams no longer need to rely on a few highly trained specialists. Broader teams can engage directly with the platform, reducing burnout and turnover, and increasing organizational resilience. Managers and security leaders now shift focus to prioritization, strategic decision-making, and meaningful business conversations—like aligning defenses to M&A activity or reporting to the board with clarity on risk.
Real-World Results and Risk Insights
Customers are already seeing measurable benefits: an 88% reduction in incidents and an increase in team-wide tool adoption. Anomali’s system doesn’t just detect—it correlates attack surface data with threat activity to highlight what’s both vulnerable and actively targeted. This enables targeted response, cost-effective scaling, and better use of resources.
Learn more about Anomali: https://itspm.ag/anomali-bdz393
Note: This story contains promotional content.
Guest:
Hugh Njemanze, President and Founder at Anomali | https://www.linkedin.com/in/hugh-njemanze-603721/
Resources
Learn more and catch more stories from Anomali: https://www.itspmagazine.com/directory/anomali
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
From Overwhelmed to Informed: The Future of Threat Detection Isn’t Just Faster—It’s Strategic | A Brand Story with Hugh Njemanze from Anomali | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] We're here with the father of SIEM, Hugh Njemanze.
Very good. Good, good to see you, Hugh. We, we've crossed paths as competitors years ago and as potential partners after that. Uh, I was a big yellow. You were at ArcSight. That's right. And, uh, a lot has changed. A lot has changed since, uh, the early world of SIEM. Yeah. And all that stuff. So we're gonna get into some of that and, and really what I wanna get into is, uh, what you're doing with Anomali and some of the cool stuff that you announced today.
Um, before we do that, a bit of your, bit of your background, so folks know. All the, all the fun things you were involved with before and then leading into Anomali, what, uh, what you're doing now? Sure.
Hugh Njemanze: Well, as Sean mentioned, I founded a company called Anomali back in 2000, long time ago, and it was one of the instigators of the SIEM category and essentially solved the problem of collecting logs from every type of [00:01:00] device on your network and identifying actionable security incidents. Um, so that takes a lot of integrations and it's a category that is still thriving 25 years later. Mm-hmm. Even though people like to say it's dead when they market their own SIEMs. Right. So, yeah. And, um, along the way, or post-ArcSight, um, I founded Anomali in 2013, which was initially known as ThreatStream, and became Anomali in 2016. Yeah.
Sean Martin: Remember ThreatStream. Yeah, exactly.
Hugh Njemanze: And that's been a very fun journey. Uh, we started out really focused on making threat intelligence something that large enterprises could use to bolster up their defenses. And at the moment we have come full circle, introduced a next generation SIEM a few months ago, uh, which combines the power of threat intelligence with, um, [00:02:00] the extreme power of a next generation SIEM that breaks barriers in terms of orders of magnitude, not percentage points. So happy to talk about that.
Sean Martin: Well, let's do that. Um, so is that, is that speed, detection, reduced false positives? All the above. What else?
Hugh Njemanze: All of the above. Yeah. Plus very strong application of AI, in particular agentic AI, which we can talk about, um, but also scale and performance that hasn't been seen before. We basically built a, from the ground up, native cloud platform. And what that means is we can harness the full power of a large cloud provider, such as Amazon or the others. Okay? Um, which means you ask a question, we can immediately bring thousands of servers to bear on that question, answer the question in seconds. That would take hours or even days in what are considered state of the art today. So it literally is night and day.
Sean Martin: So instead [00:03:00] of trying to figure out what the information is in the SIEM, you can actually almost have a conversation with it. So what are some of the types of, of queries or prompts, if you will?
Sure. Um, so like one I would imagine is, am I vulnerable or are there any indicators of X, Y and Z attack that we hear on the news today? Right,
Hugh Njemanze: Right. So for people who are not steeped in how AI applies to security. If we go back all the way to search, uh, search became a very powerful tool for security tools, 'cause we collect a lot of data and you want to filter through it, siphon through it, identify, uh, either groups of events that are related or could be related and so forth. So search is powerful. You have to write queries, that's complicated. People need special skills. Um, then AI kind of burst back onto the scene two or three years ago with the advent of ChatGPT, right?
And you could characterize that as a conversational search. [00:04:00] You ask the system questions and it answers you not based on just the words in the question, but based on the meaning overall of the question, the semantic meaning of the question. Mm-hmm. And, and that involved those AIs ingesting a lot of human information, equivalent of the worldwide web, for example.
Now, the latest state of the art and where most of the research is going on is known as agentic AI at the moment. And the difference...
Sean Martin: Give, give us the definition of what that is for folks. They probably heard the term at this point, but trying to figure out what it means.
Hugh Njemanze: So agentic AI embeds the word agent, and it means that the AI can perform a task on your behalf that might require multiple steps.
So in other words, it's behaving like a human. A human given a research question might decide to search one place and then search another, and then perform a calculation. So the agentic AI, a good one is gonna tell you, these are the steps I'm gonna go through to address this problem, right? It will show you each [00:05:00] step, it will show you the result, and then it will give you a complete task or an answer.
An example of a use case not in security would be an agentic AI booking a trip for you that involved multiple flights and figuring out, well, if the, if the middle flight lands one day later, then I have to change the hotel booking and da da da da. So agentic AI just means it's the next step forward in having the system be an expert working on your behalf.
Right.
Sean Martin: And are these typically purpose built? Because I think general, like general AI may not work perfectly for every specific thing you'd want. Exactly. And perhaps the AI is a little more purpose built for a specific task. Trained by specific data, with specific models.
Hugh Njemanze: And that applies double for security, right?
Because when you use AI for security solutions, you cannot afford to have hallucinations, as they're known in the industry. A hallucination is when the AI confidently gives you the wrong answer and supports it with facts. The [00:06:00] facts may not be real, but they sound very convincing. And so in our field, um, we have to take extra care to design our algorithms so that our AI answers cannot be hallucinatory. Alright? That means we essentially create our own walled garden with information that is pertinent just to that customer, okay? To that environment and to that set of threats. And then the AI takes as many steps as necessary to assemble all the research and deliver that information.
One key advantage that our AI has is when it asks questions, it's asking a search engine that's more than a thousand times faster, faster than anything else. That means that...
Sean Martin: This is the work you did previously. Yeah. Yes, exactly.
Hugh Njemanze: That means they couldn't do research that would take days or weeks for an analyst to do by hand using today's normal search engines.
Sean Martin: So gimme a few examples. Is this for looking for indicators? Is it looking for the root, root [00:07:00] source of the, of the compromise? Or is it, do we see any signs that might be another indicator of compromise?
Hugh Njemanze: Those are all...
Sean Martin: Gimme some of the tasks that an analyst might sit, be sitting in front of and be overwhelmed.
Hugh Njemanze: And now they're, for example, um, a bulletin. The briefing gets published by some security agency.
Sean Martin: Okay?
Hugh Njemanze: Um, you access it as a file, could be a PDF or Word document or XML document. That document might be a hundred pages long. You could go read through it and somewhere in there there's gonna be references to malicious actors.
There's gonna be references to the techniques they're using. Okay? There's gonna be references as to what they're targeting. The AI will read that entire document in a few seconds flat. Okay. Then the hundreds of references that somebody would have to extract and then Google for, it's actually going to look up all of those references and it's gonna cross-reference them against the history of your own network.
Got it. So if one of those malicious actors mentioned in the [00:08:00] document touched your network six months ago, or two years ago, it will tell you, it will give you a timeline. It will then recommend steps you should take, whether they're to mitigate or to defend. Okay? It will also assess your current defenses against threats that have not yet targeted you, including the ones that have, okay, all of this happens while you're sitting there.
We do this regularly in a desktop demo conference room demo, and we see people's eyes start by rolling in skepticism and then being amazed.
Sean Martin: Well, you, you, you've piqued my interest when you said what are your defenses? Yeah. How are you getting that, that information? So
Hugh Njemanze: we basically, um, support a framework known as the MITRE ATT&CK framework.
Right. And so what we do is we map the, um, the system scans of your network, whether it's vulnerability scans, or equipment scans, or the CMDB. Okay. And then we compare those to the various [00:09:00] techniques that the bad actors use and the path that they would take, attacks that have been attempted, reconnaissance that has been done on your system.
And we use that to prioritize which systems you should fortify and what is the risk and cost for that particular target to be breached. Okay.
Sean Martin: So, I mean, I, yeah, what, what you've built, I had a dream of many years ago. So it's really cool to see this come together. Um, all the information, all the context, all the metadata.
Mm-hmm. Consolidated, normalized, analyzed, yeah. At speed now. Mm-hmm. Um, and with the agentic AI, some answers and perhaps some tasks can be completed automatically.
Mm-hmm.
Where, where does the, the analyst fit in? Where does their manager fit in? Where does the security program leader fit in now in terms of, well, I would
Hugh Njemanze: say those jobs become more and more managerial and strategic in the sense [00:10:00] that what you want to be doing is prioritizing how am I gonna apply resources? Um, which of these equally, apparently, equally scored impacted systems are actually more meaningful to the organization. Okay. So you start to get into things that are maybe not in the metrics and the humans are gonna be providing more and more of the judicious type of decisions.
Sean Martin: Okay. You said another magic word for me. Metrics. So, for decades we've had the MTTX. Mm-hmm. Um, metrics for how well is our, our SOC functioning. Right? Yeah. Um, do those still apply? Do they change, does the mindset need to be different? For, for the analyst, they still apply.
Hugh Njemanze: We have, um, a customer, a very large finance customer who just ripped out their old system, I won't name it.
Um, and replaced it with ours, um, last fall, and they told us about a week ago that they have had [00:11:00] 88% fewer incidents since our system was switched on. So that's, does that mean
Sean Martin: false positives? They were getting a lot of, or they, or they're not having to respond because your system is responding on behalf.
Hugh Njemanze: They're attacking things before they turn into incidents. Ah, yeah.
Sean Martin: Very interesting.
Hugh Njemanze: Okay. Yeah, so that's one example of a metric that was shared with us by a very proud and happy customer. I'd say so, yeah.
Sean Martin: And of course we're proud. Yeah, absolutely. Yeah. Um, since we're on that topic, any other examples of, uh, I mean, burnout's been a thing for a long time.
I doubt it's, it's not, not as prime, uh, topic this year. It seems maybe more for the CISO than the analyst. Mm-hmm. Um, any, any anecdotes or stories about the, the, the mental health and fortitude of the, the analyst team? Sure. Because they're not overwhelmed or they're not Yeah. Struggling trying to find stuff that's difficult or impossible to find.
Hugh Njemanze: [00:12:00] I'll give you an example that might be relevant. So a different customer told, uh, told me that it used to be they had trouble maintaining more than two or three trained specialists at any time for the product they were using before. First of all, because there's a steep learning curve.
And second of all, because after people go up that learning curve, they get poached. Okay. And what he told me is since our product has been deployed, a much broader percentage of the team is using the tool directly. Okay. 'cause it is that accessible. So I would say that both gives people job security Yeah.
And mental comfort. 'cause before there were a few priests and now everybody can be an expert. Yeah. Super cool. Yeah.
Sean Martin: Let's, um, if you're cool with it, let's talk about, uh, risk management. Okay. Um, and perhaps some of the information that mm-hmm. [00:13:00] The security team now has available to say, here, here's our exposure, here's how we're, yeah, mitigating things. And we can have a better conversation with our executive leadership team and perhaps even the board.
Hugh Njemanze: Well, here's something we do that has not lived in a single system before. Okay. Okay. There's a space in security called attack surface management. Mm-hmm. Okay. And that's about knowing which of your systems could be vulnerable.
Okay, and then there is the threat detection space. Okay? Our system ingests all of the information about your attack surface, compares it to all activity on your network, shows you who is interested in the things that are attackable. Okay? So before you either knew what was attackable or who was attacking you.
But you were not able to narrow it down to these machines are attackable and they are being threatened. [00:14:00] Okay. Right. And so that allows this kind of triaging that I was talking about before, where a team can have a very strong sense of what to focus on to stay safe.
Sean Martin: Okay. And it, so the system as a whole, does that include the mm-hmm. I, I presume the operating system and applications mm-hmm. On it? Yeah. Um, 'cause I, I have this other dream. Yeah. This dream that security, especially with the system you've put in place Certainly, yeah. Has so much knowledge about mm-hmm. The network, the infrastructure, the workflows, the business processes.
Mm-hmm. And the exposure and the weaknesses that, yeah. I believe we have a chance to guide the business to say, if we design this differently Yeah. Or build it from the start differently. Mm-hmm. We can reduce the exposure, reduce the need to patch, reduce the need to respond, and, and yeah. So have you experienced that [00:15:00] with your, your solution and, and your customer?
Hugh Njemanze: Yes. That is, uh, relevant and true on multiple fronts. One front is we are now getting much more interest in business level strategic reports from the system. So it's no longer IP addresses and individual attackers. It's more what are the campaigns. What are they targeting? Is it related to this acquisition we want to do, et cetera?
So we're getting much more interest in answering business level questions. The other thing is just the sheer scale of our product has allowed customers that were maxed out on their previous licenses. For example, maybe they were ingesting eight terabytes a day. I
Sean Martin: was gonna ask you about this. Now they can move
Hugh Njemanze: up to 40 terabytes plus.
Okay. And um, and I should mention that our cost per terabyte is significantly less than anybody else on the market. So this is not something where you pay more to get more. Right. It's something where you can save money and at the same [00:16:00] time upgrade your defenses. Yeah.
Sean Martin: So I had a chat with, uh, Allie Mellen from, from Forrester, and she was talking about the number of, the number of incidents: is low good, is a lot good?
And, okay. Um, yeah. What, what's your, when you're speaking to the, the security leadership team. Mm-hmm. What, what's that conversation sound like with them? What are they experiencing? How do you, how do you respond and what's, what's the, the final common ground? Yeah. For what matters to them?
Hugh Njemanze: I'll tell you firsthand what I've heard in these conversations with, um, security leaders.
One is one of the metrics that they try to figure out is what percentage visibility do they have? In other words, out of everything that's impinging on them, how much of it can they even see. Okay. So part of that is addressed by being able to ingest more than 90 days. Maybe you want to keep five years, 15 years.
Okay. Another part is being able to [00:17:00] ingest from more of your sources. So we're agnostic about the sources. Typically, SIEMs focus on, um, network type sources. And then EDR will focus on host sources. Uh, we ingest everything. Okay. And because we have the volume to do so. So it doesn't matter whether it's NetFlow or EDR data or network data, because we ingest everything and we ingest it over a longer period of time, they can ask better questions and expect the answers sooner, and that directly impacts their visibility score.
Okay. So we've had people tell us they went from less than 20% to north of 60% in months.
Sean Martin: Very cool. Yeah. 'cause one of the things, I'm looking back in time now and one of the, one of the biggest challenges, you probably experienced this as well mm-hmm. Is the collection of that data. Yeah. And the, and the connection points between That's right.
The SIEM at all these different layers of the, of the infrastructure and then obviously all the different types and formats and That's right. Um, [00:18:00] how have you addressed that with Anomali so that you can actually pull that stuff out? I
Hugh Njemanze: would say that would probably be the biggest challenge for any, let's say next-gen SIEM vendor thinking they're going to displace anybody. Okay. The challenge is how are you gonna migrate all the IP they've built over the years? Mm-hmm. How are you gonna redirect all the traffic that's going to their SIEM? Okay. Um, this is all stuff that we took into consideration from the outset, designing our product.
Um, 'cause some of us used to be a SIEM vendor in the past. Um, and as I mentioned, we've been able to migrate customers, large enterprise customers, that are now running a bigger deployment than they ever ran in the past. We've been able to deploy those customers in three to six months where they were able to turn off the other product, not just go live with us, but turn off the other product and, um, 'cause that's the only way they're gonna actually get to save the money.
If they have to run both, [00:19:00] then it's just more budget as
Sean Martin: Yeah. Not, not the, not the answer you want to give your, your leadership and budget team.
Hugh Njemanze: Part of it is due to the fact that we can leverage AI, for example, to do IP conversion from another system to our system. So we're trying to eat our own dog food. Right, right.
Sean Martin: Yeah, yeah, yeah. I can, I can see all the, all the use cases here. It's pretty cool. Pretty cool here. Um, anything you want to close with, uh, maybe word of, of welcome or a word of advice or a question that maybe you'd like to ask the CISO community or security leadership community?
Hugh Njemanze: Well, thanks for all your questions to start with.
They've been very insightful and really, I haven't had to come up with anything that you didn't ask me, so there we go. That's, that's good. I appreciate that. That's one thing. Um, I guess a word of advice would be to be open-minded in assessing systems. Obviously it's easy for me to say that because we're less well known as a SIEM than other vendors, [00:20:00] but if you just do an assessment and identify what your goals are, pick the best tool for the job.
Sean Martin: That's good advice. And funny enough, I've heard that a few times from a few of my CISO friends. Yeah. Um, being open Yeah. To explore and understand not shut off. Yeah. Because they don't want to disrupt what's going on. And I would say
Hugh Njemanze: the people who have adopted us early, uh, are not only successful, but they were pioneers in taking that kind of a risk on us.
Yep. Because not many people, I think in, in the old days, it used to be you can never get fired for buying IBM, right? So people are taking that same kind of risk now and happily for us. That's a good thing.
Sean Martin: It sounds like you demonstrate, uh, the risk is worth taking too. So, very cool. Hugh, fantastic my friend.
Pleasure. Lovely chatting with you. I love what you're doing. Thank you. It, it's deeply rooted in me, in my, my past. So I love the, love the topic. It sounds like you're doing some really cool things. So, [00:21:00] uh, check out Anomali, connect with Hugh. Stay tuned to ITSPmagazine for more stories. Thanks everybody for listening and watching.
See you soon. Thanks, Sean.