When I see discussion about AI in security (especially AI agents) - it’s often about how it will replace Tier 1 SOC analysts. It might…but I think the biggest area of opportunity in cyber security is for AI to analyze all the un-triaged alerts from an org’s security products
Most companies can only triage a tiny fraction of their overall alert volume with a human. It’s part of reason why companies put so much emphasis on vendors getting severity ratings “right”
The severity rating is often a major factor in deciding whether a human reviews an alert
The severity rating is often a major factor in deciding whether a human reviews an alert
This drives 2 behaviors from security vendors
1) Alert severity is often driven by TP/FP ratio
2) Those that don’t have high enough signal to noise ratio (even if they can meaningfully detect severe impact) get dropped altogether if they can’t be improved - which leads to FN’s
1) Alert severity is often driven by TP/FP ratio
2) Those that don’t have high enough signal to noise ratio (even if they can meaningfully detect severe impact) get dropped altogether if they can’t be improved - which leads to FN’s
AI coupled with agents has the potential to change this
The AI agent can reason over a detection
& take some initial investigative steps. Scale this up for all alerts coming into the SOC - then the ones with most likelihood of being TP can be forwarded for human review/action
The AI agent can reason over a detection
& take some initial investigative steps. Scale this up for all alerts coming into the SOC - then the ones with most likelihood of being TP can be forwarded for human review/action
I think the first iterations of AI agents in the SOC we’ll see are for very simple repetitive tasks (e.g user reports a malicious email attachment)
The second iteration of AI agents will be for performing mini-investigations into all alerts coming into the SOC
The second iteration of AI agents will be for performing mini-investigations into all alerts coming into the SOC
In parallel we’ll see security vendors (those that are still innovating at least) start to build AI & mini-investigations into their detection engines. This should help with TP/FP tradeoff that occurs w/detection logic as it exists today & improve quality of detections/severity
The challenge that will develop for security vendors will be. Their detection engines will turn into a COGs discussion (or at least each net new detection has the potential to massively drive up COGs)
How much can I detect at what price?
How much can I detect at what price?
Most enterprise intrusions that I’ve analyzed in my career have had alerts generated by some security product along the way. The issue/blocker has been figuring out which ones to get in front of a human to realize importance/significance to mobilize action by an org to mitigate
In theory MDR vendors are best positioned to drive progress. Combination of alerts + follow on investigative data to evaluate effectiveness of AI agents side by side w/human’s currently performing tasks
I’m dubious. Is COGs reduction enough to justify cost? Will it reduce COGs?
I’m dubious. Is COGs reduction enough to justify cost? Will it reduce COGs?
• • •
Missing some Tweet in this thread? You can try to
force a refresh
