< ciso
brief />
Tag Banner

All news with #soc tag

114 articles

Detection engineering rises as a core SOC capability

🔍 Detection engineering has moved from a niche role to a strategic imperative for many organizations, focused on building tailored, behavior-driven alerts that reduce false positives and improve response. It emphasizes threat modeling, SDLC/CI-CD practices, and integration of threat intelligence to craft detections specific to an organization’s environment. A SANS-Anvilogic survey found broad investment and leadership support, while AI and automation are increasingly used to tune rules and scale workflows.
read more →

Stonehenge as a Model for Cybersecurity Architecture

🪨 The author uses Stonehenge as a metaphor for designing resilient cybersecurity architectures, arguing organisations must move from fragmented point solutions to a modular, platform-based approach. Palo Alto Networks emphasises a unified cyber data layer, Precision AI integration, and an Autonomous SOC to enable real-time detection and response across IT, OT, cloud, and edge. The piece highlights identity security, AI runtime protection, and supply-chain risks as critical pillars for long-term resilience.
read more →

How AI Is Redefining the SOC Triangle

🔍 A simple framework called the SOC Triangle balances quality, consistency and cost efficiency in security operations. Human-centric workflows create trade-offs where improving one dimension often harms another. AI is changing this dynamic by automating repeatable investigative workflows, improving depth, consistency and scaling without linear headcount increases. The triangle still exists, but its constraints are loosening for machine-suitable tasks, shifting humans toward oversight and complex judgment.
read more →

Five new SOC roles emerging from AI evolution

🔒 The rise of AI-driven SOCs is reshaping security operations and creating new specialist roles rather than simply replacing people. Today's AI-SOC automates Tier 1 triage and is moving into Tier 2 investigation and remediation, prompting demand for skills in data engineering, agent orchestration, model training, threat hunting, and AI-savvy red teaming. Organizations will need professionals who can integrate diverse telemetry, manage agent swarms, fine-tune models, hunt adversary intent, and test AI-specific weaknesses.
read more →

Staffing and AI Shape Modern SOC Challenges

🛡️ The SANS 2026 SOC Survey of 513 security professionals highlights staffing as the top operational challenge for SOCs, with a marked perception gap between practitioners and cyber leaders about hiring and retention. The report shows widespread AI/ML adoption (79%) but limited operational integration (36%), with most teams using vendor tools without customization. It also flags maturity issues in CTI use, OT/IoT coverage, and SOC measurement practices.
read more →

SOC Speed Gap: How Attack Timelines Compressed Fast

⚠️ This article launches Unit 42's series Inside the Modern SOC, drawing on customer environments, SOC assessments and investigations to highlight a defining challenge: the speed gap. Attack timelines have compressed dramatically — in some cases from initial access to data exfiltration in about 72 minutes — driven by identity-driven tactics and AI-accelerated adversaries. The piece emphasizes that manual, sequential workflows and fragmented tooling leave defenders behind and argues for automated correlation, predefined response actions and behavior-focused detection to close the gap.
read more →

Challenges and Practical Paths for Autonomous SOCs

🔒 The promise of a fully autonomous SOC—where collection, analysis, investigation, and response happen without human intervention—attracts organizations facing talent shortages and a growing threat landscape. Vendors show value in alert enrichment and noise reduction, but autonomous decision-making and response have delivered limited ROI. Real-world obstacles include poor source data quality, tool integration gaps, analyst distrust, context deficits, AI hallucinations, compliance issues, and the need for human control.
read more →

Rethinking MDR as Attackers Use AI at Scale

🛡️ For years MDR filled a real gap by providing 24/7 human triage when teams were understaffed, but the modern threat landscape has outpaced that model. AI-powered attackers, expanded attack surfaces, and high alert volumes mean roughly 60% of alerts go unreviewed and low-severity alerts can hide real breaches. The article argues AI-driven SOCs that automate forensic-depth investigation, close the loop into detection engineering, and align pricing to endpoint counts are required to restore coverage and scalability.
read more →

Operationalizing AWS security: a maturity roadmap

🔒 This post outlines a practical, phased maturity roadmap for organizations that have enabled AWS Security Hub and Amazon GuardDuty. It emphasizes moving from enabled tooling to operational security practices by assessing current state, tuning signal quality, routing findings, automating safe remediations, and establishing a recurring operational cadence. Each phase includes goals, timelines, deliverables, and decision criteria to measure progress and reduce alert fatigue.
read more →

Most SOCs See Limited Value from First‑Wave AI

🔎 The SOC-CMM 2026 report shows rapid AI adoption across SOCs but limited perceived value: only about 10% report excellent value while 71% report some or no value. The dominant deployment pattern is the taker model—off‑the‑shelf AI bolted into existing tools—creating fragmented workflows and weak handoffs. The report argues the next wave must be architectural: AI that operates across detection, hunting, investigation, remediation, and threat intel with built‑in governance and institutional knowledge.
read more →

Defenders Must Adopt AI or Risk Failing

🛡️ Joe Slowik warned at Infosecurity Europe that defenders must adopt AI to keep pace with adversaries. He argued that purely human-driven SOCs cannot match the accelerated timescales enabled by AI, ML and LLMs, leaving organisations exposed. Slowik recommended rethinking security operations to integrate AI agents for rapid intelligence, enrichment and remediation, while keeping humans in the decision loop. He used the React2Shell example to illustrate the speed of modern exploits.
read more →

AI Won’t Replace SOCs, It Will Reshape Analyst Roles

🛡️ Vendors at Infosecurity Europe 2026 agree that AI will not eliminate security operations centers but will automate repetitive triage and ticketing. Experts urge treating AI as a glass box, ensuring transparency and human-in-the-loop validation. The shift accelerates junior analysts into supervisory tier-1.5 roles and creates demand for cyber defense engineers who build and tune detection systems.
read more →

Introducing the AWS Customer Incident Response Team

🔒 The AWS Customer Incident Response Team (CIRT) is a 24/7 global team that helps customers during active security events affecting the customer side of the Shared Responsibility Model. The team analyzes AWS service logs and the control plane using sources like AWS CloudTrail, VPC Flow Logs, and GuardDuty, provides triage and containment guidance, and recommends follow-up actions. AWS also publishes tools, workshops, and the Threat Technique Catalog for AWS (TTC) to help customers prepare and detect recurring tactics and techniques.
read more →

AI Becomes SOC Imperative to Counter Emerging Threats

🛡️ Security professionals at DTX argued that integrating AI into SOCs is now essential to counter autonomous attacker tooling and AI-accelerated threats. Panelists stressed sustaining core cyberdefence fundamentals—system hardening, patching, access control and monitoring—before deploying AI, and preserving human oversight to manage model risk. They noted role shifts toward validation, prompt engineering and GRC, and urged rigorous testing and SDLC-like deployment controls.
read more →

AI Security Must Shift From Posture to Behavior Now

🔐 The article warns that AI security is repeating the endpoint-era mistake of focusing primarily on posture controls—model cards, SBOMs, guardrails and access policies—while overlooking how systems actually behave. It argues that behavioral detection is essential, monitoring sequences of actions, data access patterns, tool invocations and output drift. The AI surface is expanding rapidly with open-source LLMs, third-party APIs, RAG pipelines and autonomous agents, creating "shadow AI" and dynamic risks. The recommendation is to keep posture as table stakes but prioritize logging, behavioral baselines and SOC integration to turn findings into actionable incidents.
read more →

Eight Principles for Reskilling the SOC for Agentic AI

🤖 DXC Technology, Accenture, and other organizations are actively retraining SOC teams to integrate agentic AI by embedding vendor experts and building secure sandboxes. CISOs emphasize top-down leadership, rapid experimentation, and formal learning tracks to shift mindsets and roles. Governance, humans-in-the-loop, and clear escalation and audit paths are required while agents take on L1/L2 tasks.
read more →

Fixing SOC Alert Overload: Why More Analysts Fail to Scale

🛡️ The operating model under most SOCs—not headcount—is driving persistent alert overload and slow containment times, despite rising security spend and dramatically faster attacker breakout windows. Prophet AI and similar platforms shift routine triage and pivot queries from humans to automation, freeing senior analysts to focus on detection engineering and complex hunts. The author presents a four-question SOC diagnostic, deployment outcomes that returned analyst-years of capacity, funding paths, and vendor-risk checks buyers must evaluate.
read more →

Expanding Detection: Essential Data Beyond Endpoints

🔍 The 2026 Unit 42 Global Incident Response Report warns that adversaries are moving to exfiltration four times faster than in 2025 and are exploiting gaps created by an over-reliance on endpoint telemetry. Unit 42 found critical evidence present in logs for 75% of incidents, yet siloed systems and inaccessible telemetry prevented timely detection and response. The authors recommend a single-pane-of-glass, AI-driven SOC that centralizes logs and uses tools like Cortex XSIAM for alert stitching, ML-based scoring and unified investigations to reduce alert fatigue and close multi-surface blind spots.
read more →

Threat Source: Prioritizing Identity and Legacy Risks

🔐 Hazel Burton summarizes Cisco Talos' Year in Review and outlines five critical priorities for defenders facing an increasingly automated threat landscape. While AI and accessible exploit code have lowered the barrier for attackers, adversaries still follow predictable patterns and reuse infrastructure, producing detectable anomalies. Defenders should treat identity infrastructure as a top-tier asset, secure MFA workflows with strict verification, prioritize patching by internet exposure, hunt long-tail legacy risks, and apply enhanced monitoring to management-plane systems to focus detection on anomalous post-login behavior and reduce alert fatigue.
read more →

NCSC: Bad SOC Metrics Undermine Detection and Response

🔍 The UK National Cyber Security Centre (NCSC) cautions that many common SOC metrics are misleading and can actively harm security operations if used or reported externally. CTO Dave Chismon argues that only time to detect/time to respond (TTD/TTR) reliably demonstrates SOC effectiveness, while metrics such as ticket counts, closure times, rule counts or raw log volume create perverse incentives. He recommends red and purple team exercises to assess TTD/TTR, and suggests internal, non-public metrics — hypothesis-led hunting, strict false-positive thresholds, log coverage, tooling expertise and analyst engagement — to monitor week-by-week health without driving the wrong behaviours.
read more →