Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations.

Part 1 of 3: The Detection Coverage Problem and How AI Solves It

Your SOC processes ten thousand alerts daily. Your detection engineer just wrote a brilliant new rule detecting lateral movement via WMI, but here’s what happens next:

They look at the alert volume and realize it generates two hundred potential hits per day. They know your team can realistically investigate maybe twenty alerts per day for this detection type, so they start making the rule more restrictive. They add filters, raise thresholds, and narrow the scope until the alert volume drops to something manageable.

In doing so, they’ve just created a blind spot.

Those one hundred and eighty alerts they filtered out might contain real threats, but your process design forced them to choose between overwhelming the team and potentially missing attacks.

This is the fundamental problem we need to solve. Your processes were designed for human-in-the-loop execution, and that constraint is now the bottleneck strangling your security effectiveness.

This edition is sponsored by AiStrike

AI SOC Done Right!

AI SOC Intelligence Fabric that unifies your data, accelerates investigations, and orchestrates intelligent response

Transform your SOC with composite AI that arrives pre-trained and ready to work. Enable small teams to operate like enterprise SOCs while giving enterprises state-of-the-art incident response capabilities.

What changed today

Today's AI wave is not a plug-and-play upgrade for security operations. Just as the shift to cloud and SaaS forced organizations to realign processes, roles, and governance, the AI wave demands a full reboot of your people-process-technology stack.

This isn't about adding a new tool to your existing workflows. This is about fundamentally rethinking how security operations function when you remove the human throughput constraint from the equation.

The Research Backs This Up

Recent research reveals an uncomfortable truth: data quality predicts success more than raw technology capacity, and process design often outweighs management intent in driving integration [1]. Meanwhile, cybersecurity researchers are exploring human-AI co-teaming models in SOCs, stressing the need for dynamic autonomy, trust calibration, and feedback loops in operational workflows [2].

The crux: Dropping AI into a rigid SOC is like installing a jet engine on a cart with square wheels. The power is there, but the system isn't designed to harness it.

What's Really Changing

Every major technology wave forces security teams to renegotiate the relationship between people, process, and technology:

  • Cloud era: Reinvented access models, monitoring pipelines, identity governance

  • SaaS era: Adapted to distributed ownership and ephemeral infrastructure

  • AI era: Must handle systems that don't just observe, they act, decide, and recommend

The challenge isn't visibility anymore. It's agency. AI systems don't just help us monitor threats; they investigate, triage, and recommend actions. That shift means SOC processes can't remain static checklists written for human cognition. They must become machine-executable logic that adapts to model confidence, context, and risk.

The Brutal Trade-Off: Killing Your Detection Coverage

Traditional detection engineering operated under constraints that forced you to sacrifice coverage for operational feasibility. Let me show you what this looks like in practice.

The Typical Detection Engineering Process

Here's how it actually works:

  1. Develop a hypothesis about a threat you want to detect

  2. Build a detection rule to identify that behavior

  3. Test against your environment to see alert volume

  4. See 100 alerts per day 😰

  5. Realize your team can only handle 20 alerts per day

  6. Make the detection more restrictive (add filters, raise thresholds)

  7. Deploy detection that catches 40% of attack variants instead of 90%

You weren't optimizing for security effectiveness. You were optimizing for operational survival.

Understanding the Funnel of Fidelity

Zack Allen, in Detection Field Manual #3, discusses detection efficiency using the concept of the Funnel of Fidelity (introduced by Jared Atkinson back in 2019) to describe this exact problem [3]: massive data volume at the top, limited analyst capacity at the bottom. Every alert that survives the funnel consumes human focus, creating an inherent trade-off between comprehensive detection and operational sustainability.

This creates a dangerous dynamic. You might achieve eighty percent detection coverage, meaning your rules can theoretically identify eighty percent of relevant security events in your environment. However, analyst capacity constraints mean you can only thoroughly investigate fifty or sixty percent of the alerts those detections generate.

Your effective security coverage isn't 80%, it's the 40-50% that actually receives quality investigation.

The Attacker's Advantage

This coverage gap becomes an exploitable vulnerability. Attackers need only operate in the 20-30% of alert volume that your team doesn't have the capacity to investigate. They can:

  • Generate low-level alerts that get suppressed automatically

  • Operate during high-volume periods when your team is overwhelmed

  • Use techniques that generate alerts your team habitually ignores due to high false positive rates

The gap between what you detect and what you investigate is where attackers live.

How AI Changes the Detection Engineering Equation

When investigation capacity increases from 20 alerts per analyst per day to thousands of alerts per AI agent per day, everything changes. You can finally deploy the detections you always wanted to build.

Before vs. After: The Transformation

Before AI                              | After AI
---------------------------------------|---------------------------------------------------
Detection generates 100 alerts/day     | Detection generates 100 alerts/day
Team can handle 20/day                 | AI triages all 100
80 alerts ignored or suppressed        | 70 auto-closed (benign activity + false positives)
Must narrow detection scope            | 20 escalated (ambiguous, with full context)
Catches 40% of attack variants         | 10 true positives flagged (ready for response)
                                       | Catches 90% of attack variants

The Key Shift

With AI, you move from precision-optimized detection to coverage-optimized detection.

Precision-optimized (old way):

  • Question: "How can I make this detection narrow enough to be sustainable?"

  • Result: Restrictive filters, high thresholds, missed attack variants

  • Coverage: 30-40% of the actual threat landscape

Coverage-optimized (new way):

  • Question: "How can I make this detection broad enough to catch all variants while maintaining signal quality?"

  • Result: Comprehensive coverage, AI handles triage burden

  • Coverage: 85-95% of the actual threat landscape

The detection engineer's job transforms completely. Instead of adding restrictive filters to reduce volume, she focuses on adding context that helps the AI make accurate disposition decisions. Instead of tuning for low volume, she tunes for high recall, knowing the AI can handle the resulting triage burden.[4]

Understanding the Alert Categories

(Updated section: thank you, Nathan Eades, for the feedback)

When we talk about the triage burden, we're actually dealing with two distinct categories:

Benign Alerts: The detection is working correctly; it identified the behavior it was designed to catch. But the activity is legitimate, authorized, or expected.

  • Example: Your lateral movement detection correctly flags WMI activity, but it's authorized IT maintenance during a change window

  • Problem: Requires context to distinguish legitimate from malicious

False Positives: The detection is firing incorrectly due to overly broad rules or environmental noise.

  • Example: Your detection fires on normal admin behavior because it doesn't account for privileged user patterns

  • Problem: The detection rule itself needs tuning

Traditional SOCs struggled with both:

  • Benign alerts required manual context gathering (check change tickets, verify with user, confirm authorization)

  • False positives required detection tuning, but that tuning often meant narrowing the rule and missing real threats

AI handles both categories intelligently:

  • For benign alerts: AI gathers context automatically (change windows, user roles, business justification) to determine legitimacy

  • For false positives: AI identifies systematic patterns and suggests detection improvements

The result: You can deploy broader detections because AI can distinguish between malicious activity, benign activity, and false positives at scale.

The Transformation in Detection Philosophy

This isn't just about automation making things faster. It's a fundamental shift in how you approach detection engineering.

Traditional Detection Engineering

Guiding questions:

  • Will this detection generate too many alerts?

  • Can our team handle the volume?

  • How can I make this more restrictive without losing too much coverage?

Optimization goal: Operational sustainability

Trade-off: Coverage sacrificed for precision

Result: Narrow detections that miss attack variants

AI-Enabled Detection Engineering

Guiding questions:

  • Does this detection catch the full breadth of attacker behavior?

  • What context does AI need to make accurate triage decisions?

  • How can I optimize for recall without sacrificing signal quality?

Optimization goal: Security effectiveness

Trade-off: Let AI handle triage burden, focus on coverage

Result: Broad detections that catch attack variants while maintaining a manageable analyst workload

Key Metrics That Change

Traditional metrics focused on volume management:

  • ✓ Alerts per day per detection

  • ✓ Analyst handling capacity

  • ✓ Alert-to-incident ratio

New metrics focus on coverage and learning:

  • Detection recall: Of all malicious events, how many did we catch?

  • AI triage accuracy: Of AI's auto-close decisions, what percentage are correct?

  • Analyst amplification: How many alerts can each analyst effectively handle with AI assistance?

  • Feedback utilization: Is analyst feedback improving AI accuracy over time?
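As an added illustration (not code from this post or from any vendor), the following toy triage pass applies the benign-versus-false-positive split described above to a constructed batch of WMI lateral-movement alerts and then computes the new metrics just listed. The enrichment fields, the admin-tool allow-list and the disposition rules are all assumptions made for the example.

```python
# Added example: toy triage over constructed WMI lateral-movement alerts,
# separating benign hits from false positives, then scoring the batch with
# the post's metrics. Enrichment fields are assumed to come from a
# change-ticket lookup and an identity provider; nothing here is vendor code.
from collections import Counter
from dataclasses import dataclass

ADMIN_TOOLS = {"sccm", "admin_console"}  # constructed allow-list of admin tooling

@dataclass
class Alert:
    host: str
    user: str
    tool: str               # process that issued the remote WMI call
    in_change_window: bool  # enrichment: approved change ticket covers this host now?
    privileged_user: bool   # enrichment: user holds an admin role?
    malicious: bool         # ground truth, known only because the sample is constructed

def triage(a: Alert) -> str:
    """Return 'benign', 'false_positive' or 'escalate' for one alert."""
    if a.in_change_window:
        return "benign"            # rule fired correctly; the activity is authorized
    if a.privileged_user and a.tool in ADMIN_TOOLS:
        return "false_positive"    # rule lacks a privileged-user pattern; needs tuning
    return "escalate"              # ambiguous: hand to an analyst with the context above

def funnel_metrics(alerts, malicious_events_total):
    """Detection recall, auto-close accuracy and analyst amplification for one batch."""
    dispo = [(a, triage(a)) for a in alerts]
    auto_closed = [a for a, d in dispo if d != "escalate"]
    escalated = [a for a, d in dispo if d == "escalate"]
    caught = sum(a.malicious for a in alerts)  # malicious events that produced an alert
    return {
        "detection_recall": caught / malicious_events_total,
        "auto_close_accuracy": sum(not a.malicious for a in auto_closed) / max(1, len(auto_closed)),
        "escalated": len(escalated),
        "analyst_amplification": len(alerts) / max(1, len(escalated)),
        # most common tool among false positives: where the rule needs a pattern added
        "tuning_hint": Counter(a.tool for a, d in dispo if d == "false_positive").most_common(1),
    }

def effective_coverage(detect_rate, investigate_rate):
    """The post's arithmetic: the share of threats that actually gets a quality investigation."""
    return round(detect_rate * investigate_rate, 2)

SAMPLE = [  # constructed batch; the malicious flag is used only for scoring
    Alert("srv01", "it.ops", "sccm", True, True, False),
    Alert("srv02", "it.ops", "sccm", False, True, False),
    Alert("srv03", "it.ops", "sccm", False, True, False),
    Alert("ws17", "j.doe", "wmic.exe", False, False, True),
    Alert("ws22", "j.doe", "wmic.exe", False, False, False),
]
```

With two malicious events in the period and only one of them alerting, recall is 0.5, three of five alerts auto-close correctly, and two reach an analyst; the two effective-coverage figures in the post (0.8 × 0.5 and 0.8 × 0.95) come out as 0.40 and 0.76.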

What This Means for Your SOC

The transformation from narrow, precision-focused detections to broad, coverage-optimized detections has implications that ripple through your entire security operations:

For Detection Engineers

New responsibilities:

  • Build comprehensive detections without volume anxiety

  • Add context and enrichment logic to help AI triage

  • Focus on recall and coverage rather than precision and volume

  • Monitor AI triage performance and tune based on feedback

Time allocation shift:

  • Less: Manual alert triage to validate detection quality

  • More: Detection development, coverage expansion, AI tuning

For SOC Analysts

New workflow:

  • Receive 20-30 pre-investigated cases per day instead of 200+ raw alerts

  • Each case includes the full context gathered by AI

  • Focus on the judgment call and let the AI do the data gathering

  • Provide feedback that improves AI over time

(Updated section: thank you, Roger W. Roberts, for the feedback)

For Security Outcomes

Coverage improvement:

  • From: 40-50% effective coverage (detect 80%, investigate 50%)

  • To: 75-80% effective coverage (detect 80%, investigate 95%)

The Bottom Line

The shift from playbooks to agentic systems will be messy but inevitable. AI is pulling SOCs from static logic toward adaptive, self-improving systems. If the cloud era abstracted infrastructure, the AI era abstracts decision-making. Our processes must now teach machines how to operate within boundaries, not just describe what humans should do. That's not automation. That's architecture.

But here's the critical insight: This only works if you redesign your processes to take advantage of it.

Deploying broader detections into your current manual triage process just creates a bigger backlog. You need to transform how you handle the resulting alerts. That's where machine-executable investigation procedures come in.

Coming in Part 2: From PDF Playbooks to Machine-Executable Logic

Broader detection coverage only works if your investigation procedures can handle the volume. In Part 2, we'll explore the transformation that makes this possible:

You'll learn:

  • Why your current SOPs don't work for AI (and what to do about it)

  • How to convert human-readable playbooks into machine-executable logic

  • A complete example: Suspicious login investigation (before and after)

  • How this transformation changes the coverage funnel from 50% to 100% triage

  • What this means operationally for your SOC team

The process transformation is just as critical as the technology. Get the SOP design wrong, and your AI will be making decisions based on incomplete or inconsistent logic. Get it right, and you unlock comprehensive coverage that was previously impossible.

Next week, we'll show you exactly how to do it.

Vendor Spotlight: AiStrike

Recently, I had the opportunity to demo AIStrike, and what immediately stood out was how the platform delivers full AI SOC capabilities built on three foundational pillars that directly address the transformation we've been discussing.

Pillar 1: The SOC Force Multiplier

For Your People:
AIStrike transforms a small team into an enterprise-grade SOC capability. If you're currently relying on an MDR, this platform lets you bring that intelligence in-house, giving you more control at a lower cost.

  • Transform three analysts into a 30-person SOC capability

  • Reduce alert fatigue dramatically

  • Elevate junior analysts to perform like seniors

  • Free senior analysts for strategic threat hunting and detection engineering

For Your Technology:
This is a technology enabler, not a rip-and-replace project. AIStrike unlocks the value of your existing security stack through extensive pre-built integrations and orchestration across all your tools. No need to abandon your current investments.

Pillar 2: Investigation Depth, Not Just Speed

AIStrike doesn't just summarize alerts; it builds the complete investigation story. This is exactly what we discussed: comprehensive context gathering that enables the 30% → 95% coverage improvement in our credential stuffing example.

The platform delivers:

  • Automated enrichment from identity providers, threat intel, and EDR platforms

  • VPN logs, user behavior patterns, and threat intelligence are pulled simultaneously

  • Your organization's risk policies are applied to make disposition decisions

  • Pre-investigated cases with full context, reducing investigation time from 30 minutes to 5 minutes

What this means practically: Deploy those comprehensive detections (500 alerts/day). AIStrike's AI triages all 500, auto-closes the 420 false positives with documented reasoning, escalates the 60 ambiguous cases with context, and flags the 20 true threats for immediate response.

Pillar 3: Continuous Intelligence Loop

This is the self-tuning SOC we've been describing, a feedback loop that sharpens over time:

  • Pre-trained on millions of security events

  • Learns from your environment without disruption

  • Self-tunes to reduce noise over time

  • Adapts to emerging threats automatically

  • Captures analyst feedback and decisions

  • Tracks AI performance metrics to show measurable improvement

The result: Your SOC gets progressively smarter as the AI learns which signals matter most in your specific environment. Your detection engineers can finally optimize for recall instead of precision, knowing the AI will handle the triage burden intelligently.

Learn more: AIStrike.com.

🏷️  Blog Sponsorship

Want to sponsor a future edition of the Cybersecurity Automation Blog? Reach out to start the conversation. 🤝

🗓️  Request a Services Call

If you want to get on a call and have a discussion about security automation, you can book some time here
