Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations.
A two-part series on the new bottleneck emerging in AI-powered SOCs, and why solving investigation created a better problem to solve.
Let me start with some good news: We're actually winning at AI-powered security operations.
No, really. Hear me out.
Over the last two years, AI has genuinely transformed the middle of the IR cycle, investigation and triage. Vendors build amazing AI SOC analysts that can handle the 5Ws (Who, What, When, Where, Why), enrich alerts with context, and reach accurate verdicts in seconds instead of hours.
The middle is getting solved. AI can investigate alerts at scale, and it does it well (provided, of course, that you implement it right).
And now? The industry is shifting left. We're seeing platforms tackle data pipelines, log normalization, and even detection engineering itself. AI is helping us build better detections, optimize coverage, and reduce false positives at the source.
This is real progress. We should celebrate it.
But here's what's happening as a result of this progress: we're moving the bottleneck.
This edition is sponsored by Binalyze
Investigate cyber threats in minutes
AI-powered speed. Human-driven insight.
Binalyze AIR is the forensic investigation automation platform accelerating incident response with AI precision – fast.
Learn more at - [Link]
The Problem We Created by Solving the Middle
When AI handles investigation and triage brilliantly, and when detection engineering improves to generate higher-fidelity alerts, you end up with a new challenge:
You now have more True Positives and Inconclusive alerts that require deep investigation and incident response.
Let me break this down with a real example:
Before AI (the old bottleneck):
1,000 alerts per day
Analysts can investigate maybe 50-100 per day
900 alerts never get properly looked at
Real threats hiding in the noise
Bottleneck: Can't investigate everything
After AI in the Middle (current state):
1,000 alerts per day
AI investigates all 1,000
AI closes 700 as benign false positives
AI flags 200 as low-confidence, likely benign
AI escalates 100 as True Positive or Inconclusive
Analysts now have 100 high-quality alerts that need deeper investigation
New bottleneck: Can't properly respond to everything
See what happened? You went from "drowning in alerts" to "drowning in incidents that need forensic investigation and response."
This is actually a better problem to have: you're working on real threats now, not noise. But it's still a bottleneck.
Related to this blog, there is a podcast episode; check it out.
But Here's Where It Gets Interesting
While the bottleneck has clearly shifted right, smart organizations are discovering that forensic automation platforms can actually enhance investigation at every stage, not just the deep forensic response.
Even during AI triage, when your AI SOC analyst is determining whether that alert is a True Positive or False Positive, having instant access to forensic artifacts can dramatically improve verdict accuracy:
Memory analysis reveals the full process tree AI couldn't see from logs alone
Disk artifacts show persistence mechanisms that log data missed
Network connection history provides the context that turns "Inconclusive" into "True Positive"
This means fewer alerts stuck in "Inconclusive" limbo and more confident verdicts earlier in the process. The forensic infrastructure you build for deep investigation also makes your AI triage more effective.

What "Deep Investigation and Response" Actually Means
When your AI SOC analyst escalates a True Positive or marks something as Inconclusive, here's what actually needs to happen:
The AI hands you a verdict:
TRUE POSITIVE: Lateral movement detected
User: john.doe
Source: WORKSTATION-047
Target: DC-01 (admin share accessed)
Confidence: HIGH
MITRE: T1021, T1570
Recommendation: Immediate forensic investigation and containment
Great! Now what?
Your analyst (or IR team) needs to:
Collect forensic evidence from affected systems
Memory dumps before artifacts are overwritten
Disk analysis for persistence mechanisms
Process execution history
Network connections and data transfers
Determine blast radius
What other systems did this user access?
Are there signs of lateral movement elsewhere?
What data might have been accessed or exfiltrated?
Preserve evidence for potential legal/compliance needs
Chain of custody documentation
Timeline reconstruction
All artifacts properly stored and indexed
Execute containment according to your IR playbook
Isolate affected endpoints
Disable compromised accounts
Block malicious IPs/domains
(All with proper approvals and governance)
Coordinate with stakeholders
IT for system access and changes
Legal for compliance and evidence handling
Management for business impact decisions
External parties if breach notification required
And here's the kicker: most of this is still manual, slow, and inconsistent.
Why the Right Side Became the New Bottleneck

As you solve the middle (investigation/triage) and improve the left (detection engineering), you're naturally generating more high-quality incidents that require the right side of the IR cycle to work properly:
Investigation → Containment → Eradication → Recovery → Lessons Learned
But the right side hasn't kept pace with the middle and left. Here's what's still broken:
1. Forensic Evidence Collection is Manual and Slow
What actually happens:
Analyst gets an alert that requires further investigation at 10:00 AM
Starts trying to collect forensic evidence at 10:15 AM
Realizes they need to SSH into multiple systems (or use your EDR)
Discovers some logs have already rotated out (oops)
Manually pulls what's available from EDR (if the agent is installed)
Tries to get memory dumps (complicated, requires specific tools and permissions)
By 2:00 PM, they maybe have incomplete forensic evidence
The problem:
Evidence gets overwritten or rotated before you can collect it
Collection process is different for every analyst ("tribal knowledge")
Manual processes don't scale when you have 20 incidents per day instead of 5
2. IR Playbooks Aren't Executable
Remember my blog series on playbooks? Most IR playbooks are PDFs or wiki pages that say things like:
Lateral Movement Response:
1. Isolate affected systems
2. Collect forensic evidence
3. Determine scope of compromise
4. Reset credentials
5. Document findings
This is guidance for humans, not executable automation.
When your AI SOC solution escalates 20 True Positives per day, you can't manually execute these steps 20 times. You need:
Automated forensic collection triggered by alert severity
Standardized evidence preservation
Orchestrated response actions with proper governance
Consistent execution regardless of who's on shift
3. Response Actions Require Too Much Coordination
Even when you know what needs to be done, executing it requires:
Multiple approval chains (IT, Security, Management)
Coordination across teams (Security, IT, DevOps)
Navigating change management processes
Fear of business disruption from containment actions
So containment that should happen in minutes takes hours or days because you're stuck in Slack threads and email chains getting approvals.
The Shift Map: Where We Are and Where We're Going
Let me map this against the SecOps AI Shift Map I introduced in my previous blog:
Left Side (Detection & Data):
✅ AI is starting to help here
✅ Better detection engineering with AI assistance
✅ Improved data pipelines and normalization
Status: Progress being made
Middle (Investigation & Triage):
✅ AI SOC analysts handle this brilliantly
✅ Enrichment, 5Ws, verdict reached in seconds
✅ False positives filtered out effectively
Status: Progress being made
Right Side (Response & Recovery):
❌ Forensic evidence collection still manual
❌ IR playbooks not machine-executable
❌ Response actions require too much human coordination
❌ Recovery and lessons learned feedback loops broken
Status: This is the new bottleneck
Why This Matters: The Investigation Debt Problem
Here's a concept I don't hear talked about enough: Investigation Debt.
Investigation Debt is what accumulates when you have True Positives or Inconclusive alerts that you can't properly investigate with complete forensic evidence.
Every time you:
Close a True Positive without collecting full forensic artifacts
Skip deeper analysis because evidence collection is too manual
Move on because "we don't have time to do full forensics on everything"
Accept "the logs rotated out" as an answer
You're accumulating Investigation Debt.
And here's what makes this dangerous: that lateral movement alert you couldn't fully investigate three months ago might have been your initial compromise. But you didn't collect the forensic evidence, logs rotated, the attacker cleaned up, and now you're doing incident response in the dark.
The irony is that better AI in the middle makes Investigation Debt more visible.
Before AI, you had so much noise you didn't even know which alerts were real. Now AI is flagging possible True Positives for you, and you're realizing: "We don't have the capacity to properly respond to all of these."
What "Solving the Right Side" Actually Requires
So what does the right side need to keep pace with the middle and left?
1. Automated Forensic Evidence Collection
When a True Positive alert fires, evidence collection should happen automatically, not manually:
Memory dumps captured before artifacts are overwritten
Disk forensics collected immediately
Process trees and network connections preserved
All artifacts time-stamped and stored with proper chain of custody
This needs to be triggered by alert severity, not analyst memory.
2. Response Orchestration with Governance
Response actions need to be automated but with proper safety rails:
Approval workflows for high-impact actions
Blast radius checks (don't isolate 500 endpoints because one script failed)
Rollback procedures if containment causes problems
Audit trails of who approved what and when
This is where SOAR was supposed to help, but as I wrote in my Shift Map blog: we failed at SOAR not because the tech was bad, but because our processes were a mess.
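To make the "machine-executable playbook" idea from section 2 and the two requirements just listed concrete, here is an added example (my own sketch, not code from this post and not Binalyze's product) of what such a playbook looks like when it is code rather than a PDF. It takes the verdict in the shape shown earlier, collects evidence most-volatile-first as soon as the verdict qualifies, flags any source whose retention window has already elapsed (the 10:00 AM alert / 2:00 PM collection gap from the scenario above), records a hash-chained chain of custody, and gates containment behind approvals, a blast-radius limit and an audit trail. The collector is a simulated stand-in, the retention windows and limits are constructed values, and hash chaining is just one way to make a custody log tamper-evident; none of these names or numbers come from the post or from any vendor.

```python
"""Machine-executable IR playbook sketch (added example; not the post's or any
vendor's code). Given an AI SOC verdict it (1) auto-collects evidence
most-volatile-first with a hash-chained chain of custody, (2) flags sources
whose retention window already elapsed, and (3) gates containment behind
approvals, a blast-radius limit and an audit trail. Collectors are simulated."""
from datetime import datetime, timedelta
import hashlib
import json

MAX_ISOLATIONS_PER_RUN = 5            # blast-radius limit (constructed value)
COLLECT_ON = {"TRUE_POSITIVE", "INCONCLUSIVE"}

# Constructed retention windows: how long after the event each artifact is
# still expected to exist. Collection is ordered most-volatile-first.
SOURCES = {
    "memory": timedelta(hours=1),
    "process_history": timedelta(hours=4),
    "network_connections": timedelta(hours=12),
    "disk_artifacts": timedelta(days=30),
}

# Which containment actions may run without a human approval (policy choice).
NEEDS_APPROVAL = {
    "isolate_endpoint": False,
    "block_indicator": False,
    "disable_account": True,          # business impact: a human signs off
}

# Constructed verdict in the shape the post shows; times are hypothetical.
VERDICT = {
    "verdict": "TRUE_POSITIVE", "confidence": "HIGH", "user": "john.doe",
    "source": "WORKSTATION-047", "target": "DC-01", "mitre": ["T1021", "T1570"],
    "alert_time": "2025-01-15T10:00:00",
}
EXAMPLE_NOW = datetime.fromisoformat("2025-01-15T14:00:00")  # 4 h after alert


def simulated_collect(host, source):
    """Stand-in for a real collector (EDR or forensic agent); returns bytes."""
    return f"{source} evidence from {host}".encode()


def _entry_hash(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def collect_evidence(verdict, hosts, now):
    """Collect artifacts most-volatile-first and build a hash-chained custody log."""
    age = now - datetime.fromisoformat(verdict["alert_time"])
    chain, prev = [], "0" * 64
    for source, retention in sorted(SOURCES.items(), key=lambda kv: kv[1]):
        for host in hosts:
            blob = simulated_collect(host, source)
            record = {
                "host": host, "source": source, "collected_at": now.isoformat(),
                "alert_age_s": int(age.total_seconds()),
                "likely_rotated": age > retention,   # evidence may already be gone
                "sha256": hashlib.sha256(blob).hexdigest(),
                "prev": prev,                        # link to the previous entry
            }
            prev = _entry_hash(record)
            chain.append({**record, "entry_hash": prev})
    return chain


def verify_chain(chain):
    """Recompute the hash chain; any edited or dropped entry breaks it."""
    prev = "0" * 64
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def plan_containment(verdict, hosts, approvals, now):
    """Per action: executed, pending_approval or refused, each written to the audit trail."""
    auto_ok = verdict["confidence"] == "HIGH"   # lower confidence: everything needs a human
    requested = [("isolate_endpoint", h) for h in hosts]
    requested.append(("disable_account", verdict["user"]))
    decisions, isolations = [], 0
    for action, target in requested:
        entry = {"action": action, "target": target, "decided_at": now.isoformat()}
        if action == "isolate_endpoint":
            isolations += 1
            if isolations > MAX_ISOLATIONS_PER_RUN:
                entry.update(status="refused", reason="blast-radius limit")
                decisions.append(entry)
                continue
        approver = approvals.get((action, target))
        if (NEEDS_APPROVAL[action] or not auto_ok) and approver is None:
            entry.update(status="pending_approval")
        else:
            entry.update(status="executed", approved_by=approver or "policy")
        decisions.append(entry)
    return decisions


def run_playbook(verdict, hosts, now, approvals=None):
    """Entry point: verdict-gated collection first, governed containment second."""
    approvals = approvals or {}
    if verdict["verdict"] not in COLLECT_ON:
        return {"evidence": [], "containment": []}
    return {"evidence": collect_evidence(verdict, hosts, now),
            "containment": plan_containment(verdict, hosts, approvals, now)}


if __name__ == "__main__":
    print(json.dumps(run_playbook(VERDICT, [VERDICT["source"]], EXAMPLE_NOW), indent=2))
```

Run as-is, the memory entry comes back with likely_rotated set, which is precisely the "oops, the logs rotated" moment from the earlier scenario made visible in the record rather than discovered by an analyst at 2:00 PM; endpoint isolation of the source host executes under policy, while disabling the account sits in pending_approval until someone supplies an approver, and a run against more hosts than the limit refuses the excess instead of isolating half the fleet because one script misfired.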
The Path Forward: Shift Right
Here's where we are:
✅ Middle is getting solved - AI handles investigation and triage brilliantly
🔄 Left is improving - Detection engineering and data pipelines are getting AI assistance
❌ Right is the bottleneck - Forensic collection, response execution, and recovery are still manual
The solution isn't to slow down the middle or left. The solution is to build the right side infrastructure to match.
That means:
Forensic automation platforms that collect evidence at machine speed
Machine-executable IR playbooks that respond consistently
Response orchestration with appropriate governance and safety rails
Feedback loops that actually work (lessons learned → detection engineering)
Vendor Spotlight: Binalyze
I need to be transparent: I've lived this problem.
During my eight years at Adobe doing incident response and forensics, investigations that should have taken days stretched into weeks. Sometimes months. We'd manually SSH into systems, run duct-taped scripts, and pray the evidence we needed hadn't rotated out yet.
We tried SOAR. We tried standardization. We never really solved it.
When I saw the Binalyze demo recently, my first thought was: "This is exactly what I wish we had back then."
What They Actually Solve
When your AI correctly identifies a True Positive, you still need to collect forensic evidence before it's overwritten. Binalyze built the infrastructure for that:
DRONE - Lightweight agent that remotely collects comprehensive forensic evidence (memory dumps, disk artifacts, process history) across Windows, Linux, macOS, ChromeOS, and cloud environments. Evidence collected in minutes, not hours.
AIR - Investigation orchestration platform that centralizes all forensic artifacts, provides timeline analysis, and integrates with your SIEM/SOAR/EDR to trigger automated collection.
Why It Matters
Here's what's interesting: while this blog focuses on the right-side bottleneck, Binalyze actually enhances investigation across multiple stages.
During AI Triage (Middle): When your AI SOC analyst is investigating that lateral movement alert, instant access to forensic artifacts helps reach more accurate verdicts. Memory dumps and process trees can turn "Inconclusive" into confident "True Positive" or "False Positive" decisions.
During Deep Investigation (Right): Remember my scenario? 4 hours from alert to containment with manual forensics vs. 11 minutes with automation? This is where Binalyze is purpose-built: getting comprehensive forensic evidence when a True Positive needs deep investigation and response.
The platform works at both stages because the infrastructure is the same: automated, comprehensive forensic collection. Whether you're enhancing AI triage or doing full incident response, you need the same artifacts, just at different investigation depths.
Learn more: binalyze.com