Today, the speed of modern attacks outpaces what manual detection and review can respond to. Attackers usually take days, sometimes hours to exploit a recently disclosed vulnerability. In a compromised network, lateral movement can occur within minutes. The current model, which has a human analyst reviewing every event and making each escalation decision, is structurally too slow for that timeline at scale.
Note that in this environment, automation has no preference. It is a technical necessity. AI solves this problem in regard to cybersecurity by automating the phases of threat detection where machine speed has the biggest advantage, while reserving human judgment for only those stages where it is truly irreplaceable.
Automation: What Changes and What Doesn’t
Detecting incidents from raw log data through to confirmation is a multi-step discrete pipeline and there are several of those steps that can be automated using AI. It includes a lucid overview of artificial intelligence in cybersecurity automation and discusses how the BRAIN joins up across the detection lifecycle, with a brief discussion of where they see the state of play around automation boundaries.
- Event ingestion and normalization: The initial step where logging data from different sources are collected and normalized into same structure is fully automatable (and has been for years, in fact many monitoring tools perform this task). This can be done without AI using SIEM platforms. What AI brings is the capacity to conduct relevant analysis on the normalized data at the scale output of contemporary infrastructures, rather than following predetermined correlation rules.
- Enrichment: This is a stage that AI has actually automated better than any previous method. Enrichment is context around a raw alert: lookups against threat intelligence feeds, asset inventory information regarding the host generating the event, user account history, and similar signals. Instead of dry event records, analysts work with cases that are pre-enriched this task, which has been accomplished manually or through simple scripted integrations before now occurs in milliseconds against every alert as it hits.
- Behavioral classification: Automating the decision of whether an event or sequence of events corresponds to known-benign behavior, a known-malicious pattern, or an anomaly requiring investigation is arguably where machine learning models in AI derive their most straightforward value. By identifying normal operating conditions, a behavioral model is able to categorize thousands of events per second, raising alerts on truly out-of-the-ordinary behavior while muting day-to-day activities that fall squarely within established norms.
- Correlation: The most materially beneficial use of AI automation is through correlation the creation of narrative incident stories, by correlating likelihood signals across various data streams. An ‘Alert from an endpoint + a related Network anomaly + an Authentication event for the same account in the same time window’ on their own are each unambiguous. They are automatically itemized, making a simple lateral indicator.
The Automation Spectrum
The risk, however, is not the same across all automation decisions. The grey area you will want to define clearly on the automation spectrum is between detection and response.
The decision on detection in the context of very high volume is most likely to be fully automated and where an event can be classified and assigned a score without awaiting human review. The scale problem is real: you cannot expect a human team to review every event from a modern enterprise ecosystem. This is not a slapdash solution, but rather automated classification and prioritization that bubbles the most confidence alerts for human attention while automatically dismissing events that are consistent with known benign activity. This is the only method that will ultimately allow full coverage.
Where the automation spectrum becomes narrow, it is an automated response, which takes containment or blocking actions with little or no human approval. The fully automated response is suitable to high-confidence, low-impact actions where the cost of error is less than that of delay. It is perfectly reasonable to have a very limited set of actions that are automatically triggered under well-defined conditions, such as quarantining a host that is seen executing confirmed malware with high confidence, blocking an IP address that is sending active brute-force traffic, or isolating a compromised account until the malicious activity can be understood.
However, for high operational impact actions with lower confidence of detection or sufficient potential false positive risk a human should review an alert before action is taken, and fully automated response is not appropriate.
The NIST framework for information security continuous monitoring, covered in NIST SP 800-137, frames automated monitoring as the mechanism that provides organizations with ongoing awareness of their security status and supports timely risk response. The document describes continuous monitoring as maintaining awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. AI-driven automated detection is the practical implementation of that continuous monitoring principle at scale.
Where SOAR Fits
AI detection gives solid output that security orchestration, automation, and response platforms can take a step further to form workflow automation, making automatable steps. In cases when AI determines that an alert is high-confidence malicious activity of a certain type, the SOAR playbook can be triggered to automatically carry out initial response steps – collecting added forensic data, notifying teams, executing containment actions and also generating an investigation ticket with correlated evidence assembled.
The limitation of previous SOAR implementations hit is directly addressed by AI. Older playbook-driven automation required every scenario to be anticipated and encoded in advance. As industry analysis of AI-driven security operations notes, SOAR systems often promised more than they delivered, leaving organizations with complex automation infrastructure that covered only the most predictable incident types. AI enables dynamic response logic that adapts to each incident’s specific characteristics rather than forcing every incident into a predetermined template.
A detection loop emerges with AI detection feeding into intelligent response automation through AI-aware SOAR at machine speed for the early parts of an incident, allowing human analysts to step in at the point where judgment, context and accountability actually need to reside.
Governance is the Key to Automation that Scales
Automated threat detection, like that provided by HxD from Aker BP (a sub-collaborator in the C-KAR project), only works when there is sound governance underpinning it. Absent explicit policies establishing what can be automated at what level of confidence, audit trails indicating what automation decided and why, and regular reviews as to whether holding decisions that are automated produce correct outcomes or not, automation creates risk instead of eliminating it.
For automation to be governed sustainably, every automated decision needs to be logged along with the evidence that underscores the decision, confidence thresholds at which automated action takes place and where human review is triggered must be established and appropriate review cadences need to be set up so they can determine over time whether, in practice, adequate false positive and false negative rates are being produced by automation. Governing automation. Organizations that create these types of governance structures before expanding automated response scope can do so with confidence. Automate first, govern later equals operational incidents from automated actions without enough oversight.
Frequently Asked Questions
What Metrics Should Teams Track to Assess Whether the AI Automated Detection is Working?
Elastic’s own work in alert quality highlights the most useful metrics as mean time to detect (MTTD), false positive rate for automated closures, false negative rate measured as confirmed incidents not surfaced by automated detection, and finally the percentage of alerts that receive automated versus analyst-reviewed disposition.
Setting Automated Detection Escalation Thresholds
You should use baseline data of your particular environment in setting thresholds, not vendor defaults, and regularly review them as the environment changes. In practice, this means that the automated response is triggered at a high confidence threshold and escalation to human review for lower-confidence thresholds.
How is automated detection decisions audited for compliance?
For each automated decision, there should be a log entry documenting the event that triggered the decision, what classification an AI assigned to it, confidence scores and paths taken (actions or escalation) as well. An audit trail helps with compliance review and the reconstruction of incidents when automated decisions are subsequently assessed for accuracy.
