Normal view

AI SOC Live at Nasdaq: Real conversation about modern security operations

20 April 2026 at 18:58

The SOC is broken. Not because of a lack of talent or effort, but because human capacity does not scale. Alert volumes keep rising. Attacks move faster. And the operating model still assumes analysts will investigate most of what comes in, which means the vast majority of alerts never get looked at.

Our AI SOC Report 2026, based on analysis of 25 million alerts across our global customer base, put a sharp number on the problem. Over 60% of alerts are never reviewed by SOC and MDR teams. Nearly 1% of all incidents trace back to alerts classified at the lowest severity levels, signals most teams never touch. With average enterprises generating around 450,000 alerts annually, that equates to roughly one real threat per week hiding in the backlog, undetected.

That is not a tool problem. It is an operating model problem.

On April 27, we are bringing together the security leaders who are doing something about it.

Get your invite to AI SOC Live at the NASDAQ today.

What is AI SOC Live

AI SOC Live is a monthly, online event where security leaders discuss the latest issues facing the cyber industry. This month, AI SOC Live will be a full-day, invitation-only event at the Nasdaq in New York City. It is designed for CISOs, security directors, SOC managers, and MSSPs who are not just watching AI transform security operations from the sidelines, but are in the middle of it, making decisions about how their teams operate, what they invest in, and where the humans actually need to be.

This event is a full day of sessions, panels, and conversations built around the people, processes, and technology required to run a world-class SOC in 2026.

Who you will hear from at AI SOC Live Nasdaq

The speaker lineup reflects how seriously we have curated this event.

Itai Tevet, CEO and Founder of Intezer, will open the day with a session on the new SOC operating model, what it means when AI executes investigation and humans supervise outcomes, and why that shift changes security results structurally, not incrementally.

Alon Cohen, Founder and Executive Chairman of both Intezer and CyberArk, will speak to the broader impact of AI on security, drawing on decades of experience building foundational security companies.

Pavi Ramamurthy, Global CISO & CIO at Blackhawk Network as well as a founding member of the Professional Association of CISOs, and a venture advisor at YL Ventures. She will be speaking about the role of humans in the SOC.

David Spark, Founder and Executive Producer of the CISO Series Podcast, will host a live recording of the show featuring Nick Vigier, CISO at Oscar Health, digging into AI SOC beyond the hype.

You will also hear from CISOs at WCG Clinical, and ION Group, alongside practitioners from Realm Security, Legato Security, Upwind Security, and Monad. Sessions cover cloud security for the AI era, the blueprint for AI SOC success, and what every CISO needs to manage not only their security, but their executive board as well. 

And Mitchem Boles, Field CISO at Intezer, and Marcus Mingo, Detection Engineer at Intezer, will be there all day, available for the kind of real, technical conversations that rarely happen at larger conferences. See the full list of speakers.

What the day looks like

The agenda moves quickly and stays practical.

The morning opens with sessions on the new operating model and AI’s impact on security, followed by a CISO panel on the role of humans in the SOC and a session from Realm Security on building a data-first AI SOC. After a working lunch with interactive product demos, the afternoon covers cloud security, a live CISO Series recording, and a panel on advancing SOC outcomes at the C-suite level.

The day closes with a photo opportunity in front of the iconic Nasdaq billboard, followed by a cocktail reception overlooking New York City.

Attendees also earn CPE credits through the event’s partnership with ISC2.

Why this conversation matters now

The 2026 data makes the stakes clear. Our report found that more than half of confirmed compromised endpoints had been marked as “mitigated” by the EDR vendor, meaning teams believed those machines were clean when they were not. 

The gap between what organizations believe is covered and what is actually investigated is where real risk lives. Closing that gap requires a different operating model, one where AI investigates every alert, including the low-severity signals that human teams deprioritize, and humans supervise outcomes instead of grinding through queues.

That is the conversation happening at AI SOC Live.

Who should attend

This event is designed for CISOs, VPs and Directors of Information Security, SOC managers, and MSSPs from large enterprises who are responsible for security strategy, risk decisions, and operational outcomes. Whether you are evaluating AI for the first time or scaling capabilities you already have deployed, the sessions and conversations are built for leaders making real decisions, not attendees collecting swag.

Space is limited and invitations are by request.

Request your invitation at intezer.com/ai-soc-live-nasdaq

 

The post AI SOC Live at Nasdaq: Real conversation about modern security operations appeared first on Intezer.

AI SOC: When to buy and when to DIY

14 April 2026 at 16:58

The question isn’t whether to build. It’s what’s worth building.

Nearly every security organization with strong engineering resources is running some kind of internal AI project right now. That’s not a problem to be solved, it’s a sign of a healthy, capable team. The question worth asking isn’t “build or buy?” It’s a more precise one: which parts of this problem are worth your engineers’ time, and which parts aren’t?

That distinction changes the conversation entirely.

Intezer’s approach isn’t to compete with your internal roadmap. It’s to handle the commodity layer, common alert sources like CrowdStrike for example, so your engineers can focus on the security challenges that are actually unique to your organization. Some companies with very strong engineering teams are getting tremendous value from Intezer, precisely because they understand exactly what they’d rather not build themselves.

One Fortune 100 company started with Intezer for phishing triage, which removed a significant chunk of their internal DIY roadmap and freed their team to focus on their unique, internal use cases. Another F500 company went further as they expanded their Intezer contract while building their own custom internal AI for their own security use cases. Build and buy, working together, each doing what it does best.

So with that framing in mind, here’s an honest look at the parts of the AI SOC problem that are genuinely worth building and the parts that usually aren’t.

The maintenance treadmill nobody talks about

The first thing you encounter when you start building AI-driven alert triage is that the initial integration is only a fraction of the long-term work.

SIEM integrations break when vendors push updates. EDR APIs change without notice. New alert formats appear. Security tools version, deprecate endpoints, and shift data schemas on their own timelines. Keeping those integrations alive requires constant reverse engineering, work that is generic across every security organization in the world, but still consumes real engineering hours every single week.

Intezer already handles all of that. The integrations are built, maintained, and updated as the ecosystem evolves. When you offload the commodity layer, you skip the maintenance treadmill and get straight to what actually requires your organization’s specific knowledge.

Vendor alerts share many similarities even in different customer environments

Every security team knows their environment has its own complexity with unique infrastructure, specific tooling, particular workflows that took years to build. That’s real, and it matters.

But when it comes to the triage logic itself like investigating a suspicious lateral movement event, assessing a phishing alert, working through a cloud misconfiguration, the patterns tend to look remarkably similar across organizations. These are problems the industry has collectively solved thousands of times over.

That doesn’t diminish the work your team has done. It does raise a practical question: is rebuilding that common triage baseline the best use of your most capable engineers? The time spent recreating what already exists everywhere is time not spent on the challenges where your team’s knowledge is genuinely irreplaceable for your specific threat model, your particular infrastructure, and the edge cases no vendor has seen before.

Plugging into Intezer for the common alert sources isn’t a concession. It’s a way to protect your team’s time for the work that only they can do.

The integration challenge

One objection that comes up reliably, “we’ll need to do the integration work regardless”. That’s true. Connecting any automated system to your production security stack is environment-specific work that no vendor can fully do for you.

But here’s the distinction. With Intezer, that integration challenge is the only technically demanding part remaining. You’re not also building the investigation engine, the forensic analysis layer, the case correlation logic, the noise reduction system, and the detection feedback loop from scratch.

Building everything yourself means doing all of that foundational work and the integration. You spend months getting to a starting line that Intezer has already crossed, backed by years of operational learning across more than 150 enterprise deployments.

What the ROI actually looks like

There’s a headcount dimension here that often gets underweighted.

Building and maintaining your own AI SOC automation means dedicating engineering resources to it indefinitely. Those people aren’t available for other priorities. Their output is difficult to measure in security terms. And at the end of it, you’ve built something that performs commodity triage work, the same work Intezer has already productized and is continuously improving.

Buying Intezer converts that into a measurable line item with clear security outcomes attached: investigation accuracy, alert volume handled per analyst, time to resolution, escalation rate. RSM reported saving approximately 21,000 analyst hours per month, the equivalent of around 130 analysts, by running Intezer as their AI SOC layer. That’s not a soft productivity argument. It’s a concrete operational ROI story.

Continuous learning

One more dimension worth considering. What happens after an alert is triaged?

When Intezer investigates an alert, that outcome feeds back into detection engineering at the source, surfacing noisy or broken rules, mapping coverage gaps to MITRE ATT&CK, and generating deployment-ready detection rules informed by actual investigation results. The system gets smarter with every alert it processes. Detection improves based on evidence, not assumptions.

Homegrown automation rarely achieves this systematically. You triage the alert, close the ticket, and move on. The learnings don’t automatically improve your SIEM rules or extend your detection coverage. The system runs, but it doesn’t compound.

The practical frame

Think of it less as build vs. buy and more as what’s the right division of labor?

The commodity layer, common alert sources, standard triage logic, integration maintenance, detection lifecycle management, is worth offloading. That’s where Intezer operates. Your engineers stay focused on what’s actually differentiated: the security challenges that are specific to your environment, your risk profile, your business.

The teams that figure out this division early move faster, cover more, and build the things that actually matter. 

Learn more about Intezer.

The post AI SOC: When to buy and when to DIY appeared first on Intezer.

AI SOC for teams outgrowing MDR

25 March 2026 at 22:21

For teams that have outgrown their MDR, the answer isn’t a better MDR. It’s a different operating model.

MDR works. For a lot of teams, it’s the right solution at the right time. It brings experienced analysts, established processes, and investigation capacity that most organizations can’t build internally overnight.

But as environments grow and alert volumes climb, many teams start to feel the limits of the model itself. Investigation quality depends on analyst availability and shift coverage. Low and medium severity alerts get deprioritized because the queue demands it. And the security team watching from the other side can’t always tell whether the backlog is safe to ignore or hiding something real.

That’s not a failure of MDR. It’s a ceiling built into any operating model that scales investigation through human labor.

Today, we’re announcing expanded capabilities in the Intezer AI SOC platform, powered by ForensicAI™. Built for teams who’ve reached that ceiling and are ready for what comes next.

The risk in the backlog

Across enterprise SOC environments, roughly 60% of alerts go unreviewed. Not because teams aren’t working hard. Because there are only so many hours in a day, and the alert stream doesn’t stop.

“Many organizations handle millions of security events per year. There’s no possible way you can go through 100% of your alerts and resolve them completely, unless you rely on an AI platform.”
— Cecil Pineda, 4x CISO, Healthcare Industry

Our analysis of more than 25 million alerts found that nearly 1% of real threats originate from low-severity signals, alerts that most teams deprioritize or skip entirely. For a large enterprise, that’s an average of 54 true threat alerts per year. More than one per week. Hiding in the noise tier that nobody gets to. 

Read our full AI SOC research report.

There’s also a second gap that rarely gets discussed. Because investigation and detection engineering are siloed within most MDRs, real investigation outcomes almost never feed back into SIEM and EDR rule tuning. Noisy detections stay noisy. Coverage gaps stay gaps. The system doesn’t learn from its own work.

What’s new in the Intezer AI SOC

The Intezer AI SOC platform was built on a simple premise. If you can’t investigate every alert, you can’t meaningfully reduce risk. Intezer AI SOC handles the investigative execution (triage, correlation, forensic-depth analysis) across 100% of alerts, regardless of severity. Humans supervise outcomes and engage at the decision point.

With this expansion, we’re adding three capabilities that close the remaining gaps between autonomous AI SOC operations and the full-service coverage teams expect.

AI-driven detection engineering

Investigation outcomes now feed directly into a closed-loop detection engineering process. SIEM and EDR rules are tuned or created, at the source, based on real verdict data, threat intelligence, and observed attacker behavior. Broken detections, noisy rules, and coverage gaps are identified and addressed continuously. This is the connection that siloed MDR roles have historically missed. Triage informs detection, better detection shortens the triage process, and the system gets smarter over time.

On-demand security experts

When the AI surfaces a high-confidence incident and you want a second set of eyes, or you’re mid-response and need expert judgment, Intezer’s security researchers and analysts are available directly through the platform. You can request expert analysis of artifacts, alerts, and logs, get guidance during an active incident, or validate suspicious activity the AI flagged. A dedicated expert is always on call for urgent requests, with Customer Success tracking every engagement through to resolution.

Continuous feedback and model tuning

Every time your team reviews a verdict, marks a false positive, or flags a result that doesn’t fit, that signal improves the system. Intezer’s experts review edge cases, adjust tuning rules, and add custom AI instructions calibrated to your environment and risk profile. Tuning also happens proactively through continuous platform monitoring and improvements, with no periodic review project required.

Learn more about Intezer’s QA process. 

The shift

“Security operations have reached a structural limit. Human teams, whether internal or outsourced to MDR providers, cannot realistically investigate the volume of alerts enterprises now face. Our analysis of more than 25 million alerts makes the risk clear: Real threats are often buried in the low-severity signals that never get investigated. AI SOC changes the model by making full forensic investigation possible across every alert, continuously improving detection based on real outcomes, and allowing human experts to focus on the incidents that truly require judgment and response.”
— Itai Tevet, CEO and Co-Founder, Intezer

Together, these capabilities shift security teams away from manual alert processing and toward supervising outcomes. Organizations that have outgrown their MDR can now investigate 100% of alerts at forensic depth, trust the evidence behind every verdict, close the loop between investigation outcomes and detection quality, and bring in expert analysts when it matters most.

The result is stronger security outcomes, broader alert coverage, and the ability to operate at enterprise scale without the constraints of a human-scaled model.

AI executes. Humans supervise.

RSA Conference is where the security industry sets its direction. This year, AI in the SOC is the conversation happening on every floor of Moscone. But there’s a meaningful difference between AI that helps analysts work faster and AI that takes on the investigative function entirely.

This announcement draws that line with data. 25 million alerts analyzed, 60% going unreviewed in enterprise environments, real threats hiding in the low-severity tier at a rate of more than one per week. These aren’t hypotheticals. They’re findings from production environments at scale where Intezer is not simply delivering better analyst productivity, but rather measurable improvements in enterprise security. 

For teams that have been thinking about what comes after MDR, this is the moment to see it working. 

Visit Intezer at Moscone South, Booth #555

The post AI SOC for teams outgrowing MDR appeared first on Intezer.

Intezer’s 2025 momentum reflects rapid adoption of AI SOC in global enterprise 

25 March 2026 at 09:47

Security operations is undergoing a fundamental shift.

As alert volumes continue to rise and environments grow more complex, enterprises are moving away from security models built on manual triage, fragmented automation, and are looking to decrease their reliance on outsourced MDR services. More enterprises are adopting AI SOC as the new model for running security operations, one that can triage and  investigate all alerts at machine scale while keeping internal teams focused on judgment and response.

That shift was reflected clearly in Intezer’s momentum over the past year.

In 2025, Intezer processed more than 25 million security alerts across live enterprise SOC environments, as adoption expanded across large and complex organizations looking for a more scalable way to run security operations.

A year of strong growth

Over the past year, Intezer achieved several major company milestones:

  • Multiplied revenue year over year
  • Achieved 126% net revenue retention
  • Expanded adoption across Fortune 500 organizations
  • Scaled the team across key functions to support a growing enterprise customer base

These milestones reflect more than company growth. They reflect a broader market transition toward AI SOC as enterprises look for ways to investigate every alert, reduce hidden risk, and operate beyond the limits of human investigation capacity.

Growing industry recognition

Intezer’s momentum is also being recognized by media, industry analysts and practitioners. Here is a sampling of recent coverage.

Reuters covered Intezer’s research team’s work on uncovering novel cyber attacks this past December, that were targeting Russian defense organizations.

Well known industry analyst Richard Stiennon recently included Intezer in the 2026 Cyber 150, an independently compiled list based on IT-Harvest data, and has also included Intezer in his new book, Guardians of the Machine Age.

At the same time, practitioners are taking notice. In his write-up on Intezer’s 2026 AI SOC Report, Darwin Salazar highlighted the report’s forensic depth, auditability, and practical value in a crowded AI SOC market.

Why this momentum matters

Traditional SOC and MDR models are constrained by human investigation bandwidth. As alert volumes increase, teams are forced to prioritize only a subset of alerts, often based on severity labels before full context is available. That leaves real risk hiding in uninvestigated alerts.

Enterprises are increasingly adopting AI SOC to remove that bottleneck.

Intezer investigates 100% of alerts at forensic depth across endpoint, identity, cloud, network, phishing, and SIEM sources, escalating only the incidents (less than 2%) that require human judgment. This allows security teams to stay in control while scaling operations far beyond what manual investigation models can support.

What the numbers show

The business results from the past year point to strong validation in the market.

Doubling revenue year over year signals accelerating demand.

126% net revenue retention reflects strong customer expansion and continued platform adoption.

Growth across Fortune 500 organizations shows that large enterprises are increasingly embracing this operating model.

And continued team expansion across key functions ensures Intezer can support customers as adoption grows.

Looking ahead

The market is moving toward a new SOC operating model, one where AI executes investigations at scale and human teams focus on decisions, response, and strategy.

Intezer’s momentum over the past year reflects that shift clearly. As more enterprises look to eliminate investigation bottlenecks and reduce cyber risk, AI SOC is moving from emerging category to operational reality.

Learn more about Intezer.

The post Intezer’s 2025 momentum reflects rapid adoption of AI SOC in global enterprise  appeared first on Intezer.

Intezer’s 2025 momentum reflects rapid adoption of AI SOC in global enterprise 

12 March 2026 at 23:46

Security operations is undergoing a fundamental shift.

As alert volumes continue to rise and environments grow more complex, enterprises are moving away from security models built on manual triage, fragmented automation, and are looking to decrease their reliance on outsourced MDR services. More enterprises are adopting AI SOC as the new model for running security operations, one that can triage and  investigate all alerts at machine scale while keeping internal teams focused on judgment and response.

That shift was reflected clearly in Intezer’s momentum over the past year.

In 2025, Intezer processed more than 25 million security alerts across live enterprise SOC environments, as adoption expanded across large and complex organizations looking for a more scalable way to run security operations.

A year of strong growth

Over the past year, Intezer achieved several major company milestones:

  • Multiplied revenue year over year
  • Achieved 126% net revenue retention
  • Expanded adoption across Fortune 500 organizations
  • Scaled the team across key functions to support a growing enterprise customer base

These milestones reflect more than company growth. They reflect a broader market transition toward AI SOC as enterprises look for ways to investigate every alert, reduce hidden risk, and operate beyond the limits of human investigation capacity.

Growing industry recognition

Intezer’s momentum is also being recognized by media, industry analysts and practitioners. Here is a sampling of recent coverage.

Reuters covered Intezer’s research team’s work on uncovering novel cyber attacks this past December, that were targeting Russian defense organizations. 

Well known industry analyst Richard Stiennon recently included Intezer in the 2026 Cyber 150, an independently compiled list based on IT-Harvest data, and has also included Intezer in his new book, Guardians of the Machine Age.

At the same time, practitioners are taking notice. In his write-up on Intezer’s 2026 AI SOC Report, Darwin Salazar highlighted the report’s forensic depth, auditability, and practical value in a crowded AI SOC market.

Why this momentum matters

Traditional SOC and MDR models are constrained by human investigation bandwidth. As alert volumes increase, teams are forced to prioritize only a subset of alerts, often based on severity labels before full context is available. That leaves real risk hiding in uninvestigated alerts.

Enterprises are increasingly adopting AI SOC to remove that bottleneck.

Intezer investigates 100% of alerts at forensic depth across endpoint, identity, cloud, network, phishing, and SIEM sources, escalating only the incidents (less than 2%) that require human judgment. This allows security teams to stay in control while scaling operations far beyond what manual investigation models can support.

What the numbers show

The business results from the past year point to strong validation in the market.

Doubling revenue year over year signals accelerating demand.

126% net revenue retention reflects strong customer expansion and continued platform adoption.

Growth across Fortune 500 organizations shows that large enterprises are increasingly embracing this operating model.

And continued team expansion across key functions ensures Intezer can support customers as adoption grows.

Looking ahead

The market is moving toward a new SOC operating model, one where AI executes investigations at scale and human teams focus on decisions, response, and strategy.

Intezer’s momentum over the past year reflects that shift clearly. As more enterprises look to eliminate investigation bottlenecks and reduce cyber risk, AI SOC is moving from emerging category to operational reality.

Learn more about Intezer.

The post Intezer’s 2025 momentum reflects rapid adoption of AI SOC in global enterprise  appeared first on Intezer.

Alert fatigue is costing you: Why your SOC misses 1% of real threats

3 February 2026 at 15:04

Introducing the 2026 Intezer AI SOC Report for CISOs

For years, security leaders have lived with an uncomfortable truth. It has been to date, simply impossible to investigate every alert. As alert volumes exploded and teams failed to scale, SOCs, whether in-house or outsourced, normalized “acceptable risk” with the deprioritization of low-severity and informational alerts.

Our latest research shows that this approach is no longer defensible.

Intezer has just released the 2026 AI SOC Report for CISOs, based on the forensic analysis of more than 25 million security alerts across live enterprise environments. The findings reveal a critical disconnect between how security teams prioritize alerts and where real threats actually originate, and the cost of that gap is far higher than most organizations realize .

Why “acceptable risk” is no longer acceptable 

Across endpoint, cloud, identity, network, and phishing telemetry, Intezer found that nearly 1% of confirmed incidents originated from alerts initially labeled as low-severity or informational. On endpoints, that figure climbed to nearly 2%.

At enterprise scale, that percentage is not noise.

For a typical organization generating roughly 450,000 alerts per year, this translates to ~50 real threats annually, about one per week, never investigated by a SOC or MDR team. These are not theoretical risks. They are real compromises hiding in plain sight, dismissed not because they were benign, but because teams lacked the capacity to look.

What the data revealed across the attack surface

Because Intezer AI SOC investigates 100% of alerts using forensic-grade analysis, the report exposes how attackers actually operate once you remove triage bias from the equation.

Endpoint security is more fragile than reported

More than half of endpoint alerts were not automatically mitigated by endpoint protection tools. Of those, nearly 9% were confirmed malicious. Even more concerning, 1.6% of endpoints undergoing live forensic scans were still actively compromised despite being reported as “mitigated” by EDR tools.

See the full endpoint threat data → Download the 2026 AI SOC Report

Low-severity does not mean low-risk

Within endpoint alerts alone, 1.9% of low-severity and informational alerts were real incidents, the exact alerts most SOCs never review.

Attackers favor stealth over noise

Cloud telemetry was dominated by defense evasion and persistence techniques, reflecting a shift toward long-term access, token abuse, and misuse of legitimate services rather than overt exploitation.

Phishing has moved into trusted platforms and browsers

Fewer than 6% of malicious phishing emails contained attachments. Most relied on links, language, and abuse of legitimate services such as cloud file sharing, code sandboxes, CAPTCHA mechanisms, where traditional controls have limited visibility.

Cloud misconfigurations persist as silent risk multipliers

Most cloud posture findings stemmed from legacy or default configurations, especially in Amazon S3, including missing encryption, weak access controls, and lack of logging—issues often classified as “low severity,” yet repeatedly exploited once attackers gain a foothold.

To read the full report and all the findings, download the CISOs guide to AI SOC 2026 here. 

Why traditional SOCs fail: capacity, fragmentation and judging alerts by their severity

Modern SOC failures are rarely the result of a single broken tool or negligent team. They are the outcome of structural tradeoffs that every traditional SOC—internal or MDR—has been forced to make.

Capacity is the first constraint.
Human analysts do not scale linearly with alert volume. As telemetry expands across endpoint, cloud, identity, network, and SaaS, SOCs hit a hard ceiling. The only way to cope is aggressive triage: close most alerts automatically, investigate only what looks “important,” and hope severity labels align with reality. The 2026 AI SOC Report shows that this assumption is false at scale.

Tool fragmentation compounds the problem.
Most SOC stacks are collections of siloed detections, EDR, SIEM, identity, cloud posture, email, each optimized for a narrow signal. Severity is assigned locally, without cross-surface context or forensic validation. As a result, alerts are scored based on abstract rules, not evidence of compromise. When SOCs trust these labels blindly, they inherit the tools’ blind spots.

Process tradeoffs lock risk in place.
Once triage rules are defined, they become institutionalized. Low-severity alerts are ignored by design. MDR providers codify this into SLAs. Internal SOCs bake it into runbooks. Crucially, there is no closed-loop feedback: missed threats do not automatically improve detections, because they were never investigated in the first place.

The outcome is not an occasional failure. It is systematic, repeatable risk, embedded directly into how SOCs operate.

Real-world examples of missed threats hiding in plain sight

The data in the 2026 AI SOC Report makes clear that missed threats are not exotic edge cases. They are ordinary attacks progressing quietly through environments because no one looked.

Endpoints marked “mitigated” but still compromised
In over 1.6% of live forensic endpoint scans, Intezer found active malicious code running in memory even though the EDR had already reported the threat as resolved. These cases included stealers, RATs, and post-exploitation frameworks, often originating from low-severity alerts that never triggered deeper inspection. Without memory-level forensics, these compromises would have remained invisible.

Phishing hosted on trusted platforms
Attackers increasingly host phishing pages on legitimate developer platforms like Vercel and CodePen, or abuse trusted cloud services such as OneDrive and PayPal. The parent domains appear reputable, so alerts are downgraded or ignored. Yet behind them are live credential-harvesting pages that bypass email gateways and browser-based defenses alike.

Cloud misconfigurations as delayed breach accelerators
Many cloud posture findings such as unencrypted S3 buckets, missing access logs and permissive cross-account policies rarely trigger action. But once an attacker gains any foothold, these long-standing misconfigurations dramatically accelerate lateral movement, persistence, and data exposure.

In every case, the failure was not detection. The signal existed. The failure was investigation.

How attackers deliberately exploit SOC blind spots

Attackers understand SOC economics better than most defenders.

They know which alerts generate fatigue.
They know which detections are noisy.
They know which categories are deprioritized by default.

As a result, modern attackers design their campaigns to blend into the backlog, not trigger alarms.

Stealth over speed
Cloud intrusions favor defense evasion, persistence, and token abuse over loud exploitation. These behaviors generate alerts, but rarely high-severity ones. The report shows cloud telemetry dominated by exactly these tactics, indicating attackers are optimizing for long-term access rather than immediate impact.

Living off trusted infrastructure
Phishing campaigns increasingly abuse legitimate brands, file-sharing services, CAPTCHA frameworks, and developer platforms. These environments inherit trust by default, allowing attackers to operate under severity thresholds that SOCs routinely ignore.

Multi-stage loaders and memory-only execution
On endpoints, attackers rely on layered loaders, in-memory payloads, and obfuscation techniques that evade static detections. Initial alerts may look benign or incomplete. Without forensic follow-through, SOCs miss the actual compromise entirely.

Attackers are not evading detection systems alone, rather they are exploiting SOC decision-making models.

What this means for your SOC operations

For CISOs and SOC leaders, the implication is stark:
Risk is no longer defined by what you detect, but by what you choose not to investigate.

If your SOC:

  • Ignores low-severity alerts by default
  • Relies on severity labels without forensic validation
  • Limits investigations based on human capacity
  • Operates without a feedback loop between outcomes and detections

Then missed threats are not anomalies, they are guaranteed.

The organizations that will reduce risk in 2026 are not adding more dashboards or rewriting triage rules. They are adopting operating models where investigation is no longer a scarce resource.

This is why AI-driven, forensic-grade SOC platforms fundamentally change the equation. When every alert is investigated:

  • Severity becomes evidence-based, not assumed
  • Detection quality improves through real-world validation
  • Attackers lose the ability to hide in “acceptable risk”
  • SOC teams regain control without scaling headcount

This is the shift behind the Intezer AI SOC model and why the concept of acceptable risk must be redefined for the modern threat landscape.

This all changes when you can investigate everything

The data in the 2026 AI SOC Report points to a different reality, one where AI-driven forensic analysis removes investigation capacity as a constraint.

When every alert is investigated:

  • “Low severity” stops being a proxy for “safe”
  • Detection quality improves through real-world validation
  • Missed threats drop from dozens per year to near zero
  • Escalations fall below 2%, without sacrificing coverage
  • Risk tolerance is defined by evidence, not exhaustion

This is the operating model behind Intezer AI SOC, powered by ForensicAI™ and it is why the definition of acceptable risk must be reset.

Download the report and join the discussion

The 2026 AI SOC Report for CISOs is grounded in:

  • 25 million alerts analyzed
  • 10 million monitored endpoints and identities
  • 82,000 forensic endpoint investigations, including live memory scans
  • Telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails

All data was aggregated and anonymized across Intezer’s global enterprise customer base.

👉 Download the full report to explore the findings in detail, and
👉 Join Intezer’s research team on Wednesday, February 4th at 12 p.m. ET for a live webinar breaking down what this data means for SOC leaders and CISOs.

Because in 2026, the biggest risk is no longer what you detect, it’s what you choose not to investigate.

The post Alert fatigue is costing you: Why your SOC misses 1% of real threats appeared first on Intezer.

Building effective AI for the SOC: How Intezer Forensic AI SOC follows Anthropic’s best practices

14 January 2026 at 18:58

One of the most influential publications on real-world AI system design is Anthropic’s guide, Building Effective Agents. Its core message is simple:
Effective AI requires structure first, adaptability second.

Anthropic emphasizes that AI agents work best when:

  1. A deterministic workflow does all the structured work up front
  2. The agent only activates when uncertainty remains
  3. The agent begins with full context, not an empty slate
  4. Tool usage is controlled and evidence-driven
  5. Human-in-the-loop remains central for oversight and trust

These principles ensure accuracy, avoid hallucinations and keep investigations reproducible, all critical requirements for cybersecurity.

Intezer Forensic AI SOC is built on exactly this philosophy. Our platform uses a dual-mode design with Intezer AI Workflow and AI Agent, completely aligning with Anthropic’s best practices to deliver fast, scalable and highly accurate investigations across a broad range of alerts, all while keeping analysts in the loop.

Here is how Intezer implements Anthropic’s best practices for agents.

Structured first: Intezer AI Workflow handles the majority of alerts

Anthropic advises that AI systems should begin with deterministic workflows instead of free-form reasoning. In cybersecurity, this is essential for accuracy, auditability, trust and scalability (when handling huge volumes of alerts).

Intezer’s AI Workflow mode is a structured triage process designed by security experts and executed with strict consistency. It applies AI only at key decision points, not as the driver of the entire investigation.

This approach provides:

  • Deterministic, reproducible results
  • High speed due to streamlined, parallelizable steps
  • Lower costs because heavy reasoning is used sparingly
  • No drift or unexpected branching
  • Clear human oversight points

Most alerts, especially well-defined ones, are fully resolved at this stage, giving SOCs broad alert coverage at low cost.

Adaptive only when needed: Intezer AI Agent extends the investigation

Anthropic states that agents should activate only when the structured workflow reaches uncertainty, and only after they inherit the full context. Intezer follows this exactly.

AI Agent mode activates only when the Workflow cannot reach a high-confidence verdict.

At that point, the agent:

  • Starts with all evidence collected so far
  • Avoids premature assumptions
  • Uses tools deliberately and contextually
  • Expands the investigation where human analysts would
  • Surfaces deeper behavioral patterns or cross-asset correlations

This ensures the agent is guided, not free-floating, and its decisions remain grounded in evidence, not guesswork.

Tools the AI Agent can leverage once activated

  • Dynamic SIEM queries
  • EDR/XDR telemetry lookups
  • Identity provider (IDP) investigation
  • Behavioral analysis of processes and command lines
  • User activity mapping
  • Process ancestry and parent-child correlation
  • Intezer’s historical alert database
  • Code DNA similarity and malware lineage tracking
  • Additional host, memory, or file-based forensics

The result is deeper investigation where it matters, without unnecessary cost.

Human-in-the-loop by design

Intezer keeps human analysts at the center so they can review and override conclusions, and trace every decision made by Intezer. Of course, all evidence and reasoning is grounded in forensic data and is fully transparent and explainable for beginners and advanced analysts alike.

This aligns with Anthropic’s principle that humans remain final decision-makers, especially in high-stakes domains like cybersecurity.

How this architecture improves SOC performance

Intezer’s adherence to Anthropic’s best practices produces measurable outcomes across the three most important SOC metrics: accuracy, coverage, and speed, while also reducing cost.

Accuracy

Intezer’s approach of combining deterministic forensics + adaptive AI = best-in-class verdict quality.

  • The structured workflow prevents hallucinations
  • The AI Agent only activates with strong guardrails
  • Context inheritance ensures consistent reasoning
  • Analysts always have visibility and control

This hybrid approach dramatically reduces false positives and prevents premature conclusions.

Triage of all alerts, including low-severity (where threats often hide)

Because AI Workflows handle the bulk of alerts inexpensively and AI Agents only run when needed, heavy and expensive reasoning calls are minimized

This frees SOCs from cherry-picking which alerts to ingest allowing them to triage and investigate them all.

This is crucial for:

  • High-volume enterprise environments
  • MSSPs with strict SLAs
  • Cloud-scale detection pipelines
  • 24/7 monitoring teams

You get broad alert coverage without inflating compute costs.

Speed: Structured steps + adaptive depth

  • Workflow mode resolves most alerts within seconds
  • Agents accelerate investigations that normally take analysts hours
  • No bottlenecks, no backlog, no manual evidence gathering

The result is a SOC where every alert is investigated quickly, consistently, and with forensic depth.

Table of how Intezer’s design reflects Anthropic’s guidance

Anthropic best practiceHow Intezer implements it
Start with deterministic workflowsAI Workflow handles structured triage with predefined expert steps
Activate agents only when neededAI Agent triggers only when confidence is insufficient
Give agents full contextAgent inherits the entire Workflow evidence set
Control tool usageAgent selects tools based on evidence, not speculation
Maintain human-in-the-loopAnalysts can verify, guide, and override conclusions
Prioritize safety and reproducibilityEvery action is logged, justified, and traceable

Conclusion: Anthropic’s Agent principles in a real SOC

Anthropic’s framework for building effective agents is now influencing industries far beyond general AI research. Intezer Forensic AI SOC might be one of the strongest real-world implementations of these practices in cybersecurity.

By combining:

  • Deterministic workflows for reliable baseline investigations
  • Adaptive agents for deeper reasoning when needed
  • Human oversight for trust and accountability
  • Cost efficiency enabling full-pipeline alert coverage

Intezer is able to deliver fast, accurate, and scalable triage that transforms SOC operations.

Learn more about how you can transform your SOC today.

The post Building effective AI for the SOC: How Intezer Forensic AI SOC follows Anthropic’s best practices appeared first on Intezer.

Properly framing the AI SOC conversation 

2 November 2025 at 21:45

Gartner’s recent Innovation Insight: AI SOC Agents report is an encouraging signal that the concept of an “AI-powered SOC” has reached mainstream awareness. The report recognizes the potential of AI technologies to transform how security operations centers function, especially in augmenting analysts through automation and intelligent workflows.

Yet, while Gartner’s analysis succeeds in capturing the momentum of this space, it falls short in clarifying how and where AI actually fits within the security operations stack. By treating “AI SOC” as a monolithic, undifferentiated category, the report overlooks the crucial distinctions between detection, triage and response, each of which requires a very different kind of AI capability and delivers very different value.

A closer look at Gartner’s analysis 

Gartner’s report provides a valuable overview of how AI SOC can assist with detection, alert investigation, and even response recommendation. We wholeheartedly agree with Gartner’s advice that CISOs should evaluate which security activities are “volumetric, troublesome, or low-performing, and which would benefit the most from augmentation with the application of AI”. However, presenting all of the AI SOC functions (and vendors) as part of a single undifferentiated security ecosystem, can be confusing. 

This broad framing misses the fact that an AI model designed to improve SIEM detection logic operates on entirely different data, architecture, and feedback loops than one built to support analyst decision-making or response automation. The result is a flattening of a nuanced market into one monolithic category, useful for taxonomy, but not for decision-making.

For CISOs, this lack of segmentation makes it hard to answer the key strategic question: Where should we apply AI first to get tangible operational value?

By contrast, our view is that organizations should start by identifying which part of their operations needs augmentation most, then evaluate AI solutions purpose-built for that domain.

A clearer way to frame the AI SOC market

To understand where AI truly fits in and how it can deliver measurable outcomes, it helps to zoom out and look at the broader security operations stack. As we described in a previous blog post, “Making sense of the AI SOC market”, we see three main layers where AI can add value:

Detection (SIEM, XDR)

The first layer converts raw telemetry into actionable alerts. Here, AI can strengthen correlation logic, improve detection models, and reduce false positives. This is largely about data pattern recognition and automation of repetitive analysis.

Triage and Investigation (SOC / MDR)

The middle layer is where human analysts determine which alerts are real incidents worth escalating. This is where AI can truly emulate analyst reasoning, gathering context, cross-referencing intelligence, and presenting likely root causes. Done well, AI here acts as a co-analyst, not a replacement.

Response and Case Management (SOAR)

The final layer coordinates remediation and manages incident workflows. AI can accelerate playbook creation, automate routine case handling, and improve overall response time through dynamic decision logic.

Each layer offers opportunities for AI—but they are fundamentally different problems to solve. When vendors use the term “AI SOC” without specifying which layer they’re addressing, it creates confusion and unrealistic expectations.

A more practical evaluation framework

To move the conversation forward, we recommend a more structured approach to evaluating AI SOC solutions.

Step 1: Identify your target layer

Ask: Which layer of our operations needs the most improvement. Is it detection (SIEM/XDR/Cloud), triage (SOC/MDR), or response (SOAR)? 

This helps narrow the field to the right class of solutions rather than chasing the broad “AI SOC” label.

Step 2: Define measurable outcomes

Especially for alert triage and investigation (which is usually handled by an internal SOC or external MDR), establish metrics to compare performance, such as:

  • Reduction in mean time to detect (MTTD)
  • Noise reduction rate
  • Scale of alert coverage
  • Consistency across SOC shifts or analyst tiers
  • Triage accuracy

These metrics allow organizations to compare vendors on tangible outcomes, not vague AI promises.

Step 3: Evaluate transparency and integration

An effective AI SOC solution should clearly explain its reasoning, integrate easily with your existing tools, and allow human oversight. The goal is augmentation, not opacity.

Read more about why the “AI SOC agent” narrative misses the point.

The way forward

Gartner deserves credit for bringing visibility to an emerging market, but their analysis underscores how early and fluid this space still is. The future of the AI SOC isn’t one product category. It’s a set of AI capabilities applied intelligently across the detection–triage–response continuum.

Organizations that treat AI as a modular capability rather than a monolithic product will see the most success. The key is knowing your operational priorities and matching them to the layer where AI can have the greatest impact.

Conclusion

AI is not a magic “SOC-in-a-box.” It’s a set of technologies that, when properly targeted, can transform specific parts of security operations. Gartner’s latest report captures the enthusiasm, but not yet the structure, of this market.

At Intezer, we believe the path forward starts with clarity. Understanding the distinct layers of the SOC, the role AI plays in each, and the outcomes that matter most. Only then can organizations cut through the noise and choose the right AI SOC partner for their needs.

Explore how Intezer delivers complete peace of mind for your security operations! 

The post Properly framing the AI SOC conversation  appeared first on Intezer.

❌