AI in cybersecurity is both an everyday tool and hype. For years, cyber security teams have worked with tools from the AI toolkit – for example in anomaly detection of user and network behavior, in behavior-based endpoint solutions and in email security. What’s new above all is the visibility of large language models, which simplify documentation, scripting and integration tasks.
However, the central message from practice remains sobering: the bottleneck is rarely a lack of AI, but too often insufficient architecture, unclear processes and missing risk transparency. AI accelerates, prioritizes and makes things visible – but it replaces neither clean design nor traceable governance and accountability.
Where AI Creates Value
AI delivers its greatest benefit where it learns patterns and detects deviations from the normal state. In environments for Security Information and Event Management (SIEM) and Managed Detection and Response (MDR), User and Entity Behavior Analytics (UEBA) uncovers irregularities in log and network traffic that would remain invisible to signature-based systems – for example, when an administrator suddenly logs in from an unfamiliar source and new accounts are created in parallel.
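The administrator scenario above, reduced to its detection logic: learn which source addresses each user normally logs in from, flag a successful login from a source outside that baseline, and raise the severity when the same actor creates accounts shortly afterwards. This is an added illustration, not code from the article or from any UEBA product; the key=value log format, the field names, the addresses and the 30-minute correlation window are all constructed for the example. Production UEBA replaces the fixed set of "known sources" with statistical models, but the correlation step is the same.

```python
"""Correlate an admin login from an unfamiliar source with follow-on account
creation. Added example; log format, field names and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Everything before BASELINE_UNTIL is treated as
# the learning period; later events are the ones under review.
SAMPLE_LOGS = """\
ts=2024-03-01T08:02:11Z event=login user=admin.jane src=10.10.5.21 result=success
ts=2024-03-01T17:45:09Z event=login user=admin.jane src=10.10.5.21 result=success
ts=2024-03-02T08:10:44Z event=login user=admin.jane src=10.10.5.23 result=success
ts=2024-03-02T09:01:02Z event=account_created actor=admin.jane target=svc-backup
ts=2024-03-03T08:05:30Z event=login user=admin.jane src=10.10.5.21 result=success
ts=2024-03-04T03:12:51Z event=login user=admin.jane src=198.51.100.77 result=success
ts=2024-03-04T03:14:03Z event=account_created actor=admin.jane target=support2
ts=2024-03-04T03:15:40Z event=account_created actor=admin.jane target=support3
"""
BASELINE_UNTIL = datetime(2024, 3, 4)  # constructed cut-off between learning and review


def parse(lines):
    """Parse key=value log lines into dicts with a datetime 'ts' field."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def build_baseline(events, until):
    """Source addresses each user successfully logged in from before `until`.

    The learning period is taken as trusted; an attacker active during it would
    poison the baseline, which is why real deployments review it as well."""
    known = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["result"] == "success" and e["ts"] < until:
            known[e["user"]].add(e["src"])
    return known


def detect(events, baseline_until, window=timedelta(minutes=30)):
    """Flag successful logins from an unseen source in the review period and
    attach any accounts the same actor created within `window` afterwards."""
    known = build_baseline(events, baseline_until)
    findings = []
    for e in events:
        if e["event"] != "login" or e["result"] != "success" or e["ts"] < baseline_until:
            continue
        if e["src"] in known[e["user"]]:
            continue  # source seen during the learning period: normal
        created = [
            x["target"] for x in events
            if x["event"] == "account_created"
            and x.get("actor") == e["user"]
            and e["ts"] <= x["ts"] <= e["ts"] + window
        ]
        findings.append({
            "user": e["user"],
            "src": e["src"],
            "ts": e["ts"].isoformat(),
            "accounts_created": created,
            # A lone unfamiliar login may be travel; login plus new accounts is not.
            "severity": "high" if created else "medium",
        })
    return findings


def run_sample():
    """Run the detection over the constructed sample data."""
    return detect(parse(SAMPLE_LOGS), BASELINE_UNTIL)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data the only finding is the 03:12 login from 198.51.100.77 with two accounts created in the following three minutes, rated high; the earlier logins from the 10.10.5.0/24 addresses fall inside the baseline and produce nothing.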
On endpoints, behavior-based detection has become established in the EDR (Endpoint Detection and Response) domain. In email security, generative and detection-oriented AI systems face off directly: attackers create more convincing phishing emails, defenders respond with finer-grained, language- and context-sensitive detection models.
Challenges in the SOC
The various vendor ecosystems are largely isolated with respect to AI and offer little interoperability. Fortinet harmonizes with Fortinet, Palo Alto with Palo Alto. This increasingly challenges IT managers. End-to-end correlation across tool boundaries requires integration into a Security Operations Center (SOC), clean data models and playbooks for Security Orchestration, Automation and Response (SOAR) – work that can neither be automated away nor is fully standardized by the market. SOAR tools are typically deployed in a SOC and attempt to connect to the interfaces of all relevant information sources. The goal is to consolidate this information and automate its handling so that analysts get a holistic view.
Best-of-Breed versus Platform
Many organizations are considering consolidation to a few vendors and their platforms to reduce complexity, contract and data protection overhead. In practice, best-of-breed remains relevant because few vendors excel in every discipline. The result is a tension: those who opt for a platform benefit from tighter integration but risk technical compromises and lock-in effects. Those who choose best-of-breed retain top-tier solutions but carry integration burden – from APIs and data pipelines to SOAR playbooks.
Cost is an often underestimated factor. Cloud SIEMs, for example, appear attractive and usually offer good performance, but can become expensive through required log retention, ingest fees – charges based on the volume of imported data – and data exports. Alternatives such as dedicated UEBA / anomaly engines or hybrid systems can sometimes better balance total cost of ownership (TCO) and compliance requirements – depending on data flow, required retention periods and regulatory obligations. Regardless of the approach: manage expectations realistically, factor in switching costs, and identify visibility gaps outside your respective ecosystem.
“AI makes anomalies visible, but it does not cure a bad starting situation. In practice, security leaders often encounter unclearly segmented networks, incompletely implemented security solutions, ignorance about applications critical to the business, undefined responsibilities and processes.”
Eike Trapp, Axians IT Security
AI Is Not a Cure-All
Artificial intelligence makes anomalies visible, but it does not cure a bad starting situation. In practice, security leaders often encounter unclearly segmented networks, incompletely implemented security solutions, ignorance about applications critical to the business, undefined responsibilities and processes. One example: the desire for a 24/7 SOC without available decision-makers on weekends. Without accompanying risk and business understanding, an automated response that, for instance, locks accounts or blocks traffic can cause greater damage than the original alert.
Another classic is the Swiss cheese ruleset in firewalls: over the years, more and more exceptions have accumulated. Machine learning can help with cleanup, identify unused or misplaced rules, and assign rules to applications. But only humans can decide who is responsible for an application and how critical it might be to the business. This requires processes, documentation and clear responsibilities.
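The cleanup step described above, as an added illustration rather than code from the article or from any firewall vendor: a flat, first-match ruleset is scanned for rules that can never be reached because an earlier rule already covers every packet they would match (shadowed rules), and for reachable rules with zero hits (unused rules). The rule format, addresses and hit counts are constructed. A shadowed rule whose action differs from the rule hiding it (here an allow buried under a catch-all deny) is the "misplaced" case: it almost certainly sits on the wrong side of the deny. As the text says, the analysis only tells you which rules are dead; whether a rule may be removed is a question for the application owner.

```python
"""Find unused and shadowed rules in a first-match firewall ruleset.
Added example; rule format, addresses and hit counts are constructed."""
import ipaddress

# Constructed ruleset, evaluated top to bottom, first match wins.
# ports is an inclusive (low, high) range; proto "any" matches every protocol.
RULES = [
    {"id": 10, "src": "10.0.0.0/8",     "dst": "10.20.0.10/32", "proto": "tcp", "ports": (443, 443),   "action": "allow", "hits": 51234},
    {"id": 20, "src": "10.1.0.0/16",    "dst": "10.20.0.10/32", "proto": "tcp", "ports": (443, 443),   "action": "allow", "hits": 0},
    {"id": 30, "src": "10.5.0.0/16",    "dst": "10.20.0.0/24",  "proto": "tcp", "ports": (22, 22),     "action": "allow", "hits": 0},
    {"id": 40, "src": "0.0.0.0/0",      "dst": "10.20.0.0/24",  "proto": "any", "ports": (0, 65535),   "action": "deny",  "hits": 9001},
    {"id": 50, "src": "192.168.1.0/24", "dst": "10.20.0.5/32",  "proto": "udp", "ports": (53, 53),     "action": "allow", "hits": 0},
]


def _covers(broad, narrow):
    """True if `broad` matches every packet that `narrow` matches.

    Address containment uses ipaddress.subnet_of; the sample is IPv4 only, and
    mixing address families would need a version check before the comparison."""
    if not ipaddress.ip_network(narrow["src"]).subnet_of(ipaddress.ip_network(broad["src"])):
        return False
    if not ipaddress.ip_network(narrow["dst"]).subnet_of(ipaddress.ip_network(broad["dst"])):
        return False
    if broad["proto"] != "any" and broad["proto"] != narrow["proto"]:
        return False
    return broad["ports"][0] <= narrow["ports"][0] and narrow["ports"][1] <= broad["ports"][1]


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule covers them entirely.

    `conflict` is True when the hiding rule has a different action, i.e. the
    shadowed rule is probably misplaced rather than merely redundant."""
    result = []
    for j, rule in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier, rule):
                result.append({
                    "rule": rule["id"],
                    "shadowed_by": earlier["id"],
                    "conflict": earlier["action"] != rule["action"],
                })
                break  # the first covering rule is the one that hides it
    return result


def unused_rules(rules, shadowed):
    """Reachable rules with zero hits: not shadowed, yet never matched in the
    observed period. Candidates for review with the application owner."""
    shadowed_ids = {s["rule"] for s in shadowed}
    return [r["id"] for r in rules if r["hits"] == 0 and r["id"] not in shadowed_ids]


if __name__ == "__main__":
    shadows = shadowed_rules(RULES)
    for s in shadows:
        kind = "misplaced (action conflict)" if s["conflict"] else "redundant"
        print(f"rule {s['rule']} shadowed by rule {s['shadowed_by']}: {kind}")
    print("unused but reachable:", unused_rules(RULES, shadows))
```

On the constructed ruleset, rule 20 is redundant (fully covered by the broader allow in rule 10), rule 50 is misplaced (an allow hidden beneath the catch-all deny in rule 40), and rule 30 is reachable but has never matched, so it goes to the owner of the destination application for a decision.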
Conclusion: Value Emerges Through Clarity
AI creates real value in cyber security when architecture, processes and responsibilities are clear. Employee training and awareness remain among the most important points. In many organizations, it is pragmatic not to take this path alone, but to bring in an independent, experienced service provider at strategic points. This reduces the risk of hasty tool decisions, accelerates prioritization, and ensures that automation proceeds with clear anchors. Central to this is not increasing AI deployment, but enabling better interoperability. An external perspective helps identify perception gaps and leverage existing strengths – so that AI acts as an accelerator, not a risk amplifier.
About the author: Eike Trapp is Senior Security Consultant at Axians IT Security.
The authors are responsible for the content and accuracy of their contributions. The opinions presented reflect the views of the authors.
ComputerWeekly.de
