Exclusive: Cybanetix CEO on AI, MDR and the shifting UK cyber landscape
The enterprise cybersecurity market in the UK is in flux, and according to Cybanetix CEO Martin Jakobsen, this is driving an 18% surge in demand for managed detection and response (MDR) services, particularly among mid-size firms.
"Only really, really big organisations have got the talent and the capability to build a 24/7 operations themselves in security," Jakobsen said during a recent interview.
"The vast, vast majority of organisations just haven't got the scale nor the money or capability to build it themselves. They choose to buy a service in."
It's not simply about budget. Jakobsen explained, "MDR is a multi-discipline service: you need technical people, SOC analysts, DevOps, process architects, and automation capabilities."
Many UK midmarket businesses, typically with 1,000 to 20,000 seats, can neither attract nor retain the right expertise across those domains. He added, "MDR at a minimum needs to be a 24/7 service, which means that in most countries, legally, you need eight SOC analysts just to get going."
The financial logic of outsourcing, therefore, is straightforward.
The problem is exacerbated by a persistent and growing skills shortage. While entry-level candidates are plentiful, "the skill shortage is mainly in the mid-level tier," Jakobsen said.
"Organisations haven't got either the time or the capability to train them, and then as soon as people have three, four, five years of experience, they become very expensive, so it becomes financially prohibitive." The industry trend is clear: organisations are buying in advanced services rather than attempting to build them internally.
Artificial intelligence is only "amplifying the complexity", according to Jakobsen.
"AI is incrementally changing the role of both the SOC analyst and the MDR provider, but conversely, it's driving a huge amount of complexity as well, which organisations are not ready for, creating a whole new attack surface," Jakobsen explained. "A lot of the AI technologies now in cyber are driving incremental improvements in a SOC and how it interacts, perhaps speeding up some work. But now comes the entire AI protection discussion as well, which people have not even started to get their heads around."
On the practical side, Jakobsen described how Cybanetix uses AI for tasks such as text summarisation, alert interpretation and client interaction with data.
"If you're looking at Microsoft as a perfect example, they're constantly launching new alerts out. AI has the capability to interpret an alert for the first time, which avoids a SOC analyst having to Google to figure out what it means or what should be done." However, he noted such gains are situational: "For the general humdrum of a SOC day, which deals with thousands of alerts, the efficiency gain is less, but on new alerts, it's very useful."
Jakobsen also remains cautious about the productivity ROI from the current crop of AI-driven SOC analyst products: "They have the same, I think, gimmicky effect as ChatGPT initially: 'Okay, it's funny to ask questions, but what's the productivity gain?'" He does see value in natural language capabilities breaking down barriers between technical and non-technical users, but pointed out, "It doesn't mean you get better detections per se; you still need the analytical capability to figure out what you need to ask. If you don't know what you're looking for, AI doesn't help you."
Industry best practice is defined by both response and transparency, Jakobsen argued. For MDR services, "You need a very good SLA, something that looks like 15-minute response times for all alerts. Don't accept differentiated SLAs between different severities, because two or three 'lows' in the right combination could constitute a critical breach." He added, "If the SLA doesn't have the same speed for everything, and it's not imminent, you can't be talking hours when you're talking cyber."
Equally, businesses must ensure their provider's remediation capability spans beyond basic malware: "A lot of MDR services only mean malware remediation, which frankly was solved in the 90s. You need to look at user containment, password resets, user controls, and network controls as well. Compromise of identity is often the pivotal point in most attacks."
Transparency remains a sticking point in the market. "Black box is a more cost-effective way for an MDR provider to deliver a service, and for small businesses, it's a good alternative. For more complex infrastructures, you need tailoring to your use cases." Jakobsen warned clients to scrutinise service approaches carefully: "If you have black box, you have no idea what they're doing for you… When you remove the MDR service, you'll be left with no improvement and starting from scratch." Instead, he suggests, "A good service provider will make sure the systems are managed in parallel with them running the service. You can see the notes, you can see the investigations that have been done."
On regulatory compliance, Jakobsen was pragmatic. "Regulation rarely stipulates you must have a SOC. The majority of regulatory requirements make sure you have an appropriate security posture and ability to respond. Having some sort of MDR or SOC service, internal or external, is key to good practice, but it's not strictly required."
As for keeping up with emerging threats, he noted that "most attacks are very similar in patterns: reconnaissance, typically a credential compromise, then exploitation, and then data theft or ransomware. The trick is to set a paranoid monitoring posture not for a particular threat actor but for all the subcomponents: compromised credentials, reconnaissance, data loss. If a good MDR provider can see even 15 out of 50 possible attack steps and remediates early, the attack will be stopped."
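Two of the points above lend themselves to a concrete illustration: that several 'low' alerts in the right combination amount to a critical incident, so the SLA should not be tiered by severity, and that monitoring should watch for the recurring subcomponents of an attack (reconnaissance, credential compromise, exploitation, data loss) rather than for a named threat actor. The script below is an added example written for this article; it is not Cybanetix's code or any product's logic. It runs over a constructed alert stream whose field names (`entity`, `stage`, `responded`) are assumptions, escalates an entity to critical when alerts covering two or more distinct attack stages land within a time window regardless of their individual severity, and applies one flat 15-minute response SLA to every alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, not real telemetry. Every alert is "low" on its
# own; the field names below are assumptions made for this example.
SAMPLE_ALERTS = [
    {"id": 1, "ts": "2024-05-01T09:00:00", "entity": "alice", "severity": "low",
     "stage": "reconnaissance", "responded": "2024-05-01T09:05:00"},
    {"id": 2, "ts": "2024-05-01T09:20:00", "entity": "alice", "severity": "low",
     "stage": "credential_compromise", "responded": "2024-05-01T09:50:00"},
    {"id": 3, "ts": "2024-05-01T09:35:00", "entity": "alice", "severity": "low",
     "stage": "data_loss", "responded": "2024-05-01T09:40:00"},
    {"id": 4, "ts": "2024-05-01T11:00:00", "entity": "bob", "severity": "low",
     "stage": "reconnaissance", "responded": "2024-05-01T11:10:00"},
    {"id": 5, "ts": "2024-05-02T08:00:00", "entity": "bob", "severity": "low",
     "stage": "credential_compromise", "responded": "2024-05-02T08:12:00"},
]

# The attack subcomponents the article lists; monitoring keys on these, not
# on a particular threat actor.
STAGES = ("reconnaissance", "credential_compromise", "exploitation", "data_loss")


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate_lows(alerts, window=timedelta(hours=1), min_stages=2):
    """Escalate an entity to critical when alerts covering at least
    `min_stages` distinct attack stages occur within `window`, ignoring
    the per-alert severity entirely.

    Returns {entity: {"severity": "critical", "stages": [...], "alert_ids": [...]}}.
    """
    by_entity = defaultdict(list)
    for a in alerts:
        if a["stage"] not in STAGES:
            raise ValueError(f"unknown stage {a['stage']!r} on alert {a['id']}")
        by_entity[a["entity"]].append(a)

    escalations = {}
    for entity, items in by_entity.items():
        items.sort(key=lambda a: _parse(a["ts"]))
        # Slide a window anchored at each alert; the first window that spans
        # enough distinct stages triggers the escalation for this entity.
        for i, anchor in enumerate(items):
            t0 = _parse(anchor["ts"])
            in_window = [a for a in items[i:] if _parse(a["ts"]) - t0 <= window]
            stages = {a["stage"] for a in in_window}
            if len(stages) >= min_stages:
                escalations[entity] = {
                    "severity": "critical",
                    "stages": sorted(stages),
                    "alert_ids": [a["id"] for a in in_window],
                }
                break
    return escalations


def sla_breaches(alerts, sla=timedelta(minutes=15)):
    """One flat SLA for every alert: return the ids whose time from alert to
    first response exceeded `sla`, whatever the severity label said."""
    return [a["id"] for a in alerts
            if _parse(a["responded"]) - _parse(a["ts"]) > sla]


if __name__ == "__main__":
    for entity, detail in correlate_lows(SAMPLE_ALERTS).items():
        print(f"{entity}: {detail['severity']} via stages {detail['stages']} "
              f"(alerts {detail['alert_ids']})")
    print("SLA breaches:", sla_breaches(SAMPLE_ALERTS))
```

In the constructed data, `alice` accumulates reconnaissance, credential compromise and data loss within an hour and is escalated even though no single alert was above 'low'; `bob` shows two stages but a day apart, so nothing fires. Alert 2 took 30 minutes to be responded to and is the only SLA breach, which a severity-tiered SLA would have hidden because the alert was labelled low.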
Jakobsen cautioned buyers faced with expanding attack surfaces and constrained budgets to "do the basics first. Make sure your firewall posture is good, make sure your EDR platform is good. There's no point in starting to look at MDR services if your basics aren't in place." Understanding what exactly needs protecting is vital: "If you're an online retailer, the website is revenue impacting. If it's financial data, then the database needs protection. Figure out what's critical before going to market, and always shop around, but be careful picking the cheapest."
For organisations shortlisting MDR providers, Jakobsen's view is unequivocal: "Your MDR service provider is perfect until the day you have a breach; only then do you know whether they would or would not detect a real attack."