SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Merlin

Why a Paranoid Posture promises to revolutionise threat detection and response

Fri, 20th Mar 2026

Beleaguered security teams have their work cut out when it comes to detecting and mitigating attacks, and threat actors appear to have gained the upper hand. According to IBM, the mean time to identify and contain a breach now stands at 241 days, equivalent to eight months, and dwell time is now at a nine-year high. It's a sorry statistic that reveals threat detection and response is struggling to keep pace.

There are a number of reasons for this. Alert overload is an obvious one, with Security Operations Centre (SOC) analysts dealing with as many as 3,000 alerts each day. Sifting through and prioritising these is no mean feat, inevitably leading to the pursuit of dead ends while genuine threats sneak under the radar. On average, 40% of alerts are never investigated, with 60% of organisations admitting to having ignored a critical alert.

Swivel chair operations also make the job of the SOC analyst harder, forcing them to use multiple poorly integrated solutions to manage distributed cloud, network, endpoint and other environments. And it's a problem exacerbated by the growing size of the attack surface, to which IoT endpoints, remote working devices, and AI systems have now been added.

How those security tools are configured can also pose problems: if detection rules are too sensitive, false positives will flood the SOC. A lack of skilled analysts exacerbates the problem further, with a quarter of enterprises reporting misconfigured systems as a direct result of skills shortages, according to an ISC2 study.

Collectively, these issues are leading to alert fatigue and are seeing SOC analysts retire early or change career, placing even more pressure on those who remain. Reddit abounds with tales of analysts fighting a losing battle, and surveys regularly show 60-70% reporting burnout.

Attackers up the ante

At the same time, threat actors are upping their game. Cyber criminals can now leverage an entire ecosystem of tools and associates. Those peddling their wares include Initial Access Brokers (IABs) offering ready-made access to networks, Ransomware-as-a-Service (RaaS) groups that provide the malware itself in return for a cut of the profits, and hosters providing the infrastructure. Phishing kits can be bought and used for social engineering campaigns, and infostealer-as-a-service providers keep the whole ecosystem well stocked with a steady stream of compromised credentials.

The signs of an attack are also harder to spot because they're less obvious. Those contraband credentials allow attackers to log in rather than hack in and give them the ability to maintain persistence through Living off the Land techniques. Consequently, it's no longer enough to look for telltale indicators of compromise and security teams can struggle to join the dots.

Adding fuel to the fire is AI. Cybercriminals are using jailbroken or open source large language models (LLMs) to improve social engineering, victim reconnaissance, and vulnerability research and exploit development. But AI is also weakening the business due to insufficient guardrails and governance around AI projects being stood up internally, leading to AI being dubbed the new insider threat.

It's no wonder then that the scales have tipped in the attackers' favour. But it doesn't have to remain that way. If the SOC can harness intelligent automation, it can power through a larger volume of alert data and surface insight to the security analysts faster and with more precision.

Bigger, better, faster, more

Capturing more alerts means the SOC is much more likely to happen upon the signs of an attack earlier in the kill chain, and that earlier detection provides valuable response time. In fact, adopting this 'paranoid posture' can uncover and link multiple low-severity alerts that might previously have been disregarded, improving the detection of living-off-the-land attacks.

In many respects, adopting a paranoid posture seems counterintuitive. It can see alert volumes rise to ten times the usual volume, which increases the risk of alert fatigue and burnout. But the trick is to automate 65-70% of all activity so that the SOC does the heavy lifting, not the analyst.

Security Orchestration, Automation and Response (SOAR) tooling, for example, can be configured to automatically remediate and close cases without the need for human involvement. Similarly, threat intelligence, automatic threat hunting and telemetry gathering, artificial testing, alert correlation, entity mapping and AI can all be used to help create a ready-made case for investigation. 

In a typical scenario, the alert comes in, automation is used to enrich the data within the alert with threat intelligence, and Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) searches correlate information. Any relevant alerts linked to the same entities, such as IPs, users and devices, are then added to the case. This contextual enrichment drives faster, more accurate decision making without creating extra fatigue for SOC teams.
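The enrichment and entity-linking step described above, as an added illustration that is not code from the article or from any product it mentions. It assumes a constructed threat-intelligence feed and a handful of constructed alerts; alerts that share a user, host or IP are chained into one case (so three low-severity alerts that would each be ignored on their own become one case worth an analyst's time), while an isolated alert with a benign reputation is closed automatically. The scoring threshold and the severity weights are assumptions for the example.

```python
"""Added example: entity-based alert correlation and auto-closure.
Not the article's code; threat-intel data, alerts, weights and thresholds
are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed threat-intel feed: indicator -> (reputation, note).
THREAT_INTEL = {
    "198.51.100.23": ("malicious", "known C2 infrastructure (constructed)"),
    "203.0.113.9": ("benign", "corporate VPN egress (constructed)"),
}

SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 5}   # assumed weights
MALICIOUS_BONUS = 5                                     # assumed
INVESTIGATE_THRESHOLD = 4                               # assumed


@dataclass
class Alert:
    alert_id: str
    severity: str
    user: Optional[str] = None
    host: Optional[str] = None
    ip: Optional[str] = None
    enrichment: Dict[str, str] = field(default_factory=dict)

    def entities(self) -> Set[Tuple[str, str]]:
        """The (kind, value) pairs used to link alerts into a case."""
        return {(k, v) for k, v in (("user", self.user), ("host", self.host),
                                    ("ip", self.ip)) if v is not None}


@dataclass
class Case:
    alert_ids: List[str]
    entities: Set[Tuple[str, str]]
    score: int
    disposition: str   # "investigate" or "auto_close"


def enrich(alert: Alert, intel=THREAT_INTEL) -> Alert:
    """Attach threat-intel reputation for the alert's IP, if the feed knows it."""
    if alert.ip and alert.ip in intel:
        alert.enrichment["ip_reputation"], alert.enrichment["ip_note"] = intel[alert.ip]
    return alert


def build_case(alerts: List[Alert]) -> Case:
    """Score a group of linked alerts as a whole and decide its disposition."""
    score = sum(SEVERITY_SCORE[a.severity] for a in alerts)
    malicious = any(a.enrichment.get("ip_reputation") == "malicious" for a in alerts)
    if malicious:
        score += MALICIOUS_BONUS
    disposition = "investigate" if (malicious or score >= INVESTIGATE_THRESHOLD) else "auto_close"
    entities = set().union(*(a.entities() for a in alerts))
    return Case([a.alert_id for a in alerts], entities, score, disposition)


def correlate(alerts: List[Alert]) -> List[Case]:
    """Union-find over alerts: any two alerts sharing an entity land in one case."""
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen: Dict[Tuple[str, str], str] = {}
    for a in alerts:
        for ent in a.entities():
            if ent in first_seen:
                parent[find(a.alert_id)] = find(first_seen[ent])
            else:
                first_seen[ent] = a.alert_id

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.alert_id)].append(a)
    return [build_case(g) for g in groups.values()]


def run_pipeline(alerts: List[Alert]) -> List[Case]:
    """Enrich every alert, then correlate into cases, highest score first."""
    return sorted(correlate([enrich(a) for a in alerts]), key=lambda c: -c.score)


# Constructed sample alerts: three low-severity events chained through a user
# and a host, plus one unrelated low-severity event from a benign address.
SAMPLE_ALERTS = [
    Alert("A1", "low", user="alice", host="ws-01", ip="198.51.100.23"),
    Alert("A2", "low", user="alice", host="ws-01"),
    Alert("A3", "low", user="alice", host="srv-02"),
    Alert("A4", "low", user="bob", host="ws-07", ip="203.0.113.9"),
]

if __name__ == "__main__":
    for case in run_pipeline(SAMPLE_ALERTS):
        print(case.disposition, case.score, case.alert_ids)
```

The union-find is what lets the correlation scale: each alert is touched once per entity, so adding alerts at ten times the usual volume does not turn the linking step into a quadratic comparison of every alert against every other.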

Playing it by the book

Gluing this together are automated playbooks. Pre-built to deal with specific scenarios, playbooks work through the steps needed to contain and remediate a threat, and in complex attacks one playbook will trigger another, resulting in a cascading response. The best results are achieved when systems are configured to automatically run around a hundred playbooks per alert, with each playbook averaging ten actions.

A SOC running these playbooks might process over four million automation actions per day before analysts even need to get involved. But the skill sets of those analysts are still of the utmost importance. There is no substitute for a human when it comes to assessing the potential arc of an attack and the best course of action, particularly as the analyst can look at those alerts in the wider context of the business and its risk profile.
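The cascading playbook behaviour described in the two paragraphs above, as an added example that is not the article's code or any SOAR product's API. The playbook names, the actions and the alert context are constructed; the two safeguards it shows, running each playbook at most once per case and capping the cascade, are the checks a practitioner would want when one playbook can trigger another, since a cascade with no guard can loop indefinitely or fan out past what the platform can absorb.

```python
"""Added example: a small cascading-playbook engine.
Constructed playbooks and alert context; not the article's or a vendor's code."""
from collections import deque
from typing import Callable, Dict, List

# An action receives the case context, records what it did, and returns the
# names of any playbooks it wants to trigger next (possibly none).
Action = Callable[[dict], List[str]]


def enrich_ip(ctx: dict) -> List[str]:
    ctx["log"].append(f"enrich {ctx['ip']}: {ctx['reputation']}")
    return []


def decide_containment(ctx: dict) -> List[str]:
    """Branch point: malicious reputation fans out into two further playbooks."""
    if ctx["reputation"] == "malicious":
        ctx["status"] = "investigate"
        return ["contain_host", "revoke_creds"]
    ctx["status"] = "auto_closed"
    return []


def isolate_host(ctx: dict) -> List[str]:
    ctx["log"].append(f"isolate host {ctx['host']}")
    return []


def disable_user(ctx: dict) -> List[str]:
    ctx["log"].append(f"disable user {ctx['user']}")
    return []


def trigger_notify(ctx: dict) -> List[str]:
    # Both containment playbooks ask for the analyst; the engine dedupes it.
    return ["notify_analyst"]


def open_ticket(ctx: dict) -> List[str]:
    ctx["log"].append("open ticket for analyst review")
    return []


# Constructed playbook library: name -> ordered list of actions.
PLAYBOOKS: Dict[str, List[Action]] = {
    "triage": [enrich_ip, decide_containment],
    "contain_host": [isolate_host, trigger_notify],
    "revoke_creds": [disable_user, trigger_notify],
    "notify_analyst": [open_ticket],
}


def run_cascade(root: str, ctx: dict, playbooks=PLAYBOOKS, max_playbooks: int = 25) -> dict:
    """Run `root` and every playbook it (transitively) triggers, breadth-first.

    Each playbook runs at most once per case, which both dedupes shared
    follow-ups and breaks any cycle in the trigger graph. `max_playbooks`
    caps the fan-out so a runaway cascade escalates instead of running on."""
    ctx.setdefault("log", [])
    queue = deque([root])
    executed: List[str] = []
    actions = 0
    while queue:
        name = queue.popleft()
        if name in executed:
            continue
        if len(executed) >= max_playbooks:
            ctx["log"].append("cascade limit reached; escalating to analyst")
            ctx["status"] = "escalated"
            break
        executed.append(name)
        for step in playbooks[name]:
            actions += 1
            queue.extend(step(ctx))
    return {"playbooks": executed, "actions": actions, "status": ctx.get("status")}


# Constructed alert contexts.
MALICIOUS_CTX = {"ip": "198.51.100.23", "reputation": "malicious", "host": "ws-01", "user": "alice"}
BENIGN_CTX = {"ip": "203.0.113.9", "reputation": "benign", "host": "ws-07", "user": "bob"}

if __name__ == "__main__":
    print(run_cascade("triage", dict(MALICIOUS_CTX)))
    print(run_cascade("triage", dict(BENIGN_CTX)))
```

With the malicious context the cascade runs four playbooks and seven actions and leaves the case marked for investigation; the benign context stops after the two triage actions and is auto-closed. Passing a lower `max_playbooks` than the cascade needs shows the escalation path rather than a silent truncation.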

Paranoid monitoring is so expansive that it can capture the more subtle attack paths that are becoming commonplace. However, the people, process and technology required may well place it beyond the capabilities of the in-house SOC. It's for this reason that the future of the SOC may well lie with Managed Service Providers, who can draw upon the latest cutting-edge technology to provide the levels of automation required and offer experienced SOC analysts who have earned their stripes and are adept at tuning and interpreting the detection logic.