惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

小众软件
小众软件
IT之家
IT之家
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
C
CERT Recently Published Vulnerability Notes
阮一峰的网络日志
阮一峰的网络日志
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
P
Palo Alto Networks Blog
Know Your Adversary
Know Your Adversary
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Cisco Talos Blog
Cisco Talos Blog
L
Lohrmann on Cybersecurity
AWS News Blog
AWS News Blog
J
Java Code Geeks
博客园_首页
Scott Helme
Scott Helme
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
T
The Exploit Database - CXSecurity.com
Security Latest
Security Latest
V
Visual Studio Blog
Cloudbric
Cloudbric
Jina AI
Jina AI
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 叶小钗
Apple Machine Learning Research
Apple Machine Learning Research
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
A
Arctic Wolf
C
Cybersecurity and Infrastructure Security Agency CISA
S
SegmentFault 最新的问题
The Last Watchdog
The Last Watchdog
SecWiki News
SecWiki News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
W
WeLiveSecurity
K
Kaspersky official blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hacker News: Ask HN
Hacker News: Ask HN
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
宝玉的分享
宝玉的分享
Hugging Face - Blog
Hugging Face - Blog
量子位
Google Online Security Blog
Google Online Security Blog
博客园 - Franky
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 三生石上(FineUI控件)
Recent Commits to openclaw:main
Recent Commits to openclaw:main

Business Insights

Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR Bitdefender Threat Debrief | July 2026 Trust Under Attack: How Deepfakes Are Rewriting Cybercrime 2026 Cybersecurity Assessment: The Gap Between Knowing and Doing Your Last Red Team Tested the Wrong Attack MSP Strategic Defense: Why MDR Is the New Security Baseline for MSPs Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices Bitdefender Recognized in the 2026 Gartner® Europe Context: Magic Quadrant™ for Endpoint Protection CISA Mandates Change for Structured, Prioritized Updates and Vulnerability Management Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags What’s New in GravityZone June 2026 (v 6.74) Bitdefender Threat Intelligence: Built for How Security Teams Work Bitdefender Threat Debrief | June 2026 Cut Complexity in Half While Reducing Risk Across Your Endpoint Environment Bitdefender Named a Visionary in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection How Leading Organizations Turn EDR Into Operational Resilience Bitdefender Supports Ferrari Through Cybersecurity Built on Trust Bitdefender at Infosecurity Europe 2026: Staying Ahead of Faster Threats Endpoint Detection & Response Is Table Stakes Security Operation Saffron: Bitdefender Joins “First VPN” Takedown MSP Strategic Defense: Why Dual-Layer Email Security (SEG + API) Is Now Essential Bitdefender GravityZone: 100% Telemetry in AV-Comparatives 2026 EDR Test FamousSparrow APT Targets Azerbaijani Oil and Gas Industry Bitdefender Threat Debrief | May 2026
Your AI SOC Won’t Catch Ransomware by Itself
Cristina Anghel · 2026-07-06 · via Business Insights

Customers ask me how many analysts the MDR team still needs. The question implies AI has already made the answer “smaller.” Unfortunately, the organizations asking this question are usually the same ones that have not yet solved their telemetry gaps, their unmanaged endpoints, or their MFA coverage. They want AI to close problems that AI cannot see.

I understand why the question gets asked: the dominant pitch in the market right now is that AI will replace SOC analysts. That framing is not just wrong. It is operationally dangerous because it tells buyers to defund the things that make AI useful: telemetry, business context, and analyst judgment.

The organizations that benefit most from AI in the SOC are those that already have the foundations in place. The organizations that skip the foundations and buy the AI tooling first are still struggling with the same visibility gaps, except now they have a dashboard that processes the gaps quickly.

I discussed this topic with my colleagues recently during our webinar: The Lab, the SOC, the Red Team: Why Prevention Still Wins.

Screenshot 2026-07-01 160602

What Does AI in the SOC Handle?

AI has made real, measurable operational changes to how MDR teams work. Telemetry correlation that once required an analyst to manually connect events across dozens of sources now surfaces as a prioritized alert. Investigation summaries that took thirty minutes to build from raw logs take seconds. Noise reduction is genuine: the ratio of alerts that require human attention has shifted, and that shift matters enormously when a team covers hundreds of environments simultaneously.

In well-scoped environments, AI can execute predefined containment actions without waiting for an analyst. That is a real capability. Isolating a known-compromised endpoint based on specific behavioral triggers, queuing a password reset on a compromised account, blocking a process execution that matches an established behavioral signature: these are low-uncertainty, low-operational-impact actions where automation earns its keep.

The honest way to describe what AI does well is: it handles the work where the answer is already known, the uncertainty is low, and the operational impact of being wrong is contained. Enrichment, correlation, prioritization, predefined response. Everything inside those boundaries is genuine AI territory in a modern SOC.

Why is the Ransomware Binary the Wrong Detection Target?

The most damaging version of the “AI SOC” pitch focuses on catching malware at execution. That focus is wrong, and I want to explain precisely why, because it shapes everything about how an MDR program should be built.

Ransomware deployment is one of the last things that happens in a ransomware incident. Before the binary executes, the attacker has already been inside the environment for hours, days, or longer. They have accessed the network, scanned it, identified credential stores, dumped credentials, moved laterally to the systems they need, and confirmed that the environment is ready. By the time the ransomware binary appears, the investigation is largely over. The question is only whether containment happened before or after encryption.

One case illustrates this clearly. We identified suspicious Advanced IP Scanner activity running from a temporary user directory. That observation, on its own, looks like noise. Legitimate network administrators use Advanced IP Scanner regularly, and the process is not inherently suspicious. But the SOC team had investigated several ransomware incidents that started with this exact combination: VPN access to the environment, then internal scanning with a tool running from an anomalous path. We had seen where that sequence goes.

The full Akira ransomware progression, across multiple mid-sized enterprise environments in different industries, followed the same chain:

  1. VPN access
  2. Internal scanning
  3. Remote registry activity (querying credential-related areas of the registry remotely, which can happen in legitimate administration but is also a standard technique in early credential-harvesting stages)
  4. Credential dumping
  5. RDP movement
  6. Ransomware deployment

Six steps. The detection that prevented impact happened at step two, not step six.

Initial access in that case involved exploiting the SonicWall VPN. Based on our findings from prior investigations, we immediately isolated the affected host and advised the customer to disable external VPN access, verify patch status, and reset privileged credentials. No ransomware deployed. The binary never ran because the analyst recognized the progression pattern at the second step rather than the last.

The cross-environment learning that made that early detection possible is not a feature in a product. It is what happens when analysts have investigated the same progression multiple times, across different customers, different industries, different architectures. The pattern becomes recognizable before it completes. We see the same operational learning with newer social engineering techniques, including ClickFix-style attacks (a category of user-tricking techniques that prompt victims to manually execute malicious commands). Delivery methods evolve quickly, but many behavioral patterns repeat. When a new case arrives, the analyst is not starting from zero.

What Signature Coverage Cannot See

Signature coverage and vendor guidance do not move at the same speed as modern attackers. That gap is where behavioral detection earns its keep, and it is also where the “AI replaces analysts” framing most visibly breaks down.

On July 18, 2025, Bitdefender MDR identified suspicious encoded PowerShell activity on an on-premises SharePoint server, attempting to deploy malicious code into the SharePoint web directory. The relevant vulnerabilities, CVE-2025-49706 (an authentication bypass in SharePoint) and CVE-2025-49704 (an insecure deserialization vulnerability enabling remote code execution), had been published by Microsoft on July 8. The CVEs were public. What was not yet widespread was the public acknowledgment that these vulnerabilities were being actively exploited in the wild.

CISA updated its guidance on July 20. Microsoft published “Disrupting active exploitation of on-premises SharePoint vulnerabilities” on July 22. Microsoft’s subsequent analysis attributed the broader exploitation campaign to Linen Typhoon, Violet Typhoon, and Storm-2603. The activity was later named “ToolShell” in public reporting.

The MDR detection on July 18 was not before the vulnerability was disclosed. It was ahead of the active-exploitation wave, before signature coverage and broader vendor guidance had caught up.

That is the relevant window: the gap between CVE publication and the moment the security community broadly acknowledges that real attackers are moving on it. That gap is typically measured in days to weeks. Attackers move inside it. Behavioral detection sometimes catches what signature-based tools cannot see, because behavioral detection operates on evidence that does not require knowing about the specific vulnerability first.

What AI Returns to the Analyst

There is a boundary where AI hands work back to a human. That boundary is defined by two variables: operational impact and uncertainty. When both are low, AI carries the task. When either is high, the task comes back to an analyst. That is not a limitation to be engineered away. It is the correct design.

A case I think about when explaining this involved activity that AI initially classified as likely legitimate administrative behavior. The processes involved were signed Windows binaries. There was no obvious malware execution. On the evidence AI was weighing, the classification was reasonable.

The analyst recognized something different. The activity involved remote registry access to sensitive credential-related areas of the system. That behavior can legitimately occur in administrative workflows. It can also be a standard early step in credential harvesting before ransomware deployment. The question AI could not answer was: does this fit this customer’s normal environment? The analyst had the operational context to recognize that it did not. The case was escalated, the host was isolated, and it was handled as an active credential-access incident.

This is the judgment layer working as designed. AI handled the correlation, the noise reduction, and the initial classification. The analyst made the call that required understanding what the behavior meant in the specific context of that customer and that environment. The future SOC is AI-amplified, not analyst-less. Every step toward autonomy that preserves analyst judgment at the operational-impact boundary is the right step. Every pitch that removes that boundary is the wrong one. 

Which Organizations Benefit Most from AI in the SOC?

The organizations that benefit most from AI in the SOC are the ones that already have strong telemetry coverage, MFA, prevention layers, response capability, and endpoint visibility. AI can operate on reliable context. When the context is reliable, AI accelerates the work and shifts the analyst’s time toward the decisions that matter.

Which Organizations Struggle with AI in the SOC?

The organizations that struggle with AI tooling are the ones that deploy it on top of unresolved visibility gaps: unmanaged systems that do not report telemetry, inconsistent MFA coverage, missing endpoint agents, undefined response authority. AI does not fill gaps. It processes what is there. When what is there is incomplete, AI processes the incomplete picture faster, and the analyst makes decisions based on a distorted view of the environment.

Is AI Benefiting Attackers or Defenders?

Are cyber defenders or threat actors benefiting more from AI? This is an open question, and the jury is out. The 2026 Bitdefender Cybersecurity Assessment surveyed 1,200 IT and cybersecurity professionals in six countries about their views, and 52.6% said “AI is helping attackers more than defenders.” One thing we can say for certain now: operational tempos are accelerating on both sides.

The structural edge for defenders in an MDR model is not compute superiority or model quality. It is that MDR teams investigate attacks across many environments simultaneously, and that learning compounds. When we see a new progression pattern across customer A, it changes how we interpret early signals in customer B’s environment the following week. That operational memory is what enables early detection at step two rather than step six. AI accelerates the accumulation and retrieval of that pattern knowledge. It does not replace the knowledge itself.

The AI SOC pitch, taken literally, is a description of an environment where the foundations are already solved: complete telemetry, strong prevention, consistent identity controls, well-scoped response authority. In that environment, AI does accelerate and amplify. The mistake is assuming the pitch describes where most organizations currently are, rather than where they need to get to first.

The Akira progression gets harder to complete when prevention layers compress the attacker’s early window. Good telemetry means both the analyst and the AI are working from a complete picture. MFA and identity controls mean the early steps of that chain are harder to complete before detection. The SOC and the prevention layer are not separate investments competing for the same budget. The SOC multiplies what the prevention layer has built.

The May 21 panel discussion pulled on the two threads this piece relies on: prevention-first architecture and what an AI-enabled SOC can and cannot do. I made the SOC case there alongside Bitdefender Labs and the Bitdefender Red Team. Same incidents, three vantage points, recorded in full. The on-demand recording here: The Lab, the SOC, the Red Team: Why Prevention Still Wins

Screenshot 2026-07-01 160602