惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
GbyAI
GbyAI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 三生石上(FineUI控件)
美团技术团队
Last Week in AI
Last Week in AI
WordPress大学
WordPress大学
L
LangChain Blog
雷峰网
雷峰网
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 叶小钗
Engineering at Meta
Engineering at Meta
腾讯CDC
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
有赞技术团队
有赞技术团队
Blog — PlanetScale
Blog — PlanetScale
博客园 - Franky
博客园 - 司徒正美
The Cloudflare Blog
Google DeepMind News
Google DeepMind News
T
Tailwind CSS Blog
C
Check Point Blog
小众软件
小众软件
V
Visual Studio Blog
V
V2EX
F
Full Disclosure
J
Java Code Geeks
MongoDB | Blog
MongoDB | Blog
罗磊的独立博客
人人都是产品经理
人人都是产品经理
量子位
Apple Machine Learning Research
Apple Machine Learning Research
F
Fortinet All Blogs
Microsoft Security Blog
Microsoft Security Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 【当耐特】
博客园_首页
Y
Y Combinator Blog
N
Netflix TechBlog - Medium
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
Recorded Future
Recorded Future
G
Google Developers Blog
Vercel News
Vercel News
大猫的无限游戏
大猫的无限游戏
Microsoft Azure Blog
Microsoft Azure Blog
U
Unit 42
爱范儿
爱范儿
Jina AI
Jina AI

Business Insights Cybersecurity Blog by Bitdefender

What’s New in GravityZone July 2026 (v 6.75) Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR Bitdefender Threat Debrief | July 2026 Trust Under Attack: How Deepfakes Are Rewriting Cybercrime 2026 Cybersecurity Assessment: The Gap Between Knowing and Doing Your Last Red Team Tested the Wrong Attack MSP Strategic Defense: Why MDR Is the New Security Baseline for MSPs Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices Bitdefender Recognized in the 2026 Gartner® Europe Context: Magic Quadrant™ for Endpoint Protection CISA Mandates Change for Structured, Prioritized Updates and Vulnerability Management Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags What’s New in GravityZone June 2026 (v 6.74) Bitdefender Threat Intelligence: Built for How Security Teams Work Bitdefender Threat Debrief | June 2026 Cut Complexity in Half While Reducing Risk Across Your Endpoint Environment Bitdefender Named a Visionary in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection How Leading Organizations Turn EDR Into Operational Resilience Bitdefender Supports Ferrari Through Cybersecurity Built on Trust Bitdefender at Infosecurity Europe 2026: Staying Ahead of Faster Threats Endpoint Detection & Response Is Table Stakes Security MSP Strategic Defense: Why Dual-Layer Email Security (SEG + API) Is Now Essential Bitdefender GravityZone: 100% Telemetry in AV-Comparatives 2026 EDR Test Bitdefender Threat Debrief | May 2026 Bitdefender Named an Omdia Champion: What It Means for MSPs Ready to Lead Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS What’s New in GravityZone May 2026 (v 6.73) Endpoint Protection in Practice: How Customers Use Bitdefender to Reduce Risk Introducing Proactive Hardening and Attack Surface Reduction (PHASR) for Linux and macOS A Cybersecurity Lifeline for Lean IT Teams: Introducing C.R.E.W. Bitdefender at Black Hat Asia 2026: Disrupt Attacker Playbooks Introducing Extended Email Security What’s New in GravityZone April 2026 (v 6.72) What Mythos Reveals About Zero Trust’s Scope Problem Shut the Front Door on Email Attacks: How to Scale Security Services Without Increasing Workload Technical Advisory: Axios npm Supply Chain Attack - Cross-Platform RAT Deployed via Compromised Maintainer Account Your Biggest Cyber Risk Could Be What You Already Trust RSAC 2026: What to Expect from Bitdefender A Cyber Resilience Agenda: Inside the European Central Bank’s 2026–2028 Priorities AI in Cybersecurity: Is It Worth the Effort for Lean Security Teams? MSP Strategic Defense: Building Compliance on Dynamic Attack Surface Reduction Master XDR Investigations: A Deep Dive into the GravityZone XDR Demo Incident IDC Market Note: Surging Demand for EU Data Sovereignty Drives New Cybersecurity-Cloud Partnership
Your AI SOC Won’t Catch Ransomware by Itself
Cristina Anghel · 2026-07-06 · via Business Insights Cybersecurity Blog by Bitdefender

Customers ask me how many analysts the MDR team still needs. The question implies AI has already made the answer “smaller.” Unfortunately, the organizations asking this question are usually the same ones that have not yet solved their telemetry gaps, their unmanaged endpoints, or their MFA coverage. They want AI to close problems that AI cannot see.

I understand why the question gets asked: the dominant pitch in the market right now is that AI will replace SOC analysts. That framing is not just wrong. It is operationally dangerous because it tells buyers to defund the things that make AI useful: telemetry, business context, and analyst judgment.

The organizations that benefit most from AI in the SOC are those that already have the foundations in place. The organizations that skip the foundations and buy the AI tooling first are still struggling with the same visibility gaps, except now they have a dashboard that processes the gaps quickly.

I discussed this topic with my colleagues recently during our webinar: The Lab, the SOC, the Red Team: Why Prevention Still Wins.

Screenshot 2026-07-01 160602

What Does AI in the SOC Handle?

AI has made real, measurable operational changes to how MDR teams work. Telemetry correlation that once required an analyst to manually connect events across dozens of sources now surfaces as a prioritized alert. Investigation summaries that took thirty minutes to build from raw logs take seconds. Noise reduction is genuine: the ratio of alerts that require human attention has shifted, and that shift matters enormously when a team covers hundreds of environments simultaneously.

In well-scoped environments, AI can execute predefined containment actions without waiting for an analyst. That is a real capability. Isolating a known-compromised endpoint based on specific behavioral triggers, queuing a password reset on a compromised account, blocking a process execution that matches an established behavioral signature: these are low-uncertainty, low-operational-impact actions where automation earns its keep.

The honest way to describe what AI does well is: it handles the work where the answer is already known, the uncertainty is low, and the operational impact of being wrong is contained. Enrichment, correlation, prioritization, predefined response. Everything inside those boundaries is genuine AI territory in a modern SOC.

Why is the Ransomware Binary the Wrong Detection Target?

The most damaging version of the “AI SOC” pitch focuses on catching malware at execution. That focus is wrong, and I want to explain precisely why, because it shapes everything about how an MDR program should be built.

Ransomware deployment is one of the last things that happens in a ransomware incident. Before the binary executes, the attacker has already been inside the environment for hours, days, or longer. They have accessed the network, scanned it, identified credential stores, dumped credentials, moved laterally to the systems they need, and confirmed that the environment is ready. By the time the ransomware binary appears, the investigation is largely over. The question is only whether containment happened before or after encryption.

One case illustrates this clearly. We identified suspicious Advanced IP Scanner activity running from a temporary user directory. That observation, on its own, looks like noise. Legitimate network administrators use Advanced IP Scanner regularly, and the process is not inherently suspicious. But the SOC team had investigated several ransomware incidents that started with this exact combination: VPN access to the environment, then internal scanning with a tool running from an anomalous path. We had seen where that sequence goes.

The full Akira ransomware progression, across multiple mid-sized enterprise environments in different industries, followed the same chain:

  1. VPN access
  2. Internal scanning
  3. Remote registry activity (querying credential-related areas of the registry remotely, which can happen in legitimate administration but is also a standard technique in early credential-harvesting stages)
  4. Credential dumping
  5. RDP movement
  6. Ransomware deployment

Six steps. The detection that prevented impact happened at step two, not step six.

Initial access in that case involved exploiting the SonicWall VPN. Based on our findings from prior investigations, we immediately isolated the affected host and advised the customer to disable external VPN access, verify patch status, and reset privileged credentials. No ransomware deployed. The binary never ran because the analyst recognized the progression pattern at the second step rather than the last.

The cross-environment learning that made that early detection possible is not a feature in a product. It is what happens when analysts have investigated the same progression multiple times, across different customers, different industries, different architectures. The pattern becomes recognizable before it completes. We see the same operational learning with newer social engineering techniques, including ClickFix-style attacks (a category of user-tricking techniques that prompt victims to manually execute malicious commands). Delivery methods evolve quickly, but many behavioral patterns repeat. When a new case arrives, the analyst is not starting from zero.

What Signature Coverage Cannot See

Signature coverage and vendor guidance do not move at the same speed as modern attackers. That gap is where behavioral detection earns its keep, and it is also where the “AI replaces analysts” framing most visibly breaks down.

On July 18, 2025, Bitdefender MDR identified suspicious encoded PowerShell activity on an on-premises SharePoint server, attempting to deploy malicious code into the SharePoint web directory. The relevant vulnerabilities, CVE-2025-49706 (an authentication bypass in SharePoint) and CVE-2025-49704 (an insecure deserialization vulnerability enabling remote code execution), had been published by Microsoft on July 8. The CVEs were public. What was not yet widespread was the public acknowledgment that these vulnerabilities were being actively exploited in the wild.

CISA updated its guidance on July 20. Microsoft published “Disrupting active exploitation of on-premises SharePoint vulnerabilities” on July 22. Microsoft’s subsequent analysis attributed the broader exploitation campaign to Linen Typhoon, Violet Typhoon, and Storm-2603. The activity was later named “ToolShell” in public reporting.

The MDR detection on July 18 was not before the vulnerability was disclosed. It was ahead of the active-exploitation wave, before signature coverage and broader vendor guidance had caught up.

That is the relevant window: the gap between CVE publication and the moment the security community broadly acknowledges that real attackers are moving on it. That gap is typically measured in days to weeks. Attackers move inside it. Behavioral detection sometimes catches what signature-based tools cannot see, because behavioral detection operates on evidence that does not require knowing about the specific vulnerability first.

What AI Returns to the Analyst

There is a boundary where AI hands work back to a human. That boundary is defined by two variables: operational impact and uncertainty. When both are low, AI carries the task. When either is high, the task comes back to an analyst. That is not a limitation to be engineered away. It is the correct design.

A case I think about when explaining this involved activity that AI initially classified as likely legitimate administrative behavior. The processes involved were signed Windows binaries. There was no obvious malware execution. On the evidence AI was weighing, the classification was reasonable.

The analyst recognized something different. The activity involved remote registry access to sensitive credential-related areas of the system. That behavior can legitimately occur in administrative workflows. It can also be a standard early step in credential harvesting before ransomware deployment. The question AI could not answer was: does this fit this customer’s normal environment? The analyst had the operational context to recognize that it did not. The case was escalated, the host was isolated, and it was handled as an active credential-access incident.

This is the judgment layer working as designed. AI handled the correlation, the noise reduction, and the initial classification. The analyst made the call that required understanding what the behavior meant in the specific context of that customer and that environment. The future SOC is AI-amplified, not analyst-less. Every step toward autonomy that preserves analyst judgment at the operational-impact boundary is the right step. Every pitch that removes that boundary is the wrong one. 

Which Organizations Benefit Most from AI in the SOC?

The organizations that benefit most from AI in the SOC are the ones that already have strong telemetry coverage, MFA, prevention layers, response capability, and endpoint visibility. AI can operate on reliable context. When the context is reliable, AI accelerates the work and shifts the analyst’s time toward the decisions that matter.

Which Organizations Struggle with AI in the SOC?

The organizations that struggle with AI tooling are the ones that deploy it on top of unresolved visibility gaps: unmanaged systems that do not report telemetry, inconsistent MFA coverage, missing endpoint agents, undefined response authority. AI does not fill gaps. It processes what is there. When what is there is incomplete, AI processes the incomplete picture faster, and the analyst makes decisions based on a distorted view of the environment.

Is AI Benefiting Attackers or Defenders?

Are cyber defenders or threat actors benefiting more from AI? This is an open question, and the jury is out. The 2026 Bitdefender Cybersecurity Assessment surveyed 1,200 IT and cybersecurity professionals in six countries about their views, and 52.6% said “AI is helping attackers more than defenders.” One thing we can say for certain now: operational tempos are accelerating on both sides.

The structural edge for defenders in an MDR model is not compute superiority or model quality. It is that MDR teams investigate attacks across many environments simultaneously, and that learning compounds. When we see a new progression pattern across customer A, it changes how we interpret early signals in customer B’s environment the following week. That operational memory is what enables early detection at step two rather than step six. AI accelerates the accumulation and retrieval of that pattern knowledge. It does not replace the knowledge itself.

The AI SOC pitch, taken literally, is a description of an environment where the foundations are already solved: complete telemetry, strong prevention, consistent identity controls, well-scoped response authority. In that environment, AI does accelerate and amplify. The mistake is assuming the pitch describes where most organizations currently are, rather than where they need to get to first.

The Akira progression gets harder to complete when prevention layers compress the attacker’s early window. Good telemetry means both the analyst and the AI are working from a complete picture. MFA and identity controls mean the early steps of that chain are harder to complete before detection. The SOC and the prevention layer are not separate investments competing for the same budget. The SOC multiplies what the prevention layer has built.

The May 21 panel discussion pulled on the two threads this piece relies on: prevention-first architecture and what an AI-enabled SOC can and cannot do. I made the SOC case there alongside Bitdefender Labs and the Bitdefender Red Team. Same incidents, three vantage points, recorded in full. The on-demand recording here: The Lab, the SOC, the Red Team: Why Prevention Still Wins

Screenshot 2026-07-01 160602