Defending at Machine Speed: Rethinking Security Operations in the AI Era

by Craig Fretwell, Senior Manager, IT Security, Rackspace Technology


Cyberattacks now move at machine speed. This blog explores how AI reduces investigative friction, improves SOC response consistency and helps you defend before exposure occurs.

Not in a hypothetical sense. In practical terms, an adversary may already be inside an environment, moving quietly without detection. The clock is already running. The window is open. The question is how much time remains before anyone starts paying attention.

This is the pressure modern security operations teams manage every day. Not the breach at the moment of entry. Not the alert that fires when a rule trips. 

The response, the investigation, the judgment call made under time pressure with incomplete information. 

That is where outcomes are determined. And as the threat landscape accelerates, the margin for getting it wrong is shrinking faster than most organizations have adapted to.

AI sits at the center of that acceleration, on both sides of it. The risk environment is changing in ways that are no longer theoretical, and the security organizations that understand what that actually demands of them operationally are the ones pulling ahead. What is harder to find is a clear-eyed answer to what that means in practice, and what to do about it without chasing capability for its own sake or building dependencies that introduce new fragility.

Mean time to exposure and why it changes everything

Most breach narratives focus on the wrong moment.

The entry point matters, certainly. But the entry is not where organizations succeed or fail under pressure. That happens in the gap between compromise and consequence, the period between the moment an adversary gains access and the moment that access produces real, measurable harm.

That gap has a name worth using: Mean Time to Exposure, or MTTE. Not to be confused with how long it takes to detect a breach, MTTE is specifically the time between initial compromise and the point at which the damage becomes real and visible to the world. Before stolen data surfaces on a leak site. Before a regulator is notified not by you, but by a journalist who got there first.

That window was once significant.

Just six years ago, Mandiant research placed global median dwell time at around 78 days. That was enough operational runway to detect, investigate, contain, and manage the narrative before consequences became permanent.

That window has already compressed. 

Today the global median sits at around ten days. For ransomware incidents it can be as low as five.

The board that thought it had weeks to manage disclosure no longer has them. The legal team preparing a notification strategy finds the data already in circulation before any filing is made.

Every response playbook built on the assumption of meaningful dwell time becomes a liability the moment that assumption breaks.

A 78-day MTTE becoming a ten-day MTTE is not a hypothetical. It has already happened. And it is a shift that immediately resonates with any executive who has ever sat in a breach response call wondering how much had already left the building before anyone noticed.

What adversaries are actually doing with AI

Here is where most security conversations go wrong.

The instinct, when facing a threat that appears to be accelerating, is to reach for the most compelling explanation. AI-powered attacks. Automated adversary tooling. Machine-speed intrusions. These narratives are everywhere right now, and the honest answer is that some of them are very real, and more specific than most people realize.

We cannot always see directly inside an adversary’s toolkit. 

What we can do is observe the tactics, techniques, and patterns that surface in observability data, and what those patterns increasingly suggest is that AI is enabling a level of precision and speed that changes the nature of the threat. It goes well beyond automation.

Consider what becomes possible when AI is applied to stolen data. Tools configured with the right prompts could detect fear, embarrassment, or deception within internal communications. 

They could extract names, roles, and organizational structure in seconds. They could map relationships and surface the conversations that carry the most leverage, a CEO discussing a sensitive acquisition, a private exchange between a CIO and a whistleblower about unethical practices.

What that produces is not just stolen data. It is targeted intelligence. And it turns what might have been a straightforward ransomware event into a psychologically precise extortion campaign aimed directly at the board, crafted to create maximum pressure with minimum response time. 

The message arrives not as a generic demand, but as something specific and personal, designed to elevate an IT incident into a legal, reputational, and executive crisis before the security team has finished scoping the initial compromise.

That is what compresses MTTE. Not just speed, but precision.

Adversaries no longer need weeks to sift through what they have stolen.

That work can now happen in hours, and that directly shrinks the window defenders have to act before consequences materialize.

Whether every intrusion involves this level of sophistication is beside the point. The capability exists, it is being observed in practice, and defenders cannot know in the moment which scenario they are facing.

That uncertainty itself demands a faster, more consistent investigative response.

What AI actually changes for defenders

1. Volume is the first problem.

Security operations teams are not failing because their analysts are not smart enough. They are failing because the volume of signals, alerts and contextual data exceeds any reasonable human capacity to process at speed.

An analyst in a live investigation is collecting evidence, correlating events across multiple sources and forming a judgment about risk while the clock on MTTE is running. Something has to give. Usually, it’s speed.

2. Friction is the mechanism.

This is the friction AI is designed to remove. Not the judgment. Not the accountability. The collection, correlation and assembly work that sits between an analyst and the moment they can reason about what is happening.

When AI is applied thoughtfully, evidence gets assembled faster. Investigative pathways become clearer before an analyst has to decide. The analyst still makes the decision. Accountability and judgment remain human. What improves is the speed to understanding and the confidence behind the actions that follow.

3. Predictability is the outcome.

In most environments, the quality of an investigation depends on who is running it. A senior analyst with deep institutional knowledge investigates differently than a junior analyst on a weekend shift. That variance is not a character flaw. It is a structural problem.

It means outcomes depend on individual heroics rather than repeatable process.

Every security team has that one person. The analyst who holds everything together, who knows where the bodies are buried and who everyone calls when something goes sideways. That is not a capability. That is a dependency.

AI reduces that dependency by making the best analyst’s knowledge and process available across the team. The result is a more reliable operation, not just on good days but on every shift, across every region and for every customer.

What better actually looks like

All of that operational improvement, faster enrichment, consistent investigation quality, earlier alignment on risk, produces something that matters beyond the SOC floor. 

Capability is the starting point. Outcomes are what prove it is working.

The organizations doing this well can point to three measurable outcomes:

  • “We understood the situation sooner.”
  • “We aligned on risk faster.” 
  • “We acted with greater consistency.”

Those three things are measurable outcomes grounded in how the team performed, not in a story about what the attacker was using.

They hold up under questioning from a CFO, a board or a regulator because they are observable and real.

That is the signal that separates a security organization that has genuinely operationalized AI from one that is still building toward it.

The window is already running

MTTE is compressing. The tools adversaries are using to extract value from what they steal are getting faster and more precise. And the organizations that close the gap between how quickly threats develop and how quickly their teams can respond are the ones that come out of incidents with their reputation, their customers, and their options intact.

That gap closes through better investigative speed, more consistent outcomes across every analyst and every shift, and earlier alignment on what the risk actually is before it has time to grow. 

AI, applied with discipline and clarity of purpose, is what makes that achievable at scale.

The gold standard is a team that understands situations sooner, aligns faster, and acts with consistency that does not depend on who happens to be working that day. 

That is not an aspirational target. 

It is an operational one. And it is exactly what modern security operations, built the right way, delivers.

Learn how modern security teams use Microsoft Sentinel and AI-assisted workflows to reduce investigative friction and respond to threats at machine speed. Download the e-book: Rethinking the SOC for the AI Era.

See how fast your security operations really respond. Request a Microsoft Sentinel Visibility & Resilience Check to evaluate detection coverage, investigation workflows, and response readiness across your environment. 
