Shadow AI: Your Employees Are Deploying AI Agents You Don’t Know About

The next shadow IT crisis is already here. It runs on API keys, not VPNs. Remember when employees started spinning up their own AWS instances because IT took six weeks to provision a server? That was shadow IT. We spent a decade building policies, approval workflows, and detection tooling around it. Then we mostly got […]

From alert processor to AI supervisor: the new SOC career path

A friend of mine runs a 12-person SOC at a financial services firm in Dubai. Last year he promoted his best Tier-1 analyst to a role that didn’t exist six months earlier. The title on the offer letter was “SOC AI Operations Lead.” The salary was 40% higher than her previous role. Her job, roughly, […]

82:1 — when machine identities outnumber your humans, who’s watching the machines?

CyberArk published a number last year that I keep coming back to. In the average organization, there are 82 machine identities for every human. Eighty-two. Service accounts, API keys, OAuth tokens, workload identities, certificates, bot accounts, CI/CD pipeline credentials. For every employee who logs in with a password and passes MFA, there are 82 non-human […]

How embedding-based case similarity finds threats that rules miss

Every SOC has a folder somewhere. A shared drive, a Confluence page, a Notion workspace, a senior analyst’s brain. It’s full of incidents from the last two years. Phishing campaigns that almost worked. The week somebody’s service account started behaving strangely on a Thursday afternoon. The lateral movement attempt that got caught by an alert […]

Why your best Tier-1 analyst is about to become your best agent engineer

Your best Tier-1 analyst is the one who already knows things the AI doesn’t. She knows that the encoded PowerShell alert that fires every Tuesday at 2:14 AM on the backup server is a scheduled job that’s been running for seven months. She knows that the marketing team’s VPN connects from a different country every […]

Identity is the new perimeter, and your SOAR platform doesn’t know it yet

Last quarter, Expel published their annual threat report. The number that stuck with me: 68.6% of the incidents their SOC handled in 2025 were identity-based attacks. Not malware. Not exploits. Not zero-days. Stolen credentials, hijacked sessions, OAuth abuse, and MFA bypass. More than two-thirds of all incidents started with somebody using a valid identity to […]

4,000 alerts a day: why the math stopped working for human SOCs

I want to run some numbers with you. Not the vendor numbers, the ones that show up in slide decks with green arrows and percentage signs. The actual math. The kind you do on the back of a napkin when you’re trying to figure out why your team is drowning and your budget request keeps […]

What happens when your AI SOC makes a wrong call at 3 AM?

Nobody talks about this part. The vendor demo showed the AI triaging a phishing alert in 30 seconds. Clean verdict. MITRE mapping. Suggested containment. The room was impressed. Procurement moved forward. Six weeks later, at 3:14 AM on a Tuesday, the AI flagged a legitimate email from your CFO’s travel agent as a credential harvester, […]
