82:1 — when machine identities outnumber your humans, who’s watching the machines?

CyberArk published a number last year that I keep coming back to. In the average organization, there are 82 machine identities for every human. Eighty-two. Service accounts, API keys, OAuth tokens, workload identities, certificates, bot accounts, CI/CD pipeline credentials. For every employee who logs in with a password and passes MFA, there are 82 non-human […]
How embedding-based case similarity finds threats that rules miss

Every SOC has a folder somewhere. A shared drive, a Confluence page, a Notion workspace, a senior analyst’s brain. It’s full of incidents from the last two years. Phishing campaigns that almost worked. The week somebody’s service account started behaving strangely on a Thursday afternoon. The lateral movement attempt that got caught by an alert […]
Why your best Tier-1 analyst is about to become your best agent engineer

Your best Tier-1 analyst is the one who already knows things the AI doesn’t. She knows that the encoded PowerShell alert that fires every Tuesday at 2:14 AM on the backup server is a scheduled job that’s been running for seven months. She knows that the marketing team’s VPN connects from a different country every […]
Identity is the new perimeter, and your SOAR platform doesn’t know it yet

Last quarter, Expel published their annual threat report. The number that stuck with me: 68.6% of the incidents their SOC handled in 2025 were identity-based attacks. Not malware. Not exploits. Not zero-days. Stolen credentials, hijacked sessions, OAuth abuse, and MFA bypass. More than two-thirds of all incidents started with somebody using a valid identity to […]
4,000 alerts a day: why the math stopped working for human SOCs

I want to run some numbers with you. Not the vendor numbers, the ones that show up in slide decks with green arrows and percentage signs. The actual math. The kind you do on the back of a napkin when you’re trying to figure out why your team is drowning and your budget request keeps […]
Why noise reduction needs three layers (and why a single severity score will never get you there)

There’s a moment every SOC analyst hits sometime in their first month or two on the job. It usually happens around eleven on a Tuesday morning, when the coffee has worn off and the queue hasn’t gotten any shorter. You realize the alert you just closed as a false positive is the same one you […]
The SOC analyst of 2027 doesn’t triage alerts. Here’s what they do instead.

I had a conversation last month with a Tier-1 analyst who’d been in the job for about 18 months. Smart kid, good instincts. He asked me, half-joking, whether he should start learning to code because “the AI is going to take my chair.” I told him his chair was fine. But it’s going to be […]
What happens when your AI SOC makes a wrong call at 3 AM?

Nobody talks about this part. The vendor demo showed the AI triaging a phishing alert in 30 seconds. Clean verdict. MITRE mapping. Suggested containment. The room was impressed. Procurement moved forward. Six weeks later, at 3:14 AM on a Tuesday, the AI flagged a legitimate email from your CFO’s travel agent as a credential harvester, […]
The Explainability Gap: Why Most SOC Teams Cannot Explain an AI Security Decision

Your AI security platform just closed an alert autonomously. Your auditor wants to know how. What do you show them? In conversations with security teams across industries, one question comes up more often than almost any other. Not ‘does the AI work?’ Not ‘how fast is it?’ The question is this: if the AI makes […]
SOAR vs SIEM: What Is the Difference and Does Your SOC Need Both?

Most security teams have one. Many have the other. Very few can explain clearly what each one actually does — or why the question of whether you need both has a different answer depending on who you ask. Walk into most SOC conversations and you will hear both terms within the first ten minutes. SIEM […]