
AI-speed attacks expose three hidden taxes that many SOCs still pay: visibility, tooling, and talent. This is what modern defense will need to look like, and soon.
I’ve been having numerous conversations with security leaders across the many industries and verticals we serve. Different companies, different tech stacks, different threat profiles, but the same underlying challenge: the plans built twelve months ago no longer keep pace with what’s happening now.
I’ve been calling this the great compression when talking with peers. The time “we” used to have, say 24 to 48 hours to mitigate or remediate a newly disclosed vulnerability or threat, has collapsed: minutes instead of hours, hours instead of days, a week instead of months. AI didn’t introduce a new category of threat. It compressed the time and the exposure window for every category.
That compression forces me and other security leaders into a difficult question: not whether the team is good, but whether human-speed operations can survive machine-speed attacks. For most organizations, the honest answer is no. The reason isn’t a lack of effort, talent, or strategy. It’s that the compression has exposed three hidden taxes most security operations were never built to pay.
The visibility tax: you can’t disrupt what you can’t see
The first tax is the cost of incomplete or shallow telemetry.
Most security teams are stuck in an impossible position on data. Send everything to the SIEM and watch ingestion costs skyrocket. Send less and risk missing the signals that indicate a real problem. Either choice adds risk.
Our partners at Palo Alto Networks describe this well. Kasey Cross, Director of Product Marketing for XSIAM, has written about it directly: “The clock starts ticking as soon as a zero-day vulnerability is disclosed.” Her article notes that threat actors now begin scanning for exposures within 15 minutes of a zero-day disclosure, a pace human-led security teams struggle to match. Frontier AI isn’t just a tool that accelerates exploitation. It accelerates every stage of the kill chain, from weaponization and delivery through exploitation and installation, command and control, and ultimately actions on the objective. The defender’s window to detect and disrupt an attacker before the objective is reached is now measured in minutes. If your detection logic is still built around known signatures or static rules, you’re behind.
There are two sides to this. The first is real-time detection. AI-driven analytics need rich data across assets, networks, identities, data stores, and cloud services to find what humans and rules-based systems miss.
The second is retroactive investigation. When a new vulnerability is disclosed, the question is: have we already seen its indicators of compromise (IOCs)? Answering that means going back in time across the environment, using telemetry that records the sources, processes, connections, and files that were touched. If retention is only a few days, or the telemetry never captured those fields, the question cannot be answered, and a clean search result proves nothing.
The solution isn’t more data. It’s the right data, in the right format, at the right time, and in the right amount, to support both real-time detection and retroactive hunting. At a minimum we recommend thirty days of enriched telemetry. Without it, no platform can deliver on its potential.
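The retroactive hunt described above, as an added example that is not part of the original post or of any vendor product: it runs an IOC sheet over a small store of constructed telemetry, applies a retention window, and distinguishes a genuine miss from two results that only look like one, a window the retention no longer covers and a field the telemetry never recorded. The event schema, host names, hashes, addresses and the `hunt`/`pivot` helpers are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data); field names are assumptions
# for this example, not any vendor's schema. Timestamps are relative to NOW
# so the retention arithmetic is easy to follow.
NOW = datetime(2025, 3, 20, 12, 0, tzinfo=timezone.utc)
TELEMETRY = [
    # Process start on a workstation: a binary in Temp spawned by Outlook.
    {"ts": NOW - timedelta(days=2, hours=3), "host": "ws-014", "kind": "process",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "sha256": "a" * 64, "parent": "outlook.exe"},
    # One minute later the same host opens an outbound connection.
    {"ts": NOW - timedelta(days=2, hours=2, minutes=59), "host": "ws-014",
     "kind": "network", "dst_ip": "203.0.113.77", "dst_port": 443,
     "process": "svchost.exe"},
    # A file write on a server twelve days ago.
    {"ts": NOW - timedelta(days=12), "host": "srv-db-02", "kind": "file",
     "path": "/var/tmp/.x/loader.so", "sha256": "b" * 64},
    # Ordinary browsing traffic, for contrast.
    {"ts": NOW - timedelta(hours=5), "host": "ws-101", "kind": "network",
     "dst_ip": "198.51.100.9", "dst_port": 80, "process": "chrome.exe"},
]

# IOC sheet for a hypothetical advisory (placeholder values). Each entry names
# the telemetry field it has to be matched against.
IOCS = [
    {"ioc": "a" * 64, "field": "sha256", "label": "dropper hash"},
    {"ioc": "b" * 64, "field": "sha256", "label": "loader hash"},
    {"ioc": "203.0.113.77", "field": "dst_ip", "label": "C2 address"},
    {"ioc": "198.51.100.250", "field": "dst_ip", "label": "secondary C2 address"},
    {"ioc": "evil.example", "field": "dst_domain", "label": "C2 domain"},
]

# Start of the window we must be able to answer for. Usually the disclosure
# time; earlier if the bug was exploited as a zero-day before disclosure.
EXPOSURE_START = NOW - timedelta(days=20)


def hunt(telemetry, iocs, exposure_start, retention_days, now=NOW):
    """Search retained telemetry for each IOC back to exposure_start.

    Returns {label: {"status": ..., "hits": [...]}} where status is one of:
      "hit"            at least one retained event in the window matched
      "no_hit"         the whole window was retained and nothing matched
      "partial"        retention starts after exposure_start, so a clean
                       result says nothing about the earlier part of the window
      "no_visibility"  no retained event records the field the IOC must be
                       matched against, so the question is unanswerable
    """
    retention_cutoff = now - timedelta(days=retention_days)
    retained = [e for e in telemetry if e["ts"] >= retention_cutoff]
    results = {}
    for ioc in iocs:
        field = ioc["field"]
        if not any(field in e for e in retained):
            results[ioc["label"]] = {"status": "no_visibility", "hits": []}
            continue
        hits = [e for e in retained
                if e.get(field) == ioc["ioc"] and e["ts"] >= exposure_start]
        if hits:
            status = "hit"
        elif retention_cutoff > exposure_start:
            status = "partial"
        else:
            status = "no_hit"
        results[ioc["label"]] = {"status": status, "hits": hits}
    return results


def pivot(telemetry, hit, window=timedelta(minutes=5)):
    """Other events on the same host within +/- window of a hit, so a hash
    match can be tied to the process and network activity around it."""
    return [e for e in telemetry
            if e is not hit and e["host"] == hit["host"]
            and abs(e["ts"] - hit["ts"]) <= window]


if __name__ == "__main__":
    for days in (30, 7):
        print(f"retention {days}d:")
        for label, r in hunt(TELEMETRY, IOCS, EXPOSURE_START, days).items():
            print(f"  {label:22} {r['status']}")
            for h in r["hits"]:
                for e in pivot(TELEMETRY, h):
                    print(f"    {h['host']}: {h['kind']} -> {e['kind']} {e}")
```

With thirty days of retention every IOC is answered one way or the other, and the dropper hash pivots to the outbound connection a minute later on the same host. Drop retention to seven days and the loader hash and the secondary C2 address come back `partial`: nothing matched, but the search never reached the early part of the exposure window, which is the distinction a hunt report has to make rather than quietly reporting "clean". The domain IOC is `no_visibility` under both settings because no event records a destination domain at all.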
The tooling tax: 47 products don’t equal coverage
The second tax is the cost of complexity disguised as coverage.
Some enterprises run more than 100 different security products. Each was purchased to solve a real problem and reduce business risk. The result, unfortunately, is fragmented data sources, integration and support debt, and a greater chance of gaps in the picture of what is really happening. Detection signals that need to be correlated across assets, networks, identities, data, and cloud are missed at the seams between tools, and attackers now have better tooling to exploit exactly those seams.
Proper, intentional platform consolidation isn’t a vendor preference; it’s a prerequisite for AI-speed detection and response. The path from dozens of tools to a consolidated platform is not easy, and it is probably harder than most vendors admit. The transition itself can divert the team’s attention, which is exactly what an attacker hopes for.
The honest answer is that most organizations can’t, and shouldn’t, consolidate on their own. Which brings us to the third tax.
The talent tax: the gap no platform alone solves
When we look at where costs pile up for organizations, talent is the largest expense by a significant margin. A close second is the direct and indirect cost of data, because many of us would love to keep all of it for forensics so we can go back and reconstruct the narrative, and that takes a lot of storage. Two of the three taxes in this article already appear as line items in every CISO’s budget.
The talent tax isn’t solved by hiring more analysts. The cybersecurity talent shortage is well documented and growing more complex. The tax shows up as unfilled roles, burnout, flat mean-time-to-respond metrics, and small gaps that adversaries are increasingly skilled at finding. Most teams are built for business hours and known threats, not autonomous, machine-speed attacks at 6 PM on a Friday.
The answer is to redesign roles, create new ones, and refactor processes. Two years ago my team and I concluded that the only way to fight AI is with AI, and we took that seriously. We used it in two ways. The first was analyzing signals, telemetry, events, and alerts across our tooling to quickly correlate and enrich alerts and perform initial triage. The second was using AI to build and improve our SOAR playbooks, adding mitigation steps.
We’ve operated that way inside our SOC for roughly two years. The shift didn’t replace analysts; it changed what they spend their time on. The team stopped doing the work AI is good at and started doing the work that requires human judgment.
For many organizations, building that in-house isn’t feasible. That’s where a managed services layer becomes the operational answer.
What does modern defense look like?
Modern security operations require three things working together: a unified platform that delivers the necessary visibility and AI-enhanced analytics across the environment; detection and mitigation that runs at machine speed; and a managed services layer that closes the gaps by having experienced humans operate the platform 24×7.
The Cortex platform gives us the foundation for a modern security operation; CBTS Managed SOC delivers the operational layer on top of it. Together we defend at AI speed without you having to build, staff, and run an AI-speed operation yourself.
A few things about how we run this practice matter, and I’d encourage any security leader to evaluate them when they’re looking at a managed SOC partner.
The first is portfolio depth. We work with customers across healthcare, financial services, transportation, critical infrastructure, and education. What works in healthcare may not work in finance, and we turn that contrast into guidance for our customers. We don’t just tell them what we’ve seen work; we advise on what doesn’t, which is often more valuable. That depth is built by operating a SOC across tens of thousands of incidents in dozens of verticals, and it’s not something a single-environment team can replicate.
The second is platform fluency. CBTS operates a Palo Alto Networks-vetted SOC practice with deep Cortex expertise, including specializations and accreditations earned through the NextWave program. The credentials matter less than what they represent: a SOC and engineering team validated against the platform running underneath it, with analysts who know the system from production, not just from training. It also means our analysts operate the same Cortex deployment that runs in your environment.
The third is threat intelligence at real speed. We participate in briefings with law enforcement, trusted cyber partners, and government entities. Those relationships are invaluable, and the trust built there helps us help you. Compliance frameworks are valuable and provide response guidelines, but guidelines alone are not sufficient today. Real conversations, intel, and insights have let us hit targets in hours and minutes, not days. That’s how we all need to operate, and it’s how our Security Operations team operates.
What this means for your security operations
The combination of an AI-driven platform and a vetted managed SOC changes the metrics you bring to board discussions.
- A faster path to ROI than most security investments. A 257% ROI with a payback period under six months, according to a Forrester Total Economic Impact™ study commissioned by Palo Alto Networks.
- Lower total cost of operations. Customers report 73% cost savings in their security operations, often by replacing expensive senior analyst hires with early-career talent who operate an AI-driven platform.
- Detection and response accuracy at machine speed. Behavioral analytics correlate signals across endpoints, networks, identities, data, and cloud in real time, reducing the time to detect and respond to evolving tactics and techniques.
- Coverage that watches even at 3 AM on a Saturday. A managed services layer handles the hours your team isn’t built for, with analysts who already operate the platform in production every day.
The window is closing
The great compression is here. The window to detect and disrupt attackers is shrinking from days to hours, and from hours to minutes. The AI capabilities that make this possible aren’t theory anymore; attackers are using them today.
You don’t have to build the answer from scratch. The platform exists. The operational layer is in place. The only decision left is whether you keep paying the three hidden taxes.
If this perspective resonated, we’d love to keep the conversation going. Whether you want to receive our latest thinking on enterprise security or talk through what this means for your business specifically, our team is ready when you are. Fill out the form below to book a 1:1 consultation with us.