Technology Reseller v86

Too much information

New report highlights the dangers of alert overload, and why SOC leaders are embracing AI to tackle it

SOCs no longer struggle with visibility; they are buried in it. That is the unambiguous conclusion of the inaugural State of AI in SecOps 2025 Survey Report from Prophet Security. On July 29, Prophet announced that it had raised $30 million to launch and expand its agentic AI SOC platform, Prophet AI, in a Series A funding round led by Accel, with participation from Bain Capital Ventures and other strategic investors.

Its 30-page report, based on a survey of 300 CISOs, SOC leaders and SOC analysts/engineers at organisations with more than 1,000 employees, shows the extent to which SOCs are struggling to cope with a surfeit of alerts generated by a multitude of security tools. On average, organisations run 17 security tools generating 960 alerts a day, 40% of which are never investigated.

Grant Oviatt, Prophet Security Co-founder and Head of Security Operations, said: “Imagine logging in each morning to find a thousand new emails, some urgent, some easily replied to and some clearly spam, but all demanding our time and attention. Most of us sort, filter, prioritise and still miss a few important messages. That’s a similar reality for SOC teams, where analysts are overwhelmed with security alerts that need investigation, leading to fatigue and eventually missed detections.”

The report warns that even when alerts are investigated, doing so often takes longer than an attacker needs to turn a foothold into a breach. CrowdStrike’s 2025 Global Threat Report puts the average eCrime breakout time, from initial access to lateral movement, at 48 minutes. Prophet’s research finds that it takes an average of 56 minutes for an alert to be picked up for review after a detection tool raises it (alert dwell time) and 70 minutes for a security team to investigate an alert thoroughly (mean time to investigate). Either figure alone exceeds that breakout window.
One response to alert overload and the burden it places on stretched resources is to cut the number of alerts received by disabling, or never enabling, certain detection rules. Despite the loss of threat visibility this entails, more than half (57%) of the organisations surveyed by Prophet admitted to suppressing detection rules to reduce their triage and investigation workload. Given such a high volume of alerts and the questionable coping mechanisms of under-resourced, overworked SOC teams, it is not surprising that the top three SOC challenges identified by respondents were triage and investigation taking too long (cited by 36%), gaps in 24/7 SOC coverage (32%) and analyst burnout and/or turnover (31%).

An AI future

Another response to these challenges, already adopted by 55% of organisations, is to use AI to augment security operations. The most popular applications are alert triage and investigation (cited by 67% of respondents), detection engineering and tuning to refine detection rules and reduce false positives (67%) and proactive threat hunting (64%), all of which are key capabilities of the Prophet AI platform.

Filip Stojkovski, Founder & Lead Researcher at SecOps Unpacked, says that by carrying out repetitive, tedious tasks in a fraction of the time taken by humans, AI has a big role to play in the future of SecOps, not least by freeing analysts to focus on high-value work. He said: “The AI SOC transformation wave is no longer a vision, it’s happening now. This report puts hard numbers behind what many of us in the field already see: the alert problem has reached breaking point, and AI is being applied first where it matters most, in alert triage, investigation and detection engineering. These aren’t nice-to-have features; they’re the only way for teams to keep up.
If AI helps reduce the noise and gives analysts back time, that’s the shift that matters.”

https://www.prophetsecurity.ai/ai-soc-adoption-trends

automation and run a full SOC case management end to end for any issue that comes in, from understanding what it is in real time to actual remediation? This is what Torq does. And that’s why we’ve been growing like wildfire.”

Gulfaraz suggests that the priority now is not more visibility but how fast you can detect something and how quickly you can respond to it, whatever technology stack you have. “You can have a dependency on CrowdStrike. You can have a dependency on SentinelOne. You can have a dependency on anything, but if it’s not talking to your organisation and the people that are able to take action, it really doesn’t mean anything,” he said.

Personalisation at speed

Gulfaraz adds that as well as resolving problems much more quickly, Torq expands the relationship an MSSP can have with its customers by enabling it to suggest ideas that can be rolled out in a matter of minutes, making it much more of a strategic partner.

As an example of what this might mean in practice, Smith cites the efficiencies Kyocera itself has brought to the handling of alerts raised when a member of staff travels abroad with a company smartphone, tablet and/or laptop and neglects to register that they will be logging on from a different region. “When that person logs on in Germany, the SOC is flooded with alerts because their mobile phone, their laptop, their watch are all logging in. Someone consolidates those alerts, has a look on the HR system, but there’s no record of them being abroad because they didn’t register to travel. The next step is to see whether the telemetry on their device reveals where the device is. We’re 20 minutes in now. Next, you’ll have to message the person to find out where they are and, after they’ve apologised for not registering, clear all those alerts down. Or maybe not.
If it turns out they are travelling but not in Germany, you’ll have to revoke all their sessions, change their passwords, reset their MFA,” he explained.

“When we started to look at this scenario, it was obvious that every company does things slightly differently. If you run a SOC or provide that service to customers, you want a one-size-fits-all approach, otherwise your costs explode, but you can’t fit into every business process. What Torq enables us to do in just 5-10 minutes is build that workflow utilising AI and offer that personalised approach to the customer. Instantly, our AI agent within our SOC is communicating with the individual concerned, finding out where they are and either closing down all of the alerts or revoking all of their sessions, disabling their account and getting a highly skilled SOC agent to analyse what’s going on.

“We started out with that proof of concept with Torq and built that workflow, integrated into our Azure AD, our HR system and our SOC, within 15 minutes. We believe that ability to tailor our service to our customers’ needs is a differentiator.”

Smith added: “Partnering with Kyocera Cyber means customers can choose what works best for them, whether that means fully outsourcing to our M-SOC or adopting a blend of managed security services to extend their coverage. Joining forces with Torq is key to this, as their platform helps ensure our proprietary architecture is best equipped to offer peace of mind to customers. We look forward to seeing the new brand grow, alongside our collaboration with Torq.”

https://kyoceracyber.com/
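The travel-alert workflow Smith describes, written out as an added example in Python. This is illustration code for this page, not Kyocera Cyber's or Torq's own workflow: it consolidates the burst of per-device sign-in alerts into one case per user, checks a stand-in HR travel register, checks device telemetry, asks the user where they are, and then either closes the alerts or returns the containment steps (revoke sessions, reset password and MFA, disable the account, escalate to an analyst). The Alert and Decision records, the sample alerts and the HR and telemetry lookup tables are all constructed assumptions; a real workflow would pull them from the identity provider, the HR system and the EDR. It also goes one step beyond the article by containing immediately when a single burst of sign-ins comes from more than one country, since no traveller's devices can be in two places at once.

```python
"""Automated triage of 'sign-in from a new country' alerts.

Added example for this page, not Kyocera Cyber's or Torq's code. Models the
steps the article describes: consolidate per-device alerts, check the HR
travel register, check device telemetry, ask the user, then close or contain.
All field names, sample alerts and lookup tables are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Remediation the article lists when the user is not where the sign-ins are.
CONTAINMENT_STEPS = ["revoke all sessions", "reset password", "reset MFA",
                     "disable account", "escalate to SOC analyst"]


@dataclass(frozen=True)
class Alert:
    alert_id: str
    user: str
    device: str
    signin_country: str  # country code reported by the identity provider


@dataclass
class Decision:
    user: str
    alert_ids: List[str]
    action: str           # "close", "ask_user" or "contain"
    reason: str
    steps: List[str] = field(default_factory=list)


# Constructed sample data (assumed schema, not real records).
ALERTS = [
    Alert("A1", "alice", "alice-laptop", "DE"),
    Alert("A2", "alice", "alice-phone", "DE"),
    Alert("A3", "alice", "alice-watch", "DE"),
    Alert("A4", "bob", "bob-laptop", "FR"),
    Alert("A5", "bob", "bob-phone", "FR"),
    Alert("A6", "carol", "carol-laptop", "DE"),
]
HR_TRAVEL = {"alice": "DE"}          # user -> country registered with HR
TELEMETRY = {                        # device -> country the device itself reports
    "alice-laptop": "DE", "alice-phone": "DE", "alice-watch": "DE",
    "bob-laptop": "FR", "bob-phone": "FR",
    "carol-laptop": "GB",            # carol's laptop is at home, yet her account signed in from DE
}


def consolidate(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Collapse the flood of per-device alerts into one case per user."""
    cases: Dict[str, List[Alert]] = defaultdict(list)
    for alert in alerts:
        cases[alert.user].append(alert)
    return dict(cases)


def triage_user(user: str, alerts: List[Alert], hr_travel: Dict[str, str],
                telemetry: Dict[str, str], user_reply: Optional[str] = None) -> Decision:
    """Run the checks in the article's order and return one decision for the case.

    user_reply is the country the user says they are in when messaged; None means
    they have not been asked, or have not answered, yet.
    """
    ids = sorted(a.alert_id for a in alerts)
    countries = {a.signin_country for a in alerts}
    if len(countries) > 1:
        # One person's devices cannot be in two countries at once: contain without asking.
        return Decision(user, ids, "contain",
                        f"one burst of sign-ins from several countries: {sorted(countries)}",
                        list(CONTAINMENT_STEPS))
    country = next(iter(countries))

    # Step 1: HR travel register. A registered trip explains the whole burst.
    if hr_travel.get(user) == country:
        return Decision(user, ids, "close", f"HR register shows travel to {country}")

    # Step 2: device telemetry. Do the devices themselves report that location?
    device_countries = {telemetry.get(a.device, "unknown") for a in alerts}
    telemetry_agrees = device_countries == {country}

    # Step 3: ask the user. Until they answer, the case stays open.
    if user_reply is None:
        return Decision(user, ids, "ask_user",
                        f"no registered travel; telemetry {'agrees' if telemetry_agrees else 'disagrees'}",
                        ["message user for current location"])

    if user_reply == country and telemetry_agrees:
        return Decision(user, ids, "close", f"user confirmed unregistered travel to {country}")

    # User is travelling but not where the sign-ins are, or the devices contradict them: contain.
    return Decision(user, ids, "contain",
                    f"sign-ins from {country}, user reports {user_reply}, "
                    f"device telemetry {sorted(device_countries)}",
                    list(CONTAINMENT_STEPS))


def run(alerts: List[Alert], hr_travel: Dict[str, str], telemetry: Dict[str, str],
        replies: Optional[Dict[str, str]] = None) -> Dict[str, Decision]:
    """Triage every user's case; replies maps user -> country they answered with."""
    replies = replies or {}
    return {user: triage_user(user, case, hr_travel, telemetry, replies.get(user))
            for user, case in consolidate(alerts).items()}


if __name__ == "__main__":
    for d in run(ALERTS, HR_TRAVEL, TELEMETRY, {"bob": "FR", "carol": "DE"}).values():
        print(d.user, d.action, "-", d.reason, d.steps)
```

With the constructed data, alice closes on the HR check alone, bob is asked and closes once he confirms France, and carol is contained even though she answers "Germany", because her laptop's own telemetry says it is in the UK; a user's reply is treated as corroboration, not as proof, which is the point of keeping the telemetry check in the chain.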
