Rethinking MDR: 60% of Alerts Unreviewed as AI-Driven Threats Surge

In recent years, managed detection and response (MDR) services have been a cornerstone for organizations struggling to maintain robust cybersecurity. Initially, MDR addressed a pressing need: security teams often lacked the resources to monitor threats around the clock. However, as the threat landscape evolves at an unprecedented pace, the limitations of the MDR model are becoming increasingly apparent.

The rise of artificial intelligence (AI) in cyberattacks has transformed the dynamics of threat detection. Attackers now leverage AI to execute sophisticated phishing campaigns, automate reconnaissance, and develop malware that can bypass traditional signature-based detection methods. The attack surface has expanded significantly, encompassing endpoints, cloud environments, identities, and networks. Yet, MDR services continue to operate in a reactive mode, primarily routing alerts to human analysts who prioritize based on severity.

This approach is proving inadequate. Data indicates that a staggering 60% of alerts generated by organizations go unreviewed. This is not merely a failure of performance; it reflects the overwhelming volume of alerts that modern environments produce. Human analysts, whether in-house or outsourced, cannot keep pace, leading to a prioritization of high-severity alerts while lower-severity ones accumulate in the backlog. Unfortunately, this is precisely where attackers often conceal their activities.

MDR’s 24/7 Promise: A False Security

MDR services tout 24/7 human coverage, but what they actually deliver is the capacity to triage high-severity alerts; the remaining roughly 60% are never examined. A recent analysis of 25 million alerts across global enterprises found that nearly 1% of genuine threats surface first as low-severity or informational alerts, the tier most likely to be deprioritized. Applied to an organization generating 450,000 alerts a year, the analysis's rate works out to about 54 real incidents per year, roughly one a week, waiting in the queue nobody reviews.

These breaches are not hypothetical; they are occurring in organizations that believe they have adequate coverage. The implications are severe, as attackers exploit these gaps to execute their strategies undetected.

Variability in Investigation Quality

Even when alerts are reviewed, the quality of investigations can vary significantly. Factors such as the experience of the analyst on duty, the time of day, and the current workload can all impact the thoroughness of an investigation. For instance, a high-priority alert at 3 AM may receive less scrutiny than the same alert during peak hours.

This variability is not a critique of individual analysts but rather a reflection of the challenges inherent in human-driven processes operating under pressure. When investigations lack depth, threats may be misclassified as noise, allowing attackers to move laterally within the network without detection.

The Disconnect in Detection Engineering

In many MDR deployments, detection engineering operates as a periodic exercise rather than an ongoing process. Adjustments to detection rules typically occur only in response to customer complaints about alert volume or following significant vulnerabilities in the news. Consequently, the detection posture can drift over time.

This disconnect is structural: investigation and detection engineering function in silos. What an analyst learns while closing an alert (which rule fires only on benign admin activity, which low-severity rule keeps turning up real intrusions) rarely feeds back into the detection system. Broken rules (one whose log source was retired or whose field names changed) keep silently producing nothing, and new attacker techniques go undetected. The overall detection posture deteriorates faster than it improves, leaving a growing gap in coverage.

Lack of Transparency and Accountability

Most MDR services operate as a black box. Customers receive escalations and summaries but lack visibility into the investigation logic, evidence trails, and the rationale behind verdicts. This opacity poses a significant liability, especially in an era where accountability and transparency are paramount. When incidents are missed, organizations cannot diagnose the root causes, and regulatory inquiries become challenging to address.

The Vendor-Centric Nature of AI Savings

While AI is being employed to enhance operational efficiency in MDR services, the benefits are often not passed on to customers. Providers utilize AI to automate triage processes and reduce the need for human analysts, thereby increasing their profit margins. However, the fundamental coverage gaps remain unchanged, and organizations continue to pay the same or even higher rates without receiving expanded services.

Ownership of Detection Knowledge

Detection rules, triage logic, and investigation insights accumulate within the MDR vendor’s platform throughout the contract. When the contract concludes, this knowledge does not transfer to the organization. Consequently, companies that switch providers must rebuild institutional knowledge, while those seeking to develop internal capabilities find themselves starting from scratch.

This knowledge lock-in is not merely a switching-cost issue; it also hampers organizations’ readiness to adopt AI-driven solutions for their security operations. If foundational knowledge resides within the MDR vendor’s platform, any new AI agent deployed will lack the necessary context to function effectively.

Additional Gaps in MDR Services

Beyond the significant issues outlined, MDR services exhibit several smaller gaps that compound over time. Customers often receive a generic playbook that fails to account for their specific risk profiles or compliance requirements. Integration tools designed to streamline findings into internal workflows have largely fallen short due to the inconsistent outputs generated by human-driven investigations. When real incidents occur, customers frequently find themselves interacting with automated systems rather than knowledgeable personnel.

The Need for a New Operating Model

As we move further into an era dominated by AI-driven attacks, the operational model for cybersecurity must evolve. Attackers are not waiting for alert queues to clear; they are executing campaigns at a speed that outpaces traditional response mechanisms. The need for an investigative approach that examines every alert—regardless of severity—is critical.

An AI-driven Security Operations Center (SOC) can facilitate this shift. By automating the investigative process, organizations can ensure that every alert is triaged and investigated in real time, allowing human analysts to focus on decision-making rather than discovery.

The Advantages of an AI SOC

An AI SOC can process 100% of alerts, covering endpoints, identities, cloud environments, networks and more, automatically, so that low-severity alerts receive the same scrutiny as high-priority ones. Intezer reports that less than 2% of alerts require human escalation, with over 98% resolved autonomously in under a minute at a 98% accuracy rate. One caveat when reading such figures: on alert data, where confirmed threats are a tiny minority, raw accuracy is dominated by correctly dismissed noise, so the number to ask a vendor for is the false-negative rate on confirmed incidents.

Speed and accuracy figures are only meaningful if the investigation behind each verdict has forensic depth. Genuine inquiry must go beyond surface-level assessments to uncover the true nature of threats, especially those designed to evade detection.

The Importance of Closed-Loop Detection Engineering

A true AI SOC benefits from a closed-loop system between investigation and detection. Each investigation provides valuable insights that can enhance detection quality, allowing for continuous improvement without waiting for annual audits or customer complaints. This dynamic approach ensures that detection capabilities evolve in tandem with emerging threats.
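The feedback loop described here, and the earlier point that confirmed threats hide among low-severity alerts, can be made concrete. The following is an added example, not code from the article or from any MDR or AI SOC vendor: investigation verdicts are aggregated per detection rule, and the aggregate drives three kinds of detection-engineering work items. The rule names, severities, verdicts and thresholds are constructed for illustration.

```python
"""Closed-loop detection tuning driven by investigation verdicts.

Added example, not the article's or any vendor's code. Every investigated
alert ends in a verdict tagged with the rule that fired. Aggregating those
verdicts per rule yields the feedback the text describes:
  - "tune":           the rule is mostly false positives;
  - "verify":         a deployed rule fired nothing all window (possibly broken);
  - "raise_severity": a low-severity rule produced confirmed threats, so its
                      alerts must not sit in the deprioritized queue.
Rule names, severities, verdicts and thresholds are constructed/assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class RuleStats:
    fired: int = 0
    true_positive: int = 0
    false_positive: int = 0          # "inconclusive" verdicts count as fired only
    severities: Counter = field(default_factory=Counter)

    @property
    def fp_rate(self) -> float:
        return self.false_positive / self.fired if self.fired else 0.0


def _v(rule, severity, verdict, n=1):
    """Build n identical constructed verdict records."""
    return [{"rule": rule, "severity": severity, "verdict": verdict}] * n


# Constructed: rules currently deployed (assumed names).
DEPLOYED_RULES = {
    "proc-encoded-powershell",   # fires constantly, almost all benign admin scripts
    "auth-impossible-travel",    # healthy
    "dns-long-txt-query",        # rated low, but it is what caught two real beacons
    "smb-admin-share-lateral",   # never fired this window
}

# Constructed: one verdict per investigated alert in the review window.
VERDICTS = (
    _v("proc-encoded-powershell", "high", "false_positive", 9)
    + _v("proc-encoded-powershell", "high", "true_positive")
    + _v("auth-impossible-travel", "high", "true_positive")
    + _v("auth-impossible-travel", "high", "false_positive")
    + _v("auth-impossible-travel", "high", "inconclusive")
    + _v("dns-long-txt-query", "low", "false_positive", 3)
    + _v("dns-long-txt-query", "low", "true_positive", 2)
)


def aggregate(verdicts):
    """Per-rule firing counts, verdict counts and severity distribution."""
    stats = defaultdict(RuleStats)
    for v in verdicts:
        s = stats[v["rule"]]
        s.fired += 1
        s.severities[v["severity"]] += 1
        if v["verdict"] == "true_positive":
            s.true_positive += 1
        elif v["verdict"] == "false_positive":
            s.false_positive += 1
    return dict(stats)


def tuning_actions(stats, deployed_rules, max_fp_rate=0.8, min_fired=3):
    """Turn per-rule stats into detection-engineering work items.

    Thresholds are assumptions: a rule is 'noisy' only once it has fired at
    least min_fired times with a false-positive rate above max_fp_rate, so a
    single bad day does not trigger tuning.
    """
    actions = []
    for rule in sorted(deployed_rules):
        s = stats.get(rule)
        if s is None:
            actions.append((rule, "verify",
                            "no firings in window; check log source, field names and rule logic"))
            continue
        if s.fired >= min_fired and s.fp_rate > max_fp_rate:
            actions.append((rule, "tune",
                            f"false-positive rate {s.fp_rate:.0%} over {s.fired} alerts"))
        # Confirmed threats surfacing only at low/informational severity mean the
        # rule's current rating would leave real incidents in the unreviewed 60%.
        if s.true_positive and set(s.severities) <= {"low", "informational"}:
            actions.append((rule, "raise_severity",
                            f"{s.true_positive} confirmed threat(s) rated "
                            f"{'/'.join(sorted(s.severities))}"))
    return actions


if __name__ == "__main__":
    for rule, action, why in tuning_actions(aggregate(VERDICTS), DEPLOYED_RULES):
        print(f"{action:15} {rule:28} {why}")
```

Run on the constructed verdicts, the loop flags the PowerShell rule for tuning (9 of 10 firings benign), flags the lateral-movement rule for verification because a deployed rule that fires nothing for a whole window is more often broken than quiet, and asks for the DNS rule's severity to be raised because its only confirmed threats were rated low. The healthy impossible-travel rule produces no work item. The same aggregation can run on every closed investigation rather than waiting for an annual review or a customer complaint.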

Pricing Models That Reflect Coverage

The economic model of an AI SOC should align with the coverage it provides. Unlike per-alert pricing, which incentivizes selective alert handling, per-endpoint pricing allows organizations to investigate every alert without incurring additional costs. This shift not only enhances coverage but also improves budget predictability.

Ownership and Control in an AI SOC

Under an AI SOC framework, detection rules, investigation histories, and organizational context belong to the organization, not the vendor. This ensures that if an organization decides to expand its internal capabilities or switch tools, it retains all relevant knowledge and insights.

Transitioning from MDR to AI SOC

Transitioning from an MDR model to an AI SOC does not necessarily require a complete overhaul. Organizations can begin by augmenting their existing MDR services with AI-driven investigations, allowing them to compare the findings and build a case for a full transition at contract renewal.

The Critical Question for Security Leaders

The traditional MDR model was designed for a slower-paced threat landscape, where staffing was the primary challenge. As attackers leverage AI to execute rapid campaigns, security leaders must confront a pressing question: Of the 60% of alerts that go unreviewed, how confident are you that none contain real threats?

For the 450,000-alert organization in Intezer's analysis, that works out to roughly 54 genuine threats a year left in the unreviewed queue, which is reason enough to reevaluate the operating model rather than the staffing level.

The AI SOC does not promise to eliminate all threats, but it addresses the coverage gaps inherent in the MDR model. By ensuring that every alert is investigated with forensic depth, organizations can enhance their security posture in an era where threats are evolving rapidly.

Source: thehackernews.com
