Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Anyone who's stood up a SIEM from scratch knows the feeling: weeks of infrastructure work, integration headaches, and a services team alongside for the whole process. That experience shaped how people think about adopting anything new in security ops. The instinct is to treat AI the same way: budget for it, plan for it, bring in specialists. This instinct is costing teams real time. Traditional infrastructure takes great effort to stand up. Infrastructure-as-code happens in seconds.

Security operators often struggle with the escalating friction that naturally occurs in their detection and response (D&R) workflow. Detections fire in one tool. Investigations happen in another. Case tracking lives in a third. For MSSPs managing dozens of client environments, fragmentation compounds quickly. Analyst time bleeds into context-switching. SLAs are hard to track. When something goes wrong, reconstructing what happened across multiple platforms is painful.

Most current demonstrations of AI in security operations are lackluster. You ask a chat interface a question, get a summary, and maybe a suggested next step. The operator still does all the work, at human speed. Meanwhile, adversaries are already deploying AI offensively against their targets. AI in SecOps must ultimately be an operator. Otherwise, the gap between adversary and defender will become too wide to bridge. LimaCharlie Co-founder, Christopher Luft, demonstrates a simple way to get started.

Most AI detection engineering puts a human in the loop at every step. David Burkett envisions an efficient and effective pipeline architecture that does not. David is a security researcher at Corelight Labs and a longtime LimaCharlie community member. He appeared on a recent episode of Defender Fridays to walk through his vision of a fully agentic detection engineering pipeline. His system uses LimaCharlie as its operational backbone.

Detection engineering is fundamentally a translation problem: rules need to be converted between formats, IOCs need to be converted into detection logic, and noisy alerts need to be converted into precise suppressions. That translation work is what consumes analyst time, and it's what Claude Code handles well.

A credential access event fired. An AI agent investigated it, correlated it against running processes, assessed the risk, and closed the ticket. No analyst touched it. The entire loop ran in minutes. This is what security operations look like when AI can actually operate in the environment rather than advise from outside it. Security operations have always required a special kind of person.

Every new customer shouldn't cost you headcount. But with stack diversity, it usually does.

Revisiting a conversation between LimaCharlie co-founder Christopher Luft and Chris Cochran, Field CISO & Vice President of AI Security at SANS Institute, on The Cybersecurity Defenders Podcast. For most of cybersecurity’s history, defenders could operate under a safe assumption: somewhere on the other end of an attack, a human was making decisions. Scripts might automate parts of the kill chain, tools might accelerate execution, but a person was in the loop.

Every MSSP is fielding the same question from clients right now:"Are we safe with AI?" Most are answering with some version of"yes, we're logging everything." In a recent Defender Fridays episode, Saurabh Shintre, Founder and CEO of Realm Labs drew a hard line between these two concepts."You can log prompt and response and this bare minimum you have to do.

Security teams enter an asymmetric battle when adversaries freely use AI to wage attacks. The aggressors are armed with top-tier capabilities. Defenders hesitate to adopt AI they can't see, trust, or control. SecOps teams are drowning in alerts and outpaced by adversaries who are unafraid to automate everything. The solution isn't another dashboard or another AI chatbot offering recommendations.