AI use for security analysts

In cybersecurity, AI is both friend and foe. Across industries, security analysts are deploying AI tools to defend against AI-fueled threats. Yet even with both sides of the battle equipped with this powerful technology, adversaries still hold several key advantages: speed, sophistication, and a lower barrier to entry.

“Attackers are shifting from stealth to speed, launching waves of opportunistic attacks with minimal effort. This evolution shows how urgent it is for defenders to harden identity protections and to adapt their detection strategies for this new era of speed attacks.”

— Head of Elastic Security Labs and Director of Threat Research

In this article, we’ll explore how security analysts can help tilt the AI playing field in their favor, despite a rapidly multiplying attack surface.

How AI is changing the cybersecurity landscape

AI is rapidly transforming the cybersecurity landscape. Generative AI threats like social engineering and advanced phishing attacks dominate the threat landscape, with AI weaponization continuing to escalate even further.

According to the Elastic Global Threat Report, generic threats increased by 15.5% in 2025 because of adversaries’ use of large language models (LLMs) to generate low-effort, effective malicious loaders and other tools. AI dramatically lowers the barrier to entry for adversaries, allowing them to more readily:

• Perform automated reconnaissance and exploitation at scale
• Craft convincing and personalized phishing emails (without the usual giveaway typos)
• Perform credential stuffing and automated brute-force login attempts with minimal skill
• Rapidly adapt malware, payloads, and tactics to evade detection and bypass security controls

Instead of stealthy and complex campaigns, today’s cybercriminals prefer to use off-the-shelf malware and automated workflows. Their AI-driven threats are evolving at an accelerated pace, resulting in diverse adversary capabilities. Malware is exploding in volume, variety, and velocity.

Later on in this article, we’ll cover how to adopt AI threat intelligence and recognize AI-powered threats to strengthen security defenses.

AI for quicker, more accurate defenses

AI use cases in the security operations center (SOC) are already rich in opportunity, helping security analysts:

• Cut through alert noise
• Accelerate investigations
• Ingest and analyze larger amounts of custom data
• Automate routine and time-consuming tasks
• Navigate SIEM workflows with suggestions

As impactful as AI-driven threat detection and response and other AI tools are for cyber defense, human oversight continues to be essential. Only skilled security analysts can apply their experience, intuition, and deep contextual understanding to validate AI-generated insights, determine the appropriate responses, and make strategic decisions.

AI is already embedded into many organizations’ security stacks and workflows. In fact, in mid-2025, 53% of surveyed US organizations were already using (or planning to use in the next six months) not just any artificial intelligence, but AI agents for IT and cybersecurity.¹

To approach this new era of accelerated cyber attacks, security teams have to make context-rich decisions within minutes. AI can enhance their ability to make informed decisions efficiently.

Next, we explore AI’s role in a security stack and how to integrate AI into daily workflows.

How AI models make decisions in SOC tools

AI models can classify threats, provide context, and trigger automated actions based on learned patterns. They correlate alerts, reduce false positives, enrich investigations with internal context, generate remediation steps, and automate responses. By learning from vast datasets to identify subtle attack patterns, they can prioritize high-risk incidents for further analyst investigation.

Key decision-making processes

• Alert triage: By analyzing thousands of alerts in real or near real time, machine learning (ML) models correlate them to other system events and prioritize their level of risk based on potential business impact and other risk scoring.
• Rich context: Models aggregate data from SIEM, cloud, network, and endpoints to add context about users and assets. Using retrieval augmented generation (RAG), LLMs can pull relevant data from internal knowledge bases and private data sources for more nuanced and accurate context.
• Behavioral analysis: Unsupervised ML can detect anomalies and potential new threats by finding deviations from normal user or system behavior as they occur.
• Automated investigation: Agentic AI can follow playbooks to perform predefined actions when triggered, including supporting security analysts with step-by-step remediation suggestions, summarizations, and incident documentation.
• Continuous learning: ML models learn from past incidents, improving their accuracy over time.

Here’s what effective AI models do behind the scenes:

• Data ingestion: Data is ingested and processed from a SIEM and EDR/XDR platform.
• AI analysis: Once alerts are ingested, AI can view, track, and analyze them. ML models identify anomalies and correlate and prioritize alerts, while generative AI summarizes and contextualizes.
• Actionable insights: If an attack is discovered, a context-aware AI assistant recommends a remediation action to take.

One of the more exciting aspects of these tools is that they can sit atop an existing security stack, augmenting existing capabilities and helping teams avoid dreaded rip-and-replace overhauls. Elastic AI SOC Engine (EASE), for example, is a serverless security layer that brings AI-driven, context-aware detection and triage into existing SIEM and EDR tools.

AI for SOC efficiency

AI greatly improves SOC efficiency and effectiveness, strengthens defense mechanisms, and helps to cut costs. It can outperform humans in fast, large-scale data analysis and routine security tasks such as alert triage and monitoring, threat detection, and automated responses. A little help goes a long way.

AI is also great at anomaly detection, pattern recognition, data correlation, predictive analysis, and continuous learning and adaptability. With every countered threat, security defenses evolve, and response times become shorter.

Where human intuition is (still) best in cybersecurity

Detecting anomalies and recognizing patterns doesn’t go very far in cybersecurity unless security analysts can come in to make sense of the threat, interpret, and further contextualize AI insights.

Humans have many advantages over AI: creativity, strategic and ethical judgement, contextual insights, organization-grounded understanding. It's the whys. SOC teams excel at creative threat hunting, interpreting vague signals, anticipating and understanding an attacker’s behavior, and adapting defenses beyond the predefined rules and patterns.

Security analysts are the ones making complex decisions about risk, resource allocation, and specific actions to take in complex threat investigations. This means strategic decision-making and human oversight are an essential part of the detection and response lifecycle.

Hype vs. reality: Seeing through hollow AI promises for SOCs

As much as AI is touted as an autonomous solution to overcome analyst burnout, eliminate human errors, and counter AI-powered cyber threats, the world is not there yet.

Here’s the reality:

• Fully autonomous SOCs do not exist.
• AI augments security analysts.
• ML models can’t predict and prevent every single attack before it happens.
• AI security tools make mistakes.
• AI-driven alert triage can return false positives.
• Human oversight and judgment are essential.

Today, AI in the security stack can resolve well-defined, advanced problems as well as support or augment security analysts … but having a human on the loop is essential.

Let’s next explore how to integrate AI into daily security operations.

AI is a crucial tool for modern teams, helping improve efficiency, accuracy, and response speed. AI enables smarter, faster security by empowering analysts, reducing alert fatigue and noise, providing end-to-end visibility, and accelerating threat detection, investigation, and response.

With its numerous benefits, why haven’t all organizations integrated AI into their daily SOC workflows?

Key challenges to integrating AI into daily workflows

• Poor AI outputs due to poor data quality
• Siloed, legacy tools
• Tool sprawl
• Prohibitive costs
• Cultural resistance
• Choosing a trusted and secure LLM

A strategic, gradual, and guided AI implementation can help teams overcome these challenges. Let’s explore how.

Auditing current tools for underutilized AI capabilities

One of the first steps in implementing AI is to audit your current security tools.

Start by identifying the built-in AI features of all the software in your security stack. For each tool, evaluate its current AI features against desired outcomes. Identify gaps, pain points, and unmet needs that AI could solve for each tool’s use case (this is also an ideal time to trim any tools that haven’t lived up to their promise).

Then, map processes by identifying high-volume, repetitive tasks that could be automated or improved with AI. Focus on high-impact areas where AI could reduce risk or boost efficiency.

Ensure your data is ready by evaluating its quality, accessibility, and governance. By carefully integrating AI into your workflows, your SOC can transition from a reactive model overwhelmed by alerts to an efficient, proactive, and scalable defense system.

Ensuring LLM use is compliant with InfoSec best practices

A trusted and secure LLM is essential for integrating AI into daily SOC workflows. This means avoiding becoming a threat vector yourself (after all, LLMs receive a lot of data/insight from their users) by leveraging an InfoSec-compliant LLM.

The key here is to implement layered security. It should include controlling data access, validating and sanitizing inputs, securing APIs, implementing data governance, monitoring and auditing proactively, and training users on risks such as data leakage and shadow AI.

Elastic AI Assistant, for instance, is LLM-agnostic and can assist with tasks such as alert investigation, incident response, and query generation. Attack Discovery leverages LLMs to analyze alerts and identify threats.

Both of these tools are designed to address a few techniques that threat actors utilize against LLMs, including:

• Prompt injection: Exploiting an AI model's dependency on input prompts to generate responses, manipulating outputs to serve malicious objectives
• Poisoning training data: Occurs when malicious data is introduced into a model’s training set, skewing outcomes or reducing its effectiveness
• Supply chain vulnerability attacks: Inserting malicious elements into the AI's development or implementation pipeline, compromising the model before deployment
• Sensitive information disclosure: Involves the unauthorized release of confidential information through interactions with the AI model
• Overreliance: When users rely too much on AI-generated responses, leading to misguided decisions based on inaccurate data

In the next section, we’ll explore how AI can augment threat intelligence.

Faced with an onslaught of sophisticated, AI-generated threats, SOCs rely on trusted threat intelligence to gain up-to-date insights.

AI improves threat intelligence by monitoring across various threat intelligence sources, providing context to help understand threat actors’ latest motives and campaigns. With these synthesized insights, SOC teams can accelerate incident triage, reduce alert noise, and prioritize alerts that matter.

For tactical threat intelligence, AI provides insights into the tactics, techniques, and procedures (TTPs) of threat actors. ML models analyze historical data and current trends, helping SOC teams build the best-suited defensive measures.

AI might seem like a real game-changer for threat intelligence, and it is. At Elastic, for example, an AI Assistant drove a 92% increase in threat intelligence reports and saved 75% of security analysts’ time.

However, there are three challenges to keep in mind:

• While AI can help automate the latest TTPs from threat intelligence feeds that are preselected, these threat intelligence feed sources themselves must be continuously monitored for relevance.
• End-to-end visibility is crucial. Threat intelligence from disparate sources should be integrated across security workflows, rather than isolated to a single instance.
• Without context, data (and threat intelligence) is noise. Context provides that extra layer of relevance for your organization.

So, how can you solve these challenges for AI threat intelligence?

Solving the AI threat intel challenge by updating sources regularly

Context and visibility shape effective threat intelligence. Visibility provides situational awareness, while context explains how external threats can affect a specific business. Regularly updating threat intelligence sources to cater to a specific company profile is a core practice in threat intel.

A fintech company in the US will face different threats than an oil and gas company in the Middle East. Tailored feeds will provide more relevant data and filter out noise, ensuring that security teams can focus finite resources on threat types that pose a more immediate and damaging risk to their organization.

When security analysts gain knowledge about adversaries who target their industry or region, they can prioritize defenses and patch specific vulnerabilities.

To operationalize this practice, SOC teams can use AI and a threat intelligence platform (TIP), an application that ingests, enriches, normalizes, and correlates data from various sources. With a unified view of all Indicators of Comprise (IoCs) and the ability to search, sort, filter, enrich, and take action, a TIP helps security analysts quickly tailor intel feeds, discover, and act on reported threats.

Particularly useful in this context is RAG, a process that grounds LLMs in the company’s own internal knowledge bases, private data sources, threat intelligence feeds, vulnerability databases, and related data sources. RAG ensures that LLMs have the appropriate context to provide personalized, accurate, and relevant answers.

When a security analyst poses a question to the RAG system, it retrieves information from relevant cybersecurity sources, such as internal logs or tailored threat intelligence feeds. Retrieved data is then run against the analyst’s query, providing the LLM with context and the latest relevant information. As a result, the LLM uses the augmented prompt to generate a context-aware, up-to-the-minute response.

Such real-time integrated threat intelligence means faster response to threats, proactive defense, and a resilient security posture.

Next, let’s explore how to recognize and investigate AI-powered threats.

Today’s threat actors use AI to automate, scale, and enhance attacks, making them faster, more convincing, and harder to detect.

AI-powered threats can include:

• Polymorphic malware: AI-assisted malware that automatically mutates its code and execution characteristics across infections to evade signature-based and static detection techniques
• Social engineering: AI-generated emails or messages with perfect grammar and personalized content; hyper-realistic audio or video “deepfakes” that impersonate colleagues or friends to authorize fraudulent actions
• Automated attacks: Automated deployment of ransomware; scanning of networks for vulnerabilities and weak points in real time
• Detection evasion: Adversarial machine learning (ML) models that test and manipulate an organization's AI defenses to appear as legitimate activity or trick them into making wrong decisions

Recognizing and investigating AI-powered threats relies on a combination of AI tools and human expertise in an organization’s SOC. AI is a powerful force multiplier essential to counter advanced AI-powered threats, but so is human oversight. Security analysts provide essential context, validation, and strategic decision-making that AI cannot.

How to spot AI-generated threats in your environment

To spot AI-generated threats, security analysts use AI-enhanced techniques such as behavioral analytics, anomaly detection, automated alert triage and prioritization, and threat intelligence.

With Elastic, for example, this process involves tools like Attack Discovery and Elastic AI Assistant. These tools triage alerts, help teams to understand attack progressions, provide remediation steps, and hunt for suspicious activities like unusual LLM interactions or data patterns.

AI assistants are helpful in compiling essential data and providing suggestions for the best steps to take for an effective response. By closely monitoring user inputs, model interactions, and an AI assistant’s generated outputs, security teams can detect potential prompt injection attacks as well as identify and mitigate insecure or harmful outputs.

Building investigation playbooks for AI-augmented incidents

Traditional IoCs rely on static, observable artifacts such as malicious IP addresses, known file hashes, and specific registry modifications.

AI-driven attacks are different.

AI models are inherently dynamic, and it’s difficult to establish a baseline or identify their static signature. Moreover, most AI models are complex and opaque, making it difficult to understand how and when they were compromised.

That’s why building investigation playbooks for AI-augmented incidents involves integrating AI within your existing incident response framework. AI can analyze patterns in network traffic, user behavior, and system activities in real time. This enables security teams to identify anomalies that could indicate an AI-driven breach. Such a process will not only improve your incident response speed and efficiency but will also ensure you’re handling novel AI threats.

Step 1: Ensure you have playbooks for AI failures

Build dedicated playbooks for novel and evolving AI failures, including prompt injection, data poisoning, model theft, detection evasion, and shadow AI.

Step 2: Define playbook triggers

Start by identifying specific conditions that will activate your playbook. Specify which incidents AI should handle automatically and which require human escalation.

Step 3: Integrate AI

Incorporate AI assistance at various stages of the incident lifecycle, including alert triage, analysis, containment, recovery, root cause verification, and reporting. Define logic for every decision point. For instance, if AI actions during triage, determine which data it extracts, what to check against threat intelligence, and how to summarize findings.

Step 4: Automate response

Based on the AI analysis and predefined logic, automate low-complexity responses (e.g., isolating affected endpoints, blocking malicious IPs, or revoking compromised credentials).

Step 5: Human review

Define what information the AI should provide when escalating incidents to security analysts, ensuring a seamless transition of data and context.

Step 6: Document and improve

Ensure your playbooks integrate with case management systems to document the incident investigation and manage the workflow. Keep the playbooks current and test them regularly, as threats and AI capabilities evolve.

AI-driven security analytics

With these practices implemented, security analysts can confidently deploy AI tools, investigate and respond to AI-driven threats, and maintain relevant skills as the landscape continues to evolve.

Explore how an AI-driven security solution can help your team stay ahead in the expanding era of fast, complex attacks.

Footnotes

¹ PWC, AI Agent Survey, May 2025.