The AI Revolution in Cybersecurity: How Intelligent SOCs Are Winning the War Against Advanced Threats

With nearly half of internet traffic coming from bots—a third malicious—security operations centers are drowning in alerts. Meanwhile, advanced persistent threats and zero-day attacks grow more sophisticated daily.

But a revolution is underway. AI-powered SOCs are transforming threat detection through automated triage, behavioral analytics, and real-time anomaly detection. These systems can spot “living off the land” attacks where legitimate tools are weaponized, while filtering noise and prioritizing genuine threats.

In this exclusive interview, Rajesh Ananthakrishnan, President and Head of Managed Security Services at Inspira Enterprise, reveals how AI handles Tier-1 and Tier-2 tasks, freeing human analysts for strategic work. With machine learning models that adapt through continuous feedback loops, these intelligent defense systems aren’t just keeping pace with evolving threats—they’re getting ahead of them.

Rajesh Ananthakrishnan
President and Head of Managed Security Services
Inspira Enterprise

CISO Forum: What AI/ML techniques are proving most effective for identifying advanced persistent threats and zero-day attacks in real time?

Rajesh Ananthakrishnan: Several AI/ML techniques are proving effective in detecting advanced persistent threats (APTs) and zero-day attacks in real time. The key ones include Anomaly Detection models that are very effective in detecting unusual behavior, insider threats, and anomalies, even without a pre-existing rule mapping. This helps identify “living off the land” (LOTL) attacks where legitimate tools are used maliciously, which an experienced analyst can spot through odd parameters or uncommon sequences. In Behavioral Analytics, AI serves as a threat intelligence copilot by surfacing suspicious behavior and highlighting emerging attack trends. Security teams can identify zero-day vulnerabilities and new tactics through this proactive analysis, before they become widespread threats.

CISO Forum: How can AI-powered SOCs efficiently process and analyze telemetry from diverse endpoints, networks, and cloud environments without overwhelming analysts?

Rajesh Ananthakrishnan: Diverse telemetry data, which is the information collected from remote sources automatically, can be efficiently processed and analyzed in an AI-powered SOC. At Inspira, the SOC teams focus on some key processes. The team embeds AI as a cognitive layer to perform Automated Triage and Prioritization of alerts. False positives are filtered out and alerts are prioritized based on their actual risk, enabling security teams to focus on priority threats and not waste time sifting through low-value alerts. AI automatically enriches alerts with context before an analyst even sees them. This Contextual Enrichment includes ingesting data from SIEM, EDR, and cloud logs and applying contextual tagging related to asset criticality or user risk scores.

AI connects the dots by linking events, timelines, and systems to build a precise and fast picture of an incident. This automated, AI-led incident correlation relieves analysts from having to map out timelines from a dozen different tools manually. AI algorithms filter out the noise and highlight only those alerts that have real context and risk scores. This Noise Reduction is critical when nearly half of all internet traffic comes from bots, with a third of that being malicious. AI agents can now handle the majority of Tier-1 and Tier-2 tasks, freeing up human experts to contribute to higher-value work.

CISO Forum: What are the emerging methods for combining global intelligence, behavioral analytics, and contextual risk scoring into an automated SOC workflow?

Rajesh Ananthakrishnan: Emerging methods for combining global intelligence, behavioral analytics, and contextual risk scoring into an automated SOC workflow include Automated Re-Ranking and Correlation, where the system can perform automated alert priority re-ranking and incident correlation based on the combined intelligence and risk scoring. This ensures that workflows are automatically adjusted to focus on the most critical threats. Generative AI (GenAI) can be leveraged for threat advisory collection and publication, where real-time intelligence is provided directly within the workflow. A TIP (Threat Intelligence Platform) Copilot can query vast threat repositories to inform automated decisions. AI can be integrated into SOAR platforms to accelerate playbook development by suggesting tasks and other relevant information. This leads to automated playbook execution with feedback loops to improve future responses.

CISO Forum: How can SOC teams address challenges like model drift, adversarial inputs, and bias while maintaining consistent detection performance?

Rajesh Ananthakrishnan: SOC teams at Inspira address model drift, adversarial inputs, and bias in AI-powered security systems by implementing Continuous Feedback Loops, where analyst decisions and alert triage outcomes feed back into the model’s weights. This process of auto-labeling alerts and outcomes constantly improves the calibration accuracy by using “human-in-the-loop” systems, where SOC specialists validate AI decisions in Human-in-the-Loop Validation. This is needed for retraining models when false positives or missed threats occur and for polishing AI outputs to extract the maximum benefit.

Models must be continually trained using real-world incidents, evolving threat data, and direct analyst feedback. This Regular and Diverse Training ensures the model adapts to new attacker techniques and remains current. SOC professionals must take on the elevated role of evaluating AI systems for potential bias and overall effectiveness. This supervision is crucial for maintaining trust and reliability in AI-driven security. The SOC team is responsible for identifying gaps in AI detection capabilities. Based on their experience and intuition, they can design custom rules and configure systems to adapt to new and evolving attack types that a model may not have seen before.

CISO Forum: What best practices are emerging for designing AI-driven response mechanisms that balance speed, accuracy, and the need for human oversight?

Rajesh Ananthakrishnan: Emerging best practices for designing AI-driven response mechanisms highlight a balance between speed, accuracy, and human oversight through Tiered Automation, where AI is allowed to autonomously handle high-volume Tier-1 and Tier-2 tasks, including containment actions like isolating an endpoint or blocking an IP address within seconds. In Analyst-Driven Control, the AI system should generate a tailored response plan for each incident, but allow human analysts to decide whether to launch the automated response or take manual control, keeping experts in the driver’s seat.

Establishing Clear Rules for Critical Actions is vital to preventing AI from having complete control. Set specific rules that require SOC specialists to review and approve certain AI decisions before a disruptive action is taken, especially if it could impact critical infrastructure. Use the AI’s prediction confidence score to guide the workflow, which is Confidence-Based Routing. For example, low-risk or low-confidence alerts can be auto-resolved or routed for standard review, while high-confidence threats are immediately escalated to senior analysts. In Workflow Integration over Tool Integration, the focus should be on integrating AI into daily workflows, not just security tools. This involves adapting playbooks based on model confidence and analyst feedback and consistently tracking performance to refine the balance between automation and human intervention.
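The contextual enrichment and re-ranking from the answer on telemetry processing, combined with the tiered automation, approval gate and confidence-based routing from the answer on response design, as an added example that is not Inspira's code or part of the interview. The asset criticality table, user risk scores, confidence thresholds, priority formula and sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-ins for a CMDB feed and an identity risk feed (not real data).
ASSET_CRITICALITY = {"web-01": 2, "db-core-01": 5, "hr-laptop-17": 1}
USER_RISK = {"svc_backup": 0.2, "jdoe": 0.6, "contractor_9": 0.9}

@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    confidence: float      # model prediction confidence, 0..1
    severity: int          # raw detector severity, 1..5
    action: str            # proposed containment: "isolate_host", "block_ip" or "none"
    criticality: int = 0   # asset criticality 1..5, set by enrich()
    priority: float = 0.0  # contextual priority, set by enrich()
    route: str = ""        # queue chosen by route()
def enrich(a: Alert) -> Alert:
    """Contextual enrichment: tag the alert with asset criticality and user risk."""
    a.criticality = ASSET_CRITICALITY.get(a.host, 3)  # unknown asset: assume medium
    user_risk = USER_RISK.get(a.user, 0.5)
    # Blend raw severity with business context: a hit on a core database outranks a kiosk.
    a.priority = a.severity * (1 + a.criticality / 5) * (1 + user_risk)
    return a
def route(a: Alert, auto: float = 0.9, low: float = 0.4) -> str:
    """Confidence-based routing with an approval gate on critical infrastructure."""
    if a.confidence < low:
        a.route = "auto_resolve" if a.priority < 5 else "standard_review"
    elif a.confidence < auto:
        a.route = "standard_review"  # Tier-1/Tier-2 analyst queue
    elif a.action != "none" and a.criticality >= 4:
        a.route = "await_approval"   # disruptive action: SOC specialist must approve
    elif a.action != "none":
        a.route = "auto_contain"     # isolate/block automatically within seconds
    else:
        a.route = "escalate_senior"  # high confidence, no playbook action defined
    return a.route
def triage(alerts: list[Alert]) -> list[Alert]:
    """Enrich and route every alert, then re-rank the queue by contextual priority."""
    for a in alerts:
        route(enrich(a))
    return sorted(alerts, key=lambda a: a.priority, reverse=True)
def sample_alerts() -> list[Alert]:  # constructed alerts, as if from SIEM/EDR/cloud logs
    return [
        Alert("A1", "web-01", "jdoe", 0.95, 4, "isolate_host"),
        Alert("A2", "db-core-01", "svc_backup", 0.97, 3, "block_ip"),
        Alert("A3", "hr-laptop-17", "contractor_9", 0.30, 2, "none"),
        Alert("A4", "kiosk-3", "jdoe", 0.60, 5, "isolate_host"),
        Alert("A5", "db-core-01", "contractor_9", 0.92, 5, "none"),
    ]
```

Running `triage(sample_alerts())` puts the high-confidence hit on the core database at the top of the queue while holding the proposed block on that same host for analyst approval, and the low-confidence, low-priority laptop alert is auto-resolved.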
