In the latest episode of Detection at Scale I had a great conversation with Ken Bowles, Director of Security Operations at GreenSky, to explore how AI is transforming day-to-day security work beyond the hype. With 15 years in security operations spanning healthcare and fintech, Ken brings a grounded perspective on what’s actually working in production versus what remains aspirational. The conversation cuts through vendor buzzwords to reveal practical insights about leveraging AI for alert investigation, the evolution of detection strategies, and why understanding your data is more critical than ever in the age of large language models.
Ken’s journey from healthcare security at Tempest to securing credit card data at GreenSky provides a unique lens on how security operations have evolved from basic alerting to AI-enhanced investigation. His emphasis on protecting the crown jewels first, embracing automation pragmatically, and maintaining healthy skepticism about AI’s limitations offers a refreshing counterpoint to the “AI will solve everything” narrative that dominates vendor pitches. This is a conversation about real-world implementation challenges, the changing role of security analysts, and why the fundamentals still matter even as the tools become more sophisticated.
Key Takeaways
Prioritize Crown Jewels and Work Outward: Ken emphasizes starting with what matters most: identifying your organization’s most critical assets (such as credit card data at GreenSky) and building security controls outward from there. This focused approach prevents teams from drowning in generic alerts and ensures resources are allocated where they’ll have the most significant impact on actual risk reduction.
AI Enables the “Single Pane of Glass” Through Context, Not Dashboards: Rather than forcing analysts to context-switch between multiple tools, AI acts as intelligent middleware, pulling data from EDR, SIEM, email security, and identity platforms into a cohesive alert context. This reduces investigation time dramatically by having AI assemble the complete picture before an analyst even starts looking, transforming what used to take 30+ minutes into near-instant contextual awareness.
Detection Strategy Needs Nuance Beyond MITRE Framework Coverage: While MITRE ATT&CK provides valuable guidelines, Ken cautions against the audit-driven mentality of “we need an alert for everything.” Not every technique applies to every organization, and trying to alert on everything leads to analyst burnout. The more intelligent approach involves understanding your threat model, implementing compensating controls where possible, and focusing detections on what actually matters in your specific environment.
Human Judgment Remains Essential Despite AI Advances: Ken draws a critical distinction—AI excels at pattern matching and data analysis but cannot determine intent, which is fundamental to security analysis. While AI can flag that someone accessed sensitive data from an unusual location, only humans can decide whether it’s a legitimate business trip or a credential compromise. This understanding should shape how teams deploy AI: as a force multiplier for analysts, not a replacement.
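The enrichment-before-triage pattern from the “single pane of glass” point and the unusual-location case above, as an added example that is not Panther’s code or anything Ken described in detail: the sign-in history, EDR host records and travel records are constructed sample data, and the field names are assumptions. The function assembles the cross-tool context and decides only whether the location is unusual; the intent verdict is explicitly left to a person.

```python
from collections import defaultdict

# Constructed sample data standing in for identity-platform sign-in history,
# an EDR asset inventory and approved-travel records (assumed schemas).
SIGNIN_HISTORY = [
    {"user": "alice", "country": "US", "ts": "2024-05-01T09:00:00Z"},
    {"user": "alice", "country": "US", "ts": "2024-05-02T09:05:00Z"},
    {"user": "bob", "country": "DE", "ts": "2024-05-01T10:00:00Z"},
]
EDR_HOSTS = {"wks-alice-01": {"owner": "alice", "managed": True}}
APPROVED_TRAVEL = {"bob": ["FR"]}  # user -> countries with an approved trip


def baseline_countries(history):
    """Set of countries each user has historically signed in from."""
    seen = defaultdict(set)
    for row in history:
        seen[row["user"]].add(row["country"])
    return seen


def enrich_alert(alert, history=SIGNIN_HISTORY, edr_hosts=EDR_HOSTS,
                 travel=APPROVED_TRAVEL):
    """Assemble the context an analyst would otherwise pivot across tools for.

    Automation does the pattern matching (is this location unusual, is the
    host managed, is there an approved trip); it does not decide intent, so
    anything unusual and unexplained is routed to a human rather than closed.
    """
    user = alert["user"]
    usual = baseline_countries(history).get(user, set())
    host = edr_hosts.get(alert.get("host"), {})
    unusual = alert["country"] not in usual
    approved = alert["country"] in travel.get(user, [])
    return {
        "user": user,
        "resource": alert["resource"],
        "country": alert["country"],
        "usual_countries": sorted(usual),
        "host_managed": host.get("managed", False),
        "host_owner_matches": host.get("owner") == user,
        "approved_travel": approved,
        "unusual_location": unusual,
        # Unusual and unexplained: a person judges intent. Otherwise the
        # context is still attached so the analyst sees it if they look.
        "disposition": "human_review" if unusual and not approved else "informational",
    }
```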
Audit Your Controls Because Tech Debt Compounds Security Risk: Ken shares a hard-earned lesson: security controls established years ago often drift as ownership changes hands, configurations evolve, and cloud environments grow more complex. Regular auditing of access control lists, security group rules, and other foundational controls is essential because that “tiny little crack” in your defenses often emerges from accumulated changes no single person fully understands anymore.
The practical AI implementation Ken describes reflects Panther’s approach to enhancing security operations. Panther AI handles the context gathering that Ken emphasized, providing that “single pane of glass” through intelligent enrichment rather than dashboard sprawl. This allows your analysts to focus on validating AI judgment rather than spending time manually pivoting across multiple tools. Learn more about Panther AI and how we are keeping human expertise at the center of security operations.