Welcome to Detection at Scale—a weekly newsletter diving into SIEM, generative AI, security monitoring, and more. Enjoy!

As detecting suspicious behaviors has become increasingly automated, the gap between generating alerts and understanding their underlying causes has widened. Those crucial minutes when analysts scramble to gather context, validate findings, and determine appropriate actions represent a persistent bottleneck in security.

AI agents are changing this equation by compressing the time between alert generation and resolution. Unlike automation approaches that follow highly deterministic paths, agents can dynamically analyze context, correlate disparate data sources, and present actionable insights that dramatically reduce time-to-understanding. Most importantly, they're designed to augment human analysts, not replace them.

In this blog, we'll focus on how AI agents transform alert triage, the critical first stage of response, where determining severity and scope determines whether to escalate an incident. While agents provide numerous security operation benefits (as covered in our posts on The Agentic SIEM, Investigative AI Agents, and Teaching AI Agents Your Organization), their most significant impact is on triage, where they accelerate and enhance the entire incident response lifecycle from initial investigation through remediation and continuous improvement.

The economic implications are profound. By dramatically reducing the time analysts spend gathering and contextualizing information, organizations can handle more alerts without expanding headcount, breaking the linear relationship between alert volume and team size that has constrained security operations for decades.

The Security Operations Time Gap

Security operations teams face a daunting reality: on average, SOC teams receive approximately 4,484 alerts daily and spend nearly three hours manually triaging these alerts. Additionally, 97% of analysts worry about missing critical security events that are often buried under this flood of information.1 The alert validation process encompasses a wide range of activities that drain productivity and create operational bottlenecks.

When investigating a suspicious login alert, an analyst must quickly answer several questions:

• Is the detection logic accurate, or is this a false positive?

• Is the device used for access properly managed and secured?

• Has this user exhibited any other suspicious behaviors recently?

• Have we seen similar patterns across other users in this group?

• Does this access violate any organizational or compliance policies?

Traditional SIEM workflows require analysts to manually gather this information, formulating separate queries for each question and mentally connecting the results. Context switching within the SIEM creates cognitive overhead that directly impacts the quality of analysis. Analysts must continually rebuild their mental model of the investigation with each query, translating between different data representations while attempting to identify patterns that may span days or weeks of events. The result is shallower analysis, missed connections, and an inability to distinguish genuine threats from the noise generated by disparate security tools reporting similar behaviors through different lenses.

Previous attempts to solve this problem through SOAR platforms introduced valuable automation capabilities but fell short of transforming the validation process. While SOAR excels at executing predefined workflows, traditional automation requires explicitly programmed logic that cannot adapt to the nuanced, context-dependent nature of security investigations. These systems ultimately shifted the bottleneck rather than removing it, as teams now struggled to maintain complex playbooks and automation scripts instead.

This desire for more sophisticated automation reflects a broader recognition within security teams: human attention remains their scarcest resource.

What analysts truly need is intelligent assistance that can gather relevant context without explicit programming for every scenario, present synthesized findings that highlight key relationships, and adapt to the unique patterns of their environment. They want to focus their expertise on decision-making and novel threats rather than routine data gathering and correlation.

How AI Agents Compress Time-to-Resolution

AI agents automate the series of triage steps that analysts manually perform, dynamically gathering tedious data points through three key mechanisms.

Parallel Context Gathering

AI agents connect to the outside world through Tool Use. An example tool is a theoretical list_rules tool, which returns all active SIEM detection rules. Agents have access to a multitude of tools that can be used in concert to supply helpful context about an alert.

For a suspicious authentication event, an agent might concurrently:

• Query authentication patterns from the past 30 days

• Validate the user's identity against identity providers

• Correlate the user across other security events

• Compare behavior against the user's peer group

• Check the device's last check-in status

Handling all of this data typically requires a notepad, a Notion document, or numerous tabs. AI helps keep track of findings within the context window, allowing analysts to think at a higher level and direct their analysis. By retaining access to recent triage outcomes, agents can also recall similar cases and apply lessons learned, creating a feedback loop that improves triage efficiency.

Enhanced Pattern Recognition

Security alerts rarely exist in isolation. The difference between a false positive and a genuine threat often lies in the broader context surrounding an alert. AI agents excel at extremely detailed pattern recognition, such as the exact sequence of characters passed into a web application URL or the date and time ranges of user behaviors related to their home time zone.

For example, a failed login attempt might appear benign when viewed independently, but takes on new significance when an agent flags:

• Another failed authentication attempt from a different cloud environment

• The login occurred during odd hours for this user

• This service seems abnormal given their role in the organization

By dynamically adjusting their investigation based on patterns, agents emulate the thought process of experienced analysts, following leads and pivoting to new areas of investigation rather than executing predetermined steps. This adaptability enables agents to discover relationships that would not be explicitly encoded in traditional automation.

Institutional Knowledge Application

Perhaps the most transformative aspect of AI agents is their ability to apply organizational knowledge consistently across all investigations. Agents can learn from historical alert dispositions, recognize the unique patterns in their environment, and apply relevant lessons to new cases.

This means a suspicious login at 2 AM might not trigger an escalation for a developer whose profile shows regular overnight work during release cycles. Similarly, an unusual access pattern may warrant immediate escalation if it aligns with tactics used in a previous breach or targets a critical system containing sensitive data.

This contextual understanding—the kind that typically resides in the minds of your most experienced analysts—becomes consistently available for every alert, regardless of who's on shift or how many concurrent incidents are being managed. The result is more accurate triage decisions, fewer false positives, and faster identification of genuine threats.

The cumulative effect of these capabilities is a dramatic compression of the time between alert generation and meaningful action. Where traditional processes might require 30 minutes or more per alert, AI agents can present a comprehensive analysis in just a few minutes, allowing analysts to focus on decision-making rather than data gathering.

From Detection to Decision: Closing the Loop

The productivity gains of AI agents are realized when agents establish a continuous feedback loop that enhances the entire security workflow, from initial detection through incident resolution and ongoing improvement.

Typical alert workflows create artificial boundaries between detection and response. An alert is generated, triaged by an analyst, escalated if necessary, handed off to an incident responder, and eventually closed with minimal feedback for improving detection. This linear process creates knowledge silos that limit overall security effectiveness. AI agents can help break down these boundaries by sharing knowledge across domains.

Evidence Organization

AI agents excel at both gathering and subsequently organizing evidence at the end of an incident. An analyst may ask the agent to:

• Extract relevant indicators from logs, network traffic, and security tools

• Standardize evidence format for consistent analysis regardless of source

• Prioritize evidence based on relevance to the current investigation

With the cleaned evidence, security teams can resolve and begin communication.

Streamlined Reporting

Perhaps the most significant impact comes from streamlining incident response and reporting. AI agents can:

• Generate detailed incident summaries capturing key events, findings, and actions

• Prepare draft communications for stakeholders based on incident severity

• Create documentation that preserves investigation context for future reference

This significantly reduces the administrative burden of security operations, enabling analysts to concentrate on the technical aspects of response rather than documentation. More importantly, it ensures consistent, high-quality reporting regardless of who handled the alert.

Continuous Improvement

The most transformative aspect of AI-enhanced SIEM is the continuous feedback loop between detection and response. After each incident, agents can:

• Identify gaps in detection coverage exposed during investigations

• Suggest rule modifications to reduce false positives

• Recognize emerging attack patterns that warrant new detection logic

With human approval, these insights can feed directly back into detection engineering, creating a virtuous cycle where each alert makes the entire system more effective. This closed-loop model ensures that tribal knowledge from investigations directly improves detection quality, rather than being lost in disconnected systems or team silos.

The human-in-the-loop approach ensures that AI agents remain assistive rather than replacing analyst judgment. Analysts maintain control over key decisions while delegating routine data gathering and correlation to agents. This partnership leverages the comparative advantages of both: machines excel at processing large volumes of data and identifying patterns, while humans provide strategic judgment, contextual understanding, and creative problem-solving.

Case Study: Panther AI in Action

I'm excited to share a real-life case study of how we built these concepts into Panther's security monitoring platform. Today, we are launching Panther AI, our intelligent agent that collaborates with security teams to enhance alert triage and investigation workflows. Panther AI embodies the principles we've discussed:

• Comprehensive Context Gathering: Panther AI automatically collects and correlates data from across your data lake, eliminating the need for repetitive manual queries. When a user initiates triage, the agent enriches information from identities and assets, historical alerting patterns, rule logic, and other relevant sources.

• Human-in-the-Loop Design: Throughout the investigation process, analysts maintain complete visibility and control over the system. Panther AI presents its findings transparently, explains its reasoning, and allows analysts to redirect the investigation as needed. Users can also write AI findings to alerts.

• Adaptive Investigation Paths: Instead of following predetermined playbooks, Panther AI dynamically adjusts its triage path based on each unique alert. For instance, when examining a potentially noisy alert, it pulls the previous alert history and outcomes to inform better how the current alert should be handled.

Trust is essential. For security teams to trust Panther’s AI agent, it must deliver reliable, secure, and consistent results. Panther AI builds this trust through:

• Analytical Consistency: Panther AI applies the same analytical rigor and format to every alert. This consistency ensures that midnight alerts receive the same quality of investigation as those handled during peak hours.

• Transparent Reasoning: Panther AI explains its analysis process and provides specific evidence to support its conclusions. This transparency allows analysts to validate the agent's reasoning and builds confidence in automated findings over time.

• Isolated Infrastructure: Panther operates its AI infrastructure utilizing Amazon Bedrock for tenant isolation and does not use customer responses to train or share knowledge across boundaries. This was a crucial security control requested by customers.

These capabilities represent our vision for how AI can transform security operations—not by replacing human expertise, but by removing the tedious, time-consuming tasks that prevent analysts from fully applying their skills. Panther AI allows security teams to focus on what matters most: making critical security decisions based on comprehensive, contextual information.

This launch marks the beginning of our journey to develop a more intelligent and responsive security operations platform!

Learn More

The Future of Agentic Security Operations

Throughout this blog post, we've explored how AI agents are fundamentally transforming security operations by closing the critical time gap between alert generation and meaningful action. The benefits are clear and compelling:

1. Unprecedented Efficiency: By automating context gathering and correlation, AI agents reduce triage time from over 30 minutes to just a few minutes, enabling teams to handle more alerts without increasing headcount.

2. Deeper Analysis: Freed from manual data collection, analysts can focus on meaningful decision-making and complex threats, leading to more thorough investigations and fewer missed signals.

3. Consistent Quality: AI agents apply the same analytical rigor to every alert, regardless of time of day or analyst workload, eliminating dangerous security blind spots.

4. Continuous Improvement: The closed-loop nature of agent-assisted operations ensures that each investigation enhances future detection and response capabilities.

5. Human Augmentation: Rather than replacing analysts, these systems augment human expertise by handling routine tasks while maintaining human control over key decisions.

The transformation we're witnessing isn't just about faster alert processing—it's a fundamental shift in how security teams operate. By breaking the linear relationship between alert volume and analyst headcount, organizations can finally scale their security operations to meet growing threats without unsustainable cost increases.

The future of security operations is here—and it's agentic, intelligent, and human-centered.