Rethinking MDR: 60% of Alerts Go Unreviewed Amid Surge in AI-Driven Cyber Threats
In the evolving landscape of cybersecurity, managed detection and response (MDR) services have become essential for organizations grappling with persistent threats. Initially designed to fill the gaps in 24/7 monitoring, the MDR model is now facing scrutiny as the sophistication of cyberattacks increases. Recent data indicates that roughly 60% of the alerts organizations generate are never reviewed at all, raising concerns about how much of the advertised coverage is real.
The Impact of AI on Cyber Threats
The integration of artificial intelligence (AI) into cyberattacks has fundamentally altered threat detection dynamics. Cybercriminals are now employing AI to launch complex phishing campaigns, automate reconnaissance, and create malware capable of evading traditional detection methods. At the same time, the attack surface has expanded across endpoints, cloud environments, identities, and networks. Despite this, MDR services continue to function reactively, primarily forwarding alerts to human analysts who prioritize them based on severity.
This reactive approach has proven inadequate. The volume of alerts generated in modern environments produces a backlog in which lower-severity alerts accumulate unreviewed, and that deprioritized queue is exactly where attacker activity designed to look mundane ends up.
The Illusion of 24/7 Coverage
MDR services often promote their 24/7 human coverage, yet in practice they primarily triage high-severity alerts. Approximately 60% of alerts remain unexamined, according to a recent analysis of 25 million alerts across global enterprises. The same study found that nearly 1% of genuine threats surface first as low-severity or informational alerts. For an organization generating around 450,000 alerts a year, the study's rates work out to about 54 real incidents per year, roughly one a week, sitting in a deprioritized queue that nobody opens.
These misses are not hypothetical; they are occurring in organizations that believe they have adequate coverage. The implications are severe, as attackers exploit these gaps to execute their strategies undetected.
Variability in Investigation Quality
When alerts are reviewed, the quality of investigations can vary significantly. Factors such as the analyst's experience, the time of day, and current workload all influence the thoroughness of an investigation. The same high-priority alert may receive far less scrutiny at 3 AM than it would during peak hours.
This variability highlights the challenges inherent in human-driven processes operating under pressure. When investigations lack depth, threats may be misclassified as noise, allowing attackers to move laterally within the network without detection.
Disconnect in Detection Engineering
In many MDR deployments, detection engineering is treated as a periodic exercise rather than an ongoing process. Adjustments to detection rules typically occur only in response to customer complaints about alert volume or following significant vulnerabilities in the news. Consequently, the detection posture can drift over time.
This disconnect is structural; investigation and detection engineering often function in silos. Insights gained from investigating alerts rarely feed back into the detection system, resulting in a scenario where broken rules persist and new attacker techniques go undetected. The overall detection posture can deteriorate faster than it improves, leading to a significant gap in coverage.
Lack of Transparency and Accountability
Most MDR services operate as a black box. Customers receive escalations and summaries but lack visibility into the investigation logic, evidence trails, and the rationale behind verdicts. This opacity poses a significant liability, especially in an era where accountability and transparency are paramount. When incidents are missed, organizations cannot diagnose root causes, complicating regulatory inquiries.
Vendor-Centric Nature of AI Savings
While AI is being utilized to enhance operational efficiency in MDR services, the benefits are often not passed on to customers. Providers use AI to automate triage processes and reduce the need for human analysts, thereby increasing profit margins. However, the fundamental coverage gaps remain unchanged, and organizations continue to pay the same or even higher rates without receiving expanded services.
Ownership of Detection Knowledge
Detection rules, triage logic, and investigation insights accumulate within the MDR vendor’s platform throughout the contract. When the contract concludes, this knowledge does not transfer to the organization. Consequently, companies that switch providers must rebuild institutional knowledge, while those seeking to develop internal capabilities find themselves starting from scratch.
This knowledge lock-in is not merely a switching-cost issue; it also hampers organizations’ readiness to adopt AI-driven solutions for their security operations. If foundational knowledge resides within the MDR vendor’s platform, any new AI agent deployed will lack the necessary context to function effectively.
Additional Gaps in MDR Services
Beyond the significant issues outlined, MDR services exhibit several smaller gaps that compound over time. Customers often receive a generic playbook that fails to account for their specific risk profiles or compliance requirements. Integration tools designed to streamline findings into internal workflows have largely fallen short due to the inconsistent outputs generated by human-driven investigations. When real incidents occur, customers frequently find themselves interacting with automated systems rather than knowledgeable personnel.
The Need for a New Operating Model
As the threat landscape becomes increasingly dominated by AI-driven attacks, the operational model for cybersecurity must evolve. Attackers are executing campaigns at a speed that outpaces traditional response mechanisms. An investigative approach that examines every alert—regardless of severity—is critical.
An AI-driven Security Operations Center (SOC) can facilitate this shift. By automating the investigative process, organizations can ensure that every alert is triaged and investigated in real time, allowing human analysts to focus on decision-making rather than discovery.
Advantages of an AI SOC
An AI SOC can process 100% of alerts, covering endpoints, identities, cloud environments, networks, and more, automatically. This approach ensures that even low-severity alerts receive the same level of scrutiny as high-priority ones. The figures cited here put human escalation at fewer than 2% of alerts, with the remaining 98% or more resolved autonomously in under a minute at a reported 98% accuracy rate.
Throughput alone is not the point; forensic depth is what makes AI-driven investigations trustworthy. Genuine inquiry must go beyond surface-level assessments to uncover the true nature of threats, especially those designed to evade detection.
Importance of Closed-Loop Detection Engineering
A true AI SOC benefits from a closed loop between investigation and detection. Each investigation verdict is evidence about the rule that produced the alert: rules that fire only on known-benign activity need exclusions, rules that never fire may be broken, and rules whose low-severity alerts keep turning out to be real need their severity raised. Feeding those outcomes back continuously improves detection quality without waiting for annual audits or customer complaints, so detection capabilities evolve in tandem with emerging threats.
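The feedback loop described above, written out as an added example (this is not code from the article or from any MDR or AI SOC vendor it describes). Investigation verdicts are rolled up per detection rule, and the aggregate drives concrete tuning actions; the same aggregate also answers the question raised under the 24/7 coverage section, namely how many confirmed threats sat below the severity floor that a triage queue actually reviews. The rule names, the verdict log, the severity floor and the thresholds are all constructed for illustration.

```python
"""Closed-loop detection engineering: investigation verdicts -> rule tuning.

Added example, not the article's or any vendor's code. The detection rule
catalog, the verdict log and the thresholds below are constructed for
illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class RuleStats:
    fired: int = 0
    true_positive: int = 0
    false_positive: int = 0
    benign_expected: int = 0          # real activity, known and authorised
    tp_by_severity: Counter = field(default_factory=Counter)


def aggregate_verdicts(verdicts):
    """Roll a list of {rule, severity, verdict} investigation outcomes up per rule."""
    stats = defaultdict(RuleStats)
    for v in verdicts:
        s = stats[v["rule"]]
        s.fired += 1
        if v["verdict"] == "true_positive":
            s.true_positive += 1
            s.tp_by_severity[v["severity"]] += 1
        elif v["verdict"] == "false_positive":
            s.false_positive += 1
        elif v["verdict"] == "benign_expected":
            s.benign_expected += 1
        else:
            raise ValueError(f"unknown verdict {v['verdict']!r}")
    return dict(stats)


def recommend_tuning(stats, catalog, *, noise_threshold=0.9, min_volume=20):
    """Map per-rule stats to tuning actions. catalog: rule -> declared severity,
    listing every deployed rule so that silent (possibly broken) rules show up."""
    actions = {}
    for rule, declared in catalog.items():
        s = stats.get(rule)
        if s is None:
            actions[rule] = ["investigate_silent_rule"]   # deployed but never fired
            continue
        todo = []
        noise = (s.false_positive + s.benign_expected) / s.fired
        if s.fired >= min_volume and noise >= noise_threshold:
            todo.append("tune_or_disable" if s.true_positive == 0 else "tune_to_cut_noise")
        if s.benign_expected / s.fired >= 0.5:
            todo.append("add_exclusion")                  # known-good activity dominates
        if SEVERITY_RANK[declared] < SEVERITY_RANK["medium"] and s.true_positive > 0:
            todo.append("raise_severity")                 # real threats hiding below the floor
        actions[rule] = todo or ["keep"]
    return actions


def deprioritized_true_positives(stats, review_floor="medium"):
    """Confirmed threats whose alert severity was below what a triage queue reviews."""
    floor = SEVERITY_RANK[review_floor]
    return sum(n for s in stats.values()
               for sev, n in s.tp_by_severity.items() if SEVERITY_RANK[sev] < floor)


def _make(rule, severity, verdict, n):
    return [{"rule": rule, "severity": severity, "verdict": verdict} for _ in range(n)]


# Constructed catalog and verdict log (hypothetical rule names).
CATALOG = {
    "win_lsass_access": "high",
    "okta_new_device_login": "low",
    "aws_s3_public_acl": "medium",
    "linux_cron_modify": "informational",
    "edr_legacy_signature": "medium",   # deployed, never fires
}
VERDICT_LOG = (
    _make("win_lsass_access", "high", "false_positive", 28)
    + _make("win_lsass_access", "high", "true_positive", 2)
    + _make("okta_new_device_login", "low", "false_positive", 22)
    + _make("okta_new_device_login", "low", "true_positive", 3)
    + _make("aws_s3_public_acl", "medium", "true_positive", 5)
    + _make("aws_s3_public_acl", "medium", "false_positive", 5)
    + _make("linux_cron_modify", "informational", "benign_expected", 36)
    + _make("linux_cron_modify", "informational", "false_positive", 4)
)


def run_feedback_loop(verdicts=VERDICT_LOG, catalog=CATALOG):
    stats = aggregate_verdicts(verdicts)
    return recommend_tuning(stats, catalog), deprioritized_true_positives(stats)


if __name__ == "__main__":
    actions, missed = run_feedback_loop()
    for rule, todo in actions.items():
        print(f"{rule:24s} {', '.join(todo)}")
    print(f"confirmed threats below the review floor: {missed}")
```

In this constructed log the noisy LSASS rule still catches real intrusions, so it is flagged for tuning rather than removal; the cron rule is pure known-good noise and gets an exclusion; the Okta rule is promoted because three of its low-severity alerts were real, which is exactly the population a severity-first queue never opens.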
Pricing Models That Reflect Coverage
The economic model of an AI SOC should align with the coverage it provides. Per-alert pricing rewards the provider for handling fewer alerts; per-endpoint pricing lets an organization investigate every alert without incurring additional cost. This shift not only enhances coverage but also improves budget predictability.
Ownership and Control in an AI SOC
Under an AI SOC framework, detection rules, investigation histories, and organizational context belong to the organization, not the vendor. This ensures that if an organization decides to expand its internal capabilities or switch tools, it retains all relevant knowledge and insights.
Transitioning from MDR to AI SOC
Transitioning from an MDR model to an AI SOC does not necessarily require a complete overhaul. Organizations can begin by augmenting their existing MDR services with AI-driven investigations, allowing them to compare findings and build a case for a full transition at contract renewal.
The Critical Question for Security Leaders
The traditional MDR model was designed for a slower-paced threat landscape, where staffing was the primary challenge. As attackers leverage AI to execute rapid campaigns, security leaders must confront a pressing question: Of the 60% of alerts that go unreviewed, how confident are you that none contain real threats?
For the 450,000-alert organization described above, the study's numbers put that at roughly 54 genuine threats overlooked each year, underscoring the urgency for organizations to reevaluate their cybersecurity strategies.
As reported by cyberwarriorsmiddleeast.com, the AI SOC does not promise to eliminate all threats, but it addresses the coverage gaps inherent in the MDR model. By ensuring that every alert is investigated with forensic depth, organizations can enhance their security posture in an era where threats are evolving rapidly.
Published on 2026-06-15 01:32:00 • By FAME Delivered News Desk
