
Getting the most from AI starts with a clear understanding of where it can have the biggest and most measurable impact. Sumedh identifies core capabilities and shares examples of the results customers have seen from their AI SecOps deployments.
The first uses of generative AI in security circa 2023 were tactical, such as alert summaries, natural language queries, and investigation guidance. They eased tasks that analysts did reasonably well already. Consequently, they made only incremental gains in overall security outcomes.
Fast forward to 2026 and we have come a long way. Many enterprises and MDRs have re-architected their security operations around AI, with GenAI playing a big role. The first realization that drove this was that when used correctly, AI enables security wins that are out of reach of humans and traditional automation. Shortly after this, as threat actors embraced AI and made massive gains on time to exploit (see Figure 1), a second realization emerged – AI is a necessity for defense to scale near-infinitely and stay ahead.
Figure 1: Average time from vulnerability disclosure to exploit generation (credit Sergej Epp, CISO Sysdig)
Any tool produces wins only when it is used for the tasks it is strong at. The following are some tasks where AI produces outcomes faster and/or better than humans. Trivial uses like generating summaries and reports are excluded from this list as they are common knowledge.
Modern frontier models, coupled with the right instructions and examples, can reliably generate code to use common IT and security tools. This skill is useful in the SOC and in Threat Hunting, where investigations often need data from dozens of diverse APIs (your EDR, your SIEM, your IAM, your AWS / Azure / GCP services, …). Very few security analysts know all these tools well. Automating this step not only speeds up investigations but also improves their accuracy. This skill of LLMs is also useful in Penetration Testing, to generate and validate exploits against web apps and APIs.
Every branch of security operations must make sense out of data in diverse and evolving data formats and schemas – JSON/XML, syslog, OCSF, etc. With the right instructions and examples, LLMs excel at parsing these and transforming them into the required structure. This is a big enabler for automation in security.
Security decisions often need a large corpus of data, including both semi-structured telemetry and API responses from your systems and unstructured input from employees. Additionally, many security decisions depend critically on context not available from security tools. For example, an alert investigation may involve a Q&A with an employee via Slack or Teams. A pentest may require application context. A threat hunt often benefits from contextual knowledge about the entities it is searching through. Such data is in natural language, and it needs to be incorporated into the decision as well. LLMs are a useful building block in correlating, finding patterns in, and extracting the highlights from such diverse data and context. This does require a fair amount of application logic (homework left to the reader, or to a product) and use of the right LLM for each use case.
The number of permutations of threats and IT environments is infinite and evolving continuously, and it is not possible to build canned automation for all of them. This is why SOAR failed. However, the basic principles of security investigation are a smaller set. LLMs can be leveraged to break down a security decision into its constituents and suggest the actions to be taken to answer those. When used carefully, this superpower helps SecOps personnel generate automation dynamically for each situation and incorporate significantly more data in their decisions than they could in the past, leading to more accurate as well as faster decisions.
It is not uncommon that SecOps personnel are faced with ambiguous data, at least at first glance. For example, let's say you get an alert for atypical travel for user John. The signals that are used to investigate this alert, such as whether he was using a VPN, or his recent pattern of activity, increase confidence of it being a true positive or false positive, but rarely is that confidence 100%. Humans benefit from having another critical thinker to bounce their thoughts off. What is the equivalent for automation? This is where thinking models, or even standard models when instructed to counter-argue and identify evidence gaps, can be used to think about a problem from various perspectives to arrive at the highest confidence answer, significantly improving the accuracy of security decisions.
You can see the impact of these capabilities in real-world customer use cases. Let's look at the specific security wins that some of Simbian's large customers realized with AI.
The Head of Security/Infrastructure wanted to step up the security diligence on their applications before they were released. A full penetration test before release was desirable but not possible because it would take multiple weeks. Vulnerability scans were quick but too shallow to meet the bar.
They looked to AI to solve this gap. With Simbian's AI Pentest Agent they are able to conduct penetration tests at short notice and get results the same day. They now can fix all issues before release, without delays.
Growing SOC complexity had pushed their MTTR to over 2 hours. In contrast, AI-armed threat actors now take on average under 1 hour to move laterally, which means threat actors are moving faster than analysts can contain them. The right answer is automation, but legacy frameworks like SOAR that are built around pre-defined rules and playbooks cannot keep up with the rapidly evolving threat and IT landscape.
They looked to AI to implement a reasoning-based auto-learning system. Simbian's AI SOC Agent could accurately investigate ~95% of alerts, with zero playbooks. This has brought down MTTR from over 2 hours to 12 minutes, back to being faster than the average threat actor.
The company uses Microsoft Purview to flag potential data leaks. Analysts must investigate each alert using non-security context such as whether the recipient is a legitimate business contact. The volume and diversity of such context lead to judgment errors as well as an overwhelming workload.
Automation, including AI, can deal with large amounts of data around the clock with no fatigue. Simbian's AI SOC Agent was able to investigate their alerts autonomously, applying both business context and analyst feedback. The result is consistent investigations for their DLP alerts at scale, with 100% coverage 24x7.
The key phrase throughout this article is "with the right instructions and examples". An LLM's answer is only as good as the prompt given to it. Producing the right prompts and examples takes practice and a lot of benchmarking. A naïve use of off-the-shelf LLMs can result in hallucination and prompt injection risks. As a result, DIY approaches to using LLMs for security can carry significant risks. However, when used correctly, LLMs are an indispensable tool that produces significantly better security outcomes at an infinite scale.
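One way to guard the log-parsing use described earlier against the hallucination risk named above, as an added example that is not from the article or from Simbian's product: a deterministic check that accepts a model's parsed record only if it fits a closed schema and every copied value occurs in the raw line. The field names, the `check_extraction` function and the sample log line are assumptions constructed for illustration.

```python
import ipaddress
import json
import re

# Constructed sample input (not from the article): one sshd syslog line.
RAW = ("Jan 12 03:14:07 web01 sshd[2211]: Failed password for invalid user "
       "admin from 203.0.113.45 port 52144 ssh2")

# Assumed target structure: field name -> required type.
SCHEMA = {"host": str, "process": str, "user": str,
          "src_ip": str, "src_port": int, "outcome": str}
# Labels the model chooses rather than copies, restricted to known values.
ENUMS = {"outcome": {"success", "failure"}}


def check_extraction(raw, model_output):
    """Return reasons to reject a model's parse of `raw`; [] means accept."""
    try:
        record = json.loads(model_output)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(record, dict):
        return ["not a JSON object"]
    tokens = set(re.findall(r"[\w.\-]+", raw))
    # Closed schema: unexpected keys are rejected, not passed downstream.
    problems = [f"unexpected field: {k}" for k in sorted(set(record) - set(SCHEMA))]
    for key, typ in SCHEMA.items():
        if key not in record:
            problems.append(f"missing field: {key}")
            continue
        value = record[key]
        if isinstance(value, bool) or not isinstance(value, typ):  # bool is an int subclass
            problems.append(f"wrong type: {key}")
        elif key in ENUMS:
            if value not in ENUMS[key]:
                problems.append(f"value not allowed: {key}")
        elif str(value) not in tokens:
            # Grounding: a copied value must be a whole token of the raw line.
            problems.append(f"not in source line: {key}")
    if not any(p.endswith(": src_ip") for p in problems):
        try:
            ipaddress.ip_address(record["src_ip"])
        except ValueError:
            problems.append("invalid IP: src_ip")
    return problems


if __name__ == "__main__":
    print(check_extraction(RAW, '{"host": "web01", "src_ip": "198.51.100.7"}'))
```

A record that fails any check is routed to an analyst or re-requested rather than fed into automation.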
Read the full ebook → Security for Winners: The Art of Using AI to Secure Your Company and Get Yourself Promoted