Critical insights Q&A: Anomali’s AI-native approach helps defenders cut noise, mitigate swiftly
The article examines how the cybersecurity field is shifting to AI-driven solutions to cope with an increasingly complex threat landscape. Traditional SIEM systems struggle with surging data volumes and cost, while AI-based next-generation SIEMs that combine data lakes, LLMs and agentic AI can detect threats more efficiently, reduce false positives and lower costs. Companies such as Anomali show how this technology helps organizations identify potential threats early and respond proactively. 2025-10-19 23:4:36 Author: securityboulevard.com

By Byron V. Acohido

The cybersecurity world is deep into an AI pivot.

The headlines fixate on doomsday threats and autonomous cyber weapons. But the real revolution may be happening at a quieter layer: inside the SOC.


Security operations teams are under intense pressure. According to IBM’s 2024 Cost of a Data Breach report, organizations are now storing log and telemetry data across an average of 13 different environments — from cloud services to on-prem tools to third-party SaaS platforms. Meanwhile, the average time to identify and contain a breach remains stuck at 277 days.

Legacy SIEMs (security information and event management systems) were never built for this sprawl. Licensing models penalize data volume, siloed tools create blind spots, and even the best-run SOCs struggle with alert fatigue and staffing gaps. What if the answer isn’t more humans, but smarter automation?

At Black Hat 2025, I caught up with George Moser, Chief Growth Officer at Anomali, to unpack a promising shift: the rise of AI-native SIEMs. Moser argues that the combination of data lakes, LLMs, and agentic AI can reduce noise, tighten detection, and even autonomously neutralize threats in real time — all while cutting platform costs by 50%.

Here are excerpts from our conversation.

LW: Why are legacy SIEMs falling short for today’s SOC teams?

Moser: It comes down to scale and complexity. The SOC’s job now involves defending this sprawling cyber footprint: cloud apps, SaaS vendors, remote endpoints, third-party partners. Each generates its own logs. And legacy SIEMs weren’t built to ingest and correlate that volume of telemetry, especially not affordably.

What we hear from customers is that their data is siloed, and licensing costs are prohibitive. You want to centralize logs, but every new data source adds cost. That’s a huge barrier.

LW: So how does an AI-native SIEM change the model — and how does a centralized data lake help break down those silos?

Moser: Once the data is in that proverbial lake, there are no silos. You’re no longer stuck trying to manage logs from all over the place — firewalls, email, endpoint systems, SaaS apps — each in their own box with limited integration. At Anomali, everything goes into a single object store, whether it’s structured or unstructured. That lets our AI correlate across all of it, in real time. And because we’re not bound by legacy SIEM licensing models, customers are seeing more than 50% savings on log ingestion and storage.

But the real power comes from what happens once everything’s in that lake. Because now, it’s not siloed. It’s just one big object store, and our AI can look across all of it. It knows what the threat actors are trying to do — it understands the known vectors, the tactics, the behavior patterns. And it’s not just matching against a list. It’s able to predict what those actors might try next, based on what it sees in your data. That’s how you get from reactive to proactive. That’s the shift.

LW: And this is where agentic AI comes into play?

Moser: Exactly. That’s one of the biggest benefits of the platform. You can define workflows in advance — actions to take if a threat is detected with high confidence. Think of things like disabling a compromised account, blocking a suspicious IP, or taking a device off the network. If there’s a strong match to a known threat vector, those steps can happen automatically, in real time. We’re talking seconds, not hours.

But here’s the key: these are known-good procedures, already written and approved by change management. The system isn’t hallucinating or making things up. It’s just inserting the right variables into vetted routines and executing them. So yes, it’s autonomous — but always with guardrails. Humans are still in control. The AI is just doing the heavy lifting.
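The guardrail Moser describes, a decision layer that may only pick a pre-approved routine and fill in its variables, is easy to get wrong if the variables are not validated. The following is an added illustration, not Anomali's code: playbook names, the 0.90 confidence threshold, the parameter validators and the sample alerts are all constructed for the example.

```python
import ipaddress
import re
from typing import Callable

# Assumed threshold for "high confidence"; below it, a human decides.
CONFIDENCE_THRESHOLD = 0.90

def valid_ip(value: str) -> bool:
    """Accept a single IPv4/IPv6 address only (no CIDR, no extra text)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9._-]{1,63}$")
HOSTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")

# Pre-approved routines: name -> (parameter validator, action template).
# Actions only record what they would do; a real deployment would call
# firewall / IdP / EDR APIs here.
PLAYBOOKS: dict[str, tuple[Callable[[str], object], str]] = {
    "block_ip":        (valid_ip,             "firewall deny {v}"),
    "disable_account": (ACCOUNT_RE.fullmatch, "idp disable {v}"),
    "isolate_host":    (HOSTNAME_RE.fullmatch, "edr isolate {v}"),
}

def dispatch(alert: dict, audit: list[str]) -> str:
    """Return 'executed', 'escalated' (to an analyst) or 'rejected'."""
    name, param, conf = alert["playbook"], alert["param"], alert["confidence"]
    if name not in PLAYBOOKS:            # unknown routine: never improvised
        audit.append(f"REJECT unknown playbook {name!r}")
        return "rejected"
    validator, template = PLAYBOOKS[name]
    if not validator(param):             # bad variable: never executed
        audit.append(f"REJECT {name} invalid param {param!r}")
        return "rejected"
    if conf < CONFIDENCE_THRESHOLD:      # not high confidence: analyst decides
        audit.append(f"ESCALATE {name} {param} conf={conf:.2f}")
        return "escalated"
    audit.append("EXEC " + template.format(v=param))
    return "executed"

# Constructed sample decisions as an upstream model might emit them.
SAMPLE_ALERTS = [
    {"playbook": "block_ip", "param": "203.0.113.7", "confidence": 0.97},
    {"playbook": "disable_account", "param": "j.doe", "confidence": 0.72},
    {"playbook": "block_ip", "param": "0.0.0.0/0", "confidence": 0.99},   # over-broad
    {"playbook": "wipe_disk", "param": "ws-042", "confidence": 0.99},     # not vetted
]

def run(alerts=SAMPLE_ALERTS):
    audit: list[str] = []
    return [dispatch(a, audit) for a in alerts], audit
```

The third and fourth alerts show why the validators and the fixed playbook list matter: a confident but over-broad or unapproved action is rejected and logged rather than executed.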

LW: What about false positives? That’s a longstanding pain point.

Moser: Yeah, that’s still a challenge — no question. But we’re making real progress. The power of AI here isn’t just in detection. It’s in helping analysts figure out what matters. Too many alerts, not enough skilled humans — that’s been the problem for years. Especially when you’re dealing with unstructured data coming in from a dozen different systems.

What our platform does is look at that mess — across email, endpoint, SaaS logs, everything — and make sense of it in context. It helps the SOC distinguish between a one-off blip and a true signal of compromise. So instead of chasing ghosts, your team can focus on the threats that really matter. And when the platform can act automatically on high-confidence events, it takes even more pressure off your analysts.

LW: Can you share what this looks like in the field?

Moser: Sure — we’ve had a couple large financial organizations really lean in and deploy the full Anomali Platform: the data lake, Secure Analytics, ThreatStream, and our AI automation layer. One of them — a major financial institution — saw something like a 90% reduction in critical incidents. And I’m not just talking about alerts. I mean real, high-severity events that would’ve normally triggered full response cycles.

What made the difference? They were able to identify potential threats before they became realized threats. The system predicted what was coming, and acted early. That’s what happens when you bring everything into one place, tie it to live threat intel, and give your AI room to work.

LW: Let’s talk about ThreatStream. How does that layer into all of this?

Moser: ThreatStream was actually our first product — and it’s still core to everything we do. In my opinion, Anomali is the leading vendor when it comes to the volume and variety of threat intel sources we can pull together into one stream. But we don’t just aggregate feeds. We enrich that intel. We can tell you which threat actor is likely behind a given set of indicators — and what their intent might be.

Now we’ve taken that even further with ThreatStream AI. That’s where the LLMs come in. They help interpret not just the what, but the why — the pattern, the likely objective, the tactics in play. So instead of just handing you IPs and hashes, we’re giving you context. We’re giving you intelligence you can actually act on.

LW: Any final thoughts on where this is headed?

Moser: I think we’re still early in this — especially with generative AI and autonomous response. There’s a lot we’re still figuring out. But the direction is clear. The goal isn’t to replace people. It’s to get defenders out of constant firefighting mode — to give them tools that can see a little further ahead, and act a little faster than humans alone ever could.

When we talk about leveling the playing field with threat actors, this is how we do it. Not by throwing more dashboards at the problem, but by giving security teams some real breathing room — and a platform that helps them stay ahead instead of always catching up.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

October 19th, 2025 | Q & A | Top Stories


Source: https://securityboulevard.com/2025/10/critical-insights-qa-anomalis-ai-native-approach-helps-defenders-cut-noise-mitigate-swiftly/