This week I attended the Gartner SRM conference in National Harbor, Maryland. I generally like going to the Gartner conferences for a couple of reasons:
1. I enjoy the audience. It’s mostly director to C-suite contacts attending from a variety of organizations that leverage Gartner. As a vendor, this gives us direct access to many buyers and decision makers. As a security professional, it gives me great perspective on what organization leaders are thinking about while building out their security program.
2. I think the conference material presented is quite good and highly regarded by the security leaders that attend the conference.
While there was no shortage of AI speak on the exhibition floor, this blog is my own hot take written without the help of AI.
The exhibit show floor divided manufacturers into common areas. Our booth was surrounded by AI SecOps platforms and MDR providers, all of whom are now integrating AI capabilities into their offering. Of the roughly 220 total exhibitors at the Gartner conference, just over 30 could be categorized as AI SecOps platforms or AI-enabled MDRs.
After a number of conversations with different organizations asking what the differences are and what would be the best fit for them, and listening to a timely and clarifying talk by Pete Shoard on the future of SOC staffing, I decided it may be valuable to explain how I’m looking at the market and proper fit for organizations.
In his talk “Staffing the SOC in 2030”, Pete highlighted the shift in the role of a SOC analyst from investigating alerts to validating the investigation done by AI, with 60% of Gartner surveyed organizations seeing AI SOC agents as augmenting human decision making, and 64% believing they would always require human validation with strong governance and approval. I agree with this, and we see this transition happening in our own SOC with our recent release of SOC AI.
Thinking about the evolution of security operations from an organizational point of view, if you’re deciding between an AI SecOps platform and an AI-enabled MDR, it really comes down to expertise and headcount. AI SecOps platforms can almost be looked at as the second coming of SOAR platforms. Initially, the thought was they would replace analysts by automating all of their work, though that proved to be largely incorrect. Playbooks were complicated to make, APIs weren’t as readily available, and many products didn’t have native integrations built in.
The age of AI has changed much of this, with APIs being readily available, if not full-blown MCP servers easily integrated into a single platform, and allowing AI to run its own playbook or follow drag-and-drop playbooks that are quickly built.
With SOAR, we saw organizations replacing analysts with engineers to build out and administer the playbooks. This often resulted in increased expenses, as analysts were still required to validate the steps that were taken and perform response actions that weren’t automated. With AI, the automation may be entirely handled and built out, but most organizations still have trepidation around letting autonomous AI perform more sensitive actions like threat containment via host isolation, file banning, password resets, disabling user accounts, or deleting emails. This skepticism is justifiable with the countless examples of autonomous AI running amok from deleted databases to improperly reset passwords for attackers. Even Gartner’s “Hype Cycle for Security Operations, 2026” pins AI SOC Agents to the Peak of Inflated Expectations.
What this really boils down to is organizational maturity around security operations. Larger enterprises that have 10 or more analysts working 24/7 may see significant gains from implementing an AI SecOps platform. They can transition some of those analysts to administer the platform and improve on playbooks, while other analysts are validating the verdicts rendered by the platform and executing the response actions necessary. For organizations that don’t have the requisite headcount or expertise, managed detection and response provide the expected outcomes without the necessary input from internal teams.
If you fit into the camp that feels an AI SecOps platform is right for your organization’s size and security maturity, you have countless options available. I would caution against some of these newer fly-by-night platforms that have been vibe-coded over the last three months and managed to pull a Series A based on the market hype and instead focus on market leaders with larger customer bases that have tested and validated the solution. Notable players in this space include BlinkOps, 7ai, Intezer, Dropzone, Exaforce, and Conifers, with dozens of smaller and newer players launching weekly. When evaluating these solutions, it’s important to understand:
· Native integrations and detections
· Investigations and blast-radius analysis
· Analyst-facing output
· Conversational interaction with AI output
· Guard-railed autonomous response
· Auditable actions for accountability
We’ve all seen examples where AI comes up with a plan, then, once the plan is agreed upon, performs a completely different action that was never discussed.
If you’re in the second camp where you require expertise and headcount to maintain 24/7 operations, MDR seems a better fit for you, delivering a service rather than technology (though transparent access to the underlying technology should be a requirement). Some AI SecOps platforms have started bolting on MDR but may lack the longevity and knowledge to train models on exactly how alerts should be investigated. Other MDRs are transitioning to AI SecOps platforms without saying it and automatically escalating AI investigations to customers as if they were written by humans, with little to no validation being done, especially on lower severity alerts.
Since I’ve had these conversations countless times, I think it’s beneficial to highlight some of the things to consider when evaluating AI-enabled MDRs along with Critical Start’s approach. Potential questions for AI MDR providers include:
How are you using AI?
At Critical Start, we leverage AI to decrease analyst time to investigation. Humans are always in the loop validating the AI investigation and taking response actions.
How are you using AI to perform investigations?
Many other MDR companies are just throwing data at an LLM and letting it run wild. We see similar approaches in AI SecOps platforms adding “MDR”-like oversight or capabilities. At Critical Start, we’ve built a catalog over the last decade of analyst investigation procedures that serves as a basis for SOC AI to understand what a human would do to investigate the alert and can expand the investigation based on the returned information.
How are you using deterministic data sets vs. probabilistic AI?
This is a subset of the last question. AI is probabilistic. It is literally guessing at the next word, and without a factual database to reference, providing a likelihood that a specific threat could be malicious.
At Critical Start, we use deterministic data that we’ve gathered over the last decade to feed the probabilistic AI before presenting the proposed verdict to an analyst for validation. Once validated, that data is fed back into the deterministic data set for future reference in a model of recursive self-improvement.
What models are you using for investigation?
This also applies to AI SecOps platforms where the underlying model is not exposed or configurable. We see other providers leveraging outdated models to save on token cost. At Critical Start, we’ve built a framework on LangChain that allows us to swap models as well as perform A/B testing to identify leaps in efficiency and efficacy.
How is AI being used to respond?
Referring back to my previous point, AI should not be allowed to autonomously take response actions. This is different than automated responses, which use deterministic rules to drive a pre-configured response. AI should not have direct access to response capabilities.
At Critical Start, this is explicitly guard-railed. As we continue to drive down TTR with AI, AI will build and recommend response automations that can be executed automatically or after review by an analyst. LLMs have no access to response APIs.
There are, of course, a lot of nuances I haven’t gone into. We’ve seen examples of mid-market organizations successfully lean forward into AI SecOps Platforms, while large enterprises were better served by Critical Start’s MDR. This certainly doesn’t cover every consideration but hopefully provides high-level guidance to steer your organization to the best solution, whether it’s Critical Start or not. As a vendor, we compete to win business, but as a security company, we’re more concerned about the protection of customers and the goods and services they provide to the broader public.
I’m always happy to discuss my opinion or provide more detail, context, or consideration. Please don’t hesitate to reach out for further conversation, or to provide your own perspective.
