MSSPs and security teams are struggling with leveraging AI for cybersecurity, even as the number of AI-based security threats against them continues to mount.
In a recent blog post,
Jon Munshaw, content marketing manager with
Sophos, pointed to an estimate by Gartner analysts who found that fewer than a quarter of enterprises are using AI-enhanced security tools despite the hype around them.
“That mismatch creates a dilemma,” Munshaw
wrote. “Many SOCs feel pressure to ‘do something with AI,’ yet most are still evaluating where it fits — or whether it fits at all. And behind the hype lies a practical truth: SOC teams are already under strain.”
Predictably, the focus of the recent RSAC 2026 event in San Francisco late last month
was on AI and agents – the threat this poses in the hands of cybercriminals and the promise it holds for security teams and security services providers alike.
One of the vendors making noise at the show was
Arctic Wolf, which
staked its claim in AI-based security with new offerings highlighting its platform approach while upholding the notion that humans will continue to play an active role. As the company wrote, the new era of security operations will be “agent-led with humans in the loop.”
Leveling the Playing Field
Attackers and defenders alike have access to similar underlying AI models, with the difference being how effectively the models are applied in real operational environments, according to
Dan Schiappa, president of technology and services at Arctic Wolf.
Most organizations are doing the early work, experimenting with AI, but in isolated ways that don’t always translate into true improvements in detection or response, Schiappa told MSSP Alert. That is where the gap exists between how bad actors and security pros are using AI.
“What
levels the playing field
is applying AI with context and discipline, grounding it in real telemetry, embedding it into workflows, and ensuring there’s human validation when it matters,” he said. “When you do that well, AI becomes an accelerator for better decisions.”
AI, with Humans in the loop
At RSAC 2026, Arctic Wolf released its
Aurora Superintelligence Platform, which includes a Swarm-of-Experts framework that plans and executes for most cybersecurity actions instead of focusing on individual tasks. The swarm comprises hundreds of agents that run tasks end-to-end that adapt to threats, with security pros in place as validation for escalating incidents and improving the performance of the model.
Its Security Operations Graph is created from more than 9 trillion telemetry events the SOC takes in each week from an array of sources to generate insights from multiple signals without exposing customer-specific data, while the AI Trust Engine provides a validation process and guardrails for agents.
Meanwhile, the vendor’s
Aurora Agentic SOC, built atop the Superintelligence Platform, makes the shift from a human-led to agent-led approach. It includes three types of AI agents for overseeing activity and validating results, planning and running SOC tasks, and automating SOAR jobs.
“The future of cybersecurity will not be decided by the next model with better generic-scenario benchmarks,” Schiappa
wrote in a blog post this month. “It will be decided by who delivers the most accurate, reliable outcomes in real environments. That requires more than access to frontier models; it requires a platform that can continuously learn, adapt, and operationalize AI in the context of each customer.”
Allowing MSSPs to Scale
For MSSPs, the goal is to help address the challenge of scale to deliver high-quality security results across an expanding number of customers without increasing costs or complexity.
“What changes with this approach is that more of the operational burden — triage, investigation, and response — can be handled in a consistent, repeatable way, supported by AI but grounded in real operational experience,” he said. “That allows MSSPs to extend their capabilities without having to build everything themselves.”
The result is that they can bring on more clients, deliver more consistent outcomes, and focus on higher-value work instead of managing alert volume, Schiappa said.
The Speed of AI Cyberthreats
As a backdrop to all of this, Arctic Wolf released a report detailing the evolving
number and nature of AI-based threats organizations face. Over 12 months running from early last year to February, ArcticWolf Labs researchers detected more than 22,000 distinct files across a range of malware repositories that included AI-generated code, large language model (LLM)-like scaffolding, runtime AI API integration, and artifacts from the popular DeepSeek R1 AI model.
“AI is reshaping the threat landscape primarily through scale: it broadens who can build malware and accelerates how quickly functional tools emerge,” they wrote. “In our research, we observed threat actors using LLMs to produce infostealers, RATs, droppers, ransomware engines, or other malicious scripts.”
Threat actors no longer need deep technical skills to develop malware, and malware that is developed can be deployed more quickly, they found.
“What we’re seeing is ... how quickly these tools can be applied to structured tasks like code generation, scripting, and content creation,” Schiappa said. “That accelerates activity and increases volume, but it doesn’t fundamentally change the nature of attacks. The techniques are still familiar; they’re just moving faster.”