The challenge of keeping up with the tsunami of security alerts is becoming a central issue for defenders, at a time when bad actors are ramping up the speed and volume of their attacks and the AI-based tools used by corporate security teams and MSSPs are pulling in massive amounts of data.
Vectra AI, which offers an AI-driven cybersecurity platform, found that organizations, on average, receive 2,992 security alerts a day, but that 63% go unaddressed.
“Every security operations center (SOC) faces the same paradox: the tools designed to protect organizations are drowning analysts in noise,” the company wrote, adding that the “gap between what gets flagged and what gets investigated is where breaches begin.”
Prophet AI, which delivers an agentic AI security platform, found that a four-analyst SOC investigates between 300 and 400 high-fidelity alerts each week, and that 90% turn out to be benign.
“The other ten percent are the reason the team exists,” the company wrote. “Every alert, benign or not, still has to be pulled apart, correlated, decided on, and documented. The math runs out long before the week does.”
Blumira's Agentic AI SIEM Platform
Cybersecurity vendors are rushing to get tools to SOCs and MSSPs to manage the overwhelming number of incoming alerts, with AI capabilities being central to the solution. Blumira, this week, announced the pilot release of Kindling, an agentic AI-based SIEM investigation platform engineered for SOCs that uses a two-stage analysis of alerts to sort out those that can be set aside and send along only alerts that are verified and actionable.
Company executives say that for security teams and MSSPs, the result is that the number of alerts is reduced by as much as 30 to 50 times while actual threats are sent to defenders at a 98.5% auto-triage accuracy rate. Blumira validated Kindling’s results against more than 2,000 real-world incidents that were resolved through companies’ support teams.
“Current AI models excel at the kind of analysis, correlation, and comparison required for effective triage,” Blumira co-founder and CEO Matt Warner told MSSP Alert. “Starting with deterministic analysis, using those AI strengths to pull the pieces together into a logical chain, and reviewing that verdict against a multi-model judging panel makes sure threats don’t get overlooked – and doing that in a matter of seconds with each new finding – measurably improves your analyst’s capacity, making sure their time is spent where it matters most.”
'The Math Doesn't Work'
Kindling uses data that’s already been ingested by Blumira’s platform, not only from endpoints but also from the cloud, networks, and identity resources. For MSPs and MSSPs, such tools are crucial, Warner said. The service providers are trying to keep up with today’s AI-driven attacks with the same headcount they had two years ago.
“The math doesn't work,” he said. “Even with good filtering, analysts are getting more alerts than they can reasonably keep up with, and that risks overlooking or missing real threats.”
Kindling delivers threat context that’s based on its eight years of detection data, an entire year of log retention information, and analysis, according to the company. It reviews each finding and dynamically weighs its severity as well as the behavioral baseline for the user’s environment. It also evaluates how similar organizations have resolved the same issue. It determines what to send to security teams through this weighted scoring and includes evidence timelines and next steps.
Security teams get an analysis, a detailed attack, a graph showing the identities and assets affected by the threat, and recommended actions to protect against it.
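To make the two-stage workflow described above concrete (a deterministic pass that sets aside known noise, then a weighted score combining rule severity, deviation from a user's behavioral baseline, and how often peer organizations resolved the same rule as benign), here is an added illustrative example. It is not Blumira's code and does not reflect how Kindling is implemented; the baseline, the peer-resolution rates, the weights, the escalation threshold, and the sample alerts are all constructed for the example.

```python
"""Illustrative two-stage alert triage: a deterministic pass, then weighted
scoring against a behavioral baseline and peer-resolution history.
Added example, not Blumira's code; every weight, threshold and sample is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    alert_id: str
    user: str
    rule: str
    severity: int          # 1 (low) .. 5 (critical), assigned by the detection rule
    src_country: str
    ts: datetime


# Constructed behavioral baseline: where and when each user normally logs in.
BASELINE = {
    "alice": {"countries": {"US"}, "work_hours": range(7, 20)},
    "svc-backup": {"countries": {"US"}, "work_hours": range(0, 24)},
}

# Constructed history of how similar organizations resolved the same rule:
# fraction of past findings that ended up benign.
PEER_BENIGN_RATE = {
    "impossible_travel": 0.30,
    "mfa_fatigue": 0.10,
    "admin_group_change": 0.85,
}

# Stage 1 allowlist (constructed): known service-account activity that is
# dropped before any scoring happens.
KNOWN_BENIGN = {("svc-backup", "admin_group_change")}


def stage1_deterministic(alert, seen, window=timedelta(minutes=10)):
    """Return a reason string if the alert is set aside deterministically, else None."""
    if (alert.user, alert.rule) in KNOWN_BENIGN:
        return "allowlisted service-account activity"
    key = (alert.user, alert.rule)
    last = seen.get(key)
    seen[key] = alert.ts
    if last is not None and alert.ts - last < window:
        return f"duplicate of earlier finding within {window}"
    return None


def stage2_score(alert):
    """Weighted score in [0, 1]: higher means more likely a real threat."""
    base = BASELINE.get(alert.user, {"countries": set(), "work_hours": range(0, 24)})
    off_country = alert.src_country not in base["countries"]
    off_hours = alert.ts.hour not in base["work_hours"]
    deviation = 0.5 * off_country + 0.5 * off_hours     # baseline deviation, 0..1
    severity = (alert.severity - 1) / 4.0               # normalize severity to 0..1
    peer = 1.0 - PEER_BENIGN_RATE.get(alert.rule, 0.5)  # how often peers found it real
    # Weights are arbitrary constructed values; a real system would tune or learn them.
    return round(0.4 * severity + 0.35 * deviation + 0.25 * peer, 3)


def triage(alerts, escalate_at=0.6):
    """Run both stages in time order; return (escalated, set_aside), each with evidence."""
    escalated, set_aside, seen = [], [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        reason = stage1_deterministic(a, seen)
        if reason:
            set_aside.append((a.alert_id, f"stage1: {reason}"))
            continue
        score = stage2_score(a)
        evidence = (f"stage2: score={score} user={a.user} rule={a.rule} "
                    f"from={a.src_country} at={a.ts:%Y-%m-%d %H:%M}")
        (escalated if score >= escalate_at else set_aside).append((a.alert_id, evidence))
    return escalated, set_aside


def reduction_factor(alerts, escalate_at=0.6):
    """Raw alerts per escalated case, i.e. the kind of 'N times fewer alerts' figure vendors quote."""
    escalated, _ = triage(alerts, escalate_at)
    return len(alerts) / max(len(escalated), 1)


# Constructed sample findings for one day (not real incident data).
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE = [
    Alert("a1", "alice", "admin_group_change", 2, "US", T0),
    Alert("a2", "alice", "admin_group_change", 2, "US", T0 + timedelta(minutes=3)),
    Alert("a3", "svc-backup", "admin_group_change", 2, "US", T0 + timedelta(hours=1)),
    Alert("a4", "alice", "impossible_travel", 4, "RU", T0 + timedelta(hours=18)),
    Alert("a5", "alice", "mfa_fatigue", 5, "US", T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    esc, aside = triage(SAMPLE)
    for item in esc:
        print("ESCALATE ", item)
    for item in aside:
        print("SET ASIDE", item)
    print("reduction factor:", reduction_factor(SAMPLE))
```

On the sample data, the duplicate admin-group change and the allowlisted service-account finding never reach scoring, the low-severity in-baseline change scores below the threshold, and only the off-hours, off-country impossible-travel alert and the critical MFA-fatigue alert are escalated, each with a one-line evidence string an analyst can check. The point of the structure is that every set-aside decision carries a stated reason, so the suppression itself can be audited rather than trusted.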
Going on Defense
In cybersecurity, most advances in using AI have so far come on the offensive side rather than for defenders, which Warner said makes sense.
“Defense has always been the more challenging part of the equation, because looking for a single flaw to exploit is much easier than making sure there aren’t any flaws to be exploited,” he said. “A lot of noise has been made about faster turnaround from disclosed research to weaponized exploit, or discovering new bugs in decades-old code. If that awareness translates to a linear increase in work for the SOC, there’s no real way to keep up.”
Kindling evens that playing field for MSSPs and MSPs as well as enterprises, the CEO said, adding that the tool’s ability to auto-triage every finding cuts 90% of the work for MSSPs in managing the platform.
More Client Support, Better Results
“Then, only cases that need human eyes and action to resolve are escalated, so your team knows when they get an alert, it’s relevant and requires review,” he said. “Now the same analyst can support more clients without missing threats and without burning out. That's how partners are going to scale a security practice now, and it's what we built Kindling to solve.”
The Kindling dashboard shows MSSPs where the risk for their clients is concentrated, which findings are recurring, and an organization’s security posture compared with similar companies. It also highlights what the MSSP and its clients can do to improve their security, and the value that security service providers are delivering to their customers.
The dashboard is part of Blumira’s efforts to harden its security operations platform for MSSPs and MSPs, which includes tighter integration with ConnectWise and Autotask over the past few months. The company has already updated endpoint detection and response (EDR) and identity threat detection and response (ITDR) capabilities.