How AI Is Changing Detection Engineering, and Why It Still Needs Human Expertise

Published

Detection engineering is the process of designing, testing, and refining custom detection logic to identify cyber threats in real time. It uses an iterative approach to create high-fidelity alerts tailored to an organization’s specific environment.

In most SOCs, detection engineering is the “sharpening the sword” work that typically gets pushed to the back burner because alert triage consumes most of analysts’ time.

This is a mistake. And one that AI can correct.

The trick is to understand how AI can be applied to this problem. It isn’t a matter of automating rule creation: at this point, that still carries a large risk of proliferating faulty logic. It’s about scaling expert judgment across the SOC.

And for that, you need humans.

Why Detection Engineering Matters (More) in an AI-Driven SOC

If anything, detection engineering becomes more critical, not less, in an AI SOC environment.

While AI can summarize alerts, cluster incidents, enrich IOCs, and write draft queries, that all depends on the data it’s standing on. If the telemetry is dirty, or the logic is stale, or the detections are weak, AI is only going to help you fail faster. It’s going to scale whatever you feed it, good or bad, so it’s crucial to craft the right rules upstream.

Detection engineering is always going to be what underpins the work of nearly every other tool: deciding what behavior is worth alerting on, tuning thresholds, suppressing garbage, validating coverage, and constantly reworking logic as the environment changes. None of that disappears because you added an LLM to the stack.

In a traditional SOC, bad detection rules waste hours. But in an AI SOC, those bad rules get amplified at machine speed. In practice, this looks familiar: a detection that seemed sound in testing is deployed into production and suddenly generates thousands of alerts overnight. Analysts suppress it to stay afloat, coverage silently disappears, and the organization is left with a false sense of security. AI doesn’t solve that problem; it accelerates it.

In practice, this means that you don’t just get false positives: you get automated triage on false positives. You get auto-generated summaries of false positives. You get escalations based on false positives, dashboards displaying nonsense, and ultimately, more wasted time. In this context, like anywhere, AI only magnifies the dysfunction.

To drive home the point: while AI might help write a Sigma rule or summarize an alert, it cannot replace the core work of mapping techniques to telemetry and engineering detections that hold up in production.

In an AI-driven SOC, those MITRE ATT&CK-aligned detections are the signal layer AI depends on. If that signal is shallow, noisy, or stale, the AI is running on garbage.

Putting First Things Last: Why Detection Engineering Gets Neglected

In most SOCs, urgent work always beats important work. Leadership wants dashboards, incidents need handling, tickets pile up, and SOCs resort to survival mode, triaging whatever the stack spits out.

This means there’s nobody with the dedicated time to fix the rules, validate coverage, or engineer new rules based on new attacker behaviors. It’s the embodiment of the adage: everyone’s driving, and no one has time to stop for gas.

You see this time and again: organizations spend six figures on SIEM/EDR, then drastically underutilize the investment because nobody has been given clear ownership of detection quality and upkeep. That’s always a job for “when there’s time,” and there’s never time.

This produces not only gradual drift but chronic mistrust as SOCs get used to not trusting alerts and false positives become the norm. Companies can choose to pay upfront by setting aside engineering time for content development, telemetry QA, and post-incident feedback, or they can pay interest on what amounts to neglect.

Failure to prioritize rule pruning might be the number one issue. Failure to surmount the technical and operational roadblocks that exist is the second.

IBM’s finding that organizations manage 83 security solutions from 29 vendors paints the picture: the difficulty of engineering clean detection rules grows with the number of tools in the stack. No one is engineering cleanly across that many, and it’s probably not for lack of trying.

Detection engineering is a “priority problem” only as much as it’s an engineering one. And this is where AI becomes useful.

What AI Actually Changes in Detection Engineering

Half of effective detection engineering still depends on human insight, context, and oversight. The other half depends on AI to push the changes out.

As Gartner put it back in October, “AI SOC agents present an opportunity to transform security operations by using AI to assist human operators in performing common tasks.” Assist is the operative word.

The bottleneck was never typing out the rules but rather having the judgment to create them. In a mature SOC, detection engineering is entirely made up of human decisions. This creates a constant trade-off for SOC teams: increasing detection coverage often introduces more noise, while aggressively reducing false positives risks creating blind spots. 

Every detection decision sits somewhere on that spectrum. AI can help surface patterns and accelerate tuning, but it doesn’t remove the need to make those judgment calls — it just forces teams to make them faster and more often.
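The failure mode described earlier (a rule that looked fine in testing floods production, gets suppressed wholesale, and quietly leaves a gap) and the coverage-versus-noise trade-off above both come down to two checks a detection should pass before it ships: replay it against real telemetry to see how loud it will be, and confirm it still fires on the behavior it exists to catch. The Python below is an added example written for this page, not code from the article or its sponsor. The process-creation events, the user names, the command lines, the base64 payloads, the scheduled-task exclusion and the 50-alerts-per-day budget are all constructed assumptions.

```python
"""Pre-deployment checks for a detection rule: a volume gate and a coverage
regression test, run over constructed process-creation telemetry."""
from __future__ import annotations

import json
from typing import Callable, Iterable

Event = dict
Rule = Callable[[Event], bool]

# Constructed sample telemetry (not real logs): one hour of process-creation
# events. 'svc_backup' launches an encoded PowerShell script from a scheduled
# task every five minutes (parent svchost.exe, the Schedule service host);
# 'jdoe' has encoded PowerShell spawned by Word, which is the true positive.
# User names, command lines and base64 payloads are made up.
SAMPLE_HOUR = "\n".join(
    [json.dumps({"ts": f"2025-01-15T02:{m:02d}:00Z", "user": "svc_backup",
                 "parent": "svchost.exe", "image": "powershell.exe",
                 "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBtAHAAbwByAHQA"})
     for m in range(0, 60, 5)]
    + [json.dumps({"ts": "2025-01-15T02:17:00Z", "user": "jdoe",
                   "parent": "winword.exe", "image": "powershell.exe",
                   "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"})]
)
SAMPLE_WINDOW_HOURS = 1.0
TRIAGE_BUDGET_PER_DAY = 50  # assumption: what this team can actually look at


def parse_events(jsonl: str) -> list[Event]:
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def has_encoded_command(cmdline: str) -> bool:
    """True if the command line carries -EncodedCommand or any unambiguous
    prefix powershell.exe accepts for it (-e, -ec, -enc, ...)."""
    for token in cmdline.lower().split():
        if token.startswith("-") and len(token) > 1 and "encodedcommand".startswith(token[1:]):
            return True
    return False


def rule_v1(e: Event) -> bool:
    """First draft: any encoded PowerShell (ATT&CK T1059.001). The technique
    mapping is right, but the rule has never been replayed against what this
    environment does every day."""
    return e["image"].lower() == "powershell.exe" and has_encoded_command(e["cmdline"])


# Assumption: the SOC reviewed this (user, parent) pair and documented it as
# the backup job's scheduled task. The exclusion is keyed to that evidence,
# not to the technique, so it stays narrow.
KNOWN_SCHEDULED_ENCODED = {("svc_backup", "svchost.exe")}


def rule_v2(e: Event) -> bool:
    """Tuned draft: v1 logic with the documented exclusion applied."""
    return rule_v1(e) and (e["user"], e["parent"]) not in KNOWN_SCHEDULED_ENCODED


def rule_suppressed(e: Event) -> bool:
    """Blanket suppression: the rule still shows on the dashboard but never
    fires. This is what 'analysts suppress it to stay afloat' looks like."""
    return False


def alerts(rule: Rule, events: Iterable[Event]) -> list[Event]:
    return [e for e in events if rule(e)]


def volume_gate(rule: Rule, history: list[Event], window_hours: float,
                max_per_day: int) -> tuple[bool, float]:
    """Replay the rule over a window of historical telemetry and project the
    daily alert count; reject anything over the triage budget."""
    projected = len(alerts(rule, history)) * (24.0 / window_hours)
    return projected <= max_per_day, projected


def coverage_check(rule: Rule, labelled: list[tuple[Event, bool]]) -> bool:
    """Regression test: every event labelled malicious must still fire, so a
    tuning change (or a suppression) that removes coverage is caught."""
    return all(rule(e) for e, is_malicious in labelled if is_malicious)


def label_sample(events: list[Event]) -> list[tuple[Event, bool]]:
    """Constructed ground truth for the sample: only jdoe's event is bad."""
    return [(e, e["user"] == "jdoe") for e in events]


def evaluate(rule: Rule, history: list[Event], window_hours: float = SAMPLE_WINDOW_HOURS,
             max_per_day: int = TRIAGE_BUDGET_PER_DAY) -> dict:
    """A rule ships only if it is quiet enough to triage and still catches
    everything it is supposed to catch."""
    ok_volume, projected = volume_gate(rule, history, window_hours, max_per_day)
    ok_coverage = coverage_check(rule, label_sample(history))
    return {"deployable": ok_volume and ok_coverage,
            "projected_per_day": projected, "covers_known_bad": ok_coverage}


if __name__ == "__main__":
    history = parse_events(SAMPLE_HOUR)
    for name, rule in (("v1 draft", rule_v1), ("v1 suppressed", rule_suppressed),
                       ("v2 tuned", rule_v2)):
        print(f"{name:14} {evaluate(rule, history)}")
```

Run as written, the v1 draft fails the volume gate (13 hits in an hour projects to roughly 300 alerts a day against a budget of 50), the suppressed rule passes the volume gate but fails the coverage check because it no longer fires on the Word-spawned PowerShell, and the v2 rule passes both. The point of keying the exclusion to a verified (user, parent) pair rather than to the technique is that the ATT&CK T1059.001 coverage survives the tuning; the point of keeping a labelled true positive in the regression test is that the silent coverage loss the article describes becomes a failed check rather than a surprise.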

Those trade-offs

The answers depend on environment, context, and ultimately human expertise. AI can only help so much there, and humans do it better. The real job of AI in a detection engineering role is to support human judgment. AI can tee an analyst up by:

It cannot and does not create the detection rules themselves; it only creates the environment in which analysts can identify the best ones.

Why Human Insight Still Drives Effective Detection

AI doesn’t eliminate the need for expertise. It raises its value.

AI exposes weaknesses faster, makes bad signals more obvious, and raises the minimum accepted quality of the telemetry and logic that inform SOC decisions. But AI won’t fix an inconsistent detection layer. Rather, it will industrialize it, widening the blast radius. Human judgment is needed at the helm.

In an AI SOC, a human analyst’s role consists of:

In this scenario, humans are basically QA for AI. An AI SOC without strong human-led detection engineering risks running on slop and confidently producing the wrong information.

But an AI SOC with AI used in the right way extends human decision-making capabilities outward. It produces the data necessary for humans to make the right rules, then makes those rules scale. At all times, human judgment is still the control plane.

It’s like sharpening the sword and using it at the same time.

Sponsored Content Disclosure

This article is sponsored content, produced in partnership with a third-party brand and clearly labeled as such. The views and claims expressed here are the sponsor's — not necessarily TechNadu's. We were compensated for publishing it, and may earn a commission on any purchases made through the links.

What this means for readers

  • The content reflects the sponsor's perspective on their own product or service.
  • We haven't independently tested or verified every claim made in the article.
  • Any specifications, pricing, or feature details come from the sponsor and may change — check with them directly before making a decision.
  • Treat it the way you'd treat any promotional content — with a healthy dose of your own judgment.

Where we draw the line

Sponsored posts like this one are walled off from the rest of what we do. Our news coverage, product reviews, and recommendations are written independently, and advertisers don't get a say in them. That separation is non-negotiable for us.

For the full picture on how we handle sponsorships and affiliate links, see our Affiliate Disclosure.

