AI in Cybersecurity: Offensive AI, Defensive AI & the Crucial Data Foundation, Part 2 of 3
The AI Shield: Harnessing Artificial Intelligence for Defense
The second in a series of 3 guest blogposts by Roy Chua, Founder and Principal at AvidThink
Welcome back to our series on AI in cybersecurity. Our previous post discussed how threat actors are weaponizing AI/GenAI, creating faster, stealthier, and more convincing attacks. We also briefly touched on how AI/ML can be used for defense. In this post, we will spend more time discussing how organizations harness AI as a shield. As the offense leverages AI for speed and scale, cybersecurity defense must do likewise. Beyond covering the core strategies and key technologies for AI defense, we will also touch on the key role of observability.
Forging the Shield: AI Defensive Strategies
Traditional security is ineffective against new AI-powered cyberattacks. However, AI offers defenders the opportunity to shift their security operations towards a more predictive, adaptive, and, ultimately, intelligent posture. Recent announcements from numerous organizations at the RSAC 2025 security conference support this; for example, Google Cloud at RSAC discussed the use of AI agents to help cybersecurity defenders.
As we briefly touched on in the first post, AI is being used for advanced behavioral analysis. Machine learning techniques excel at learning the complex patterns of “normal” activity within an organization’s unique environment — how users access data, how servers communicate, what network traffic patterns look like during business hours, etc. Once these baselines are established, AI systems can continuously monitor and spot subtle deviations that may indicate compromise, insider threats, or novel attack techniques.
AI also offers immediate benefits by reducing alert fatigue, which is one of the most persistent challenges in security operations. Alert fatigue has plagued cybersecurity defenders for many years, and continues to do so, as indicated by a recent Enea survey. 52% of survey takers cited the difficulty of prioritizing alerts as the most significant challenge for security teams.
Human analysts are simply overwhelmed by the sheer volume of alerts, many of which are, unfortunately, false positives. AI algorithms can intelligently filter this noise, correlating related events across time and space, assessing impact based on context, and prioritizing the most critical threats for human action. Compared to humans, AI can spot correlations across a broader set of data and over a larger time window, improving the odds of spotting potentially malicious behavior.
AI is also enhancing other activities across the entire lifecycle of security operations (SecOps). AI/ML powers detection engines in Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and Network Traffic Analysis (NTA) tools. Likewise, it has been used to enhance analysis within Security Information and Event Management (SIEM) platforms, helping identify patterns across huge datasets. It also informs and drives response actions through Security Orchestration, Automation, and Response (SOAR) platforms and increasingly enables autonomous response (as the accuracy of these systems improves).
AI has demonstrated that it performs well in identifying complex patterns across disparate data sources. Modern attacks now span multiple domains. For example, an initial targeted phishing email (identity and social) may be followed by endpoint malware installation (endpoint), then lateral movement across the network (network), and finally, the initiation of data exfiltration via a cloud service (cloud). AI/ML can be used to mine and connect isolated events, providing a holistic view of the attack chain. This is a key driver behind the rise of Extended Detection and Response (XDR) platforms, which aim to break down traditional data silos to feed AI correlation engines.
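The cross-domain chain in the paragraph above (phishing email, endpoint malware, lateral movement, cloud exfiltration), joined by a simple rule-based correlator. This is an added example, not code from the original post, and a deliberately simplified stand-in for an AI correlation engine; the alerts, field names, and the HOST_OWNER inventory are constructed for illustration.

```python
from datetime import datetime, timedelta

# Kill-chain order taken from the paragraph above: one stage per telemetry domain.
STAGES = ["phishing_email", "malware_install", "lateral_movement", "cloud_exfil"]

# Constructed sample alerts from four separate tools; each tool keys on a different entity.
EVENTS = [
    {"ts": "2025-05-01T09:02", "domain": "email",    "type": "phishing_email",   "user": "alice"},
    {"ts": "2025-05-01T09:10", "domain": "endpoint", "type": "malware_install",  "host": "wks-17"},
    {"ts": "2025-05-01T09:40", "domain": "network",  "type": "lateral_movement", "host": "wks-17"},
    {"ts": "2025-05-01T10:05", "domain": "cloud",    "type": "cloud_exfil",      "user": "alice"},
    {"ts": "2025-05-01T09:30", "domain": "email",    "type": "phishing_email",   "user": "bob"},
    {"ts": "2025-05-03T14:00", "domain": "cloud",    "type": "cloud_exfil",      "user": "bob"},
]
# Hypothetical asset inventory used to join host-keyed and user-keyed events.
HOST_OWNER = {"wks-17": "alice", "wks-22": "bob"}

def entity(event):
    """Resolve every event to one identity so the per-tool silos can be joined."""
    return event.get("user") or HOST_OWNER.get(event.get("host"))

def correlate(events, window=timedelta(hours=4), min_stages=3):
    """Return {entity: [stage, ...]} for entities whose alerts advance through
    at least min_stages kill-chain stages, in order, inside the time window."""
    by_entity = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        who = entity(ev)
        if who is not None:
            by_entity.setdefault(who, []).append(ev)
    chains = {}
    for who, evs in by_entity.items():
        start = datetime.fromisoformat(evs[0]["ts"])
        chain, next_idx = [], 0
        for ev in evs:
            if datetime.fromisoformat(ev["ts"]) - start > window:
                break  # too far from the first alert to count as one incident
            idx = STAGES.index(ev["type"]) if ev["type"] in STAGES else -1
            if idx >= next_idx:  # this alert moves the chain forward
                chain.append(ev["type"])
                next_idx = idx + 1
        if len(chain) >= min_stages:
            chains[who] = chain
    return chains
```

Viewed in isolation, each of alice's four alerts is a routine single-tool event; only the join on identity and time surfaces the full chain, while bob's two unrelated alerts stay below the threshold.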
Autonomous response systems represent another leading-edge AI defense aiming to neutralize threats at machine speed. Campus, branch, and remote security products, including Secure Access Service Edge (SASE), Security Service Edge (SSE), and Zero Trust Network Access (ZTNA), have started to introduce systems that automate targeted actions within seconds of detecting a high-confidence threat, such as ransomware propagation. Multiple vendors at RSAC 2025 were touting their capabilities to block specific malicious traffic, isolate a compromised device, or suspend a suspicious user account. However, the prospect of machines acting without human approval can bring significant risks. For example, having too many false positives can cause operational disruption. Today, autonomous capabilities are reserved for specific, high-confidence scenarios, while most systems operate with human oversight (“human-in-the-loop”).
Key AI Capabilities and Technologies in Defense
Looking deeper into the AI-assisted defensive strategies we’ve just covered, what we observe is that AI/ML can provide value in the following foundational capabilities within cybersecurity platforms:
- Anomaly Detection: Anomaly detection systems typically use unsupervised learning to model normal behavior across users, endpoints, and network flows and flag statistically significant deviations. These deviations could indicate threats like insider activity, zero-day malware, or account compromise. This technology forms the basis of many UEBA (User and Entity Behavior Analytics) solutions.
- Natural Language Processing (NLP): AI’s ability to understand and process human language can be used to analyze unstructured text data, and the arrival of GenAI and LLMs has dramatically improved NLP capability. Such technology can be used to scan threat intelligence reports for relevant indicators, analyze emails for phishing, parse security logs for context, or monitor dark web forums for emerging threats.
- Predictive Analytics: By analyzing historical attack data, vulnerability trends, and an organization’s IT configuration, AI can forecast future attack vectors or identify assets most likely to be targeted. This should enable organizations to proactively prioritize resource allocation and defense hardening.
These AI capabilities aren’t standalone products but are increasingly integrated into comprehensive security platforms like XDR, AI-enhanced SIEMs, NDR, and EDR solutions.
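The per-entity baselining described under Anomaly Detection above, shown with a robust statistic (median and MAD) as a simple stand-in for the unsupervised models the post refers to. This is an added example, not code from the original post; the users, upload volumes, and thresholds are constructed for illustration.

```python
from statistics import median

# Constructed baseline: MB uploaded per day by each entity over ten normal days.
BASELINE = {
    "alice": [40, 55, 38, 61, 47, 52, 44, 58, 49, 50],
    "svc-backup": [900, 950, 910, 940, 925, 930, 915, 945, 920, 935],
    "carol": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}
# Constructed observations for the day being scored.
TODAY = {"alice": 620, "svc-backup": 960, "carol": 35, "dave": 10}

def robust_score(history, value):
    """Modified z-score: distance from the median in units of the median
    absolute deviation (MAD), which a few past outliers cannot skew."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # perfectly flat baseline: any change at all is a deviation
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def detect(baseline, today, threshold=3.5, min_history=7):
    """Return {entity: reason} for observations that deviate from that
    entity's own baseline. Entities without enough history are reported
    separately instead of being silently treated as normal."""
    findings = {}
    for who, value in today.items():
        history = baseline.get(who, [])
        if len(history) < min_history:
            findings[who] = "no_baseline"
        elif abs(robust_score(history, value)) > threshold:
            findings[who] = "deviation"
    return findings
```

The service account's 960 MB is the largest upload of the day yet scores as normal, while alice's 620 MB is flagged: the comparison is against each entity's own history, which a single global threshold cannot express.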
The Crucial Role of Data and Observability
Most AI/ML, regardless of the domain of applicability, hinges on having access to comprehensive, high-quality data. It’s no different with cybersecurity. Ensuring that the AI/ML-powered systems are fed with a rich set of real-time and historical data derived from deep visibility across the entire IT environment is important to system performance.
This observability goes beyond traditional monitoring and involves collecting and correlating diverse telemetry — logs, metrics, and traces (and increasingly, network packets) — across the distributed infrastructure. This means having visibility into network traffic, endpoint activities, cloud configurations, application behavior, network and security system logs, and user interactions.
Without this comprehensive view, defensive AI systems cannot build accurate baselines, correlate cross-domain attack steps, or detect threats lurking in diverse environments from OT systems on the factory floor to VMs and containers in the cloud. Modern observability platforms are evolving to meet this need, often also incorporating AI to process vast amounts of telemetry data in real-time and provide actionable insights. There’s an ongoing trend towards “intelligent visibility,” where AI-powered analytics happen closer to the data source (e.g., within network packet brokers or local network security devices), aiming to enrich data and provide faster insights.
Laying the Groundwork: The Data Foundation Imperative
This leads us to an important observation: AI defensive systems are only as good as the data they are trained on and operate with. No matter how sophisticated the AI/ML algorithms are, if we feed them with incomplete, inaccurate, or low-quality data, we’ll get poor performance, resulting in missed threats and a high rate of false positives.
However, security data comes from diverse sources in varying formats: security appliance logs, endpoint agents, packet captures, threat feeds, cloud APIs, application logs, and more. Collecting, normalizing, and enriching this data into a consistent, usable format for AI consumption is a lot of work. Regardless, data quality is critical to success in using AI/ML. Tracking data KPIs like accuracy, completeness, timeliness, and relevance is an absolute prerequisite.
Furthermore, AI systems require access to vast amounts of historical data for initial training and model refinement, along with real-time data streams for ongoing operation and detection. Building the data pipeline infrastructure and processes to handle both is essential. Organizations must, therefore, think critically about their data architecture and strategy to support their AI security ambitions.
Managed security providers need to aid their clients with the same, as do solution vendors who must build capabilities that tap into high-quality historical and real-time data for model inference and regular fine-tuning.
Up Next — Data’s Role in AI-Powered Security Defenses
We’ve seen how AI offers powerful defensive capabilities, from intelligent detection to automated response, underpinned by the need for comprehensive visibility and observability. But how do organizations gather and prepare the necessary data across environments stretching from the cloud to the edge? What specific data quality hurdles must be overcome in a security context? And what are the different ways organizations can build or acquire the AI intelligence they need? How should solution vendors think about platform architecture and technology components that facilitate both historical and real-time data gathering, cleansing, and analysis?
Join us for the final post in this series, which will delve into the topic of data foundations. We’ll explore data gathering and processing across the cloud-to-edge continuum, data quality management, analytics pipeline building, and options for improving visibility.