Skip to main content
Cybersecurity

Cybersecurity Teams Must Leverage AI to Counter Accelerating Threats

Security analysts work at desks in a brightly-lit operations center with multiple screens displaying threat data and a…
" We don’t have a choice anymore. Quite simply, when it comes to security processes, those which are human-in-the-loop driven, just don’t adapt to new adversary timescales," said Joe Slowik, director of cybersecurity alerting strategy at Dataminr, speaking at Infosecurity Europe on Tuesday 2 June.

Joe Slowik’s warning at Infosecurity Europe

At the AI & Security Stage on 2 June, Slowik framed a blunt assessment: defenders who continue to rely on human-only workflows in their security operations will be left behind. Slowik said that the rapid adoption of technologies such as artificial intelligence, machine learning and large language models by cybercriminals has compressed the window between discovery of a vulnerability and active exploitation to "days or even hours," making prior assessment and human-centric reporting models impractical.

Adversary acceleration: AI, ML and LLMs

Slowik argued that threat actors are using emerging technologies to "enhance and speed up attacks," and that this trend fundamentally changes the cadence of incident response. He framed the problem as one of timescale alignment: "Adversary operations from time to breach to time to objectives are accelerating. It's a matter of fact defenders have to keep pace, this is not optional." The implication, from Slowik's remarks, is that defenses which cannot operate at or ahead of adversary timescales will increasingly fail to prevent or blunt attacks.

Rethinking security operations: AI agents and enriched workflows

Slowik called for a "rethinking of security operations" that goes beyond merely deploying large language models. He recommended embedding AI into workflows in ways that gather intelligence about vulnerabilities, identify the most exposed network elements, and suggest protective measures — effectively accelerating the decision cycle for defenders. "From these enrichments, I can embark on an informed and accelerated remediation lifecycle, in real-time, alongside events to enhance improved decision-making processes," he said.

He emphasized that the correct model is not human-replaced-by-AI but human-in-the-loop augmented by AI: "Humans are will still definitely be making decisions, but assisted with AI to align with adversary workflows." Slowik said his own prior skepticism of machine learning had passed as the operational reality changed.

React2Shell as a concrete test case

To illustrate the point, Slowik referenced the React2Shell vulnerability as an example of a flaw that adversaries moved to exploit within hours. He contrasted the speed of an AI-enhanced SOC with the slower pace of a "solely human-focused SOC," noting that the latter might require days to compile actionable guidance, while AI-assisted teams could more rapidly compile reports and harden defenses in near-real-time. The example underlines his argument that speed — not just accuracy — is now a primary determinant of defensive effectiveness.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Slowik’s prescription is operational change — integrate AI agents to automate intelligence collection, enrichment, and remediation planning so that human analysts can make faster, better-informed decisions.
  • Policymakers and regulators: The shift toward AI-assisted defence suggests a need to consider rules or guidance that address how AI is used in incident response workflows, particularly around speed, decision oversight, and the continued role of human judgment.
  • Affected enterprises and procurement leaders: Organizations should evaluate whether their SOCs remain primarily human-in-the-loop and assess vendor tools that provide the specific enrichments Slowik described — vulnerability intelligence, network exposure mapping, and automated remediation playbooks — to close the gap with faster adversary lifecycles.

Slowik’s message at Infosecurity Europe was blunt but narrowly focused: defenders must match the speed and methods of attackers who now employ AI and related tools, and that doing so requires retooling operations as much as introducing new software. He framed the transition not as a surrender of human agency but as an operational necessity — humans making decisions, "assisted with AI to align with adversary workflows."

Original story