Every security vendor's pitch deck has the same slide now. It says the product is AI-powered, predictive, autonomous, and learning. Three of those four words are doing no real work.
We have spent the last year evaluating these products on behalf of mid-market firms. A few honest observations from that work.
What AI is genuinely good at
Two narrow categories of detection have improved meaningfully because of recent advances in machine learning.
The first is anomaly detection over high-volume telemetry. Login patterns, network flow records, endpoint process trees — places where the dataset is large enough and the baseline stable enough that a model can flag a deviation a human would miss. This is not new science, but the tooling has become cheap enough to deploy outside large enterprises.
The second is classification of known-unknowns at scale — sorting through alerts that a SIEM has already raised and ranking them by likely severity. The model is not detecting the threat; it is reducing the queue a human analyst has to read. That is a real productivity gain.
What AI is not yet good at
Most of what vendors claim falls outside those two categories.
A model does not know what your firm is. It does not know which user is on a deal team, which device is the managing partner's, which database holds privileged material. Detection that depends on understanding *what to protect* still depends on a human practitioner specifying it.
"Predictive" is the word doing the most marketing work in this space. The honest version is: the model has learned what normal looks like, and it can flag departures from normal. It is not predicting an attack; it is recognising that something is unusual, after the fact, faster than a human would.
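To make the "learned what normal looks like, flags departures" point concrete, here is an added example (not code from the original piece or from any vendor product) of the anomaly-plus-triage pattern described above, run over constructed login telemetry. It assumes a per-user baseline of (hour, source country), a minimum history before scoring is allowed, and a human-specified set of privileged accounts; the model itself has no idea which account matters.

```python
from collections import Counter

# Constructed sample telemetry: (user, hour_of_day, source_country). Not real data.
BASELINE = (
    [("alice", 8 + i % 10, "GB") for i in range(40)]                        # steady office-hours pattern
    + [("bob", 9 + i % 9, "DE" if i % 5 == 0 else "GB") for i in range(40)]  # travels to DE sometimes
    + [("carol", 10, "GB"), ("carol", 11, "GB"), ("carol", 14, "GB")]       # too little history to profile
)
MIN_BASELINE = 20                                    # fewer events than this: baseline not stable, do not score
THRESHOLD = {"default": 0.005, "privileged": 0.02}   # stricter limit for accounts a human flagged as high-value


def build_profiles(events):
    """Learn 'normal' per user: how often each hour and each source country appears."""
    profiles = {}
    for user, hour, country in events:
        p = profiles.setdefault(user, {"n": 0, "hours": Counter(), "countries": Counter()})
        p["n"] += 1
        p["hours"][hour] += 1
        p["countries"][country] += 1
    return profiles


def score_login(profiles, user, hour, country, privileged=frozenset()):
    """Return (verdict, score). Score is the Laplace-smoothed probability of this
    (hour, country) under the user's own history; lower means more unusual."""
    p = profiles.get(user)
    if p is None or p["n"] < MIN_BASELINE:
        return "no_baseline", None               # an honest 'unknown' beats a guess
    n = p["n"]
    p_hour = (p["hours"][hour] + 1) / (n + 24)   # 24 possible hours
    p_country = (p["countries"][country] + 1) / (n + 2)
    score = p_hour * p_country
    limit = THRESHOLD["privileged" if user in privileged else "default"]
    return ("alert" if score < limit else "ok"), score


def rank_queue(profiles, events, privileged=frozenset()):
    """Triage: keep only alerts, most unusual first, so the analyst reads the top of the list."""
    scored = [(score_login(profiles, *e, privileged=privileged), e) for e in events]
    alerts = [(s, e) for (v, s), e in scored if v == "alert"]
    return sorted(alerts, key=lambda item: item[0])


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    privileged = {"alice"}   # assumption: a human marked alice's account as high-value
    new_logins = [("alice", 3, "RU"), ("alice", 9, "GB"), ("alice", 3, "GB"),
                  ("bob", 12, "DE"), ("carol", 2, "US")]
    for e in new_logins:
        print(e, score_login(profiles, *e, privileged=privileged))
    print("queue:", rank_queue(profiles, new_logins, privileged))
```

Note that the same 3am login from alice's usual country is only an alert because a person declared her account privileged; the scoring is identical either way, which is the whole point about where the judgement really lives.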
Where the engagement actually goes
When a firm asks us to evaluate an AI-powered detection product, the work is rarely about the model. It is about three more boring questions:
- What does the product see, and what does it miss?
- Who acts on its findings, and what authority do they have?
- When the model is wrong — and it will be — what is the cost?
A firm with answers to those three questions and a competent SIEM operator will outperform a firm with the most expensive AI detection product and no operating discipline. We have watched that pattern play out at every firm we have advised in the last twelve months.
The technology is real. The marketing around it is not. The work is figuring out which is which.
