AI Driven SOC Investigations Show Deeper Threat Detection Beyond Alert Triage

Artificial intelligence is changing how security operations centers (SOCs) investigate cyber threats, moving beyond basic alert triage to deeper contextual analysis. Much of the discussion of AI in cybersecurity has focused on efficiency: reducing analyst workload and speeding up alert handling. Security experts say the real shift lies in AI's ability to conduct the complex investigations that previously required experienced analysts. Security teams facing high alert volumes often have to make decisions under time pressure and with incomplete context. AI systems capable of multi-source analysis and hypothesis-driven investigation are beginning to address this by providing a more comprehensive analysis of a threat across different telemetry sources.

Security researchers and practitioners point out that traditional AI-assisted workflows usually concentrate on classification tasks such as deciding whether an alert looks benign or malicious. That reduces the workload of entry-level analysts, but the detailed investigation stage still depends heavily on human expertise. The newer generation of AI security platforms attempts to close that gap by actively querying systems across the security stack, correlating the results, and testing investigative hypotheses until a clear explanation emerges. This mirrors the investigative reasoning normally performed by experienced tier-two and tier-three analysts, and it allows complex cases to be analyzed at scale rather than solely through manual work.

Two real-world investigations conducted by Prophet Security illustrate how this model works in operational environments. In the first case, the platform analyzed suspicious activity involving a dormant identity and access management (IAM) user in a subsidiary's Amazon Web Services environment. The account held an access key that had been inactive for four years and suddenly began making discovery-related API calls such as listing storage buckets and enumerating CloudFront distributions. At first glance, such activity could pass as normal development work.

The AI investigation engine, however, correlated several contextual indicators across multiple data sources to decide whether the activity was a genuine threat. The API calls originated from an unfamiliar IP address in Turkey that had never been associated with the account. Threat intelligence linked the address to a VPN provider commonly used to hide attacker infrastructure. The session used a third-party S3 browser tool rather than the command-line or software development tools typically used in the organization. And the account had no history of running discovery commands in the previous month.

To reach its conclusion, the AI engine queried six data sources, including the organization's SIEM platform, AWS GuardDuty, Wiz, CrowdStrike endpoint telemetry, IPINFO, and Spur threat intelligence services. It generated 17 investigative questions and executed 265 queries before determining that the activity was a confirmed credential compromise used for cloud reconnaissance. Strict privilege controls had prevented the attacker from reaching sensitive data, but the compromised access key was revoked, and the investigation prompted a broader audit that uncovered additional outdated credentials across the organization's infrastructure.
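The dormant-key investigation above combines several weak signals (key idle for years, discovery-class API calls, a source IP never seen for that key, threat-intelligence tagging of that IP, an unusual client, and no recent discovery history) into one verdict. The following Python is an added illustration written for this article of how a defender can encode that correlation over CloudTrail-style events; it is not Prophet Security's code. The event field names mirror CloudTrail (eventTime, eventName, sourceIPAddress, userAgent), while the IP allowlist, user-agent prefixes, threat-intelligence table, sample events and scoring thresholds are all constructed assumptions.

```python
"""Correlating weak signals around a reactivated AWS access key.

Added illustration, not code from the article or from Prophet Security.
The allowlists, threat-intel table, sample events and thresholds below are
constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Read-only "discovery" calls that usually precede anything else (constructed list).
DISCOVERY_EVENTS = {
    "ListBuckets", "ListDistributions", "GetCallerIdentity",
    "ListUsers", "ListRoles", "DescribeInstances",
}
# Constructed baseline: source IPs and SDK user agents the organisation expects.
KNOWN_SOURCE_IPS = {"203.0.113.10", "203.0.113.11"}
EXPECTED_USER_AGENT_PREFIXES = ("aws-cli/", "Boto3/", "aws-sdk-go/", "aws-sdk-java/")
# Constructed threat-intelligence table standing in for an IP-reputation lookup.
THREAT_INTEL = {"198.51.100.77": {"country": "TR", "anonymizer": "commercial VPN"}}


def _ts(value):
    """Parse a CloudTrail-style ISO 8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze_access_key(recent, history, now, dormant_days=365, window_days=30):
    """Score the alert-window events of one access key against that key's history.

    Each finding on its own is a weak signal; only their combination drives
    the verdict. Returns the findings, a score and the verdict.
    """
    findings = {}
    if not recent:
        return {"findings": findings, "score": 0, "verdict": "no_activity"}

    # 1. Was the key dormant before this burst of activity?
    last_seen = max((_ts(e["eventTime"]) for e in history), default=None)
    if last_seen is None or now - last_seen > timedelta(days=dormant_days):
        findings["dormant_key_reactivated"] = (
            "never used" if last_seen is None else f"idle {(now - last_seen).days} days")

    # 2. Is the activity discovery / enumeration?
    discovery = sorted({e["eventName"] for e in recent if e["eventName"] in DISCOVERY_EVENTS})
    if discovery:
        findings["discovery_api_calls"] = discovery

    # 3. Source IPs never seen for this key and not on the allowlist.
    seen_ips = {e["sourceIPAddress"] for e in history} | KNOWN_SOURCE_IPS
    new_ips = sorted({e["sourceIPAddress"] for e in recent} - seen_ips)
    if new_ips:
        findings["unfamiliar_source_ip"] = new_ips

    # 4. Threat-intel enrichment of the new IPs (anonymizing infrastructure).
    anonymized = {ip: THREAT_INTEL[ip] for ip in new_ips if THREAT_INTEL.get(ip, {}).get("anonymizer")}
    if anonymized:
        findings["anonymizing_infrastructure"] = anonymized

    # 5. Client tooling the organisation does not normally use.
    odd_agents = sorted({e["userAgent"] for e in recent
                         if not e["userAgent"].startswith(EXPECTED_USER_AGENT_PREFIXES)})
    if odd_agents:
        findings["unusual_user_agent"] = odd_agents

    # 6. No discovery activity by this key in the comparison window.
    since = now - timedelta(days=window_days)
    prior_discovery = [e for e in history
                       if e["eventName"] in DISCOVERY_EVENTS and _ts(e["eventTime"]) >= since]
    if discovery and not prior_discovery:
        findings["no_prior_discovery_in_window"] = window_days

    score = len(findings)  # constructed weighting: one point per corroborating signal
    if score >= 4:
        verdict = "credential_compromise_suspected"
    elif score >= 2:
        verdict = "needs_analyst_review"
    else:
        verdict = "likely_benign"
    return {"findings": findings, "score": score, "verdict": verdict}


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
# Constructed history: the key's last use was a single PutObject four years earlier.
SAMPLE_HISTORY = [
    {"eventTime": "2020-05-20T09:14:00Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.0.10"},
]
# Constructed alert window: enumeration from a new IP using a desktop S3 client.
SAMPLE_RECENT = [
    {"eventTime": "2024-06-01T11:02:10Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userAgent": "ExampleS3Browser/1.0"},
    {"eventTime": "2024-06-01T11:03:41Z", "eventName": "ListDistributions",
     "sourceIPAddress": "198.51.100.77", "userAgent": "ExampleS3Browser/1.0"},
]
# Constructed benign comparison: a developer's routine enumeration from a known host.
BENIGN_HISTORY = [{"eventTime": "2024-05-22T08:00:00Z", "eventName": "ListBuckets",
                   "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"}]
BENIGN_RECENT = [{"eventTime": "2024-06-01T10:00:00Z", "eventName": "ListBuckets",
                  "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"}]


def run_suspicious():
    return analyze_access_key(SAMPLE_RECENT, SAMPLE_HISTORY, NOW)


def run_benign():
    return analyze_access_key(BENIGN_RECENT, BENIGN_HISTORY, NOW)


if __name__ == "__main__":
    for label, result in (("suspicious", run_suspicious()), ("benign", run_benign())):
        print(label, result["verdict"], result["score"], sorted(result["findings"]))
```

The benign comparison matters as much as the suspicious case: the same ListBuckets call from a known host, with a recent history of the same call, scores a single point and stays below the review threshold, which is the distinction the article draws between indicators that look legitimate in isolation and the pattern that emerges when they are correlated.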

A second case involved a phishing technique that bypassed conventional email authentication checks. An attacker created a Zoom account and set its display name to resemble a PayPal auto-debit notification, including a phone number for victims to call. The attacker then triggered a standard Zoom one-time password (OTP) message, which was automatically sent to the intended victim. Because the email originated from Zoom's own infrastructure, it passed SPF and DKIM authentication and contained no malicious links, malware, or spoofed headers. Many secure email gateways that allow messages from zoom.us would likely let it reach users without raising an alert. Instead of looking only at the technical email headers, the AI system analyzed the semantic mismatch between the sender identity and the message content: the text tried to create financial urgency around PayPal while directing recipients to call a phone number, a tactic commonly associated with telephone-oriented attack delivery (TOAD) scams. The investigation followed established phishing analysis practices and ran 138 queries across 11 data sources in roughly five minutes to confirm the malicious intent.
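The point of the Zoom OTP case is that header authentication is necessary but not sufficient: the message is genuinely from zoom.us, so the only signal is the mismatch between who sent it and what it talks about. The following Python is an added illustration written for this article of such a semantic check; it is not Prophet Security's code. The brand-to-domain table, the urgency phrases, the phone-number pattern and both sample messages are constructed (the phone number uses the reserved 555-01xx range), and the Authentication-Results header is assumed to have been added by the receiving mail server.

```python
"""Flagging a sender/content mismatch in a message that passes SPF and DKIM.

Added illustration, not code from the article or from Prophet Security.
The brand table, urgency phrases and sample messages are constructed.
"""
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed: which sending domains legitimately speak for which brand.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "zoom": {"zoom.us", "zoom.com"},
    "microsoft": {"microsoft.com"},
}
# Constructed phrases that manufacture financial urgency.
URGENCY_PHRASES = ("auto-debit", "auto debit", "charged", "deducted", "will be billed", "cancel")
# North American style numbers such as +1 800-555-0199 (constructed pattern).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def analyze_message(raw):
    """Return the semantic signals and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rsplit("@", 1)[-1].lower()

    # Header authentication as reported by the receiving MTA; a pass here says
    # the sender is real, not that the content is honest.
    auth = str(msg.get("Authentication-Results", "")).lower()
    authenticated = "spf=pass" in auth and "dkim=pass" in auth

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = " ".join((display_name, str(msg.get("Subject", "")), body)).lower()

    mentioned = {brand for brand in BRAND_DOMAINS if brand in text}
    sender_brands = {brand for brand, domains in BRAND_DOMAINS.items() if sender_domain in domains}
    # Brands the message invokes that the authenticated sender does not own.
    foreign_brands = sorted(mentioned - sender_brands)
    phones = PHONE_RE.findall(text)
    urgency = [p for p in URGENCY_PHRASES if p in text]
    has_links = re.search(r"https?://", text) is not None

    # Callback phishing: a foreign brand, a number to call, urgency, and
    # nothing for a link- or attachment-based filter to catch.
    if foreign_brands and phones and urgency:
        verdict = "callback_phishing_suspected"
    elif foreign_brands:
        verdict = "brand_mismatch_review"
    else:
        verdict = "no_semantic_mismatch"
    return {
        "sender_domain": sender_domain,
        "authenticated": authenticated,
        "foreign_brands": foreign_brands,
        "phone_numbers": phones,
        "urgency": urgency,
        "has_links": has_links,
        "verdict": verdict,
    }


# Constructed sample mirroring the case above: a genuine Zoom OTP whose
# display name carries the lure. The sender and authentication are real.
SAMPLE_RAW = """\
From: PayPal Auto-Debit Notice Call +1 800-555-0199 <no-reply@zoom.us>
To: victim@example.com
Subject: Your Zoom verification code
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us
Content-Type: text/plain; charset=utf-8

Hi PayPal Auto-Debit Notice Call +1 800-555-0199,

Your Zoom verification code is 482913. It expires in 10 minutes.
"""

# Constructed benign comparison: the same OTP template for an ordinary user.
BENIGN_RAW = """\
From: Jane Doe <no-reply@zoom.us>
To: jane@example.com
Subject: Your Zoom verification code
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us
Content-Type: text/plain; charset=utf-8

Hi Jane Doe,

Your Zoom verification code is 482913. It expires in 10 minutes.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_RAW, BENIGN_RAW):
        r = analyze_message(raw)
        print(r["verdict"], r["sender_domain"], r["authenticated"], r["foreign_brands"])
```

Both messages pass authentication and share the same body template; only the display name differs. A gateway keyed on SPF, DKIM, links or attachments treats them identically, while the brand-versus-sender comparison separates them, which is why the verdict here never gives credit for a passing Authentication-Results header.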

Security researchers say both incidents illustrate a common challenge in cybersecurity investigations: the individual indicators looked legitimate when viewed separately. The compromised cloud credential belonged to a valid account making standard API calls, and the phishing message came from an authentic email service with valid authentication. The malicious activity became visible only when several weak signals were correlated through deeper contextual analysis, reasoning that has traditionally required experienced analysts with enough time to explore data across multiple systems.

AI-driven investigation platforms are designed to apply that same analytical depth consistently to every alert, even when security teams face staffing limitations or high alert volumes. Analysts reviewing the results can access a full record of the process, including every query executed, the data sources consulted, and the reasoning behind each analytical step. Security professionals say such transparency is essential for building trust in automated systems, because analysts must be able to verify findings before using them to guide remediation.

The investigations in these cases were carried out with Prophet Security's AI-driven SOC platform, which automates alert triage, investigation, and response across operational tiers. The platform analyzes telemetry from multiple security tools, correlates signals, and generates full investigative reports that analysts can review and validate.
