Vectra AI Finds Disconnect Between SOC Teams, Threat Detection

Vectra AI, a pioneer of AI-driven cyber threat detection and response for hybrid and multi-cloud enterprises, released findings of its 2023 State of Threat Detection Research Report, providing insight into what is preventing security operations center (SOC) teams from securing their organizations from cyberattacks.

Today’s security operations (SecOps) teams are tasked with defending against sophisticated, fast-paced cyberattacks. Yet the complexity of the people, processes, and technology at their disposal is making cyber defense unsustainable.

A growing attack surface, combined with evolving attacker methods and an increasing SOC analyst workload, produces a vicious spiral of “more” that is preventing security teams from securing their organizations.

Based on a survey of 2,000 SecOps analysts, the report breaks down why the approach to security operations is not sustainable.

Manual alert triage costs organizations $3.3 billion annually in the United States alone, and security analysts are tasked with detecting, investigating and responding to threats as quickly and efficiently as possible while being challenged by an expanding attack surface and thousands of daily security alerts. The study found:

  • 63 percent report the size of their attack surface has increased in the past three years.
  • On average, SOC teams receive 4,484 alerts daily and spend nearly three hours a day manually triaging alerts.
  • Security analysts are unable to deal with 67 percent of the daily alerts received, with 83 percent reporting that alerts are false positives and not worth their time.

Despite most SOC analysts reporting that their tools are effective, the combination of blind spots and a high volume of false positive alerts is preventing enterprises and their SOC teams from containing cyber risk.

Without visibility across the entire IT infrastructure, organizations are unable to identify the most common signs of an attack, including lateral movement, privilege escalation and cloud account hijacking.

The study also found:

  • 97 percent of SOC analysts worry about missing a relevant security event because it’s buried under a flood of alerts, yet the vast majority deem their tools effective overall.
  • 41 percent believe alert overload is the norm because vendors are afraid of not flagging an event that could turn out to be important.
  • 38 percent say security tools are purchased as a box-ticking exercise to meet compliance requirements, and 47 percent wish IT team members consulted them before investing in new products.

Despite the increasing adoption of AI and automation tools, the security industry requires workers to interpret data, launch investigations, and take remedial action based on the intelligence they are fed.

Faced with alert overload and repetitive, mundane tasks, two-thirds of security analysts report they are considering leaving or are actively leaving their jobs, a statistic that poses a potentially devastating long-term impact on the industry.

The study found:

  • Despite 74 percent of respondents saying their job matches expectations, 67 percent are considering leaving or are actively leaving their job.
  • Of the analysts considering leaving or actively leaving their role, 34 percent say they don’t have the necessary tools to secure their organization.
  • 55 percent of analysts say they’re so busy they feel like they’re doing the work of multiple people, and 52 percent say they believe working in the security sector is not a viable long-term career option.

“As enterprises shift to hybrid and multi-cloud environments, security teams are continually faced with more – more attack surface, more attacker methods that evade defenses, more noise, more complexity, and more hybrid attacks,” said Kevin Kennedy, senior vice president of products at Vectra AI. “The current approach to threat detection is broken, and the findings of this report prove that the surplus of disparate, siloed tools has created too much detection noise for SOC analysts to successfully manage and instead fosters a noisy environment that’s ideal for attackers to invade. As an industry, we cannot continue to feed the spiral, and it’s time to hold security vendors accountable for the efficacy of their signal. The more effective the threat signal, the more cyber resilient and effective the SOC becomes.”
