Automation Backed by Human Intelligence: Why the Future of MDR Isn’t AI-Only


By: RedLegg Blog

“AI-only MDR? Even if it’s 90% accurate, that still means you’re missing things — and the risk of missing one breach isn’t worth the savings.” - Reddit user, r/cybersecurity 

AI hype is everywhere in cybersecurity. Promises of autonomous detection and analyst-free SOCs sound impressive, but inside real SOCs, the conversation is far more grounded. 

At RedLegg, we see automation as a force multiplier and not a replacement for human judgment. The point is not to remove people from the loop, but to use automation where it makes work faster and safer while keeping analysts focused on decisions that require experience and context. 

What (and When) to Automate  

“Tell me about the pieces of your job that you find painful or frustrating… the things that feel like time-wasters.” 

According to RedLegg’s MSS SOC Manager, Vincent Mugnolo, “When we start the conversation about what should be automated versus what needs to stay manual, one of the first factors to consider is level of effort. If it reduces the team’s time and can deliver something more meaningful to a client, that’s a pretty good candidate.” 

Automation should reduce repetitive effort while preserving the quality and context that security teams depend on. 

Vinny shared a recent example involving a high-volume alarm pattern: multiple failed logins by privileged users. After analyzing thousands of similar alerts, the team found that 90 percent could be safely handled through XSOAR automation with no reduction in accuracy. “The other 10 percent,” he explained, “stay with the analysts. Those still require reasoning and context.”

What Automation Is Good At:
  • High-volume repetitive alerts
  • Context gathering and enrichment
  • Known, predictable patterns
  • Standardized response tasks

What Humans Are Essential For:
  • Isolation or user-impacting decisions
  • Novel or ambiguous behavior
  • Business-context implications
  • Risk acceptance and escalation

That is how you reduce operational workload and scale MDR effectively. 


When Automation Goes Wrong 

Deciding what to automate isn’t only about what’s possible. It’s about what’s practical and safe. In security, there is little margin for error. 

“It doesn’t matter how good your detection logic is,” explains Senior Security Engineer, Andrew Hale. “A subset of those [alarms] are always going to be false positives.” 

If a false positive triggers the wrong automated action, you can disrupt critical services across the organization. Automated responses should never create more disruption than the alert that prompted them.  

“Whenever you talk about automation, you have to talk about risk acceptance,” he said. “You need to balance the potential benefit and time savings versus the risk of automating the entire process. Computers just listen to what you tell them to do, and it’s going to do it. You have to think about all the ways it could go wrong before you turn it loose.” 

Automation can create damage faster than a human could ever respond. 


Boosting Detection Speed with Human-Guided Automation 

By streamlining the most time-consuming early steps of triage, automation reduces MTTD and ensures analysts begin their investigation with better context and clearer direction.  

“Depending on what the playbook finds, it will either close itself out in a totally automated fashion or it will alert the SOC to continue the investigation.” 

In practice, this means RedLegg’s playbooks can automatically resolve alerts that follow a known, low-risk, and highly predictable pattern. Analysts still maintain full visibility and oversight. Automation simply reduces the volume of repetitive work so teams can focus where their reasoning is needed most. 

This hybrid model improves both MTTD and MTTR: 

  • Automation handles the repetitive, low-risk work quickly 
  • Analysts stay focused on the decisions that carry real impact 

Clients get faster movement on common alerts without losing the accuracy, judgment, and nuance that only humans can bring. 


Guardrails: What Should Never Be Automated 

Some security actions seem tempting to automate, but the risks outweigh the reward. 

“We don’t do any type of isolation automatically because of the propensity for that to go terribly wrong,” said Hale. “You could literally nuke a critical system just by taking an automatic action because it thinks it’s doing the right thing.” 

The RedLegg team avoids automating host-based isolation, disabling user accounts, or touching domain controllers. These are high-impact decisions that demand human judgment.  

Hale explained why: “It’s one thing to disable a junior staff member’s account temporarily, but it’s a completely different situation if you disable an executive’s account in the middle of a major client conversation. These are completely different situations, and they need to be treated with care.”  
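To make the two rules above concrete (playbooks that auto-close only known, low-risk patterns and hand everything else to the SOC, and a hard guardrail against automatic isolation, account disabling or domain controller changes), here is an added illustrative playbook in Python. It is not RedLegg's XSOAR content; the rule name, asset inventory and thresholds are constructed for the example.

```python
from dataclasses import dataclass, field

# Guardrail: response steps the playbook may recommend but must never execute on its own.
NEVER_AUTOMATE = {"isolate_host", "disable_account", "change_domain_controller"}

# Constructed asset inventory used for enrichment (hypothetical hosts and values).
ASSET_DB = {
    "ws-0412": {"criticality": "low", "is_dc": False},
    "dc-01": {"criticality": "high", "is_dc": True},
}

@dataclass
class Alert:
    rule: str                     # detection rule that fired
    user: str
    host: str
    failed_logins: int
    success_after_failures: bool  # a success following the burst changes the picture
    context: dict = field(default_factory=dict)

def enrich(alert: Alert) -> Alert:
    """Context gathering is safe to automate: attach what an analyst would look up anyway."""
    alert.context = dict(ASSET_DB.get(alert.host, {"criticality": "unknown", "is_dc": False}))
    return alert

def triage(alert: Alert) -> tuple[str, str]:
    """Return ('close' | 'escalate', reason). Only known, low-risk patterns are closed."""
    ctx = alert.context
    if alert.rule == "multiple_failed_privileged_logins":
        benign = (not alert.success_after_failures and alert.failed_logins < 20
                  and ctx.get("criticality") == "low" and not ctx.get("is_dc"))
        if benign:
            return "close", "known lockout pattern: no success, low-criticality host"
        return "escalate", "success after failures or sensitive asset: analyst reasoning needed"
    return "escalate", "novel or ambiguous behavior: no playbook match"

def respond(step: str, alert: Alert) -> str:
    """Run a response step; high-impact steps are queued for a human, never executed here."""
    if step in NEVER_AUTOMATE:
        return f"queued_for_analyst:{step}:{alert.host}"
    return f"executed:{step}:{alert.host}"

def process(alert: Alert) -> dict:
    """Full playbook: enrich, triage, then auto-close or hand off with context attached."""
    enrich(alert)
    verdict, reason = triage(alert)
    steps = ["add_ticket_note"] if verdict == "close" else ["add_ticket_note", "notify_soc"]
    if verdict == "escalate" and alert.context.get("criticality") == "high":
        steps.append("isolate_host")  # recommended only; respond() refuses to run it
    return {"verdict": verdict, "reason": reason, "steps": [respond(s, alert) for s in steps]}
```

The escalated case shows the hand-off the article describes: the playbook has already done the enrichment and can recommend isolation, but the isolation itself waits for an analyst.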


Building Smarter Automation Over Time 

Smart automation doesn’t happen overnight; it’s a process.

“An important way to think about automation is like a snowball,” said Hale. “The first couple automations you do, you’re probably not going to see massive return. It’s really the collection of automations over a long period of time where you start to see the benefit.”  

RedLegg’s teams constantly refine and expand automation playbooks based on client and analyst feedback. Each improvement removes more noise, frees up more time, and increases consistency, but only after it’s tested, reviewed, and verified. 

The result is sustainable efficiency. 


The Client Benefit: Operational Stability for the Whole Security Team  

For clients, the impact of smart automation extends beyond the SOC. By reducing repetitive, low-value tasks, automation lightens the load not only on analysts, but on the broader security and IT teams who participate in detection, investigation, and response. It gives internal teams more breathing room to focus on strategic work, improvements, and business initiatives. 

During spikes in activity or high-alert periods, automation also helps stabilize operations. Routine patterns are handled consistently, so internal teams aren’t overwhelmed when alert volumes climb or multiple issues hit at once.  

The result is a more resilient security program, one where internal stakeholders have clearer priorities, fewer interruptions, and greater confidence that every action is validated with the right level of human judgment.


Why the Future Isn’t AI-Only  

The future of MDR does not rely on AI or human effort alone. It depends on teams that use automation to accelerate the work machines do well, and expertise to guide the decisions that machines shouldn’t be making. That balance is what keeps security effective, accountable, and adaptable. 

If you want to explore how automation can strengthen your security operations without sacrificing oversight, our team would be happy to help. 
