AI in Threat Detection: Signal or Expensive Noise?

Godfrey Maiwun  ·  January 2026  ·  Security Operations  ·  9 min read

The marketing claim is universal: AI-powered threat detection that catches what humans miss. The operational reality is more complicated — and the gap between the two is where most security teams are currently losing money and analyst trust.

The vendor promise vs. the SOC reality

Walk the floor at any major security conference and you will struggle to find a SIEM, EDR, or NDR vendor that does not claim AI or machine learning at the core of their detection engine. The pitch is compelling: systems that learn normal behaviour, identify anomalies, and surface threats before signatures are written for them.

But talk to tier-one SOC analysts — the people who live inside these tools — and a different picture emerges. Alert volumes that have tripled since ML was introduced. False positive rates that make triage feel like searching for a needle in a needle factory. Models that were trained on someone else's environment and confidently flag legitimate behaviour as suspicious because it looks unusual compared to a benchmark dataset that was never yours.

This is not an argument against AI in security. It is an argument for precision about where it works and where it doesn't.

Where ML genuinely adds value

User and Entity Behaviour Analytics (UEBA) is one of the clearest genuine wins. Detecting that a service account that has never accessed a particular file share suddenly exfiltrated 40GB overnight is exactly the kind of anomaly detection that rule-based systems miss and that humans cannot monitor at scale. The key is that UEBA requires a meaningful baseline — typically 30–90 days of training data from your specific environment — before it produces signal rather than noise.

Phishing detection at email gateways has improved dramatically with NLP-based classifiers. Detecting spear-phishing that evades keyword filters by analysing sender behaviour patterns, linguistic similarity to known good senders, and social graph anomalies is a genuinely difficult problem that ML handles better than rules alone.

Malware classification at the binary level — using features extracted from PE headers, import tables, and entropy patterns — has been a legitimate ML application in security for over a decade. The caveat is that adversaries adapt: adversarial ML techniques can fool classifiers, and novel malware families will always lag the training data.

The question is not whether AI can detect threats. It is whether the specific ML implementation in front of you was trained on data that resembles your environment, is tuned for your acceptable false positive rate, and is maintained by people who understand both domains.

The labelling problem

Supervised ML models learn from labelled data. In cybersecurity, labelled data means someone has already decided what is malicious and what is not — which means the model is, at best, as good as the human judgement that went into the labels. For well-understood threat categories with large public datasets (malware families, common phishing patterns), this works. For novel or environment-specific threats, the model has no labels to learn from.

Training data shapes what the model can and cannot see.

Most security vendors solve this with large datasets from their customer base. This is genuinely valuable — threat intelligence at scale that no single organisation could build alone. But it also means the model is optimised for the average customer, not for you. A financial institution's network behaves differently from a manufacturing plant. An AWS-native organisation has a different traffic profile from a hybrid on-premise estate. Generic models need significant tuning to produce acceptable precision in a specific environment, and that tuning requires expertise and time that most teams do not have.

The drift problem

Environments change. New services are deployed, user behaviour shifts, cloud footprints expand. An ML model trained on last year's traffic will gradually become less accurate as the environment it was trained on diverges from the environment it is now analysing. This is called model drift, and it is a maintenance problem that most vendors underemphasise and most buyers underestimate.

The consequence is not usually dramatic failure — it is slow degradation. False positive rates creep up as normal new behaviour gets flagged. True positive rates creep down as the model fails to recognise novel threat patterns. The security team adjusts by tuning alerts manually, which defeats the purpose of having an autonomous detection system. Eventually the model is running in parallel with a set of hand-crafted rules that do the actual detection work, and no one is quite sure what the ML layer is contributing.

What good looks like

The security teams that get genuine value from ML-based detection share a few characteristics. They treat the AI layer as one input among several, not as an authoritative oracle. They have a defined process for tuning models based on analyst feedback — when a false positive is closed, that closure feeds back into the model. They measure the right things: not "alerts generated" but "true positive rate" and "mean time to close a true positive."

The SOC that measures the right things.

They also have the analytics maturity to know when a model is degrading. That means logging model decisions alongside human decisions and comparing them over time — a practice that requires a level of observability that many security teams have not built.

Finally, they are honest about what the vendor actually delivers versus what is claimed in the sales process. Asking vendors for documented false positive rates in environments similar to yours, asking how models are retrained and how frequently, and asking what happens to detection quality during the baseline period — these are the questions that separate genuine capability from well-marketed pattern matching.

The practical guidance

If you are evaluating ML-based security tools: pilot in your environment, not in a vendor demo environment, for at least 60 days before drawing conclusions. Measure false positive rate from day one and set a maximum acceptable threshold before you begin. Ensure you have a tuning process agreed with the vendor before contract signature.

If you already have ML-based tools: audit model age and last retraining date. Review false positive trends over the past 12 months. Ask whether your analysts trust the tool — analyst trust is a leading indicator of model quality, because analysts develop intuitions about signal quality faster than any dashboard metric will show you.

AI in threat detection is real and improving. But the gap between the capability and the marketing is still wide enough to be expensive — in false positives, in analyst burnout, and in the genuine threats that get lost in the noise.

Filed under: Security Operations

More writing Feb. 2026
Why Post-Quantum Cryptography Matters Now, Not Later
Cryptography · Cybersecurity
 Sep. 2025
Zero Trust at Scale: A Reality Check for Practitioners
Security Architecture

All writing →