
The Context Crisis in the Age of Frontier AI: It Takes AI to Defend Against AI


Security operations are no longer constrained by human speed. They are being outpaced by adversaries operating at machine speed, exploiting vulnerabilities often long before defenders even catch the first signal. Frontier AI models like Claude Mythos have shifted the playing field further, able to discover vulnerabilities that have survived decades of human review and millions of automated tests. More importantly, these frontier AI models can chain vulnerabilities into complex, critical exploit paths in seconds.

The modern Security Operations Center (SOC) was not designed for this velocity. For a decade, we have scaled telemetry, yet analysts are drowning in thousands of daily alerts, desperately seeking meaning among disparate clues. To survive AI-orchestrated attacks, the SOC must evolve from a human-centric hub into a machine-speed, agentic-driven operation.

Success requires a fundamental shift from visibility to real-time context. While AI enables bad actors to gain deep network access with unprecedented stealth, it still produces observable artifacts like authentication events, data movement, and anomalous behaviors. However, for agentic defense operations to counter machine-speed threats, organizations must possess a contextualization layer that transforms raw telemetry into structured, machine-readable insight. Without it, AI agents are blind.

As enterprises adopt AI-driven security tools, it’s important to remember that autonomy without structured context will more than likely introduce more operational risk. Agents that are designed to oversee and govern AI systems themselves need more than just standalone automation – they need contextual control layers to avoid hallucination or context drift. Without that foundation, AI systems operate reactively rather than intelligently.

Visibility without comprehension

ique baseline of relationships, behaviors, and dependencies, and no single AI can perfectly work within every organization. A true AI-powered defense is only as effective as its ability to understand these key components of how an organization works.

Traditional SOCs are built on static inventories (periodic snapshots), isolated alerts that lack historical sequence, and human-paced workflows where the analyst is the connection between context and tools. This lack of comprehension or meaning pushes the Mean Time to Detect (MTTD) into hours or days, timelines that are simply no longer acceptable against a machine-speed attack.

As agentic AI moves from exploration to operational deployment within SOCs, we’re seeing a shift toward systems capable of executing security tasks rather than just supporting human analysts. This shift is changing expectations around what the SOC should do versus what still requires human involvement.

But as organizations race to deploy AI across SOC operations, many leaders are making a critical mistake: treating AI as a replacement for analysts rather than an accelerator built on context. While Large Language Models (LLMs) can summarize alerts, improve investigations, and recommend actions, without an accurate understanding of the environment they operate in, their outputs are limited by the quality of information they receive.

Enterprise environments are not static, and that’s the challenge. Assets are constantly added or removed while identities change roles and permissions, and business processes evolve over time. Security teams have historically relied on human analysts to connect these moving parts during an investigation, but that approach does not translate to autonomous operations. Machine-speed defenses require a foundational understanding of how systems, users, applications, and data interact with one another in real time.

Context becomes more important than a supporting capability. It’s the critical operating system for agentic security. The organizations that succeed at AI integration in the SOC will not necessarily be those with the most advanced AI tools, but those that can provide those tools with the most complete picture of the environment – backed by data. Everything else in the SOC depends on how complete and structured that context is at the moment of detection or response.

To get there, security teams must rethink how they collect and operationalize data across the SOC.

Five shifts towards readiness

To reclaim the advantage, organizations must prioritize the ability to rapidly interpret data over the simple ability to collect it.

  1. From asset lists to a living attack surface

Most organizations rely on a static snapshot unable to keep up with dynamic changes. The modern attack surface, spanning ephemeral cloud functions, shadow IT, and AI model endpoints, often cannot run a traditional EDR agent, leaving blind spots where critical security logic now lives. You cannot triage a flood of disclosures if you don’t know what you run or what it touches.

Eliminating this gap requires real-time visibility set in context. This allows the SOC to maintain a continuously updated asset graph that captures not just what exists, but its typical activity and web of connections.

  2. From alerts to behavioral understanding

Detections are isolated events, but real attacks are patterns that must be recognized over a period of time. For example, a compromised AI agent doesn’t just install malware; it uses authorized access in unauthorized ways until malware is installed. Noticing odd behaviors before attack behaviors are alerted is key in this regard. With behavioral baselines and understandings, security analysts can move away from disparate events and correlate activity into a coherent narrative.

  3. From analyst-driven to agent-ready operations

If a SOC relies entirely on humans to assemble context during an investigation, it will almost always lose against an AI-powered threat. Autonomous agents, however, require pre-built context: when a triage agent picks up a signal, it must be met with an immediate, high-fidelity dossier – not a raw data dump. A dedicated enrichment layer that correlates data across four layers (asset, identity, behavior, and threat relevance) makes context a true foundation.

AI SOC agents are an emerging capability class designed to augment and automate core SOC workflows. But their effectiveness depends on whether they are deployed into environments where context is already structured, correlated, and maintained.

  4. From raw telemetry to efficient reasoning

Raw telemetry is massive, noisy, and prohibitively expensive to feed into LLMs. Pointing an LLM at unfiltered logs leads to degraded reasoning or hallucinations, adding more guesswork to the human analyst and slowing down investigations.

Shifting to high signal density, meaning data that is already enriched and correlated, solves this. Already-summarized telemetry, including the who, what, and how of a detection and its deviation from the baseline, can readily signal whether an immediate investigation is warranted. Focusing on deep packet evidence only when a specific hypothesis demands it makes agentic SOC economics actually work.

Effective AI systems in the SOC require structured controls across the full lifecycle, from ingestion to response. This is because context is what converts signals into actionable reasoning.
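The enrichment layer and summarized telemetry described above can be sketched as follows. This is an added example, not code from the article or from any product; the context stores, event field names, and the z-score threshold of 3.0 are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample context stores; a real deployment would back these with
# a live asset graph, an identity provider and a behavioral baseline service.
ASSETS = {"10.0.4.17": {"name": "billing-db-01", "role": "database", "criticality": "high"}}
IDENTITIES = {"svc-report": {"type": "service", "usual_hosts": {"10.0.4.17"}}}
# Constructed history: bytes sent out per hour by each host.
BASELINE_BYTES_OUT = {"10.0.4.17": [1200, 1500, 1100, 1400, 1300]}
# Constructed threat-relevance feed: asset roles tied to currently active advisories.
EXPOSED_ROLES = {"database"}
Z_THRESHOLD = 3.0  # assumed cut-off for "deviates from baseline"


def deviation(host, observed):
    """Return the z-score of `observed` against the host's history, or None if no baseline."""
    history = BASELINE_BYTES_OUT.get(host)
    if not history or pstdev(history) == 0:
        return None
    return round((observed - mean(history)) / pstdev(history), 1)


def build_dossier(event):
    """Correlate one raw detection across asset, identity, behavior and threat relevance."""
    asset = ASSETS.get(event["src_ip"])
    ident = IDENTITIES.get(event["user"])
    z = deviation(event["src_ip"], event["bytes_out"])
    dossier = {
        "asset": asset or {"name": "unknown", "criticality": "unknown"},
        "identity": {"user": event["user"], "known": ident is not None,
                     "usual_host": bool(ident and event["src_ip"] in ident["usual_hosts"])},
        "behavior": {"bytes_out": event["bytes_out"], "z_score": z},
        "threat_relevance": bool(asset and asset["role"] in EXPOSED_ROLES),
    }
    # Missing context is itself a finding: unknown assets, identities or
    # baselines are escalated instead of being scored as normal.
    gaps = asset is None or ident is None or z is None
    anomalous = z is not None and z >= Z_THRESHOLD
    dossier["investigate"] = gaps or (anomalous and dossier["threat_relevance"])
    return dossier


if __name__ == "__main__":
    # Constructed raw detection: a service account moving far more data than usual.
    print(build_dossier({"src_ip": "10.0.4.17", "user": "svc-report", "bytes_out": 250000}))
```

The agent receives a few dozen bytes of structured context per detection instead of raw logs, and the `investigate` flag marks the cases where deeper packet evidence is worth pulling.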

  5. From one-dimensional data to multi-layer evidence

Different tasks require different data types to identify trends, relationships, and anomalies, including metrics, metadata, detections, and packets. A tiered strategy of both lightweight data for continuous reasoning and deep evidence is essential for balance.

Frontier AI hasn’t just introduced new threats; it has mandated a new architecture for defense. Security must become unified, adaptive, and most important, incorporate agentic capabilities. The enterprises that build layers of context today will be better prepared to meet the new standard for safety in the AI era. Those that rely on the old ways of manual correlation will be forced to react to a world that moves too fast for them to see.

AI-driven SOC operations require fundamentally new governance and operational models, underscoring that the ability to produce highly contextualized data (not tooling alone) will determine which organizations can scale most securely and effectively. Without it, automation will only scale noise, not the needed intelligence.

Chad is the Chief Information Security Officer at ExtraHop. Chad is responsible for all aspects of cybersecurity risk for ExtraHop, as well as facility, personnel, and physical security. Chad previously served as a Cyber Operations officer in the U.S. Air Force for 31 years, holding five senior level cybersecurity roles developing and implementing cybersecurity roadmaps, strategies, and capabilities as well as advising executive leadership on critical cybersecurity issues. In addition, he was a qualified cyber operator and commanded threat hunting and cyber incident response teams for a global enterprise network. Immediately prior to ExtraHop, Chad was the Chief Security Officer for Echelon Risk + Cyber, where he drove strategy and integration of offensive and defensive security service lines. He also served as CISO and was a vCISO for several clients.