Last updated at Fri, 14 Mar 2025 19:59:16 GMT
Security teams can be understandably hesitant to integrate artificial intelligence (AI) into incident response workflows. A single mistaken action could lead to widespread disruption, monetary loss, or reputational harm. Meanwhile, attackers are increasingly leveraging AI to enhance the scale and sophistication of their operations. According to former CISA chief, Jen Easterly, “[it’s] not just teaching cyber bad guys new tricks — it's also making it easier for anyone to become a bad guy.”
This escalation in AI-driven threats contributes to a more complex attack landscape, intensifying pressures on security teams already grappling with limited resources, and an ever-increasing volume of alerts. As a result, the risks of ignoring AI now outweigh the risks of embracing it.
Whether or not you're a customer of Rapid7’s managed security offerings, it's worth understanding how AI is already transforming security operations today – not as a vague promise of the future, but as a real, tangible advantage in the fight against cyber threats. Rapid7 has been at the forefront of this shift. Last summer, my colleague Laura Ellis detailed in her blog post how Rapid7 first infused AI into our MDR workflows; and just a few weeks ago Kelcey Morgan outlined some of the ways AI is essential to integrate into SOC workflows. Now, we’re taking it even further, and customers are seeing the impact firsthand.
Below, we explore some of the key ways AI is actively driving secure, efficient, and transparent outcomes within Rapid7’s global Security Operations Center (SOC), and how customers of our Managed Threat Complete service are benefiting from these advancements firsthand.
AI-Powered Auto-Triage
Currently Available
What it is: AI-driven models that automatically analyze and close low-risk alerts, allowing analysts to focus on real threats. Using a layered ensemble approach, these machine learning models harness the collective expertise of Rapid7’s MDR analysts to instantly identify and resolve low-risk security alerts, as well as highlight potentially dangerous alerts. This allows our analysts to quickly identify and respond to the greatest threats to our customers’ networks.
Real-world impact: In a recent incident, a customer’s MDR environment generated over 8,000 benign alerts in a short time span. While Rapid7’s 24x7x365 SOC could have manually processed them, our AI models accurately triaged and identified them as benign without human intervention – freeing up analysts to focus on actual threats.
Why it matters: AI allows our SOC to reallocate human expertise to more complex investigations, reducing fatigue and response times while improving detection accuracy. Customers get faster, higher-quality security outcomes without being overwhelmed by false positives.
NEW: AI Alert Triage Decisioning Transparency
What it is: Complete transparency into alerts closed by the SOC with the assistance of AI-powered auto-triage capabilities.
Real-world impact: Transparency in auto-triage decisions is crucial for maintaining trust and security oversight. If an alert for potentially malicious certutil activity is closed as benign via our AI-powered Alert Triage capability, customers can review what input was relevant in driving the AI model’s rationale. Likewise, if a PowerShell execution on a critical server is escalated, they can see exactly why, based on factors like anomalous command sequences or credential access attempts. This visibility eliminates black-box decision-making, allowing security teams to confidently verify and act on AI-driven decisions.
Why it matters: Without visibility into auto-triage decisions, security teams risk over-reliance on automation without understanding its reasoning – potentially leading to missed threats or unnecessary escalations. By ensuring transparency, Rapid7’s AI-Powered Alert Triage empowers customers with insight into decision logic, helping them maintain security control, verify actions, and confidently respond to threats. This aligns with Rapid7’s TRISM Framework, which emphasizes trust in AI-driven security environments to ensure customers can harness AI without compromising visibility or control.
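To make the transparency described above concrete, here is a constructed illustration of what "showing which inputs drove the decision" can look like in code. This is an added example, not Rapid7's model or code: it assumes a two-layer triage (hand-written feature extraction followed by a linear scorer with assumed weights), hard-coded thresholds, a guardrail that never auto-closes credential access on a critical host, and three constructed sample alerts. Every field name, feature, weight and threshold is an assumption for illustration only.

```python
from dataclasses import dataclass
import math


@dataclass
class Alert:
    """Minimal alert record (constructed fields, not real telemetry)."""
    alert_id: str
    process: str
    cmdline: str
    host_tier: str            # assumed: "critical" or "standard"
    times_seen_benign: int    # assumed: prior closures of this exact command line as benign
    credential_access: bool   # assumed: set by an upstream credential-access detection


@dataclass
class TriageDecision:
    """Action plus the per-feature contributions that produced it."""
    alert_id: str
    action: str               # "auto_close", "escalate" or "analyst_review"
    score: float              # model probability that the alert is malicious
    rationale: list           # (feature, contribution) pairs, largest magnitude first


# Layer 1: turn the raw alert into named, human-readable features (assumed feature set)
def extract_features(a: Alert) -> dict:
    cmd = a.cmdline.lower()
    return {
        "known_benign_repeat": min(a.times_seen_benign, 10) / 10.0,
        "critical_host": 1.0 if a.host_tier == "critical" else 0.0,
        "encoded_command": 1.0 if ("-enc" in cmd or "-encodedcommand" in cmd or "-decode" in cmd) else 0.0,
        "download_flag": 1.0 if ("urlcache" in cmd or "downloadstring" in cmd) else 0.0,
        "credential_access": 1.0 if a.credential_access else 0.0,
    }


# Layer 2: a linear scorer whose weights are hand-assigned for this example (not trained)
WEIGHTS = {
    "known_benign_repeat": -3.0,   # repeated, previously benign activity pushes toward closing
    "critical_host": 1.5,
    "encoded_command": 2.0,
    "download_flag": 2.0,
    "credential_access": 3.0,
}
BIAS = -1.0


def score_alert(features: dict):
    """Return (probability, per-feature contribution) so the decision is inspectable."""
    contributions = {f: WEIGHTS[f] * v for f, v in features.items()}
    logit = BIAS + sum(contributions.values())
    return 1.0 / (1.0 + math.exp(-logit)), contributions


def triage(a: Alert, close_below: float = 0.2, escalate_above: float = 0.8) -> TriageDecision:
    feats = extract_features(a)
    prob, contrib = score_alert(feats)
    # Keep only features that actually moved the score, strongest first: this is the rationale
    rationale = sorted(((f, round(c, 2)) for f, c in contrib.items() if c != 0),
                       key=lambda pair: -abs(pair[1]))
    # Guardrail (assumed policy): credential access on a critical host is never auto-closed
    if feats["credential_access"] and feats["critical_host"]:
        action = "escalate"
    elif prob < close_below:
        action = "auto_close"
    elif prob > escalate_above:
        action = "escalate"
    else:
        action = "analyst_review"
    return TriageDecision(a.alert_id, action, round(prob, 3), rationale)


# Constructed sample alerts mirroring the two scenarios in the text plus one borderline case
SAMPLE_ALERTS = [
    Alert("A-1", "certutil.exe", "certutil.exe -hashfile installer.msi SHA256",
          "standard", times_seen_benign=10, credential_access=False),
    Alert("A-2", "powershell.exe", "powershell.exe -enc SQBFAFgA...",
          "critical", times_seen_benign=0, credential_access=True),
    Alert("A-3", "powershell.exe", "powershell.exe -enc SQBFAFgA...",
          "standard", times_seen_benign=2, credential_access=False),
]


def triage_all(alerts=SAMPLE_ALERTS) -> dict:
    """Triage every alert and key the decisions by alert id for review."""
    return {a.alert_id: triage(a) for a in alerts}


if __name__ == "__main__":
    for decision in triage_all().values():
        print(f"{decision.alert_id}: {decision.action} (p={decision.score})")
        for feature, contribution in decision.rationale:
            print(f"    {feature:<22} {contribution:+.2f}")
```

Running it shows the certutil alert closed with a single driving input (its repeated benign history), the PowerShell alert on the critical server escalated with credential access, the encoded command and the host tier listed in that order, and the borderline case handed to an analyst. The point of the design is that the rationale is produced from the same contributions the score is computed from, so what a reviewer sees is exactly what the model used.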

AI-Generated Incident Reports
Currently Available
What it is: AI-powered automation that initiates detailed incident reports, including root cause analysis and impacted systems, arming the SOC with foundational information to recommend next steps.
Real-world impact: Traditionally, analysts manually compile post-incident reports, a process that can take hours. With AI-driven automation, incident summaries are generated in minutes, pulling in relevant data, impact analysis, and remediation insights automatically. Analysts then validate and refine these reports before sharing them with customers.
Why it matters: Customers get faster, more actionable insights following security incidents, reducing downtime and allowing for quicker remediation. AI doesn’t replace expert analysis – it enhances it, giving security teams the information they need to act decisively.
AI-Powered MDR SOC Assistant
Currently Available
What it is: AI-driven assistants that provide real-time recommendations, enrichment, and decision support for Rapid7 SOC analysts during investigations.
Real-world impact: When Rapid7 SOC analysts investigate a suspicious event, AI automatically enriches it with historical attack patterns, threat intelligence, and behavioral context to provide suggested next steps. If similar cases exist in other environments, AI identifies patterns and highlights potential threats before they escalate.
Why it matters: The AI-Powered MDR SOC Assistant acts as an on-demand expert for Rapid7’s MDR analysts that speeds up investigations, helps analysts make data-driven decisions, and ensures no critical detail is overlooked. This translates to faster investigation and response times for customers.
AI-Driven Threat Detections
Currently Available
What it is: AI identifies subtle patterns and anomalies that might indicate emerging threats before they trigger traditional detection rules.
Real-world impact: AI-driven analytics help uncover a multi-stage attack in its earliest phase by detecting an unusual combination of process executions across multiple endpoints. Analysts are alerted to the activity and mitigate the threat before it can escalate into a full-blown breach.
Why it matters: Traditional security tools rely on known signatures or predefined rules. AI allows for earlier detection of nuanced threats, helping customers stay ahead of sophisticated attacks that might otherwise go unnoticed. Learn more about these detections.
The time to embrace AI is now
AI-powered SOC automations are no longer futuristic ideas – they are practical, real-world solutions already making security teams faster, smarter, and more effective. The question is no longer "Should we leverage AI?" but rather "How can we leverage AI responsibly and effectively within our Security Operations teams and workflows?"
As we outlined in our previous blog, the introduction of AI into security workflows is not about replacing humans – it’s about empowering them. At Rapid7, we’ve seen firsthand how AI can reduce noise, accelerate investigations, and help security teams stay ahead of evolving threats – and we’re just getting started.
Fortunately, security teams don’t have to navigate this new frontier alone. With Rapid7’s AI-enhanced MDR services, customers get the best of both worlds – AI-powered efficiency combined with expert human oversight. Whether through AI-Powered Alert Triage, AI-Generated Incident Reports, or AI-assisted investigation and threat detection, the message is clear: embracing AI isn’t just about adopting new technology – it’s about accelerating outcomes in an increasingly unpredictable digital world.
If you’re ready to explore how AI helps us to help you bolster your security operations, let’s talk.