The Problem We Both See
Security teams already generate more risk and noise than IT partners can absorb. AI will amplify that signal by creating more findings and more decisions. If we do not change the operating model, the backlog grows and real risk stays on the field.
Industry research continues to show the same pattern: alert overload, tool sprawl, manual handoffs, and long time-to-remediate. Automation exists in many SOCs, but it often stops at the point of detection. The work that actually reduces risk still depends on manual coordination with IT, change control, and validation.
This edition of C2 Corner features John Perkins, a cybersecurity professional with deep expertise in managed security services, operations, and product development. Since November 2017 he has led Threat Angler as its founder and operator. Earlier in his career he held leadership roles including Director of Managed Security Services at Insight, where he built a practice centered on cybersecurity outcomes, and VP of MSS Service Delivery at Guidepoint Security, where he managed SOC functions.
John's Take
We are spending too much time automating the SOC and not enough time automating the work that reduces risk. We chase AI SOC buzzwords while remediation stays manual and fragmented. The separation between IT and security keeps the backlog in place.
Security needs to leave the reporting tower. We cannot just publish risks and hand over recommendations. We need to join customers and IT in the remediation game and own the outcome together.
Chris's Take
The win is not more alerts or nicer dashboards. The win is risk down. That means shrinking time to remediate and doing it in a way that IT can trust and operate with every day. Across enterprises the pattern is consistent: findings are cheap, fixes are expensive. Tooling is fragmented, and workflows are the bottleneck.
AI can help with triage, drafting remediation steps, and summarizing status, but it must be grounded in real configuration and asset data, with humans approving production changes. Guardrails matter.
A Practical Blueprint: From Findings to Fixes
Here is a pragmatic model any security and IT team can run starting this quarter.
One backlog, shared ownership
Move to a single remediation backlog that both IT and security can see and update. Tickets for vulnerabilities, misconfigurations, and high-risk detections flow into the same queue with owners and due dates. Measure time to first action and mean time to remediate by asset class. Make MTTR a board-level metric.
Tighten the intake
Reduce duplicate and low-value alerts at the source. Consolidate tools where practical and suppress duplicates before they reach people. This step alone can free a meaningful share of analyst time.
Automate the boring parts of fixes
Automate evidence collection, change requests, CAB templates, and rollback plans. Let AI draft remediation plans, but require grounding on live data and a human to approve the change.
Close the loop, not just the case
Push status back into detection and risk views automatically. When a patch deploys or a control is hardened, analytics should reflect the change the same day.
Prove risk moved
Track MTTR, percent of critical issues closed within the defined SLO, and repeat offender assets. Use these three numbers in quarterly reviews. They are simple and difficult to game.
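To make the three review numbers concrete, here is an added Python example (not code from the article or from Abstract Security) that computes MTTR by asset class, the share of critical issues closed within an assumed 72-hour SLO, and repeat-offender assets from a constructed sample of the shared backlog. Ticket fields, asset names and the SLO value are all assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

SLO_HOURS = 72  # assumed SLO for critical issues in this example


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample of a shared security/IT remediation backlog (not real data).
BACKLOG = [
    {"id": "R-1", "asset": "web-01", "cls": "server",   "sev": "critical", "opened": _t("2025-01-06T09:00"), "closed": _t("2025-01-07T09:00")},
    {"id": "R-2", "asset": "web-01", "cls": "server",   "sev": "high",     "opened": _t("2025-01-10T09:00"), "closed": _t("2025-01-13T09:00")},
    {"id": "R-3", "asset": "db-02",  "cls": "server",   "sev": "critical", "opened": _t("2025-01-06T09:00"), "closed": _t("2025-01-12T09:00")},
    {"id": "R-4", "asset": "lap-17", "cls": "endpoint", "sev": "critical", "opened": _t("2025-01-08T09:00"), "closed": _t("2025-01-09T09:00")},
    {"id": "R-5", "asset": "lap-17", "cls": "endpoint", "sev": "medium",   "opened": _t("2025-01-09T09:00"), "closed": None},
    {"id": "R-6", "asset": "web-01", "cls": "server",   "sev": "medium",   "opened": _t("2025-01-12T09:00"), "closed": _t("2025-01-12T21:00")},
    {"id": "R-7", "asset": "fw-01",  "cls": "network",  "sev": "critical", "opened": _t("2025-01-12T09:00"), "closed": None},
]


def hours_open(ticket):
    """Hours from open to close; only meaningful for closed tickets."""
    return (ticket["closed"] - ticket["opened"]).total_seconds() / 3600


def mttr_by_asset_class(backlog):
    """Mean hours to remediate per asset class, over closed tickets only."""
    by_class = {}
    for t in backlog:
        if t["closed"]:
            by_class.setdefault(t["cls"], []).append(hours_open(t))
    return {cls: sum(h) / len(h) for cls, h in by_class.items()}


def critical_within_slo(backlog, slo_hours=SLO_HOURS):
    """Share of critical tickets closed within the SLO; still-open criticals count as missed."""
    crit = [t for t in backlog if t["sev"] == "critical"]
    met = sum(1 for t in crit if t["closed"] and hours_open(t) <= slo_hours)
    return met / len(crit) if crit else 0.0


def repeat_offenders(backlog, min_tickets=2):
    """Assets that keep coming back, most frequent first."""
    counts = Counter(t["asset"] for t in backlog)
    return [(asset, n) for asset, n in counts.most_common() if n >= min_tickets]


if __name__ == "__main__":
    print(mttr_by_asset_class(BACKLOG), critical_within_slo(BACKLOG), repeat_offenders(BACKLOG))
```

Run quarterly over the live backlog export, the same three functions give the numbers the review needs without any dashboard tuning.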
How Abstract Security Fits
Security-first data pipeline: We cut duplicate and low-value noise at ingestion and enrichment, so fewer junk items reach the queue.
Built-in detections and intel with AIG: Higher quality findings with lower volume, aligned to real attack behaviors.
Closed loop workflow: We stream outcomes back into analytics when a change lands, so the picture reflects reality.
Guardrailed automation: We support automation where it is safe and measurable. AI is grounded on your telemetry and gated by human checkpoints for production changes.
What Good Looks Like in 90 Days
Duplicate alerts down and a smaller tool surface for analysts.
A single remediation backlog with clear owners and SLAs.
MTTR and percent of critical issues remediated become shared KPIs for security and IT.
Automation handles intake, enrichment, evidence, and status updates. People focus on changes and validation.
Executive reviews focus on risk removed, not just alerts investigated.
Closing Thought
Automating the SOC without automating remediation is like calling plays without moving the chains. Security teams need to get on the field with IT, own the fix as much as the finding, and use AI carefully to speed safe changes. That is how we turn more signal into less risk.