To fight AI, cyber defenders will need to use AI

What I saw at ElasticON, and why defenders without AI will be left behind.

Photo Credit: Paul Mah

Complex cybersecurity investigations once took hours or days. AI is collapsing that to minutes.

In the last 12 months, one recurring topic when I spoke with cyber experts was this: to fight AI, defenders must use AI. And that's exactly what I witnessed at ElasticON Singapore.

AI-speed is the new norm

As with every new technology, hackers have sought to harness AI. Today, AI is increasingly used to find software flaws and craft exploits in one go, execute cyberattacks on enterprise networks, and scan and exploit internet systems at scale.

Love AI or hate AI, defenders can no longer contain explosive AI-powered lateral movement in breached networks using the old playbook.

This is where an AI-powered automation engine like Elastic's Workflows for Security, currently in technical preview, comes into play. Here's what I saw.

From noise to signal

In the demo, a security analyst logged into the security console to be inundated with over a thousand alerts.

With a click, the analyst whittled the list to 35 alerts across six vectors. An AI agent then reviewed a selected alert and made recommendations. Another agent retrieved running apps on the target account. A third verified the presence of malware.

No more switching across multiple systems, poring through extensive log entries, or manually retrieving individual files to check for malware. In its place are natural-language queries via a chat interface, powered by AI agents to quickly separate false alerts from genuine alarms, and act on them.

A Claude Code for cybersecurity

How the tool made use of various resources and its step-by-step outline of solutions reminded me strongly of Claude Code. Except this is tailored squarely at cybersecurity professionals.

In fact, Opus 4.6 was used for the demonstration - the top model at the time of the event - though AI providers such as OpenAI, Amazon Bedrock, and others are also supported.

Build-your-own workflows

Another thing that struck me was how workflows can be created for general automation or for specific responses such as handling recurring triage tasks.

For example, a custom workflow could invoke an agent, run a web search, create a Slack channel, find the next available responder, and compile a report with evidence and IOCs.

In short, defenders who embrace AI can identify problems in minutes. Those who don't will probably still be stuck clicking through alert queues hours later.

A year ago, AI in cybersecurity was a talking point. At ElasticON, it was a working demo. I expect this to be the baseline by next year.