How one CISO got 4 budget offers in a single afternoon and how the AI SOC is evolving
A field report from AI SOC Live at Nasdaq.
Welcome to The Cybersecurity Pulse (TCP)! I’m Darwin Salazar, Head of Growth at Monad and former detection engineer in big tech. Each week, I bring you the latest security innovation and industry news.
I recently attended Intezer’s AI SOC Live show, a one-day, invite-only gathering of CISOs and security leaders at Nasdaq’s MarketSite. While this trip was sponsored, this piece highlights what I extracted from the experience and thought would be most valuable to you.
One thing that kept coming up across nearly every session is that it's the hardest time to be a CISO and also the most exciting. Pavi laid out everything stacking against defenders right now and Doug kept coming back to how AI is making the CISO seat more rewarding than it's been in years. While we covered a lot of ground in one day, that tension was kind of the undercurrent for everything else.
TL;DR
Mythos quietly opened a budget window. It spooked many execs and brought security to the forefront even more. CISOs can and should parlay this into more funding to bolster their security programs for what comes next.
The walls between SIEM, SOAR, MDR, and EDR are collapsing. The AI SOC unlocks the speed and coverage to investigate every alert, not just the obvious ones.
Tier 1 is dead, Tier 2 is dying. MSSPs and MDRs whose business model depends on selling tiered analysis have a real problem.
Mitchem Boles proposed AVERT (Action-Verified Resolution Time) as the executive metric to replace MTTR.
Procurement is shifting from multi-year to one-year deals. Renewal motions just got harder.
Mature SOCs will win bigger from AI than immature ones. Good brakes make the car go faster.
While AI SOC was at the forefront, the takeaways ranged well beyond that: procurement strategy, MSSP business models, board-level budget dynamics, metric reframes, and architectural patterns for adopting autonomous approaches to security.
This post covers the 8 things I walked away with.
Mythos quietly rewrote the budget conversation in real time
When the Mythos news broke, one of the panelist CISOs (I forget which one) got pulled aside by four different C-suite executives in short succession, each offering more budget. Not “send us a plan.” More money, now, because they were genuinely worried Mythos-class capability in the wrong hands could end the company.
Doug Mayer (CISO, WCG Clinical) made the same point from another angle: “I’m a huge fan of the marketing around Mythos because it opens eyes and interest into security. CISOs should use this moment to educate the board and get more funding.”
The window is open. CISOs who go to their boards in the next two quarters with a clear-eyed plan for AI-era threats will get funded in ways they wouldn’t have a year ago. The ones who wait may already be getting questioned behind closed doors. Everyone is AI-pilled, and security leaders who aren’t being vocal + tactical about securing it, securing from it, and using it to secure things risk falling behind.
We’re tuning out the wrong alerts
Itai Tevet (co-founder and CEO of Intezer) opened by addressing the elephant in the room. SIEM, SOAR, MDR, and traditional SOC models are all broken in the same way. Each layer requires humans to operationalize, and humans don’t scale. So teams tune out, filter down, and only chase what looks obviously anomalous or bad.
Alert fatigue and analyst burnout are real, but they’re organization-specific problems with organization-specific fixes. The bigger issue is the industry-wide pattern that we’ve been forced to accept for over a decade. We collectively decided low-severity alerts aren’t worth investigating, and we built our entire SOC operating model around that assumption. Intezer’s 2026 AI SOC Report puts a number on what that costs us: nearly 2% of low-severity endpoint alerts turn out to be real threats. Tune those out at scale and you tune out real attacks at scale.
Itai’s reframe of the SOC operating model boils down to three rules: every alert is investigated, every investigation is consistent, detection posture improves with every alert. None of those work with a human-bottlenecked tier 1 queue.
The offense has gotten too fast for human-in-the-loop on every alert
Alon Cohen (CyberArk founder, Intezer executive chairman) followed with: “In a world of machine-speed attacks, human-speed defense is a suicide mission.”
A few months ago I would have called that fearmongering or an overstatement, but it has only become increasingly true. Anthropic showed a model that weaponized 181 working attacks from a single Firefox vulnerability set, where the prior generation managed two. The November 2025 GTG-1002 disclosure showed nation-state actors running 80 to 90% of an espionage campaign autonomously through Claude Code at thousands of requests per second. Now think about the capabilities nation-state actors have which don’t come up on traditional radars; the landscape has truly shifted and automation is one of our best answers for this.
If you’ve architected your SOC around human-in-the-loop on every alert, you’re not building a SOC. You’re building a forensics team.
Translating SOC outcomes into board language
Mitchem Boles (Field CISO at Intezer, four years previously as Field CISO and security advisor at GuidePoint) gave one of the most insightful talks of the day. I’ve never been a CISO, so of course I’ve never had to report to a board; aside from what I read or hear, I don’t truly know how CISOs navigate the dynamic.
“If you’ve seen a board, you’ve seen one board.” This means that every board is different, but every board is pretty much asking a version of the same three questions. Mitchem’s framework maps each one to what they actually need to hear: coverage to risk reduction, comparison to containment, operations to leverage. Reframe the conversation in those terms and you stop reporting activity and start reporting outcomes.
AVERT, a new executive-level metric. Action-Verified Resolution Time. The argument: MTTR is dead, MTTC is closer, but neither captures whether the threat was actually neutralized with forensic proof. AVERT bundles three sub-metrics:
RMV (Risk Mitigation Velocity): 20x faster than industry average.
ARR (Autonomous Resolution Rate): 85% resolved before an analyst touches them.
VRR (Verified Resolution Rate): 97% closed with forensic proof of neutralization.
Mitchem framed AVERT as a “proposed executive and board metric,” so I’m reading those numbers as aspirational targets for a mature AI SOC rather than industry averages.
Procurement is shifting from multi-year to one-year deals.
Pavi Ramamurthy (CISO, Blackhawk Network) flagged a shift that’s going to compound: CISOs are pulling back from multi-year contracts in favor of one-year deals.
Two reasons. The industry is moving fast enough that locking into a three-year deal with anyone, including the vendor you love today, looks reckless. And security incidents are increasingly hitting security vendors themselves, eroding trust and making the ability to switch a feature, not a bug. Another point of concern is what usually happens when a vendor gets acquired. Things inevitably change and sometimes for the worse.
Tier 1 is dead. Tier 2 is dying.
Across both CISO panels, the consensus was nearly unanimous, and Doug Mayer made the case clearly: siloed tier 1 / tier 2 / tier 3 categorization is a relic of a staffing model that no longer makes sense when AI can do the triage and enrichment work that filled tier 1 queues for the last 15 years.
Bad news for any MSSP or MDR whose business model depends on selling tier 1 and tier 2 analysis as a service. The shops that survive are investing in higher-order detection engineering, threat hunting, and complex investigation. Jen Greulich’s Legato Security is a good example of a shop already adapting.
Counterpoint from Deepak Kolingivadi (ServiceNow): the security practitioner role isn’t disappearing, it’s changing. The new bar is whether you can think in automation, orchestration, and scale.
Stop measuring MTTR. Start measuring dwell time and time-to-decision
Two CISOs in the same room landed on the same idea from different angles: MTTR is measuring the wrong thing.
Doug Mayer: “Screw MTTR. Mean time to contain, dwell time, is the real thing.” MTTR measures activity. Dwell time measures outcome.
Nick Vigier (CISO, Oscar Health), in the closing CISO Series podcast taping with David Spark, pushed it further. Most SOCs are slow because decision-making rests with too few operators. The bottleneck isn’t analysis speed. It’s decision ownership. Nick’s reframe: mean time to decision.
Together, dwell time and time-to-decision describe the SOC’s job better than any framework I’ve seen.
Mature SOCs with strong foundations will win
Paul Carpenito (CISO, ION Group): “Good brakes make the car go faster.” Easily my favorite quote of the day.
To me, it means that if your SOC is mature-ish and has good hygiene (trustworthy log ingestion and coverage, fine-tuned detection content, well-mapped MITRE ATT&CK coverage, defined runbooks, clear ownership), you can adopt AI faster and trust it more. The AI has structured ground truth to operate against. Tiered autonomy based on asset criticality becomes achievable because you actually know how certain events should be responded to.
If your SOC is immature, AI accelerates your dysfunction, automates decisions you didn’t realize were wrong, and produces confident outputs against a foundation that can’t validate them. The gap between mature and immature SOCs will widen dramatically. The decisions (or lack thereof) SOC leaders make in 2026 will compound for the next five years.
Wrapping Up
The offense has gotten a lot faster and the defense hasn’t necessarily caught up. The AI SOC conversation is no longer about whether to adopt. I think that’s a settled debate. It’s about whether you have a mature foundation that can absorb it, or whether you’re adopting it on top of a stack that’s going to amplify your existing problems.
Good brakes make the car go faster. If you don’t have good brakes, this is the year to build them.
Big kudos to Sarah, Lital, Ada and the Intezer marketing team for putting this together. A Nasdaq venue, a CISO-only invite list, and a David Spark podcast taping in a single day takes serious coordination, and they made it look easy. Shoutout also to Itai and Mitchem for the substance, and to the CISOs who didn’t hold back any punches. Cool event!
I was listening to a panel the other week in Palo Alto where one of the CISOs (sorry can’t remember who) was saying we should rebrand MTTR to Mean Time Till Resilience. I liked that as well!