TL;DR: Adversaries are increasingly automating reconnaissance, exploitation, lateral movement, and phishing, compressing attack timelines to machine speed while SentinelOne says automation can save analysts about 35% manual workload even as total alerts grow 63%. Human-centered response is no longer fast enough; the control problem is orchestration, not alert volume.
NHIMG editorial — based on content published by SentinelOne: Automation and AI as allies in modern cyber defense
By the numbers:
- SentinelOne's internal data shows proper automation can save analysts approximately 35% manual workload despite 63% growth in total alerts.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams automate containment when attacks move at machine speed?
A: Security teams should pre-authorise containment for a narrow set of high-confidence events, such as credential theft, impossible travel, suspicious token use, and automated lateral movement.
Q: Why do identity and SOC teams need to coordinate on AI-driven attacks?
A: AI-driven attacks often start with identity abuse, move through lateral access, and end in rapid execution, so the SOC cannot contain them alone.
Q: What do organisations get wrong about shadow AI risk?
A: They often treat shadow AI as a policy or procurement issue when it is also an access problem.
Practitioner guidance
- Define machine-speed response boundaries Map the execution-stage alerts that can trigger automatic isolation, credential revocation, or session termination without analyst approval.
- Separate AI governance from response automation Create distinct controls for AI tooling, model use, and autonomous response workflows.
- Link shadow AI monitoring to secrets and identity controls Use discovery tools to identify unapproved AI applications, then cross-check them against secret exposure, delegated access, and service account usage.
What's in the full article
SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:
- How SentinelOne's internal automation data was measured across alert volume and analyst workload.
- The specific agentic investigation and hyperautomation capabilities described for endpoint, cloud, and AI-native workflows.
- Examples of Prompt Security monitoring for AI coding tools, redaction, and policy enforcement.
- The report's broader threat observations on AI-assisted phishing, polymorphic malware, and automated pivoting.
👉 Read SentinelOne's analysis of automation, AI, and machine-speed execution →
Machine-speed execution: what it means for SOC and IAM teams?
Explore further
Automation has become the real control surface, not just a force multiplier. The article is right that AI without workflow automation only creates faster analysis, not faster defence. In identity-heavy environments, the same principle applies to credential issuance, access revocation, and incident containment. If those actions still depend on human queueing, the organisation is already behind the attacker.
A question worth separating out:
Q: How does automation change the way teams should think about execution-phase attacks?
A: Automation shortens the time between initial access, privilege expansion, and impact, so teams should stop assuming they will have time to investigate first and act later. The practical response is to design controls that can interrupt attack progression immediately, especially where credentials, tokens, or service accounts are involved.
👉 Read our full editorial: Automation and AI are redefining execution speed in cyber defense