Understanding the AI Landscape
The first step in cutting through the noise is recognising that AI in security operations is not a single technology. Machine learning and generative AI serve fundamentally different purposes, and effective security operations leverage both.
Machine learning excels at pattern recognition and anomaly detection. It can establish behavioural baselines for users and systems, identify deviations that warrant investigation, and pre-filter alerts to reduce the volume reaching human analysts. ML models learn what normal looks like for your environment and flag when something changes. This is particularly valuable for user and entity behaviour analytics, where the sheer volume of authentication and access data would overwhelm manual review.
Generative AI brings different capabilities. It reasons over unstructured data, summarises complex investigations, and provides contextual recommendations. Where ML tells you something is anomalous, GenAI helps you understand why it matters and what to do about it. It can correlate findings across multiple data sources, generate investigation summaries, and explain its reasoning in natural language.
Where Each Technology Delivers
In practice, the most effective implementations of AI in security operations use both technologies in combination. ML handles the continuous monitoring and filtering that would be impossible at human scale. GenAI handles the reasoning and context that ML cannot provide.
Machine learning delivers value in behavioural baseline establishment, where models learn normal patterns for users, devices, and network flows. It supports pre-filtering of false positives, where historical patterns help identify alerts unlikely to be true threats. Risk scoring benefits from ML's ability to weight multiple factors and assign confidence levels. And periodicity detection helps identify legitimate scheduled tasks that might otherwise generate repeated alerts.
Generative AI delivers value in alert summarisation, where complex multi-source investigations are distilled into actionable briefings. Investigation context enrichment allows GenAI to pull relevant information from knowledge bases, threat intelligence, and historical incidents. Recommendation generation provides analysts with suggested next steps based on the evidence gathered. Report generation also automates the documentation that consumes significant analyst time.
The Hybrid Approach
The most effective approach to AI in security operations is not to apply AI to everything, but to apply the right technology at the right point in the workflow. Deterministic processes should remain deterministic. AI should be deployed at decision points where its capabilities add genuine value.
Consider an account compromise investigation. The detection might come from an ML model that identified anomalous login behaviour. The initial triage uses deterministic rules to gather standard evidence: recent authentication events, group memberships, mailbox rules, device registrations. GenAI then analyses this evidence package, correlates it with threat intelligence, and provides a structured assessment with confidence scoring. The analyst reviews the AI's work and makes the final call.
This hybrid model preserves repeatability where it matters while adding intelligence where it helps. The deterministic components ensure consistent evidence gathering. The AI components accelerate analysis and surface insights that might otherwise be missed.
Building Internal Capability
For organisations building or maturing their own security operations, the challenge is not just selecting tools but developing the frameworks, processes, and skills to use them effectively. AI in security operations requires careful consideration of data quality, model training, workflow integration, and governance.
At Bridewell, we have spent years developing and refining these capabilities across our managed security services. We have built teams, developed skills, tested frameworks, evaluated vendors, and learned what works in practice. This experience is available to organisations looking to mature their in-house capabilities through consultancy engagements. The change management challenges of introducing AI into security operations are significant, and having guidance from teams who have navigated them before can accelerate your journey while avoiding common pitfalls.
The Bottom Line
AI in security operations is not a silver bullet, but it is a genuine capability multiplier when applied correctly. The key is understanding which problems each technology solves and integrating them into workflows that preserve human judgment where it matters.
Machine learning handles scale. Generative AI handles complexity. Humans handle accountability. An effective AI strategy in security operations recognises these complementary strengths and builds workflows that leverage all three.
The goal is not to replace analysts but to amplify their effectiveness. When AI handles evidence gathering, correlation, and initial analysis, analysts can focus on the judgment calls that require human expertise. That is where AI in security operations delivers real value.
Martin Riley
Chief Technology Officer
