AI Fuels Cyber Deception, Demanding Machine-Speed Data Verification for Defenders
Artificial intelligence (AI) has significantly altered the landscape of cyber deception, enabling attackers to generate vast numbers of convincing phishing lures and fake identities at reduced costs. This acceleration in deception has outpaced traditional verification methods, creating a new security challenge where defenders struggle with fragmented and untrustworthy data. To counter this, organizations are urged to shift focus from mere detection to robust evidence and data verification. The proposed solution involves establishing a 'defensive control plane' that integrates raw machine data with business context and policy, ensuring quick access to verifiable truth for informed, trustworthy actions against sophisticated AI-driven threats.

Artificial intelligence (AI) is transforming the economics of cyber deception, allowing attackers to rapidly create thousands of convincing phishing lures, fake identities, and tailored pretexts. Verification processes have not kept pace with this acceleration, so deception has become faster and cheaper while traditional defense mechanisms struggle to keep up.
While AI for defense often focuses on detection models, the primary bottleneck identified is the availability and trustworthiness of evidence. This includes where data resides, its accessibility, correlation speed, retention duration, and the ability for analysts or agents to trust retrieved information. Cybersecurity in the AI era is therefore presented as a data problem before it is a detection problem.
Attackers can deploy deception at enterprise scale with minimal cost of failure. Defenders, however, rely on 'truth'—quickly knowing what transpired, where, when, who was involved, which assets were affected, and what changes occurred. This truth must be documented, governed, auditable, and defensible. As AI scales deception, impersonation, and social engineering, defenders require AI to scale verification, aiming for actions that both people and machines can trust.
Fragmented data estates hinder modern defense. For instance, investigating a suspicious login may require combining identity history, endpoint activity, cloud access logs, ticketing records, asset ownership, configuration changes, network telemetry, and business context. If these records are scattered across different tools or teams, it complicates incident investigation, turning it into a data negotiation rather than a prompt analysis. When data is partial, stale, or lacks context, AI tools can accelerate uncertainty rather than create truth.
Organizations need to evolve from treating security platforms, SIEMs, and data lakes as passive repositories. The emerging requirement is a defensive control plane—a layer that connects machine data, business context, and policy to make evidence actionable and explainable. This involves preserving evidence, ensuring data accessibility across various locations, adding business context to machine data, and governing automated actions to maintain auditability and trust.
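The two paragraphs above describe the mechanics of the control plane in the abstract: pull the scattered records for one suspicious login into a single timeline, attach business context to each asset touched, record which sources the conclusion rests on, and refuse to auto-action when evidence is missing. The following is an added illustration of that flow, not code from the article or from any vendor product it names. Every record (identity, endpoint, cloud events and the asset table), the source names, the field names, the 30-minute window and the decision labels are constructed assumptions chosen to show the idea; the missing "network" source is deliberate, to show how a gap is surfaced rather than silently ignored.

```python
"""Correlate one suspicious login across fragmented sources and emit an
auditable evidence bundle. All records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry; ids, users, hosts and IPs are placeholders.
IDENTITY_EVENTS = [
    {"id": "idp-1", "ts": "2025-01-15T09:02:10Z", "user": "alice",
     "src_ip": "203.0.113.7", "result": "success", "mfa": False},
    {"id": "idp-2", "ts": "2025-01-15T08:40:00Z", "user": "alice",
     "src_ip": "198.51.100.4", "result": "success", "mfa": True},
]
ENDPOINT_EVENTS = [
    {"id": "edr-1", "ts": "2025-01-15T09:03:30Z", "user": "alice",
     "host": "wks-0042", "process": "powershell.exe"},
]
CLOUD_EVENTS = [
    {"id": "cloud-1", "ts": "2025-01-15T09:05:00Z", "user": "alice",
     "action": "s3:GetObject", "resource": "finance-exports"},
]
# Business context (CMDB-style): who owns each asset and how critical it is.
ASSETS = {
    "wks-0042": {"owner": "alice", "criticality": "medium"},
    "finance-exports": {"owner": "finance-team", "criticality": "high"},
}
# Sources actually reachable. "network" is required but absent on purpose.
SOURCES = {"identity": IDENTITY_EVENTS, "endpoint": ENDPOINT_EVENTS, "cloud": CLOUD_EVENTS}
REQUIRED_SOURCES = ("identity", "endpoint", "cloud", "network")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class EvidenceBundle:
    user: str
    pivot_ts: datetime
    timeline: list = field(default_factory=list)   # correlated events, time-ordered
    context: dict = field(default_factory=dict)    # business context per asset touched
    missing_sources: list = field(default_factory=list)
    findings: list = field(default_factory=list)   # each cites the record ids it rests on
    decision: str = "undetermined"


def correlate_login(user, pivot_ts_str, sources=SOURCES, window_minutes=30):
    """Build the evidence bundle for `user` around the pivot login time."""
    pivot = parse_ts(pivot_ts_str)
    lo, hi = pivot - timedelta(minutes=window_minutes), pivot + timedelta(minutes=window_minutes)
    bundle = EvidenceBundle(user=user, pivot_ts=pivot)

    # 1. Gather: one pass per required source; a source we cannot reach is recorded, not skipped.
    for name in REQUIRED_SOURCES:
        events = sources.get(name)
        if events is None:
            bundle.missing_sources.append(name)
            continue
        for ev in events:
            ts = parse_ts(ev["ts"])
            if ev.get("user") == user and lo <= ts <= hi:
                bundle.timeline.append({**ev, "source": name, "ts": ts})
    bundle.timeline.sort(key=lambda e: e["ts"])

    # 2. Enrich: attach ownership/criticality for every asset the timeline touches.
    for ev in bundle.timeline:
        for key in ("host", "resource"):
            asset = ev.get(key)
            if asset in ASSETS:
                bundle.context[asset] = ASSETS[asset]

    # 3. Findings with provenance: every claim lists the record ids behind it.
    logins = [e for e in bundle.timeline if e["source"] == "identity" and e["result"] == "success"]
    no_mfa = [e["id"] for e in logins if not e.get("mfa")]
    if no_mfa:
        bundle.findings.append({"finding": "successful login without MFA", "evidence": no_mfa})
    if len({e["src_ip"] for e in logins}) > 1:
        bundle.findings.append({"finding": "logins from multiple source IPs in window",
                                "evidence": [e["id"] for e in logins]})
    foreign_high = [a for a, c in bundle.context.items()
                    if c["criticality"] == "high" and c["owner"] != user]
    if foreign_high:
        bundle.findings.append({"finding": f"access to high-criticality assets not owned by user: {foreign_high}",
                                "evidence": [e["id"] for e in bundle.timeline if e.get("resource") in foreign_high]})

    # 4. Govern: incomplete evidence escalates to a human instead of triggering an automated action.
    if bundle.missing_sources:
        bundle.decision = "escalate: incomplete evidence"
    elif bundle.findings:
        bundle.decision = "contain"
    else:
        bundle.decision = "benign"
    return bundle


if __name__ == "__main__":
    b = correlate_login("alice", "2025-01-15T09:02:10Z")
    print(b.decision, "missing:", b.missing_sources)
    for f in b.findings:
        print(f)
```

The point of the bundle is that the decision string is never emitted on its own: it travels with the ordered timeline, the business context that was applied, the record ids each finding cites and the list of sources that could not be consulted. That is what makes the outcome auditable and defensible in the sense the text uses, and it is also what lets the same logic produce "contain" rather than "escalate" once the missing source is actually wired in.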
Modern Security Operations Centers (SOCs) frequently contend with an abundance of alerts, high false positive rates, and a lack of contextual information. According to the Splunk State of Security 2025 report, 59% of SOC analysts struggle with too many alerts, 55% with false positives, and 46% with alerts lacking context. This indicates that the core issue is not data volume but the difficulty in transforming fragmented signals into trusted decisions quickly. This challenge creates a daily crisis of context, compelling teams to make critical decisions based on incomplete or untrustworthy data.
A data fabric architecture is proposed as a solution to create a unified, intelligent layer across SecOps, ITOps, and NetOps data sources. This approach aims to break down silos and deliver context-rich insights at the speed required for AI-driven operations. This architectural shift, exemplified by the Cisco Data Fabric powered by the Splunk Platform, integrates machine data, federation, business context, governance, and provenance to facilitate a transition from signals to trusted actions.
(Source: VentureBeat)