Harnessing AI and Automation to Strengthen Human-Led Cyber Defense
Three Points to Remember
- AI-powered tools are designed to reduce false positives, helping cyber defenders focus on critical threats and strategic tasks for resilience.
- By teaming with humans, automation and AI enhance cyber defense by detecting anomalies, isolating threats and adapting to evolving adversarial tactics in near-real time.
- Human expertise, augmented by AI, supports precision in high-stakes missions, helping defenders outthink and disrupt adversaries effectively.
Picture a security operations center (SOC) at 2 a.m. An analyst is glued to a screen, sifting through thousands of alerts pouring in from security platforms. The analyst knows that recent studies show most alerts are low priority or false positives. But hidden in that noise could be a ransomware attack poised to cripple mission critical systems. The pressure is on. The clock’s ticking, and the team is already stretched thin.
For today’s cyber defenders, this is daily life. Staying sharp in the fog of war is a constant challenge as cyber threats evolve by the hour and adversaries grow faster and more adaptive. From safeguarding small businesses to securing national defense networks, staying ahead of evolving cyber threats demands a smarter approach to cyber defense.
The relentless reality of cyber defense
As a retired U.S. Army Cyber Warrant Officer who served in the Cyber Protection Brigade, I’ve lived these struggles. From chasing false positives to protecting critical networks under pressure, cyber defenders have a tough job. They monitor networks using tools like security information and event management (SIEM) and endpoint detection and response (EDR), respond to incidents, hunt for advanced persistent threats and keep systems compliant with standards like the National Institute of Standards and Technology’s Special Publication 800-53 (NIST 800-53). But they’re up against huge challenges. According to Splunk’s State of Security 2025, SOCs are overwhelmed by alerts, only getting to half of them each day. Worse, defenders spend about one-third of their typical workday investigating incidents that are not real threats. ISC²’s 2024 report, Global Cybersecurity Workforce Prepares for an AI-Driven World, detailed how a global shortage of over 4.7 million cybersecurity professionals leads to burnout.
Defenders increasingly grapple with complex IT environments spanning multi-hybrid clouds; air-gapped and disrupted, degraded, intermittent and low-bandwidth (DDIL) environments; global on-premises systems; and IoT networks. This complicated landscape makes it hard to see, control and defend everything. For Department of War (DoW) teams, the stakes are even higher: a single breach could compromise weapon systems or national security data, as highlighted in U.S. Cyber Command’s Challenge Problem Set. With the average cost of a breach at $4.4 million, per IBM’s 2025 Cost of a Data Breach Report, smaller organizations are fighting an uphill battle. Tight budgets, compliance pressures and false positives are leading to missed threats and slow responses.
The necessity of AI for proactive cyber defense and resilience
Today’s cyber threats move at blazing-fast speeds. AI-powered phishing and exploit development help adversaries uncover zero-day vulnerabilities, rapidly exploit disclosed vulnerabilities and target critical DoW systems like weapon systems or enterprise data centers in addition to our nation’s critical infrastructure. Defending sprawling, high-stakes environments demands more than human effort. Operationalized, field-ready AI is essential for proactive cyber defense and resilience. By crunching billions of data points, AI can spot threats humans miss, using automation to identify events before they become an incident. For the DoW, where a single breach could cripple national security, trusted AI is now a must-have for cyber defense.
AI transforms cyber defense across critical areas. For operating system defense, AI tools catch anomalies like unusual processes that signal fileless malware. In network defense, machine learning analyzes traffic and correlates events to detect and stop intrusions. SIEM systems, swamped with alerts, use AI to prioritize high-risk events, slashing false positives. Cloud security benefits from AI monitoring hybrid setups, spotting misconfigurations before they’re exploited. Incident response gets a boost from automation, with security orchestration, automation and response (SOAR) platforms isolating compromised endpoints in seconds. Application security leverages AI to scan code for flaws before deployment. Data security uses machine learning to flag unauthorized access. Identity and access management relies on AI-driven behavioral analytics to detect and block suspicious logins. For defensive cyberspace operations and continuous monitoring, AI tracks threats across air-gapped systems, while cyber threat hunting uses predictive models to uncover hidden advanced persistent threats, cutting the time an attacker remains undetected (“dwell time”) from weeks to hours. Automation playbooks, like SOAR’s auto-quarantine for ransomware or infrastructure as code (IaC) for rapid system resets, free defenders for strategic tasks, boosting resilience.
Rising to the challenge
The U.S. Cyber Command publishes Challenge Problem Sets to highlight critical issues that require innovative solutions to address capability gaps. The most recent Challenge Problem Set makes AI’s contributions to resilient systems clear, calling on AI to overhaul cyber operations. Challenge 3.1 calls for AI-assisted threat hunting to reduce false positives and pinpoint sophisticated attacks on critical infrastructure. Challenge 3.2 pushes AI for defensive cyberspace operations, automating vulnerability detection and quarantine in real time. Challenge 5.3 seeks SOAR platforms to streamline incident response playbooks, aligning with the “defend forward” strategy to disrupt adversaries proactively, as Lt. Gen. Paul Stanton, Commander of the DoW Cyber Defense Command, has urged when calling for defenders to outthink enemies.
The DoW’s budget backs this urgency. Cyberspace funding grows steadily: $13.5 billion in FY 2024, $14.5 billion in FY 2025, and $15.1 billion in FY 2026, per DoW budget requests. These funds drive zero trust, next-gen encryption, and Cyber Mission Force growth, all powered by AI and automation. The Research, Development, Test, and Evaluation budget, at $145 billion in FY 2024, $143 billion in FY 2025, and $142 billion in FY 2026, includes $1.8 billion annually for AI and machine learning, fueling tools like predictive analytics and automated response systems. These investments show AI’s critical role in building a combat-ready cyber force. The message here is not “sprinkle some AI on it and hope for the best.” Instead, the industry needs mission-centric, AI-powered solutions that are aligned with the U.S. Cyber Command’s Challenge Problem Sets to keep defenders one step ahead in an era where agility wins.
You win with people
The Special Operations Forces (SOF) Truths nail it: humans are more important than hardware. AI is a force multiplier, but it’s no replacement for a cyber defender’s instincts. AI-enabled cyber defense systems suggest actions, like blocking a suspicious login, but humans make the call in high-stakes missions, ensuring no critical system goes offline by mistake. By automating grunt work, like sifting logs or patching vulnerabilities, AI frees defenders to focus on strategy. Jensen Huang, CEO of NVIDIA, underscored that “software is a tool for AI to use, rather than replace; AI will use the tools software offers rather than reinventing its own.” This view reinforces that AI augments human expertise through existing software ecosystems rather than supplanting either. Lt. Gen. Paul Stanton, Department of War (DoW) Cyber Defense Command Commander, urged at the Military Cyber Professionals Association’s HammerCon 2025, “think about what the enemy is attempting to accomplish” and impose “pain and cost” on them. With $1.8 billion yearly designated for AI research, the DoW is empowering industry to build these cyber capabilities to enhance their defenses. AI and automation give defenders a serious edge, making them faster and sharper.
Let’s go back to the analyst who was buried in alerts at 2 a.m. Now, the same analyst has AI-powered tools built into their cybersecurity weapon system and deployed across their environment to help triage alerts, rapidly assessing and sorting them by severity and signature. These tools reduce the chaos, spotting patterns in network traffic to catch stealthy intrusions or flagging odd behaviors before they escalate. Automation kicks in to isolate a compromised device in seconds or update firewall rules on the fly, saving precious time. Unlike rigid playbooks that follow cookie-cutter steps, AI learns from each incident, adapting to prioritize real threats. AI is designed to cut false alarms, helping the analyst focus on big-picture strategies, like countering a nation-state actor targeting critical systems. In defense, where readiness depends on speed, foresight and precision, AI is not a luxury. It is the difference between reacting too late and staying one step ahead.
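To make the triage-and-playbook flow above concrete (score and de-duplicate alerts, suppress known-benign signatures, auto-execute routine containment, but hold disruptive actions on mission-critical assets for a human decision), here is a small added illustration; it is not code from the article or any named vendor platform, and the alerts, signature names, weights, threshold and playbook mapping are all constructed assumptions.

```python
# Constructed sample alerts (not real telemetry); fields mimic a typical SIEM/EDR record.
ALERTS = [
    {"id": 1, "host": "ws-17", "signature": "ransomware_file_encrypt", "severity": "critical", "confidence": 0.95, "critical_asset": False},
    {"id": 2, "host": "ws-17", "signature": "ransomware_file_encrypt", "severity": "critical", "confidence": 0.90, "critical_asset": False},
    {"id": 3, "host": "dc-01", "signature": "suspicious_login_geo", "severity": "high", "confidence": 0.70, "critical_asset": True},
    {"id": 4, "host": "ws-03", "signature": "scheduled_backup_agent", "severity": "low", "confidence": 0.99, "critical_asset": False},
    {"id": 5, "host": "ws-22", "signature": "port_scan_internal", "severity": "medium", "confidence": 0.40, "critical_asset": False},
]

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Signatures an analyst has already confirmed as benign in this environment (assumed tuning allowlist).
KNOWN_BENIGN = {"scheduled_backup_agent"}
# Assumed playbook: which automated response each signature maps to.
PLAYBOOK = {"ransomware_file_encrypt": "isolate_host",
            "suspicious_login_geo": "block_login",
            "port_scan_internal": "open_ticket"}


def triage(alerts):
    """Score alerts (severity weight x model confidence), drop known-benign ones,
    and keep only the highest-scoring alert per (host, signature) pair."""
    best = {}
    for a in alerts:
        if a["signature"] in KNOWN_BENIGN:
            continue  # analyst-tuned suppression: cuts recurring false positives
        score = SEVERITY_WEIGHT[a["severity"]] * a["confidence"]
        key = (a["host"], a["signature"])
        if key not in best or score > best[key]["score"]:
            best[key] = {**a, "score": round(score, 2)}
    return sorted(best.values(), key=lambda x: x["score"], reverse=True)


def decide(alert, threshold=2.0):
    """Playbook decision: auto-execute, queue for analyst approval, or log only."""
    action = PLAYBOOK.get(alert["signature"], "open_ticket")
    if alert["score"] < threshold:
        return {"id": alert["id"], "action": action, "mode": "log_only"}
    # Disruptive actions on mission-critical assets are never auto-executed:
    # the system suggests, the human makes the call.
    if alert["critical_asset"] and action in {"isolate_host", "block_login"}:
        return {"id": alert["id"], "action": action, "mode": "needs_approval"}
    return {"id": alert["id"], "action": action, "mode": "auto"}


def run_pipeline(alerts):
    """Full flow: triage the raw alert stream, then decide a response for each survivor."""
    return [decide(a) for a in triage(alerts)]


if __name__ == "__main__":
    for d in run_pipeline(ALERTS):
        print(d)
```

Of the five constructed alerts, the duplicate ransomware alert collapses into one, the backup-agent alert is suppressed, the workstation isolation runs automatically, and the domain-controller login block is queued for an analyst instead of firing on its own.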