
The Future of Threat Detection & Response: Automation, AI, and the Shift Toward Proactive Security

Security teams aren’t just reacting to threats anymore; they’re working to stay ahead of them. The 2025 SANS Detection & Response Survey makes it clear that organizations are accelerating their adoption of automation, AI, and proactive detection and response techniques in an effort to reduce analyst workload and improve response times.

But while automation and AI adoption are rising, confidence, maturity, and operational readiness still vary widely. Here’s what the data from the report reveals about where the industry is headed and what security teams need to do to prepare.

1.  AI and ML adoption is accelerating quickly.

The SANS survey shows that 76% of organizations plan to expand their use of AI and machine learning for detection and response, up from 67% last year. Automated threat hunting (73%), predictive analytics (68%), and correlation engines (65%) experienced some of the largest year-over-year increases. These trends indicate that AI is moving beyond experimentation and into day-to-day security operations, with teams shifting away from purely reactive alert handling toward more predictive and behavior-driven approaches.

2.  Confidence in AI remains mixed.
Despite growing adoption, only 16% of respondents rated AI/ML-based detection tools as extremely effective, while 13% considered them ineffective. The survey highlights ongoing concerns around transparency and explainability, underscoring that organizations are not simply looking for more automation, but for detection capabilities they can understand and trust.

3.  Automation is becoming foundational to modern detection and response.
Ninety percent of organizations now use automated tools for threat detection, and 66% have at least partially automated response workflows. Nearly half expect automation to play a significantly larger role in the near future, while only a small fraction anticipate no change. These findings suggest that manual-only workflows are no longer sustainable as environments grow more complex and alert volumes continue to rise.

4.  Slowing response times are increasing the urgency for automation.
One of the more concerning trends in the survey is the decline in rapid response. The percentage of organizations responding within seconds dropped from 8% to just 3%, while response times measured in hours increased noticeably. As cloud and hybrid environments introduce more variables and investigation paths, automation becomes essential for enriching context, validating threats, reducing false positives, and accelerating containment.

5.  Skill gaps make automation even more critical.
The survey reinforces that 56% of organizations struggle with skills shortages, while 78% rely heavily on training programs to compensate. With budgets constrained and hiring challenges persisting, automation increasingly serves as the most scalable way to reduce analyst workload. This places greater importance on detection platforms that lower the barrier to effective analysis by providing clarity and actionable insight rather than additional complexity.

The takeaway: Automation + AI must work together to deliver clarity

Across the SANS report, one theme is consistent: automation and AI are only effective when they amplify analyst judgment rather than replace it. As organizations increase their reliance on automated detection and response, the quality of the signals feeding those systems becomes just as important as the automation itself. Poor input leads to more noise and vague alerts, while high-quality input enables faster, more confident action.

This is where Network Detection and Response (NDR) is increasingly relevant. NDR contributes to modern detection programs by improving the quality and interpretability of signals entering automated workflows. Specifically, NDR:

  • Provides high-fidelity, context-rich detections that help analysts quickly understand why an alert matters
  • Surfaces meaningful threats without increasing alert volume, reducing cognitive load
  • Uses behavioral analysis to expose activity that may be missed by log- or endpoint-centric views
  • Feeds SOAR and EDR platforms with high-confidence intelligence, improving automation outcomes
  • Helps smaller or leaner teams achieve broader visibility without expanding tool sprawl

As organizations embrace AI and automation, the SANS findings reinforce the need for detection systems that are transparent, explainable, and grounded in observable behavior. Automation succeeds not by generating more activity, but by enabling analysts to focus on the signals that truly warrant response.

Clear NDR® from Stamus Networks aligns with this direction by delivering network-based visibility and precise, behavior-aware detections that support proactive and automated response workflows without introducing additional noise or complexity.

Proactive Security Requires a Foundation Built on Clear, Comprehensive Insight

The 2025 SANS Detection & Response Survey makes one thing clear: the future of cybersecurity will be shaped by technologies that help teams move faster, identify threats earlier, and operate with greater confidence. Automation and AI are no longer experimental; they are becoming core components of modern detection strategies. Their effectiveness, however, depends heavily on the quality, depth, and clarity of the data that supports them.

The survey highlights a persistent challenge: many traditional detection tools generate signals that are narrow, siloed, or incomplete. While these tools provide valuable insight, they often lack the context required for automated systems and AI-driven analysis to reliably interpret complex behaviors or multi-stage attacks. As a result, organizations struggle to fully realize the promised benefits of automation, including reduced false positives, faster response, and more proactive detection.

These findings help explain why Network Detection and Response (NDR) is playing an increasingly important role in modern security programs. NDR adds a network-based, behavior-aware perspective that complements endpoint and log-based telemetry. By observing activity between systems, across environments, and within cloud and hybrid infrastructure, NDR helps close visibility gaps that limit the effectiveness of automation and advanced analytics.

Clear NDR builds on this approach by providing transparent, explainable detections that show analysts how and why activity is identified as suspicious. This level of interpretability becomes especially important as organizations expand automated workflows. When teams understand the reasoning behind detections, they are better positioned to trust outcomes and confidently accelerate response.

Taken together, the SANS findings point to a clear direction. AI and automation are most effective when supported by detection strategies that emphasize clarity, context, and signal quality. Network-centric visibility strengthens that foundation, helping organizations reduce uncertainty, improve decision-making, and move toward a more proactive security posture.

The future of detection will be defined by clarity, context, and confidence, supported by technologies that enhance analyst capability rather than overwhelm it.

If you're interested in reading the full 2025 SANS Detection and Response Survey, you can download it here. For more information on our Clear NDR solution, visit our product page or click the demo link, listed below the author bio.

D. Mark Durrett

Mark is the chief marketing officer (CMO) at Stamus Networks, where he has responsibility for go-to-market strategy and execution. Mark started his career as an electrical engineer and worked in digital circuit design of networking and telecom hardware for over a decade. He has over 25 years of experience leading marketing, product management and engineering for technology companies. Mark has served as the senior product and marketing executive at Netsertive, Emerging Threats, Overture Networks, Bell and Howell, Covelight Systems and Hatteras Networks. Mark resides in North Carolina, USA.
