Why Analyst Workflow Matters More Than Another Detection Rule

Published on
April 2, 2026
Most security teams already have the data they need to detect threats. What they often lack is the time and workflow efficiency to investigate them quickly. Analysts still spend hours writing queries, enriching alerts, correlating intelligence, and chasing context across multiple systems. The result is a growing gap between detection and decision.

Many SOC teams are still slowed down by the same bottleneck: the analyst workflow. The challenge is no longer simply detecting threats. It is turning signals into context and context into decisions fast enough to matter.

As Mark Hassoun, Technical Director at Anomali, explained during a recent security operations discussion:

“The big data that we built the platforms to analyze is becoming bigger. Data literally exploded.”

More data should improve visibility. But when workflows remain manual, fragmented, and complex, it often produces the opposite effect. The result is slower investigations, overwhelmed analysts, and security teams that struggle to keep pace with the threats they can already see.

How Investigation Workflows Become the Real Bottleneck

Many security conversations focus on detection technologies: new rules, better alerts, or more advanced analytics. But detection is only the beginning of the SOC process.

Every alert requires investigation. Analysts must determine whether the signal is real, what it means, and how to respond. That work often involves pulling context from multiple systems, writing complex queries, restoring historical data, and validating intelligence manually.

For many teams, this investigative process is where time is lost.

Hassoun described the challenge clearly:

“We have a lot of false positives in the SOC. Analysts are struggling to focus on what matters… that brings the productivity of the analyst down.”

Alert fatigue has been discussed for years, but the underlying issue is not just alert volume. It's the operational friction required to process those alerts. Even when detections are accurate, analysts often lack the immediate context needed to determine urgency. That forces them into repetitive tasks like enrichment, correlation, and validation. These steps are necessary, but they consume the time analysts need for higher-value work.

Why Query-Driven Threat Hunting Slows Teams Down

Threat hunting is another area where workflow friction appears.

In many SOC environments, hunting requires deep familiarity with complex query languages and platform-specific syntax. Analysts must translate investigative questions into structured queries before they can begin exploring the data. That requirement limits who can hunt effectively and slows the overall process.

Hassoun noted that analysts often spend a large portion of their time on these tasks:

“Threat hunting is where analysts are spending their time doing this all day.”

When investigations rely on specialized query expertise, security teams become dependent on a small number of experts. That creates operational bottlenecks and makes it harder to scale security operations. It also increases the time between suspicion and insight.

If an analyst has to construct complex queries before asking a simple investigative question, the workflow is already working against them.

Making Threat Hunting Accessible to More Analysts

One of the most meaningful improvements in modern SOC environments is simplifying how analysts interact with data. Instead of requiring every investigation to begin with query construction, analysts can start with natural questions about what they are trying to understand.

Hassoun described the goal this way:

“We made the analysts speak to the system in their natural language instead of learning complex queries.”

This shift changes the speed and accessibility of threat hunting. Instead of translating investigative ideas into syntax, analysts can ask questions directly:

  • What systems connected to this IP?
  • Which users interacted with this endpoint?
  • Have we seen this vulnerability across the environment?

The platform can then convert those questions into structured searches behind the scenes.

This approach lowers the technical barrier for investigations and allows more analysts to participate in hunting and response activities. It also dramatically reduces the time required to begin investigating suspicious behavior.

Reducing Investigation Time From Days to Minutes

Another major source of workflow friction is the time required to correlate external intelligence with internal data.

When a threat advisory or security report arrives, analysts often need to manually extract indicators such as IP addresses, domains, file hashes, or vulnerabilities. They then compare those indicators against internal logs to determine whether the organization has been affected. That process can take hours or even days.

According to Hassoun, the goal is to eliminate much of that manual work:

“Everything that usually takes weeks from the analyst… can be done within a couple of minutes.”

Automating entity extraction, enrichment, and correlation allows security teams to move from intelligence to investigation much faster. Instead of manually copying indicators and writing searches, analysts can immediately see whether suspicious infrastructure has interacted with their environment.
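The extraction-and-correlation step described above, as an added Python example (not Anomali's code and not the platform Hassoun describes): indicators are pulled from an advisory, defanged dots are restored, and each indicator is matched against internal log lines. The advisory text and log lines are constructed; a real deployment would query a log store instead of an in-memory list.

```python
import re
from collections import defaultdict

# Constructed sample advisory (not from the post): documentation-range IPs,
# SHA-256 of the empty string, and a placeholder CVE id.
ADVISORY = """
Threat actor infrastructure observed at 203.0.113.45 and 198.51.100.7.
Payload staged from update.example-cdn[.]net; dropper SHA-256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Initial access via CVE-0000-00000 (placeholder identifier).
"""

# Constructed sample internal log lines (proxy, DNS, EDR).
LOGS = [
    "2026-04-01T10:02:11Z proxy src=10.0.4.21 dst=203.0.113.45 user=alice",
    "2026-04-01T10:05:40Z dns client=10.0.4.21 query=update.example-cdn.net",
    "2026-04-01T10:09:03Z edr host=ws-21 sha256="
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2026-04-01T11:00:00Z proxy src=10.0.7.3 dst=192.0.2.9 user=bob",
]

# Indicator patterns; the domain pattern also accepts defanged "[.]" dots.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(
        r"\b[a-z0-9-]+(?:\[\.\]|\.)(?:[a-z0-9-]+(?:\[\.\]|\.))*[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b"),
}

def extract_indicators(text):
    """Return {indicator_type: set of refanged, lower-cased values}."""
    found = {}
    for kind, pattern in PATTERNS.items():
        values = {m.group(0).replace("[.]", ".").lower()
                  for m in pattern.finditer(text)}
        if values:
            found[kind] = values
    return found

def correlate(indicators, logs):
    """Map each (type, value) pair to the log lines that mention it."""
    hits = defaultdict(list)
    for kind, values in indicators.items():
        for value in values:
            for line in logs:
                if value in line.lower():
                    hits[(kind, value)].append(line)
    return dict(hits)
```

Indicators with no hits (here the second IP and the CVE id) are the ones an analyst can deprioritize without writing a single query.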

This acceleration is critical because attackers are still moving forward while defenders complete long investigative cycles.

AI Is Supporting Analysts, Not Replacing Them

AI often enters the conversation at this stage, but the role of AI in security operations is frequently misunderstood. The goal is not to replace human analysts. The goal is to support them by removing repetitive, time-consuming tasks that slow down investigation.

Hassoun emphasized this point clearly:

“We want to make the life of the analyst easier.”

AI can assist with tasks like:

  • Extracting indicators from reports
  • Enriching alerts with threat intelligence
  • Filtering likely false positives
  • Summarizing investigation results
  • Automating parts of triage

This allows analysts to focus on interpretation, decision-making, and response. In other words, the human expertise remains essential. AI simply removes the friction that prevents analysts from applying that expertise quickly.

Why Workflow Design Is the Future of SOC Performance

Security leaders often look for improvements in new tools or additional detections. But the most impactful changes may come from redesigning the analyst workflow itself.

When investigations become easier to initiate, alerts arrive with better context, and intelligence can be operationalized quickly, security teams move faster. They also make better use of their existing talent. Analysts spend less time on repetitive tasks and more time on meaningful security decisions.

In an environment where threats are becoming more automated and data volumes continue to grow, workflow efficiency may ultimately matter more than any single detection rule. The SOC teams that improve how analysts work, not just what they detect, will be the ones best positioned to keep up with the modern threat landscape.

For more insights, watch the full video here.
