Why the SOC needs its “Moneyball” moment
In the classic book and later Brad Pitt movie Moneyball, the Oakland A’s didn’t beat baseball’s giants by spending more – they won by thinking differently, scouting players not through gut instinct and received wisdom but through relevant data and pattern recognition. While the rest of the league fixated on batting averages, they focused on what really mattered: getting on base.
Security operations centers (SOCs) are at the same crossroads, and only those who rethink their approach will stay in the game.
The SOC is stuck in reactive mode
The SOC model wasn’t initially built to stop or contain breaches, but to monitor logs and react to incidents. Today, that legacy still lingers: too many teams are operating like high-volume alerting factories, drowning in data without the ability to prioritize or act.
It’s dangerous when alerts are treated as the end goal rather than the starting point. Analysts are often asked to make high-stakes decisions with limited context. Do they escalate, investigate, or shut the system down?
We’ve seen some decisive responses in recent months, such as Co-op and Harrods essentially pulling up the drawbridge to halt an attack. It’s a bold move that pays off in the right circumstances, but the pressure to avoid breaking business-critical systems can be paralyzing.
There’s a deep fear of getting it wrong: shutting a server down unnecessarily because of a false positive can cause more damage and carry a greater stigma than failing to stop a breach.
This paralysis isn’t due to lack of data – it’s due to a lack of decision-making frameworks. The system gives analysts signals, but not direction. Like medics in a chaotic emergency room, SOC analysts face split-second triage, often with no visibility into the bigger picture.
These are the factors contributing to the recent breaches we’ve seen with alarmingly long dwell times. In one case, malware lurked in SK Telecom’s systems for nearly two years before being discovered. A similar story played out at the U.S. Office of the Comptroller of the Currency (OCC), where hackers had access to hundreds of email accounts and more than 150,000 sensitive messages for over a year.
Persistent breaches like these don’t happen in the dark. There are plenty of clues, but they are routinely missed by conventional SOC tooling. Reliably stopping attacks and containing the impact of a breach doesn’t require more data, but better structure.
Attackers think in graphs, defenders must too
Attacks don’t spread in straight lines – they move laterally, quietly exploiting relationships between systems, users, and services. Yet most SOC tooling still looks at infrastructure in isolation: a network alert here, an identity signal there, a misconfiguration flagged somewhere else.
This isn’t how attackers see the environment. They think in graphs. They study how assets are connected, where the trust boundaries break down, and which paths offer the least resistance. Defenders need to think the same way.
A graph model reflects the true nature of an organization’s environment. It shows how a compromised service account in one corner of the cloud could leap into a critical workload in the data center. It reveals what’s vulnerable because of how it connects – not just where it lives.
There is a prevailing movement in the security industry towards a threat-informed, risk-based approach, and the graph model is well-placed to meet this need.
Most tools stop at surface-level insight. They tell you what happened, but a graph shows you why it happened – and what might happen next. It provides a living map of risk: layered, contextual, and adversary-aware.
Understanding attacker logic shouldn’t be a bonus or an advanced strategy; it needs to become the baseline. The graph model is essential to taking SOCs from reacting to threats to proactively reducing risk.
AI-powered graphs turn noise into insight
Static data can only take you so far. To move beyond detection into true decision support, defenders need systems that can quickly understand, prioritize and advise. Graphing this information requires the speed and accuracy that only AI can deliver.
When applied to a security graph, AI doesn’t just analyze individual signals – it enhances the structure itself. It decorates each node with context: which identities are involved, what workloads they’re touching, what behaviors are anomalous, and which paths pose the greatest risk. Suddenly, the SOC has a dynamic map highlighting the connections that matter most.
This context is everything. It’s how a minor access pattern at 3am turns from a low-level alert into an early warning signal. It’s how SOC teams can stop wasting time on noisy deviations and focus on the outliers that signal real intent.
This isn’t about automating humans out of the loop. It’s about amplifying their judgment. AI-enabled graphs give analysts the clarity to act with speed and precision. They don’t just point to a risk – they explain why it’s a risk, and what to do next.
It’s also important to think beyond the immediate response to an incoming threat and see how we can improve over time. Focusing exclusively on the short term means teams will be stuck in a loop, reacting to and fighting the same battles again. The contextual data of a graph-led approach means the SOC can proactively identify long-term strategic improvements as well as winning short-term tactical battles.
Making the shift from collection to correlation
Every new feed and additional signal adds to the noise unless it can be correlated with context. Yet many SOCs are still stuck chasing visibility as if it’s an end in itself.
Observability is about seeing the right relationships. It’s about understanding how a misconfigured workload in one cloud account could be exposed by a vulnerable identity in another.
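The graph model from the "Attackers think in graphs" section and the cross-account correlation described just above, as an added example that is not part of the original article: a small, constructed environment (service accounts, roles, a cluster, a VPN, a file server) is modelled as a directed graph whose edge weights represent resistance to traversal, least-resistance paths to a critical asset are found with Dijkstra, and correlated signals attached to nodes (an anomalous login, a misconfigured trust policy) lower the resistance of the edges leaving those nodes so the ranking shifts. All node names, relationships, costs and the 0.5 signal discount are assumptions made for the example.

```python
"""Graph-based exposure ranking over a constructed environment (added example)."""
import heapq
from collections import defaultdict

# Constructed environment: (source, target, relationship, base_cost).
# Cost models resistance along the edge: lower = easier to traverse.
EDGES = [
    ("svc-ci-runner", "s3-build-artifacts", "has-role-on", 1),
    ("svc-ci-runner", "iam-role-deploy", "can-assume", 2),
    ("iam-role-deploy", "k8s-prod-cluster", "admin-on", 2),
    ("k8s-prod-cluster", "db-customer-records", "holds-secret-for", 1),
    ("user-alice", "vpn-gateway", "logs-in-to", 1),
    ("vpn-gateway", "dc-fileserver", "reaches", 3),
    ("dc-fileserver", "db-customer-records", "hosts-backup-of", 4),
    ("user-alice", "iam-role-deploy", "can-assume", 5),
]
CRITICAL = {"db-customer-records"}

# Constructed signals that a detection pipeline has attached to nodes.
SIGNALS = [
    {"node": "svc-ci-runner", "kind": "anomalous-login",
     "detail": "03:12 UTC login from a network never seen before"},
    {"node": "iam-role-deploy", "kind": "misconfig",
     "detail": "trust policy allows any principal in the account"},
]
# Hypothetical weighting: a signal on a node halves every edge leaving it.
SIGNAL_DISCOUNT = {"anomalous-login": 0.5, "misconfig": 0.5}


def build_graph(edges):
    """Adjacency list: node -> [(target, relationship, base_cost), ...]."""
    graph = defaultdict(list)
    for src, dst, rel, cost in edges:
        graph[src].append((dst, rel, cost))
        graph.setdefault(dst, [])  # sinks are nodes too
    return dict(graph)


def decorate(signals):
    """Per-node context (the 'decorated' graph): node -> [signal, ...]."""
    context = defaultdict(list)
    for sig in signals:
        context[sig["node"]].append(sig)
    return dict(context)


def edge_cost(node, base_cost, context):
    """Resistance of an edge leaving `node`, discounted by signals on it."""
    factor = 1.0
    for sig in context.get(node, ()):
        factor *= SIGNAL_DISCOUNT.get(sig["kind"], 1.0)
    return base_cost * factor


def _walk_back(prev, start, node):
    nodes, rels = [node], []
    while node != start:
        node, rel = prev[node]
        nodes.append(node)
        rels.append(rel)
    return nodes[::-1], rels[::-1]


def least_resistance(graph, start, targets, context=None):
    """Dijkstra from `start`; returns {target: (cost, [nodes], [relationships])}."""
    context = context or {}
    dist, prev, found = {start: 0.0}, {}, {}
    heap = [(0.0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        if node in targets and node not in found:
            found[node] = (d, *_walk_back(prev, start, node))
        for dst, rel, base in graph.get(node, ()):
            nd = d + edge_cost(node, base, context)
            if nd < dist.get(dst, float("inf")):
                dist[dst], prev[dst] = nd, (node, rel)
                heapq.heappush(heap, (nd, dst))
    return found


def rank_exposures(graph, sources, targets, context=None):
    """(cost, source, target, nodes, rels) rows, most exposed (cheapest) first."""
    rows = []
    for src in sources:
        for tgt, (cost, nodes, rels) in least_resistance(graph, src, targets, context).items():
            rows.append((cost, src, tgt, nodes, rels))
    return sorted(rows, key=lambda r: (r[0], r[1], r[2]))


def explain(row, context):
    """Render a ranked path together with the signals that lowered its resistance."""
    cost, _src, _tgt, nodes, rels = row
    hops = [nodes[0]] + [f"-[{rel}]-> {nxt}" for rel, nxt in zip(rels, nodes[1:])]
    notes = [f"{n}: {s['kind']} ({s['detail']})" for n in nodes for s in context.get(n, ())]
    return f"cost={cost:g}  " + " ".join(hops) + ("\n    why: " + "; ".join(notes) if notes else "")


if __name__ == "__main__":
    g, ctx = build_graph(EDGES), decorate(SIGNALS)
    for label, c in (("without signals", {}), ("with correlated signals", ctx)):
        print(f"{label}:")
        for row in rank_exposures(g, ["svc-ci-runner", "user-alice"], CRITICAL, c):
            print(" ", explain(row, c))
```

Run stand-alone, the script prints the ranking twice. Without signals, the two sources reach the customer database at costs 5 and 8. With the correlated signals, the CI runner's path drops to 3 and Alice's cheapest route switches from the VPN and file server to the misconfigured deploy role, which is the kind of shift that turns a 3am login from a low-level alert into a prioritized finding with a stated reason.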
The defenders who successfully contain breaches won’t be those who collect the most data. They’ll be the ones who understand how it all connects.