Simon Howe, Area Vice President, ANZ, ExtraHop 
AI is being embedded into every facet of the modern Security Operations Center (SOC), with the intention of reducing defensive loops and speeding up clearance of alert backlogs.
However, speed does not necessarily equal accuracy against highly sophisticated threats that understand how to evade detection.
Without a backbone of relevant data, AI investments in the SOC will end up automating mistakes too fast for human analysts to intervene, rather than fulfilling the promise of machine-speed security. As a result, security and IT leaders must understand how to actually measure AI performance to build a resilient security posture.
The flaw in contemporary benchmarks
The current landscape of AI evaluation is held back by a significant gap: most frameworks measure what a system can do in a vacuum rather than how it actually performs under the pressure of a live breach. To bridge this divide, the industry relies on a few core metrics that translate raw processing power into operational value.
At the forefront is the Mean Time to Detect (MTTD). Because AI can parse patterns across massive datasets far more efficiently than a human analyst, it fundamentally shrinks the window between an initial compromise and its discovery.
Once a threat is identified, the focus shifts to the Mean Time to Respond (MTTR), where the speed at which AI automates the initial triage and suggests specific remediation steps is measured. AI workflows are also measured in the reduction of alerts, filtering out false positives, and prioritising the most critical threats.
While useful, these metrics possess two major flaws. They track volume and velocity but ignore whether the AI made the correct choice. Additionally, these figures are typically derived from a controlled laboratory setting rather than the high-pressure reality of a real-world attack.
AI security metrics that security leaders are missing
While MTTD and MTTR show that AI is working faster, they fail to reveal if the AI is fulfilling the promise of working smarter against sophisticated adversaries.
The adaptability gap: AI is typically trained on known threats. When attackers switch to Living-off-the-Land (LotL) techniques or adversarial prompts, there is a "re-learning" phase. Traditional metrics don't track how long it takes for an AI to recognise a pivot in attacker tactics, leaving a dangerous window where malicious activity is undetected and labelled as safe.
Shadow AI & unchecked logic: The unknown nature of AI often leads to a pipeline of unverified automated actions. When teams use unvetted Large Language Models (LLMs) to write scripts or analyse logs, they introduce logic that has never been audited, creating hidden vulnerabilities.
The erosion of human oversight: In the pursuit of high-speed processes, the human element, still very much critical in this current stage of AI development, is often treated as a bottleneck. If analysts stop questioning AI verdicts to keep their metrics high, the system becomes a single point of failure.
Strategies for authentic AI evaluation
To truly measure success, security leaders must move away from controlled testing and toward testing founded in reality:
Stress test under adversity: Evaluate AI performance using degraded data, simultaneous high-priority alerts, and extreme time constraints. True effectiveness is measured by how well the AI prioritises threats when the system is saturated and telemetry is incomplete.
Map the Failure Points: Organisations must identify exactly where an AI's confidence begins to drop. By mapping these boundaries, teams can build a reliable hand-off process, ensuring that low-confidence AI decisions are automatically routed to human experts for validation.
Demand Transparent Evidence: Instead of trusting a binary verdict of pass or fail, use tools that expose the AI's reasoning. Teams need to see which signals were prioritised, which behavioural indicators were flagged, and most importantly, which data points the model chose to ignore.
Adopting AI based on operational reality rather than marketing hype ensures a more resilient defence.
By closing the measurement gap and using solutions based on visibility to actually observe what AI is doing within the SOC, organisations can move beyond assumptions and build a security posture that is truly accountable, defensible, and capable of withstanding the scrutiny of a real-world attack.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.