Over the years, I’ve had countless conversations with SOC analysts, incident responders, and security leaders. One theme comes up again and again.
Finding the alert isn’t usually the hard part anymore.
Most organizations today have no shortage of security tools. They have SIEMs generating alerts, EDRs monitoring endpoints, NDRs watching network traffic, cloud security tools tracking activity across workloads, and dashboards filled with indicators and notifications.
In fact, many teams are drowning in information.
Yet when a real incident occurs, the first challenge is rarely identifying that something happened. It’s understanding the full story behind it.
Where did it start?
Which systems were actually affected?
Was this an isolated event or part of a larger campaign?
Who was responsible?
And perhaps most importantly, does it pose a real business risk?
Those are the questions that keep analysts occupied long after the initial alert has been triggered.
The industry has spent years perfecting the collection of telemetry. We’ve become incredibly good at gathering packets, flows, logs, endpoint events, cloud activity, identity records, and more. Each source contributes something valuable.
Packet data (full raw pcaps) often provides the closest thing to ground truth. It shows what was actually transmitted across the network.
Flow records reveal communication patterns and relationships that might otherwise go unnoticed.
Logs provide context around users, systems, and actions.
Endpoint telemetry helps explain what processes ran and what users were doing at the time.
The problem is that none of these sources tells the complete story on its own.
Modern attackers don’t operate within the neat boundaries that security products were designed around. They move between identities, endpoints, networks, cloud environments, and increasingly operational technology systems. They exploit blind spots and disconnected datasets as effectively as they exploit software vulnerabilities.
As a result, many investigations still involve analysts manually stitching together evidence from multiple systems just to understand what they’re looking at.
That’s why I believe the next major advancement in threat detection won’t come from collecting even more data.
Most enterprises already have more telemetry than they can realistically analyze.
The bigger opportunity lies in connecting that data.
Connecting network activity to user identity.
Connecting endpoint behavior to cloud activity.
Connecting alerts to business context.
Connecting dozens of seemingly unrelated events into a clear narrative that explains what actually happened.
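As an added illustration of what "connecting the data" means in practice (example code written for this post, not the author's tooling), the script below joins three constructed telemetry feeds, flow records, an identity/authentication log, and endpoint process events, into a single time-ordered narrative. All sample records, the asset inventory that maps IP addresses to hostnames, and the 30-minute attribution window are constructed assumptions; real joins would use the SIEM's own schema.

```python
"""Join flows, auth logs and endpoint events into one incident narrative.

All data below is constructed for illustration. Join keys are deliberately
simple: an asset inventory (IP -> hostname), the username from the auth log,
and a time window for "who was logged on to this host at that moment".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


@dataclass
class Event:
    time: datetime
    source: str   # "flow", "auth" or "endpoint"
    host: str     # hostname the event is attributed to
    user: str     # user attributed to the event ("unknown" if no logon matched)
    detail: str
    dst: str = "" # flow destination (hostname if internal, else raw IP)


# Constructed asset inventory (hypothetical): IP address -> hostname
ASSETS = {"10.0.1.25": "ws-finance-07", "10.0.2.40": "srv-fileshare-01"}

# Constructed flow records: (time, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    (ts("2024-05-01T09:02:30"), "10.0.1.25", "203.0.113.50", 443, 15_200),
    (ts("2024-05-01T09:05:00"), "10.0.1.25", "10.0.2.40", 445, 800),
    (ts("2024-05-01T09:07:00"), "10.0.2.40", "203.0.113.50", 443, 48_000_000),
]
# Constructed auth log: (time, user, src_ip, target_host, outcome)
AUTH = [
    (ts("2024-05-01T09:00:00"), "alice", "10.0.1.25", "ws-finance-07", "success"),
    (ts("2024-05-01T09:06:00"), "alice", "10.0.1.25", "srv-fileshare-01", "success"),
]
# Constructed endpoint events: (time, hostname, user, process, parent_process)
ENDPOINT = [
    (ts("2024-05-01T09:02:10"), "ws-finance-07", "alice", "powershell.exe", "winword.exe"),
]


def user_on_host_at(auth, ip, host, at, window):
    """Most recent successful logon from `ip` or onto `host` within `window` before `at`."""
    cands = [a for a in auth
             if a[4] == "success" and (a[2] == ip or a[3] == host)
             and at - window <= a[0] <= at]
    return max(cands, key=lambda a: a[0])[1] if cands else "unknown"


def build_narrative(flows, auth, endpoint, assets, window=timedelta(minutes=30)):
    """Enrich each record with host and user, then order everything on one timeline."""
    events = []
    for t, user, src_ip, target, outcome in auth:
        events.append(Event(t, "auth", assets.get(src_ip, src_ip), user,
                            f"logon {outcome} to {target}"))
    for t, host, user, proc, parent in endpoint:
        events.append(Event(t, "endpoint", host, user, f"{parent} spawned {proc}"))
    for t, src, dst, port, nbytes in flows:
        host = assets.get(src, src)
        dst_name = assets.get(dst, dst)
        user = user_on_host_at(auth, src, host, t, window)
        events.append(Event(t, "flow", host, user,
                            f"connected to {dst_name}:{port} ({nbytes} bytes out)", dst_name))
    return sorted(events, key=lambda e: e.time)


def summarize(events, assets):
    """Answer what / where / who, plus external destinations shared by more than one host."""
    internal = set(assets.values())
    shared = {}
    for e in events:
        if e.source == "flow" and e.dst not in internal:
            shared.setdefault(e.dst, set()).add(e.host)
    return {
        "what": [f"{e.time.time()} [{e.source}] {e.host}/{e.user}: {e.detail}" for e in events],
        "where": sorted({e.host for e in events}),
        "who": sorted({e.user for e in events} - {"unknown"}),
        "shared_external": sorted(d for d, hosts in shared.items() if len(hosts) > 1),
    }


if __name__ == "__main__":
    story = summarize(build_narrative(FLOWS, AUTH, ENDPOINT, ASSETS), ASSETS)
    for line in story["what"]:
        print(line)
    print("where:", story["where"], "who:", story["who"],
          "shared external:", story["shared_external"])
```

Read on its own, each feed is unremarkable: one logon, one process launch, a few connections. Joined, the timeline shows a single user and two hosts touching the same external destination, with the large outbound transfer from the file server attributed to a session that started on the workstation. That attribution is the "who" the alert alone never carried.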
When you think about it, security teams are ultimately trying to answer a surprisingly small number of questions:
What happened?
Where did it happen?
Who did it?
The faster those questions can be answered, the faster organizations can respond, contain, and recover.
Whether the future is called SIEM, NDR, EDR, XDR, or some entirely new acronym is almost secondary. The terminology will evolve, as it always does.
What won’t change is the need for context.
Because in cybersecurity, data creates visibility.
Context creates understanding.
And understanding is what ultimately drives action.