Darwin Cayetano Vásquez

Senior Cyber Security Executive with solid experience leading CyberSOC operations and managed services (MSSP) for large corporations in Latin America.

I am currently Head of Cyber Security Operations at Telefónica Tech Peru, where I lead the implementation and operation of high-value cybersecurity services, focused on comprehensive protection and operational efficiency.

I complement my professional experience as an official instructor at the Cybersecurity Academy and postgraduate teacher in the Master of Cybersecurity and Information Management at the Peruvian University of Applied Sciences (UPC), actively contributing to the training of new leaders in Cyber Security.

Telefónica Tech
Cyber Security
Intelligent attack surface management (ASM) with AI: real-time visibility and automated response from
Attack surface management (ASM) represents a key capability in protecting today’s digital environments. Organizations are facing exponential growth in their digital footprint —cloud assets, exposed services, unauthorized technologies, and third-party relationships— which increases their exposure to cyber threats. The ASM service, enhanced with Artificial Intelligence (AI) and delivered as a managed solution integrated into Security Operations Center (SOC) operations, enables continuous external visibility, contextual risk analysis, and automated responses to detected vulnerabilities.

ASM as a managed service with advanced AI capabilities

This service combines continuous discovery, cognitive risk analysis, and orchestrated automation, without requiring clients to acquire specific technology platforms. AI embedded in the service helps identify digital exposure patterns, correlate emerging threats, anticipate attack scenarios, and prioritize mitigation actions with greater accuracy and agility.

Key applications

- Autonomous discovery of exposed digital assets (cloud, domains, APIs, IoT, shadow IT).
- Contextual risk assessment using intelligent scoring engines.
- Exposure correlation with threat intelligence (CTI) and predictive models.
- Activation of automated responses (alerts, containment, isolation or blocking) based on client policies.

Advantages over traditional approaches

- Elimination of blind spots through uninterrupted external monitoring.
- Enriched analysis with machine learning models and behavior-based detection.
- Proactive reduction of attack vectors without constant manual intervention.
- Delivered as a managed service with specialized analysts who validate findings and support decision-making.

Challenges in delivering intelligent ASM services

- Filtering findings to distinguish between technical exposures and actual operational risks.
- Seamless integration with the client’s internal SOC processes.
- Change management in highly dynamic cloud environments.
- Training client personnel to fully leverage the intelligence generated by the service.

Use case: intelligent ASM service in a banking institution

A banking institution implemented a managed ASM service powered by AI to gain control over its external attack surface. The service combined continuous discovery with AI-driven analysis, prioritization by criticality, and automated actions aligned with its defense plan. Critical exposures were reported and validated by expert analysts, and containment measures were carried out in coordination with the bank’s SOC team.

Results achieved

- Detection of over 800 unregistered assets within the first 60 days.
- 38% reduction in critical exposed surface within a quarter.
- Activation of automated actions (DNS blocking, targeted alerts, remediation alerts) in over 70% of critical findings without manual intervention.

Recommendations

- Adopt AI-powered managed ASM services as a core element of your SOC strategy.
- Establish collaborative processes between the service provider and internal analysts.
- Incorporate ASM intelligence into risk assessment models and cyber security architecture decisions.
- Measure the value of the service not only by the volume of findings, but by its impact on reducing exposed surface and preventing incidents.

Conclusion

The AI-powered managed ASM service transforms external digital visibility into a strategic advantage. Through continuous discovery, contextual analysis and intelligent automation, organizations can stay ahead of attackers, close gaps in real time, and strengthen their security posture without adding operational complexity. ASM as a service is not just about external monitoring, but a proactive, precise, and agile capability within the modern cyber defense ecosystem.
July 30, 2025
Cyber Security
Next-generation SOAR with AI: redefining Cyber Security orchestration
Automation has become a cornerstone of Cyber Security Operations Centers (CyberSOCs). SOAR (Security Orchestration, Automation and Response) platforms have evolved from simple playbook execution tools into intelligent systems. In their new generation, SOAR platforms integrate Large Language Models (LLMs), enabling more contextual, autonomous orchestration with continuous learning capabilities. This transformation is redefining how cyber analysts engage with threats, data, and systems.

SOAR (Security Orchestration, Automation and Response) streamlines Cyber Security by integrating data and tools into a unified system that accelerates incident response and enhances collaboration across SOCs. This allows organizations to defend against cyber threats more quickly and effectively, consolidating multiple data sources and tools into a cohesive environment.

Next-generation SOAR: conversational AI for contextual automation

LLM-powered SOAR platforms allow analysts to interact with systems using natural language, generate and modify playbooks, interpret alerts, draft reports, and even propose responses to complex threats.

Key applications

- Automated playbook generation based on natural language descriptions.
- Incident summarization and automatic creation of technical reports.
- Threat prioritization based on operational and critical context.
- Adaptive response suggestions grounded in frameworks like MITRE ATT&CK and detected TTPs.

Advantages over traditional SOAR

- Reduced reliance on manual coding.
- Improved interpretability of events and decision-making.
- Continuous learning through human feedback.

Challenges in integrating LLMs into SOAR

- Validation of automated actions: prevent LLMs from making unsupervised, undesirable decisions.
- Hallucinated findings: risk of inaccurate interpretations or fabricated responses.
- Prompt privacy and security: sensitive query data must be rigorously protected.
- Cultural adaptation and training: analysts must develop new skills to interact effectively with generative AI.

Use case: implementing LLM-powered SOAR in an MSSP

A Managed Security Services Provider (MSSP) integrated a next-gen SOAR platform with LLMs to automate incident handling and client communications. Analysts could query the system using natural language to get threat summaries, validate automated steps, and adjust playbooks in real time.

Outcomes achieved

- 48% reduction in Mean Time to Investigate (MTTI).
- Improved quality and speed of incident reports.
- 60% increase in automated resolution of low-severity incidents.

Recommendations

- Set up validation controls for actions suggested by LLMs.
- Incorporate algorithmic governance frameworks and decision auditing.
- Foster co-creation between analysts and AI through effective prompt design.
- Ensure data privacy and security in interactions with LLMs.

Conclusion

The integration of LLMs into SOAR platforms marks a new era in Cyber Security automation—more intelligent, contextual, and collaborative. This technology not only boosts efficiency but empowers analysts with conversational capabilities that transform their operational approach. The goal is not to replace humans, but to build a powerful synergy between expert knowledge and generative artificial intelligence.
May 29, 2025
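The SOAR article above recommends validation controls and decision auditing for actions an LLM proposes. The following is an added example of such a gate, written for this page and not code from the article or from any Telefónica Tech product. It assumes the model emits proposals as dicts with "action", "target" and "reason" keys; the action catalogue, risk tiers, protected-asset lists and the "two corroborating alerts" rule are constructed for illustration.

```python
"""Validation gate for actions proposed by an LLM inside a SOAR playbook.

Added example (not code from the article or any vendor product).
Assumptions: the LLM returns proposals as dicts with "action", "target" and
"reason" keys; the action catalogue, risk tiers and protected-asset lists
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Catalogue of playbook actions the automation layer may run at all.
# Anything the model proposes outside this set is rejected, never executed.
ACTION_CATALOGUE = {
    "enrich_ioc":     {"tier": "low",  "target_kind": "any"},
    "notify_analyst": {"tier": "low",  "target_kind": "any"},
    "block_ip":       {"tier": "high", "target_kind": "ip"},
    "isolate_host":   {"tier": "high", "target_kind": "host"},
    "disable_user":   {"tier": "high", "target_kind": "user"},
}

# Assets automation must never touch without a human (constructed values).
PROTECTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PROTECTED_HOSTS = {"dc01", "core-db01"}
PROTECTED_USERS = {"svc-backup", "admin"}


@dataclass
class Decision:
    verdict: str                 # "auto", "approval" or "reject"
    reason: str
    action: dict = field(default_factory=dict)


def _target_violates_policy(kind: str, target: str) -> Optional[str]:
    """Return a policy-violation message, or None if the target is acceptable."""
    if kind == "ip":
        try:
            addr = ip_address(target)
        except ValueError:
            return f"'{target}' is not a valid IP address"
        if addr.is_loopback or any(addr in net for net in PROTECTED_NETWORKS):
            return f"{target} is in a protected/internal range"
    elif kind == "host" and target.lower() in PROTECTED_HOSTS:
        return f"host {target} is on the protected list"
    elif kind == "user" and target.lower() in PROTECTED_USERS:
        return f"account {target} is on the protected list"
    return None


def validate_proposal(proposal: dict, evidence_alerts: int) -> Decision:
    """Decide whether an LLM-proposed action may run unattended.

    evidence_alerts is the number of independent alerts supporting the
    proposal (a constructed signal; a real deployment would derive it from
    the SIEM/XDR case). Out-of-catalogue or malformed proposals are rejected,
    low-tier actions run automatically, and high-tier containment runs
    unattended only when corroborated by at least two alerts.
    """
    name = proposal.get("action")
    spec = ACTION_CATALOGUE.get(name)
    if spec is None:
        return Decision("reject", f"action '{name}' is not in the catalogue", proposal)
    target = proposal.get("target")
    if not isinstance(target, str) or not target:
        return Decision("reject", "proposal has no target", proposal)
    if not proposal.get("reason"):
        return Decision("reject", "proposal has no stated justification", proposal)
    violation = _target_violates_policy(spec["target_kind"], target)
    if violation:
        return Decision("reject", violation, proposal)
    if spec["tier"] == "low":
        return Decision("auto", "low-risk, reversible action", proposal)
    if evidence_alerts >= 2:
        return Decision("auto", f"high-tier action corroborated by {evidence_alerts} alerts", proposal)
    return Decision("approval", "high-tier action with weak corroboration; analyst must approve", proposal)


def triage(proposals: list, evidence_alerts: int) -> list:
    """Run every proposal through the gate and return the audit trail of decisions."""
    audit = [validate_proposal(p, evidence_alerts) for p in proposals]
    for d in audit:
        print(f"[{d.verdict:8}] {d.action.get('action')} -> {d.action.get('target')}: {d.reason}")
    return audit


if __name__ == "__main__":
    # Constructed proposals, as a model might emit them for a phishing case.
    sample = [
        {"action": "enrich_ioc", "target": "203.0.113.25", "reason": "sender IP"},
        {"action": "block_ip", "target": "203.0.113.25", "reason": "C2 callback"},
        {"action": "block_ip", "target": "10.1.2.3", "reason": "suspicious host"},
        {"action": "wipe_host", "target": "ws-042", "reason": "contain"},
        {"action": "disable_user", "target": "admin", "reason": "compromised"},
    ]
    triage(sample, evidence_alerts=1)
```

The design point is that the model never calls a tool directly: every proposal passes through an allowlist, a target-scope check and a tier rule, and each decision is recorded with its reason so the audit trail the article calls for exists regardless of whether the action ran.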
Telefónica Tech
Tactical intelligence: leveraging AI to identify cyber threats
Cyber Threat Intelligence (CTI) is one of the cornerstones of proactive defense against digital attacks. At the tactical level, CTI focuses on equipping security teams with insights into malicious actors' tactics, techniques, and procedures (TTPs), enabling faster, more accurate detection and real-time response. AI is reshaping the way we analyze massive data sets in this space, boosting both threat pattern identification speed and precision.

Tactical threat intelligence and its impact

Tactical intelligence delivers actionable insights into recent attacks' tools, tactics, and techniques. Its goal is to optimize detection rules on SIEM, EDR, and XDR platforms, enabling a more effective response and strengthening real-time defense strategies.

Key use cases

- Real-time correlation of Indicators of Compromise (IoCs).
- Development of SIEM/XDR detection rules based on attack patterns.
- Automated containment across next-generation firewalls (NGFWs) and cloud, network, and endpoint protection systems.

AI in threat identification and mitigation

AI has significantly improved tactical CTI efficiency by automating the analysis of large data volumes, identifying emerging threats, and reducing false positives. Some of the most impactful applications include:

1. Machine learning for pattern recognition. Supervised and unsupervised machine learning models analyze network traffic and security events to detect anomalous behavior patterns.
2. Natural language processing (NLP) for threat analysis. NLP extracts key insights from threat intelligence reports, dark web forums, and threat feeds, automatically generating reports on new attack techniques.
3. Automated incident response. AI-powered Security Orchestration, Automation, and Response (SOAR) platforms execute predefined playbooks to mitigate threats within seconds.
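The two tactical use cases listed above, real-time IoC correlation and detection rules built from attack patterns, are illustrated by the added example below. It is written for this page and is not code from the article or from any SIEM/XDR vendor; it covers the rule-based side of tactical CTI, not the machine-learning models the article also mentions. The event schema, the indicator set, the 60-second window, the 200-write threshold and the sample telemetry are all constructed; the ATT&CK technique IDs T1490 (Inhibit System Recovery) and T1486 (Data Encrypted for Impact) are real.

```python
"""Tactical CTI correlation: IoC matching plus a behavioural ransomware rule.

Added example (not code from the article or any vendor product).
Assumptions: events are dicts normalised from an EDR/SIEM with the keys used
below; indicators, window, threshold and sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60          # correlation window per host (constructed)
MASS_FILE_THRESHOLD = 200    # writes within the window that count as "mass access" (constructed)

# Constructed tactical indicators, as a SOC would load them from a CTI feed.
IOC_IPS = {"198.51.100.7"}
IOC_DOMAINS = {"update-check.example"}
IOC_SHA256 = {"c0ffee" + "0" * 58}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    attack_ids: tuple
    detail: str


def match_iocs(events):
    """Flag any event that references a known-bad IP, domain or file hash."""
    alerts = []
    for e in events:
        hit = None
        if e.get("dst_ip") in IOC_IPS:
            hit = e["dst_ip"]
        elif e.get("domain") in IOC_DOMAINS:
            hit = e["domain"]
        elif e.get("sha256") in IOC_SHA256:
            hit = e["sha256"]
        if hit:
            alerts.append(Alert(e["host"], "ioc_match", (), f"indicator {hit} seen in {e['type']} event"))
    return alerts


def detect_ransomware_precursor(events):
    """Per host: shadow-copy deletion via vssadmin followed, within the window,
    by a burst of file writes. Both conditions are required; either one alone
    (admin housekeeping, a large copy job) would be too noisy to alert on."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        vss_times = [
            e["ts"] for e in evs
            if e["type"] == "process"
            and e.get("image", "").lower().endswith("vssadmin.exe")
            and "delete" in e.get("cmdline", "").lower()
            and "shadows" in e.get("cmdline", "").lower()
        ]
        write_times = [e["ts"] for e in evs if e["type"] == "file" and e.get("op") == "write"]
        for t0 in vss_times:
            writes = sum(1 for t in write_times if t0 <= t <= t0 + WINDOW_SECONDS)
            if writes >= MASS_FILE_THRESHOLD:
                alerts.append(Alert(host, "ransomware_precursor", ("T1490", "T1486"),
                                    f"vssadmin shadow deletion followed by {writes} file writes in {WINDOW_SECONDS}s"))
                break  # one alert per host is enough for the SOAR playbook
    return alerts


def correlate(events):
    """Run both rule families over one batch of events."""
    return match_iocs(events) + detect_ransomware_precursor(events)


def sample_events():
    """Constructed telemetry: ws-017 shows the full pattern plus an IoC hit;
    ws-021 runs vssadmin for routine cleanup with only a handful of writes."""
    evs = [
        {"ts": 100, "host": "ws-017", "type": "network", "dst_ip": "198.51.100.7"},
        {"ts": 105, "host": "ws-017", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": 300, "host": "ws-021", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin delete shadows /for=C: /oldest"},
    ]
    evs += [{"ts": 106 + i * 0.1, "host": "ws-017", "type": "file", "op": "write", "path": f"D:/share/docs/f{i}.docx"}
            for i in range(250)]
    evs += [{"ts": 301 + i, "host": "ws-021", "type": "file", "op": "write", "path": f"C:/temp/log{i}.txt"}
            for i in range(20)]
    return evs


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(a)
```

Running it yields one ioc_match and one ransomware_precursor alert, both for ws-017; ws-021 produces nothing despite the vssadmin command because the file-write burst is absent, which is the point of pairing an IoC or process indicator with a behavioural condition before containment is triggered.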
Challenges to applying AI to CTI

Despite its many advantages, using AI in tactical threat intelligence also presents significant challenges:

- False positives and alert fatigue: some models generate large volumes of alerts, many of which are benign—leading to analyst fatigue and reduced effectiveness.
- Advanced evasion techniques: attackers are developing methods to bypass AI-based detection, such as adversarial machine learning.
- AI is in attackers' hands: generative AI is already used to craft polymorphic malware and highly personalized, realistic phishing campaigns.
- Resource and expertise requirements: implementing and maintaining AI solutions requires robust infrastructure, intensive processing capabilities, and specialized teams skilled in both data science and Cyber Security.

Use case: early ransomware detection with AI in a regional SOC

A regional SOC implemented a hybrid model combining supervised machine learning and behavioral analysis within its XDR platform to detect ransomware-related activity. During the testing phase, the system analyzed 25 million daily events across endpoints and servers. The model was trained using both real-world and simulated attack data. It successfully identified early-stage ransomware behavior—such as unusual mass file access and suspicious processes like vssadmin.exe—with a 97.4% detection rate and a 42% reduction in false positives compared to traditional methods. Thanks to automated SOAR playbooks, containment was triggered in under 60 seconds after detection, effectively halting ransomware spread and minimizing operational impact.

Recommendations

To fully harness AI potential in CTI, we recommend:

- Adopting explainable AI models to enhance threat detection transparency. Explainable AI helps Cyber Security analysts understand how and why specific decisions are made—critical for assessing alert reliability and fine-tuning models.
- Integrating threat intelligence with the MITRE ATT&CK framework to improve event correlation. This standardized framework categorizes attacker TTPs; correlating events against it gives analysts a clearer picture of suspicious behaviors and helps them prioritize responses more effectively.
- Leveraging SOAR platforms to automate security responses and reduce the operational burden on SOC teams. These tools execute predefined playbooks that contain incidents within seconds, allowing analysts to focus on data interpretation and the continuous improvement of detection systems.

Conclusion

AI integration into tactical threat intelligence has transformed the way organizations detect and mitigate cyberattacks. The ability to automatically identify, analyze, and respond to emerging threats enhances security postures and dramatically shortens incident response times. However, AI is not a silver bullet. The role of a Cyber Security analyst remains irreplaceable. Human experience, intuition, and critical thinking are essential to interpret alerts in context, make strategic decisions, and continually refine detection models. AI should be seen as a powerful ally—not a substitute—for human judgment.

April 24, 2025

Cyber Security
Cyber Security automation with AI to anticipate and neutralize threats
March 17, 2025