Home
Blog
Investigations
December 3, 2025
6
min read

The 51-Second Problem: Why SOCs Can't Keep Pace with Machine-Speed Adversaries

Adversaries achieved 51-second breakout times in 2024—faster than most SOCs can triage an alert. While top-performing teams reach Mean Time to Detect of 30 minutes to 4 hours, typical investigations take 90+ minutes before response coordination begins. By then, attackers have already moved laterally and established persistence. The bottleneck isn't analyst speed—it's investigation architecture. Analysts spend 60-70% of investigation time on mechanical tasks: translating questions into queries, context-switching between tools, manually correlating findings across systems, and maintaining investigation state. No amount of training can compress human-paced investigation processes to match machine-speed attacks. The solution requires eliminating mechanical work through investigation patterns that execute at machine speed, allowing analysts to focus on judgment and decision-making. Organizations achieving investigation velocity improvements aren't just deploying better technology—they're consolidating workflows, capturing expert methodologies in executable patterns, and redesigning SOC architecture for the threat landscape they actually face.

Security Operations
SOC of the future
Cyber
Eric Hulse
Director of Security Research
In this article
H2 Title
H3 Title

Fifty-one seconds.

That's the fastest recorded adversary breakout time in 2024, according to CrowdStrike's threat report. Not fifty-one minutes. Fifty-one seconds from initial compromise to lateral movement within the target network.

I've watched the gap between attacker and defender speed widen with each passing year I'm in this industry. But we've crossed a threshold now that fundamentally changes the math. When adversaries can achieve their initial objectives faster than most SOCs can even triage an alert, we're not dealing with an optimization problem. We're dealing with an architectural mismatch between how we built our defenses and how modern attacks actually unfold.

The uncomfortable truth is this: your analysts aren't slow. Your training isn't inadequate. Your tooling isn't necessarily outdated. The problem is that we designed Security Operations Centers for human-paced threats, and we're now facing machine-speed attacks. No amount of hiring, training, or tool purchasing will bridge that gap—because the gap isn't about capability. It's about physics.

The Adversary Timeline: Anatomy of Machine-Speed Attacks

Let's break down what 51 seconds actually means in operational terms.

The average eCrime breakout time dropped to 48 minutes in 2024, down from 62 minutes the year before. That's already aggressive—but it's the average. The fastest operators are moving orders of magnitude faster, and those fast operators are increasingly the ones you need to worry about.

Consider the typical attack progression in a modern hands-on-keyboard intrusion:

Initial Access (T+0): Attacker gains foothold through credential theft, phishing, or exploiting an unpatched vulnerability. With 79% of detections now being malware-free, this often looks like legitimate user activity—a valid login from a valid account.

Discovery (T+15-30 seconds): Automated scripts enumerate the environment. What domain am I in? What privileges does this account have? What systems can I reach? This reconnaissance that once took human operators minutes now executes in seconds.

Privilege Escalation (T+30-45 seconds): If the compromised account isn't already privileged, attackers leverage pre-staged techniques—cached credentials, Kerberoasting, exploiting misconfigurations in Active Directory—to elevate access.

Lateral Movement (T+45-60 seconds): Armed with elevated privileges and environmental awareness, the attacker pivots to high-value targets. Domain controllers. File servers. Cloud infrastructure. This is the breakout—the moment the incident transforms from contained to distributed.

Objective Achievement (T+minutes to hours): Data exfiltration, ransomware deployment, persistent access establishment. By this point, containment requires coordinated response across multiple systems.

The fastest adversaries compress that entire sequence—from initial access to lateral movement—into under a minute. And here's what makes this particularly devastating: at 51 seconds, the adversary has likely completed their breakout before your SIEM even correlates the initial alert. The attack happened. It's done. Everything from that point forward is damage control.

The Defender Timeline: How We Are Losing

Now let's examine the defender side of this equation.

Top-performing SOC teams—the industry's best—achieve Mean Time to Detect (MTTD) of 30 minutes to 4 hours for critical alerts. That's considered excellent. Most organizations operate well outside that range. And detection is just the first step.

Here's what the typical defender timeline looks like when that initial alert fires:

Alert Triage (T+0 to T+15 minutes): The alert lands in the queue. An analyst opens it, reads the summary, decides whether it warrants investigation. If your SOC is underwater—and 90% of SOCs report being overwhelmed by backlogs—that alert might sit for hours before anyone looks at it.

Initial Investigation (T+15 to T+45 minutes): The analyst begins gathering context. They check the SIEM for related events. They pivot to the EDR console to examine endpoint activity. They authenticate to the identity provider to review authentication logs. Each tool switch costs time—not just the seconds to change applications, but the cognitive overhead of context-switching between different mental models and query languages.

Correlation and Scope Assessment (T+45 to T+90 minutes): The analyst attempts to determine the full scope of the incident. Has the adversary moved laterally? What other systems are involved? This requires synthesizing information from multiple data sources, often manually correlating timestamps and indicators because the tools don't talk to each other natively.

Escalation and Response (T+90+ minutes): If the analyst determines the alert represents a genuine threat, they escalate to tier-2 or tier-3 for deeper investigation and response coordination. The investigation timeline extends further as more senior analysts get up to speed on what's already been discovered.

Do the math. Even in an optimistic scenario where everything works smoothly, you're looking at 90 minutes minimum from alert to response coordination. More realistically, it's several hours. For many organizations, it's days.

The adversary achieved breakout in 51 seconds. Your response began at 90 minutes. That's not a gap—it's a canyon.

Why "Faster Analysts" Isn't the Answer

The instinctive response to this problem is usually some variation of "we need to move faster." Hire more analysts. Train them better. Give them better tools. Reduce the alert volume so they have more time for investigations.

These aren't wrong exactly, but they fundamentally misunderstand the problem.

The bottleneck isn't analyst speed. It's investigation architecture.

Back when I was doing tier-3 operations, I was probably as fast as anyone at investigating incidents. I knew my tools cold. I knew where to look. I could hold the entire investigation narrative in my head. And I still couldn't have responded to a 51-second breakout in time—because the investigation process itself, no matter how skilled the analyst, takes time that doesn't compress.

Consider what an analyst actually does during an investigation:

First, they translate questions into queries. "Did this user authenticate from unusual locations?" becomes a specific query in the identity provider's log format. That translation takes cognitive effort and requires knowledge of the tool's query language.

Second, they switch contexts between systems. The authentication logs are in one system. The endpoint behavior is in another. The email activity is in a third. Each context switch resets the analyst's mental model and requires time to re-orient.

Third, they manually correlate findings. The analyst discovers that the compromised account authenticated from an unusual IP. Now they need to check whether that IP appears anywhere else in the environment. That's another query, in a different system, with different query syntax.

Fourth, they maintain investigation state. As the investigation progresses, the analyst must track what they've discovered, what they've ruled out, and what questions remain. This cognitive load compounds with each additional finding.

Fifth, they document their work. For audit trails, for handoffs, for institutional knowledge—the analyst must record what they did and why. This takes time that doesn't contribute directly to stopping the threat.

You can hire the fastest analyst in the world, and they'll still spend 60-70% of their investigation time on these mechanical tasks. The investigation itself is the bottleneck, not the investigator.

This is the insight that changes the conversation: you cannot train your way to machine-speed response when the investigation process is structurally human-paced.

The Automation Gap: What Can (and Can't) Be Automated

The AI-SOC conversation often frames automation as the solution to this speed problem. Deploy AI agents. Automate tier-1 triage. Let machine learning handle the routine work.

There's truth here, but it's partial truth that misses a critical distinction.

Not all investigation work is created equal. Some tasks are purely mechanical—translating a question into a query, correlating timestamps across systems, enriching indicators with threat intelligence. These tasks consume analyst time without requiring analyst judgment. They're automation candidates.

But other tasks require human cognition that we can't (and shouldn't) automate away. Pattern recognition across novel attack techniques. Contextual judgment about what "normal" looks like in this specific environment. Strategic decisions about containment actions that might impact business operations. Risk assessment that balances security outcomes against organizational constraints.

The mistake most SOC automation initiatives make is trying to automate the wrong things. They build systems that generate more alerts, prioritize more alerts, even "investigate" alerts in the narrow sense of running predetermined queries. But they don't fundamentally change the investigation architecture.

What we actually need is automation that eliminates the mechanical work—the query translation, the context-switching, the manual correlation—so that human analysts can focus on the cognitive work that actually requires human judgment.

This is the distinction between automation that replaces analysts and augmentation that amplifies analysts. The former tries to make machines think like humans. The latter recognizes that humans and machines have complementary strengths and designs systems accordingly.

Executing Investigation Patterns at Machine Speed

At Command Zero, we've approached this problem from the perspective of investigation workflow, not tool automation.

The insight is straightforward: skilled analysts don't just query systems randomly. They execute investigation patterns—repeatable sequences of questions that span multiple data sources and build on each other's findings. "Did this compromised account access sensitive files?" isn't a single query. It's a pattern: identify the account, enumerate the files it accessed, determine which of those files are classified as sensitive, correlate the access times with the compromise timeline.

When a tier-3 analyst develops an effective investigation approach—the sequence of questions, the data sources to check, the correlations that matter—that approach becomes a reusable investigation pattern that executes at machine speed.

The mechanical work—query translation, cross-system correlation, context maintenance—happens automatically. The analyst focuses on interpreting results, making judgments, and deciding next steps. They're not faster because they're typing queries more quickly. They're faster because they're not spending cognitive cycles on work that machines can do.

Consider the speed differential: An analyst manually investigating lateral movement across a complex environment might spend 90 minutes gathering and correlating data from EDR, SIEM, identity provider, and cloud access logs. The same investigation pattern executed through a consolidated platform takes minutes—not because the platform is smarter, but because it eliminates the context-switching and manual correlation that consume most of the investigation time.

This doesn't make the 51-second response achievable. But it compresses defender timelines from hours to minutes—enough to catch adversaries during their persistence establishment phase rather than after they've achieved their objectives.

The Organizational Architecture Problem

Here's the uncomfortable truth that most vendors won't tell you: the speed asymmetry problem can't be solved by purchasing another tool.

The organizations achieving real investigation velocity improvements aren't just deploying better technology. They're rearchitecting how investigations flow through their SOC. They're eliminating the tool sprawl that forces analysts to context-switch between systems. They're consolidating investigation workflows so that context persists across data sources. They're capturing institutional knowledge in executable patterns rather than tribal knowledge and documentation that nobody reads.

This is why the speed problem is fundamentally an architectural problem, not a technology problem. You can deploy the most sophisticated AI in the world, and it will fail if it has to operate within an architecture designed for human-paced investigation across fragmented tool sets.

The SOCs that will compete with machine-speed adversaries are the ones that recognize this architectural reality and rebuild accordingly. They're consolidating investigation workflows. They're creating unified investigation interfaces that maintain context across data sources. They're capturing their best analysts' investigation methodologies in patterns that execute at machine scale.

Closing the Gap

The 51-second problem isn't going away. Adversary speed will continue to improve as automation, AI, and attack tooling mature. The asymmetry between machine-speed offense and human-paced defense will widen unless we fundamentally change how we approach investigation.

The solution isn't faster analysts or more alerts or better threat intelligence—though all of those help at the margins. The solution is investigation architecture designed for the threat landscape we actually face: one where adversaries achieve breakout before your first analyst opens the alert, and where the only viable defense is investigation velocity that matches offensive tempo.

This requires consolidating investigations rather than fragmenting them across tools. It requires capturing investigation methodologies in executable patterns rather than documentation. It requires automation that amplifies human judgment rather than replacing it.

The organizations that figure this out will be the ones that can actually respond to incidents before adversaries achieve their objectives. The ones that don't will continue fighting yesterday's war—drowning in alerts, switching between tools, and arriving at the scene hours after the adversary has already left.

Fifty-one seconds. That's the timeline your SOC is competing against. The question is whether your investigation architecture is designed to compete at all.

Eric Hulse
Director of Security Research

Continue reading

Investigations
Highlight

Anthropic's GTG-1002 disclosure: When AI Becomes a Cyber Weapon of Mass Destruction, Investigation Capabilities Must Scale

When Chinese state-sponsored group GTG-1002 weaponized AI to attack thirty organizations simultaneously—with AI handling 80-90% of tactical operations—it exposed a critical gap in cybersecurity: offensive automation has scaled dramatically while defensive investigation remains human-paced. This blog examines how AI-augmented security investigations address the fundamental mismatch between AI-driven attack scale and traditional incident response capabilities. Command Zero's approach leverages LLM advancements to transform security investigations through question-driven frameworks that execute across multiple data sources simultaneously. Rather than replacing analysts, AI augmentation eliminates mechanical query work, enabling security teams to investigate thirty incidents with the same thoroughness as one. As threat actors increasingly weaponize AI for cyberattacks, defenders need investigation tools that match offensive automation's scale and speed. Learn how AI-augmented investigation helps SOC teams respond to sophisticated threats at machine speed while maintaining human expertise where it matters most—strategic analysis and decision-making.
Eric Hulse
Nov 18, 2025
7
min read
Investigations
Highlight

Breaking the SOC Alert Fatigue Cycle: Why Speed Metrics Are Killing Quality

Security operations centers face a critical crisis: alert fatigue is overwhelming analysts and creating dangerous investigation gaps. Traditional SOC metrics like MTTR and MTTI incentivize speed over thoroughness, forcing analysts into narrow investigation scopes that miss connected threats across enterprise environments. The fundamental challenge lies in systemic operational constraints. Analysts validate alerts, implement basic containment measures, and close cases without investigating broader attack scope—leaving lateral movement and data exfiltration undetected. This assembly-line approach creates a backlog of unresolved threats that eventually culminate in headline-grabbing breaches. Modern AI technology offers a transformative solution by correlating disparate data sources across endpoint logs, identity systems, cloud platforms, and network traffic in minutes rather than hours. Command Zero's platform automatically establishes comprehensive investigation scope, checking for related activity across AWS, Azure, identity providers, and SaaS applications when alerts trigger. The strategic approach acknowledges organizational reality: rather than eliminating established performance metrics, advanced technology empowers analysts to investigate comprehensively within existing time constraints, delivering higher-quality outcomes while maintaining operational efficiency in today's complex threat landscape.
Alfred Huger
Jun 11, 2025
4
min read
Investigations
Highlight

Why SIEMs and data lakes do not deliver the optimal experience for security investigations

Centralized data systems like SIEMs and data lakes excel at detection, reporting and compliance, but fall short for complex security investigations. These tools weren’t designed for dynamic workflows, forcing analysts to write complex queries and manually retrieve data, wasting critical time during incidents. Command Zero redefines investigative workflows by combining automation with expert-driven AI capabilities. The platform automates routine tasks, summarizes complex artifacts, and proactively suggests next steps, enabling analysts to focus on high-impact activities like root cause analysis and risk mitigation. For example, a Tier 1 analyst investigating phishing campaigns can bypass hours of manual log retrieval and cross-referencing thanks to automated processes that deliver actionable insights. Unlike generic chatbots or tier-1 focused agentic AI, Command Zero’s LLM implementation supplements analysts by bridging knowledge gaps and enhancing decision-making across all experience levels. This pragmatic approach empowers security teams to work smarter, reducing noise and inefficiencies while delivering faster, clearer results for both analysts and executives.
Eric Hulse
Apr 2, 2025
4
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All