How to Keep AI From Turning Against Your Defense

A few months ago, security researchers revealed that a group of attackers had trained an AI system to manage a ransomware operation on its own. The system made choices about which companies to target, what data to steal, and how to negotiate payment. It even adjusted its tone depending on how victims replied.

AI has now become a powerful tool in the attacker’s hands. This new era of artificial intelligence shows that the same type of technology that helps security teams prioritize alerts or summarize incident reports can be retrained to carry out coordinated attacks. The speed and adaptability that once helped defenders now serve both sides.

For years, organizations have been told that automation would solve the shortage of analysts, and many rushed to deploy large language models in their SOC environments. These systems now analyze logs, categorize alerts, and prepare first drafts of response tickets, touching sensitive data every day.

The difficult truth is that many of these deployments happened without clear security oversight. Few teams evaluate what would happen if an internal prompt exposed confidential information, and even fewer log how the model makes its decisions.

AI can simplify work, but it must be treated as a privileged entity. It handles information that humans used to guard behind strict access controls, and when it processes that data without supervision, a single flaw can create a new insider risk.

The next step for mature security organizations is to secure their own intelligence tools. They can do this by:

• Running internal red team exercises that test whether models can be tricked into revealing restricted content.

• Reviewing all AI outputs for data exposure, reliability, and unintentional bias.

• Keeping detailed audit records of every recommendation or action generated by automation.

The goal is to make innovation more trustworthy, because real defense depends on accountability. AI will not disappear from security operations, yet its value will come from how responsibly it is controlled. The teams that treat their models like living systems, with governance and oversight, will become the ones others learn from. That is why the PAGO MDR team invests in consistent training and AI applications built with context and supervision.

Cybersecurity has never been only about speed but also about judgment. Machines can correlate patterns, but they cannot fully understand context. They can recommend responses, but they do not feel the weight of a wrong decision.

An analyst’s intuition is built on thousands of lived moments such as the memory of a previous breach, the sound of a stressed client on the phone, the instinct that something feels off even when the logs look clean. No algorithm can reproduce that experience.

AI will expand this judgment. The ideal SOC from now on will blend automation and human reasoning in a continuous loop. Machines will handle scale, and humans will handle meaning.

The best security teams will:

• Use AI to summarize vast amounts of data, while allowing analysts to decide what matters most.

• Design AI tools that learn from human feedback, not only from statistics.

• Encourage a culture where humans challenge the model instead of following it blindly.

The strength of the future SOC will come from a partnership in which artificial intelligence acts as an amplifier of human awareness. Machines can see patterns faster, but humans still decide which ones define a threat.

Cybersecurity has always been a human story told through technology, and that will remain true even in the age of intelligent machines.