The Defender’s Dilemma: Why neither AI nor headcount alone can win the security scale war

AI has industrialised cybercrime. The cost of running a sophisticated, multi-language phishing campaign has dropped from a month of work and significant budget to cheaper than a lunch. The problem for defenders isn’t detection anymore – it’s scale. And the answer isn’t what most people expect.

Key Takeaways:

  • AI has made every tier of attacker more dangerous – script kiddies can now run campaigns that once required serious expertise
  • The core challenge has shifted from detection to scalability: you cannot solve a machine scaling problem with a human scaling solution
  • Neither pure AI nor more headcount is the right answer – the right model is purpose-built AI working alongside human analysts
  • When done correctly, AI-driven investigation reduces average incident investigation time from 3 hours to 3 minutes

Cybercrime has been industrialised

Three years ago, a targeted multi-language phishing campaign required real technical skill. You needed to build the infrastructure, write convincing content in multiple languages, manage the operation day to day, and pay for the tools and the people to run it. Setup alone took roughly a month.

Today, the same campaign costs 16 tokens on a cloud coding tool. That’s cheaper than lunch. And the skills needed have been so thoroughly reduced that amateur attackers can set the whole thing up solo.

That’s the entry-level problem. It gets more serious from there.

The mid-tier attackers – the competent-but-not-elite criminals who have always formed the bulk of the threat landscape – are now genuinely dangerous in ways they weren’t before. AI mentors them, fills the gaps in their skill sets, and lets them execute attacks they couldn’t have mounted independently. And the elite attackers, the ones who were already capable and well-resourced? AI doesn’t make them smarter, but it makes them 10 to 20 times more efficient by removing the grind from their operations. Effectively, there are now 10 to 20 times more of them.

The numbers from European national security agencies reflect this. Cyber attacks nearly doubled in Italy, with three quarters targeting SMEs and SMBs. Significant cyber incidents more than doubled year over year in the UK. Serious cybersecurity incidents more than doubled in Finland. These aren’t isolated data points – they’re a consistent pattern across the continent, and they carry a statistical weight of inevitability: as these numbers rise, more customers will get breached.

The problem isn’t detection – it’s scale

This is the shift that changes everything for defenders.

The core challenge in cybersecurity is no longer whether you can detect something. It’s whether you can match the scale at which attacks are being generated and executed. And that’s a fundamentally different problem.

You cannot solve a machine scaling problem with a human scaling solution. The maths don’t work. Even if you could keep analysts working without rest, the volume of AI-generated threats would outpace them. And the talent pool doesn’t exist to try: Europe currently has a shortfall of 300,000 cybersecurity specialists. You cannot hire people who don’t exist.

This is the Defender’s Dilemma – a structural asymmetry that has always favoured attackers, and that AI has now made significantly sharper. Attackers need to find one exploit. Defenders need to close all of them. Attackers can fail as many times as they like with no consequences. Defenders cannot afford to fail once.

Two wrong answers

Given that framing, the obvious conclusion is: use more AI. And that conclusion is wrong – or at least, incomplete.

Throwing AI at a broken or chaotic security operation doesn’t fix the operation. It produces chaos with an AI layer on top. Replacing a broken workflow with an AI-augmented broken workflow doesn’t improve outcomes – it just adds a confused model and frustrated customers to an existing problem.

But the human-only answer fails just as clearly. The scale problem is mathematical. No amount of analyst hiring closes the gap when attackers are operating at machine speed and the talent pool is already running dry.

The right answer is both – but in the right way. Purpose-built AI models, designed for specific tasks, with the right data and context to do those tasks well, working alongside human analysts who handle what AI genuinely can’t: novel situations, edge cases, accountability, and judgment.

AI is probabilistic. It’s exceptionally good at pattern-heavy, repeatable, well-scoped work. It is genuinely poor at new, unusual, or ambiguous situations. That’s not a flaw to work around – it’s a design constraint to build with. The human in the loop isn’t a liability. It’s a feature. The EU AI Act reflects exactly this: important operational decisions made by AI must be traceable to an accountable human. Customers, procurement teams, and legal departments will ask the same question. “AI did it” is not an answer that renews contracts.

What this looks like in practice

The proof is in the numbers from WithSecure’s own SOC.

Two cases illustrate the model in action.

In the first, a piece of malware was bypassing standard anti-malware capabilities – a common outcome when AI-generated malware is specifically engineered to evade basic detection. But the artefacts it left behind told a different story. Process injection, credential testing in the payload, hooks into multiple system components, and a connection to a known command-and-control node. AI surfaced these findings clearly, visualised the relationships between them, and allowed the analyst to verify the verdict quickly before acting.

In the second, a similar detection turned out to be a false positive – a recurring pattern the system had seen before. Rather than sending an analyst down a multi-hour investigation path, the AI recognised it immediately: it knew the customer environment, the anomalies, and the historical behaviour. What would have taken hours to verify was resolved in minutes.

The result of applying this model consistently: average investigation time has dropped from 3 hours to 3 minutes. Analysts agree with the AI’s verdict 92% of the time. That’s a 60-fold increase in investigative throughput – not from hiring more analysts, but from giving the analysts working today tools that handle the grind so they can focus on what genuinely requires human judgment.

What this means for MSPs

The trust gap between MSPs and their customers is real and measurable. Around 70% of customers say they don’t feel confident their MSP could defend them if targeted. Around 50% say they’d consider switching providers if their MSP can’t offer the necessary skills, guidance, and round-the-clock security support.

These numbers aren’t just a warning. They’re a map to where the growth opportunity is. The MSP that closes this trust gap becomes very difficult to replace – and starts replacing others.

Closing it requires genuine capability. That means either building your own SOC (expensive, slow, and operationally demanding), acquiring one (expensive, with its own complications), or partnering with a provider who delivers the security operations behind the scenes while you retain the customer relationship, the communication, and the commercial value.

That co-delivery model is how most MSPs can realistically get to 24/7 expert-backed MDR without the overhead of building it themselves. WithSecure’s MDR is fully developed, managed, and delivered from within the EU – meaning NIS2, GDPR, and the AI Act compliance questions your customers are starting to ask are answered by default, not as an afterthought.

Frequently asked questions

Q: If AI can’t solve the scale problem alone, what’s it actually useful for in a SOC context?
A: AI excels at high-volume, pattern-heavy, repeatable work – triage, correlation, investigation of known threat patterns, false positive identification. It frees analysts to focus on the genuinely novel and complex cases that require human judgment.

Q: What’s the risk of relying too heavily on AI in security operations?
A: AI models are probabilistic and bounded by their training data and context. They can be wrong on novel threats, and they cannot carry accountability for decisions. Deploying AI without meaningful human oversight creates both operational risk and compliance exposure.

Q: How does the co-delivery model work for MSPs in practice?
A: The MSP owns the customer relationship, communication, and commercial value. The security operations – monitoring, investigation, response at 2 a.m. – are handled by the partner’s SOC team. The customer sees their MSP as the capable, always-on security partner they need. The MSP delivers that without building the SOC infrastructure themselves.

Q: Is EU-based MDR relevant for compliance purposes?
A: Increasingly, yes. As NIS2, DORA, GDPR, and the AI Act sharpen regulatory scrutiny around where data is processed and who is accountable for security decisions, the jurisdiction of your MDR provider becomes a genuine procurement consideration – particularly for customers in regulated sectors.

The choice ahead

The shape of the threat has changed. The scale at which attacks are launched, the ease with which they’re constructed, and the efficiency of the attackers running them have all shifted in a direction that makes standing still an increasingly costly position.

The security operations model that wins in this environment combines purpose-built AI – doing the work it’s genuinely suited to, quickly and accurately – with human analysts who provide oversight, handle the genuinely hard cases, and carry the accountability that customers and regulators require.

That model already exists and is already delivering a 60x improvement in investigative throughput in production environments. The question for MSPs isn’t whether this is the direction things are heading. It’s whether you help shape it or spend the next few years catching up.

This blog is based on Teemu Myllykangas’ keynote at SPHERE2YOU Helsinki in April 2026. Watch the full session at https://youtu.be/Sg818_mJ9-M.
