FREE GRC Workshop

LEARN MORE

Recommended Event: Convene: Boston | Cybersecurity & Human Risk Conference Aug 13 - 14, 2026

AI-Powered Detection and Response in the Cloud

Solution Category Operations
Type Webinar
Organization Network Intelligence

Webinar Description

Key Takeaways

  • Seventh session in a 26-part series on AI-powered cloud security, marking the start of Phase 2 focused on detection and response
  • Covers cloud-native SIEM architecture and telemetry collection across AWS, Azure, and GCP
  • Explores machine learning approaches to anomaly detection and behavioural baselining
  • Addresses detection strategy development using the MITRE ATT&CK Cloud Matrix
  • Designed for cloud security professionals, SOC analysts, and detection engineers
  • Co-produced by Network Intelligence and Transilience

Introduction

As organisations accelerate their migration to multi-cloud environments, security teams face an increasingly complex challenge: detecting sophisticated attacks across distributed infrastructure where traditional security tools often fall short. This session examines how artificial intelligence and machine learning are reshaping cloud threat detection, offering security professionals practical guidance on building detection capabilities that can identify modern attack techniques across AWS, Azure, and GCP.

The webinar forms part of an ongoing educational series exploring the intersection of artificial intelligence and cloud security. Having spent previous sessions examining offensive techniques—how AI-powered attackers compromise cloud environments, move laterally, escalate privileges, and exfiltrate data—the series now pivots to defensive strategies. This shift reflects a broader industry recognition that understanding attacker methodologies is essential for building effective detection capabilities.

About This Event

Session 7 represents the beginning of Phase 2 in a comprehensive 26-part series on AI-powered cloud security, co-produced by Network Intelligence and Transilience. While the session is designed to be accessible to newcomers, participants who attended the earlier offensive-focused sessions will benefit from the contextual foundation those sessions provided. The transition from offensive to defensive content mirrors the approach many security programmes take: understanding how attacks unfold before designing controls to detect and respond to them.

Rethinking SIEM Architecture for Cloud Environments

A central theme of this session is the architectural challenge of security information and event management in cloud-native environments. Many organisations have attempted to extend their existing on-premises SIEM deployments to ingest cloud telemetry, an approach that frequently creates more visibility gaps than it resolves. The fundamental differences between traditional data centre logging and cloud-native telemetry—including volume, velocity, and the ephemeral nature of cloud resources—demand purpose-built approaches rather than retrofitted solutions.

The session examines what constitutes effective cloud-native SIEM architecture, addressing both the technical requirements and the operational considerations that determine success or failure. This includes an honest assessment of common pitfalls, helping security teams avoid investments in approaches that are unlikely to deliver meaningful detection capabilities.

Critical Telemetry Sources Across Major Cloud Platforms

Effective cloud threat detection depends entirely on the quality and completeness of available telemetry. The session provides detailed coverage of key logging sources across the three major cloud providers. For AWS, this includes CloudTrail for API activity and VPC Flow Logs for network visibility. Azure environments rely on Azure Activity Logs for control plane operations, while GCP offers GCP Audit Logs for similar purposes.

Beyond these foundational sources, the session addresses DNS logs and data plane signals that many security teams overlook. This gap in telemetry collection represents a significant blind spot, as sophisticated attackers increasingly operate at layers where standard logging provides insufficient visibility. Understanding which data sources to prioritise—and how to correlate signals across them—forms a critical foundation for any detection programme.

Machine Learning for Anomaly Detection

The application of machine learning to cloud security detection represents both significant opportunity and considerable complexity. The session explores how ML models can establish baselines of normal cloud behaviour, enabling the identification of deviations that may indicate adversary activity. This approach addresses one of the persistent challenges in cloud security: the difficulty of writing static detection rules for environments where legitimate activity patterns vary enormously across organisations and change frequently over time.

Critically, the session distinguishes between anomaly detection that surfaces genuine threats and systems that simply generate additional noise. Alert fatigue remains one of the most significant operational challenges facing security operations centres, and poorly implemented ML detection can exacerbate rather than alleviate this problem. The focus is on practical implementation that delivers actionable intelligence rather than theoretical capabilities that fail under operational conditions.

Building Detection Coverage Against Real Attack Techniques

The session emphasises the importance of grounding detection strategy in demonstrated attack techniques rather than theoretical threats. By mapping detection coverage to the MITRE ATT&CK Cloud Matrix, security teams can systematically identify gaps in their visibility and prioritise development efforts accordingly. This framework-driven approach ensures that detection investments address techniques that adversaries actually employ in cloud environments.

Red team exercises and penetration testing provide valuable input to this process, revealing which attack paths would succeed against current detection capabilities. The session addresses how to translate findings from offensive security assessments into prioritised detection engineering work, creating a feedback loop that continuously improves defensive posture.

From Reactive Alerting to Proactive Threat Detection

Traditional security monitoring operates on a reactive model: configure alerts, wait for them to fire, then investigate. AI-driven continuous monitoring enables a fundamentally different approach, shifting from passive alerting to active threat hunting. Rather than waiting for predefined conditions to trigger notifications, security teams can proactively search for anomalies that may indicate compromise.

This transition requires changes not only in technology but also in operational processes and team skills. The session addresses the practical implications of adopting a more proactive detection model, including the analytical capabilities required and the workflow changes that support effective threat hunting in cloud environments.

Who Should Attend

This session is designed for cloud security professionals, security operations centre analysts, detection engineers, and security architects responsible for protecting multi-cloud environments. The content assumes familiarity with cloud computing concepts and basic security operations, though no specific prior knowledge of the series is required. Practitioners working with AWS, Azure, or GCP—or managing security across multiple cloud providers—will find the cross-platform perspective particularly relevant.

Conclusion

As cloud environments grow more complex and attackers increasingly leverage AI to enhance their techniques, defenders must evolve their approaches accordingly. This session provides a foundation for building detection capabilities that match the sophistication of modern threats, combining cloud-native architecture principles with machine learning techniques and framework-driven prioritisation. For organisations seeking to strengthen their cloud security posture, the shift from reactive alerting to proactive, AI-assisted threat detection represents an essential evolution.