Margin of Safety #40: Next Gen Threat Detection
Jimmy Park, Kathryn Shih
January 21, 2026
- Blog Post
What does Next Gen Threat Detection Look Like?
Threat detection sits at the core of the SOC. It also sits at the intersection of some of the largest and most mature markets in security, including SIEM and EDR. And despite decades of investment, it’s increasingly clear that many organizations are unhappy with the current state of affairs. This dissatisfaction shows up in two strong market signals.
Signal #1 Unhappy customers with SIEMs
Legacy SIEMs have become expensive and complex, relying on operationally brittle configuration and rules. Not only do growing data volumes – and increasing diversity – continue to pressure the core SIEM value proposition, but they also increase maintenance burden. What happens as a growing long tail of data formats changes? For many SOCs, downstream rules break.
In response, we’ve seen a wave of innovation in security data pipelines: platforms that filter earlier, normalize in-stream, and reduce noise before data ever hits a central index. The motivation is straightforward: reduce cost and make signals more usable. And the SIEM vendors themselves are reacting to this. Pricing models are shifting from pure ingest-based pricing toward utilization-based models. AI features like natural-language queries and copilots are being layered on top to make these systems more accessible.
But these changes, while helpful, mostly address symptoms rather than the underlying structural issue: SIEMs were designed for a world where it’s economical to store and index all relevant security telemetry for real(ish)-time search and query behavior, with an eye towards enabling human workflow productivity. Not only do growing data volumes strain these economic tradeoffs, but AI SOCs may weaken their upside – fewer humans in the workflow may mean more opportunities to tolerate UI-unfriendly latencies.
Signal #2 SIEM Operations treading water
The second signal is coming from the people closest to the problem: SOC analysts, detection engineers, and all of the operators who need to make the system function on a daily basis. Most SOCs are inundated with alerts, and most alerts are noise – false positives, low-context, and/or otherwise unactionable. Operationally, companies attempt to improve this with ongoing investments in detection engineering, but many SOC analysts would report that their teams are still on their heels. On the frontlines, this translates to slower response times and higher turnover. At the leadership levels, this shows up as persistently poor latencies and an inability to maintain target staffing levels.
It’s no surprise that we’ve seen a surge (over 50 startups) of AI-powered SOC and detection startups over the last 12–18 months, alongside significant VC capital into the space.
Combined, this raises the real question… what actually defines next-generation threat detection?
What We Look For in Next-Gen Detection Solutions
1. Moving Beyond Manually Written Detection Logic
Today, a significant portion of detection still relies on manually authored rules and queries written by human analysts. These rules encode prior knowledge about known attack patterns and expected behavior, often encoded in threat intelligence feeds.
That approach made sense when threats evolved slowly. But the more we assume that AI automation makes it easier for attackers to rapidly shift tactics or vary their attack methods between targets, the harder it will be for traditional detection engineering to keep pace.
We believe next-gen detection platforms should use AI not just to query data, but to engineer detection logic itself: identifying anomalies, outliers, and behavioral deviations that humans would never explicitly encode. Detection needs to shift from static rules to adaptive models powered by AI. And rather than trying to look for simple fingerprints that persist across diverse customers, we think detections will need to move to a combination of per-environment abnormality detection or complex fingerprints that are robust in the face of attacker variation.
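To make the static-rule versus per-environment-baseline distinction concrete, here is an added example (not code from the post or from any vendor it discusses) that runs both kinds of logic over constructed events; the environments, users, host names, command lines and baseline counts are all assumed for illustration.

```python
import json
import statistics
from collections import defaultdict

# Static, signature-style rule: fires on a fixed tool name in the command line.
STATIC_INDICATORS = ("mimikatz",)

# Constructed per-environment baseline (assumed, not from the post): number of
# distinct hosts each user touched during a learning window, per environment.
# "globex" is an admin-heavy environment where wide fan-out is normal.
BASELINE_FANOUT = {"acme": [1, 1, 2], "globex": [6, 5, 6]}

# Constructed live telemetry, one JSON event per line (sample data, not real logs).
LIVE_EVENTS = """\
{"env":"acme","user":"alice","dst":"db01","cmd":"svchost_helper.exe dump"}
{"env":"acme","user":"alice","dst":"web01","cmd":"svchost_helper.exe dump"}
{"env":"acme","user":"alice","dst":"web02","cmd":"svchost_helper.exe dump"}
{"env":"acme","user":"alice","dst":"fs01","cmd":"svchost_helper.exe dump"}
{"env":"acme","user":"bob","dst":"web01","cmd":"mimikatz.exe privilege::debug"}
{"env":"globex","user":"dave","dst":"n1","cmd":"ansible-playbook site.yml"}
{"env":"globex","user":"dave","dst":"n2","cmd":"ansible-playbook site.yml"}
{"env":"globex","user":"dave","dst":"n3","cmd":"ansible-playbook site.yml"}
{"env":"globex","user":"dave","dst":"n4","cmd":"ansible-playbook site.yml"}
"""

def parse(lines):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(l) for l in lines.splitlines() if l.strip()]

def static_rule(events):
    """Static rule: (env, user) pairs whose command contains a known tool name."""
    return {(e["env"], e["user"]) for e in events
            if any(ind in e["cmd"].lower() for ind in STATIC_INDICATORS)}

def fanout_threshold(samples, k=3.0):
    """Per-environment threshold: mean + k standard deviations of learned fan-out."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)

def baseline_rule(events, baseline=BASELINE_FANOUT):
    """Behavioral rule: flags users whose distinct-host fan-out exceeds the
    threshold learned for their own environment, regardless of tool name."""
    hosts = defaultdict(set)
    for e in events:
        hosts[(e["env"], e["user"])].add(e["dst"])
    return {key for key, dsts in hosts.items()
            if len(dsts) > fanout_threshold(baseline[key[0]])}
```

Alice's renamed tool never matches the static indicator but her fan-out of four hosts is flagged against acme's baseline, while the identical fan-out by Dave is within globex's normal range; Bob's unrenamed tool is the only thing the static rule sees.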
2. Detection Is Not Just About SIEM Elimination
There’s a subtle but important distinction between distributing queries and re-architecting detection. Some vendors frame their value proposition as “breaking up the SIEM” by pushing queries upstream into data sources. Cost savings often follow (which is real value), but the deeper opportunity emerges once those integrations exist. When a platform has access to upstream data sources directly, it can begin to train and execute native anomaly detection models at the source. At that point, it hasn’t just displaced the SIEM, it has assumed the detection function itself. This is a meaningful architectural shift.
3. The Edge Is Becoming a First-Class Detection Surface
As more compute moves to the edge, so does the opportunity for earlier, cheaper, and faster analysis. By enabling in-stream and at-source detection, next-gen platforms can significantly reduce Mean Time to Detect (MTTD). They avoid the storage bottlenecks, indexing delays, and centralized processing constraints that slow traditional pipelines.
At the same time, modern platforms increasingly pair this with built-in data lakes and cold storage, providing more cost-efficient options for long-term retention without forcing every byte through expensive hot paths. The result is a system that’s both faster and cheaper (Yay!).
Conclusion
Taken together, next-generation threat detection is not about a single product category. It’s about combining best-of-breed analytics with best-of-breed data management, in a way that aligns with how modern environments actually operate. The newer players in this space aren’t just bolting LLMs onto legacy workflows. They are rethinking where detection happens, how logic is generated, and which data deserves human attention in the first place.
If you’re building something in this space, feel free to reach out to jpark@forgepointcap.com and kshih@forgepointcap.com.
This blog is also published on Margin of Safety, Jimmy and Kathryn’s Substack, as they research the practical sides of security + AI so you don’t have to.