Why the Future of Security Is Graph‑Powered, AI‑Driven, and Relentlessly Adaptive

At this year’s keynote at Experts Live Denmark 2026, Raviv Tamir, Vice President and Chief Product Strategy for SIEM & XDR at Microsoft, laid out a clear and candid vision for the future of security operations.

Not a product pitch—but a reflection on what defenders are learning the hard way as attacks become faster, more coordinated, and increasingly AI‑driven.

The message was simple and unsettling:

If attackers have a better map of your organization than you do, you’re already losing.


Security Has Changed — And Not in Subtle Ways

Raviv began with a reality check drawn directly from Microsoft’s own experience defending one of the world’s largest and most targeted environments.

Historically, detecting an attacker inside the network was considered a major turning point. Once discovered, attackers would often retreat, hide, or abandon the operation altogether. That assumption no longer holds.

In recent major incidents, attackers:

  • Knew they had been detected
  • Understood (or accurately guessed) what defenders knew
  • Continued the attack anyway

The implication is stark: detection alone is no longer a deterrent.

At the same time, both attackers and defenders are now heavily leveraging AI. The speed at which attackers absorb information, reorganize, and act has compressed from days to hours—or less. In some cases, attackers appeared to have a more complete understanding of Microsoft’s own environment than internal defenders did.


The Wake‑Up Call: Shadow Tenants and Invisible Attack Paths

One of the most striking examples shared involved an over‑privileged application sitting in a tenant outside Microsoft’s primary network—created years earlier for demos or testing.

The attacker:

  • Identified the tenant
  • Compromised it
  • Leveraged the app’s permissions to pivot into the core environment

When Microsoft investigated how many similar tenants existed, the answer was sobering:

Over one million satellite or “shadow” tenants, many without full security coverage.

This reinforced two painful truths:

  1. The edges of your environment are where you’re most exposed
  2. You can’t defend what you can’t see

Attackers Think in Graphs — Defenders Think in Lists

This insight, originally articulated years ago by John Lambert, sits at the heart of Microsoft’s modern defense strategy.

Attackers don’t care about domains, tools, or organizational boundaries. They care about paths—how to traverse from one asset to another until they reach their target.

Defenders, by contrast, have traditionally worked with:

  • Alerts
  • Tables
  • Logs
  • Lists of vulnerabilities

That mismatch creates a dangerous asymmetry.

The answer, Raviv argues, is a graph‑based model of the organization:

  • Assets become nodes
  • Relationships become edges
  • Attack paths become visible

Not as an abstract concept—but as an operational foundation.


From Boiling the Ocean to Protecting What Matters

Trying to secure everything equally is an impossible task. The graph enables a shift in strategy.

Instead of asking:

“How do we fix every vulnerability?”

We ask:

“What are our critical assets, and how can attackers reach them?”

Key ideas from the keynote:

  • Critical assets often represent ~1% of total assets
  • Attack paths leading to them are a much smaller, manageable subset
  • To break an attack path, you don’t need to fix everything—you only need to remove or control one edge

This reframing turns an overwhelming problem into a solvable one.
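
The graph model and the "remove one edge" idea described above, as an added example (not code from the keynote or from any Microsoft product). The asset names, relationship labels and graph are constructed and hypothetical; the sketch enumerates attack paths from an entry point to a critical asset and reports the edges that every path shares, which are the candidates to remove or control.

```python
from collections import Counter

# Constructed sample data: (source, relationship, target). All names are hypothetical.
EDGES = [
    ("internet", "can_sign_in", "demo-tenant"),
    ("internet", "phish", "helpdesk-user"),
    ("demo-tenant", "owns", "legacy-demo-app"),
    ("helpdesk-user", "can_reset_secret", "legacy-demo-app"),
    ("legacy-demo-app", "has_app_role", "core-directory"),
    ("core-directory", "grants_admin", "prod-keyvault"),
    ("helpdesk-user", "member_of", "wiki-readers"),
]
ENTRY_POINTS = {"internet"}
CRITICAL = {"prod-keyvault"}

def build(edges):
    graph = {}
    for src, _rel, dst in edges:
        graph.setdefault(src, set()).add(dst)
    return graph

def attack_paths(graph, entries, critical):
    """Return every simple path from an entry point to a critical asset."""
    found = []
    def walk(node, path):
        if node in critical:
            found.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:  # never revisit a node, so cycles terminate
                walk(nxt, path + [nxt])
    for entry in sorted(entries):
        walk(entry, [entry])
    return found

def choke_edges(paths):
    """Edges present on every attack path: controlling one breaks them all."""
    counts = Counter()
    for p in paths:
        counts.update(set(zip(p, p[1:])))
    return sorted(e for e, n in counts.items() if n == len(paths))

def remove_edge(edges, cut):
    return [(s, r, d) for s, r, d in edges if (s, d) != cut]

if __name__ == "__main__":
    paths = attack_paths(build(EDGES), ENTRY_POINTS, CRITICAL)
    print(len(paths), "attack paths; choke edges:", choke_edges(paths))
```

In this sample, removing the app role that links the demo app to the core directory eliminates both paths, while removing the sign-in edge to the demo tenant leaves the helpdesk route intact.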


Real‑Time Defense Requires Automation at Scale

Another major theme was attack disruption.

Detection is not a victory. An alert is not success.
The goal is eviction—and that requires speed beyond human reaction time.

In one example, Microsoft’s systems executed hundreds of defensive actions within 90 minutes during an active attack. No human SOC—no matter how skilled—can operate at that pace.

This has led to a “fire first, ask questions later” model:

  • High‑confidence threats trigger immediate automated response
  • Humans investigate once the attack is paused
  • The system continues reacting as the attacker pivots

This approach is now on by default for certain threat classes, including ransomware and hands‑on‑keyboard attacks.


Predictive Shielding: Getting Ahead of the Attacker

With a graph in place, defenders can move beyond reaction into prediction.

Instead of isolating everything, the system asks:

  • What is this asset?
  • What role does it play?
  • How aggressive can we be without breaking the business?

Defensive actions can then include:

  • Temporarily tightening policies
  • Blocking specific connections
  • Selectively isolating downstream resources

The goal is not disruption for its own sake—but precision containment.


AI, Agents, and the Human Factor

AI is not just automation. Raviv described three emerging patterns:

  1. Augmenting humans (copilots)
  2. Delegating tasks to autonomous agents
  3. Agents as team members, embedded into workflows

But the keynote emphasized an often‑overlooked issue: training.

AI accelerates senior analysts dramatically—but can mislead juniors if left unchecked. Without structured learning, organizations risk losing the pipeline that creates future experts.

One innovative solution shared was transcribing analyst actions inside the SOC:

  • Capturing investigation steps
  • Generating case notes automatically
  • Identifying repetitive tasks for automation
  • Comparing real behavior to SOPs

This turns AI into both a productivity engine and a training tool.


A New Blueprint for Defense

The keynote closed with a clear takeaway:

  • Graphs provide the map
  • AI provides the speed
  • Automation provides the scale
  • Humans provide judgment

Security is no longer about isolated tools or single alerts. It’s about understanding your environment as attackers do—and moving faster than they can adapt.

Or, as the keynote made clear:

The future of security isn’t just integrated.
It’s adaptive, predictive, and relentlessly aware of the full picture.