Why Cyber Resilience is Lagging in the AI Era

March 13, 2026
Jesse Kimbrel
Product Marketing Manager

Vectra AI recently released its 2026 State of Threat Detection and Response report, which follows the theme “Resilience in the AI Era.” The initial question I had when we decided to run with that theme for the report was, what specific findings in this year’s report reveal insights about resilience in 2026?

To answer that, first I think we need to determine what we mean by “resilience” or, in this case, cyber resilience. It’s a term that gets thrown around a lot, and I think the way it gets talked about is generally within similar context and meaning. However, it always seems like “resilience” is this thing we strive for or hope to achieve some day. And in cybersecurity, I don’t think we’re ever done trying to achieve cyber resilience. We can certainly take steps to help our networks become more resilient, like gaining an understanding of our risk exposure or speeding up processes so we can react faster to threats, but then a new threat or vulnerability comes along and we’re no longer resilient until we’ve addressed it.

It’s the same in life. You can take all the right steps to make sure you are healthy or your house is protected, and then you adopt a new pet. All of a sudden your curtains are shredded and your baseboards are missing and you had no idea that your home wouldn’t be resilient to such an innocent creature.

To me, resilience is our ability to recover, rebound, or just get back on our feet and stay running or functional when incidents happen. Our networks are no different. And today’s networks just happen to include risks that move at AI speed; in fact, cyberattacks are 65% faster because of AI, according to a report from CrowdStrike.

What is the State of Threat Detection and Response in the AI era?


Since we’re in the AI era, shouldn’t we just ask ChatGPT?  

It would come back with something like, “the state of threat detection and response in the AI era is a race between AI-powered attackers and AI-augmented defenders, where success depends on detecting behavioral attack signals across identity, cloud, and network before attackers can move laterally.”

However, we should ask the defenders who live it every day for the real details about what’s actually going on inside their networks. Which is exactly why we continue to publish the State of Threat Detection and Response report. This year, 1,450 practitioners provided responses on everything from how often important security tasks get put aside, whether tools are effective, AI usage and its impact, visibility into hybrid and multi-cloud environments as well as other areas. Let’s take a look at what defenders are saying about some of the areas that directly impact their ability to be resilient.  

Risk exposure: who and what is on the network?

One of the questions we’ve asked defenders in each of the three years that Vectra AI has published this report is: how would you rate your visibility into various hybrid environments?

It’s not just that defenders lack full visibility into their environments. When you also look at the number of tools they use for threat detection and response to cover these environments, 39% of them are juggling over 20 tools. Cyber resilience requires visibility into networks and we’re not seeing much improvement, if any, from year to year, which signals that not all defenders know who and what is on their network. In fact, 37% believe an attacker may have already compromised their organization without them knowing. Is this in part because of how many tools are being used, because noise remains an issue, or because visibility appears fragmented across too many telemetry streams?

Do defenders know what behaviors indicate risk?

Across the surveyed audience of defenders, 44% admit they are losing the battle when it comes to prioritizing real threats.  

When looking across the data, you start to see some reasons why, and perhaps the biggest reason has to do with detection latency.

In addition to the 2.5 hours defenders spend on alert triage each day, 71% said they put aside important security tasks at least two days per week, and they can only deal with just over a third of the alerts they receive each day. It’s hard to imagine that the latency in this scenario is helpful in knowing what risky behaviors exist on a network.  

Where to improve network security posture?

We asked defenders what matters when evaluating solutions. 72% named risk reduction, compliance alignment, and measurable operational effectiveness. Compliance is the obvious one, given that cybersecurity teams often play a central role in how controls meet regulatory requirements, and although the report doesn’t go too deep into any of these areas, there are some related takeaways.

We’re continuing to see defender sentiment toward security vendors show little improvement.

Can we tie “measurable operational effectiveness” to vendor sentiment? Maybe not directly, but defenders are showing that they want to be able to prove effectiveness of their solutions, while they don’t necessarily believe vendors are holding up their side of the bargain.  

However, 67% agree that the implementation of AI-powered tools is making a positive impact on the ability to identify and deal with threats. The same thing here; this doesn’t necessarily tie to “risk reduction,” but defenders are expressing where they believe positive improvements are happening.

Is cyber resilience lagging?

Defenders report an increase in confidence. For example, 37% believe an attacker may have already compromised their organization without them knowing, a percentage that is down from 51% just last year. And defenders are reporting an overall positive experience using AI in the SOC; in fact, 87% expect to use more AI tools next year to replace legacy threat detection and response tools. Defenders also want AI to handle tasks such as alert triage and investigation duties, which could lead to improvements in detection latency challenges, but AI alone won’t magically make organizations more resilient; defenders will.

Based on what the report is telling us, yes, cyber resilience is “lagging” in certain areas, especially considering risk exposure exists and threat prioritization remains a challenge. Too many alerts still go unaddressed, too many visibility gaps, too many tools and vendors that aren’t up to the task, but we aren’t telling defenders anything they don’t know — they’re the ones already working to address the never-ending exposure, risks, and posture challenges.  

Download the 2026 State of Threat Detection and Response report today.
