Intelligent threat detection for defence SOCs

Advanced AI-supported threat detection for faster MTTD and MTTR


The Ministry of Defence (MOD)’s own assessments describe an unacceptable cyber risk position amid an escalating wave of malicious cyber activity [1], a sobering reality for defence security operations centre (SOC) managers. With the risk of cyber attack among the highest managed by the Defence Board [2], the pressure on security teams is growing. SOC teams must detect sophisticated cyber threats before they cause damage. Yet in many organisations globally, SOCs still struggle with detection times measured in days or weeks, far too slow against adversaries targeting defence infrastructure.

This is why the MOD’s Digital Strategy for Defence includes, as a priority, the ability to ‘rapidly detect and respond [with] integrated cyber defences [that] cover critical functions providing the ability to detect and respond to cyber-attacks.’ Achieving this takes a different approach from simply adding more tools. Defence SOCs need unified capabilities that dramatically reduce mean time to detect (MTTD) and mean time to respond (MTTR), the metrics that matter when protecting critical defence assets.

Elastic Security’s support for defence customers is focused on combining AI-powered analytics with workflows designed for SOC analysts, addressing the daily operational needs of defence SOC teams. By automating processes, correlating alerts with Attack Discovery, and guiding analysts via Elastic AI Assistant, it reduces manual efforts, improves SOC visibility, provides context, and accelerates response times.

Accelerating detection with Attack Discovery

High-performing SOCs typically maintain MTTD between 30 minutes and four hours [3]; low-performing ones can leave threats undetected for months or even years. But with the right approach, defence SOCs can significantly shorten detection times. Elastic customers are already seeing measurable outcomes. One Elastic customer reduced MTTD by 75%, while others recently reported mean time to investigate (MTTI) dropping from 300 minutes to 90 minutes and MTTR from 180 minutes to 6 minutes. These improvements showcase the benefits of Elastic solutions like Attack Discovery. It analyses contextual data — host and user risk scores, asset criticality, and alert severity — to identify the most impactful threats. This contextual understanding allows SOCs to prioritise genuine threats amid the daily flood of fatigue-inducing alerts.

Attack Discovery automatically links related alerts and events, correlating them into coherent attack narratives that reveal adversary movement across the network. Analysts can see complete attack chains showing lateral movement attempts, privilege escalation, and potential data exfiltration as connected elements. The detection rules used are aligned with the MITRE ATT&CK® framework while machine learning components identify deviations from established baselines. This way, both known threats and novel attack methods are captured without overwhelming analysts with false positives, and attacks are contained during the early stages of the attack lifecycle, reducing risk to critical systems.
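The correlation and prioritisation described above can be illustrated with a small worked example. The following Python is an added illustration for this post, not Elastic's Attack Discovery code: it links alerts that share a host or user within a time window into chains, orders each chain in time to produce an attack narrative, and ranks chains using the inputs the post names (alert severity, asset criticality, host and user risk scores). The weights, the scoring formula, the risk scores and the sample alerts are all constructed assumptions for the example.

```python
"""Correlate alerts into attack chains and rank them by context.

Added illustration, not Elastic's Attack Discovery code. All weights,
risk scores and alerts below are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical weights (assumption): the post names the inputs, not the formula.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_CRITICALITY = {"low_impact": 1.0, "medium_impact": 1.5,
                     "high_impact": 2.0, "extreme_impact": 3.0}
# MITRE ATT&CK tactics in lifecycle order (subset); a later index means a deeper intrusion.
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "credential-access", "lateral-movement", "collection", "exfiltration"]
WINDOW = timedelta(hours=2)  # alerts sharing an entity within this window are linked


@dataclass(frozen=True)
class Alert:
    id: str
    ts: datetime
    host: str
    user: str
    tactic: str
    severity: str


# Constructed entity context: risk scores 0-100 and per-host criticality tiers.
HOST_RISK = {"dc01": 85, "ws-17": 40, "ws-22": 10}
USER_RISK = {"jsmith": 70, "svc_backup": 20, "akhan": 15}
HOST_CRITICALITY = {"dc01": "extreme_impact", "ws-17": "medium_impact",
                    "ws-22": "low_impact"}

T0 = datetime(2025, 9, 10, 8, 0)
ALERTS = [  # constructed sample alerts
    Alert("a1", T0, "ws-17", "jsmith", "initial-access", "medium"),
    Alert("a2", T0 + timedelta(minutes=12), "ws-17", "jsmith", "execution", "high"),
    Alert("a3", T0 + timedelta(minutes=40), "dc01", "jsmith", "lateral-movement", "high"),
    Alert("a4", T0 + timedelta(minutes=55), "dc01", "svc_backup",
          "privilege-escalation", "critical"),
    Alert("a5", T0 + timedelta(hours=5), "ws-22", "akhan", "execution", "low"),
]


def related(a: Alert, b: Alert) -> bool:
    """Link two alerts if they share a host or a user within WINDOW."""
    return abs(a.ts - b.ts) <= WINDOW and (a.host == b.host or a.user == b.user)


def build_chains(alerts: list[Alert]) -> list[list[Alert]]:
    """Union-find over pairwise links; each chain is returned in time order."""
    parent = {a.id: a.id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            if related(a, b):
                parent[find(a.id)] = find(b.id)
    groups: dict[str, list[Alert]] = {}
    for a in alerts:
        groups.setdefault(find(a.id), []).append(a)
    return [sorted(g, key=lambda x: x.ts) for g in groups.values()]


def chain_score(chain: list[Alert]) -> float:
    """Hypothetical priority: sum of severity x asset criticality x (1 + entity risk/100),
    boosted by how far along the lifecycle the chain has progressed."""
    score = 0.0
    for a in chain:
        entity_risk = max(HOST_RISK.get(a.host, 0), USER_RISK.get(a.user, 0))
        tier = ASSET_CRITICALITY[HOST_CRITICALITY.get(a.host, "low_impact")]
        score += SEVERITY_WEIGHT[a.severity] * tier * (1 + entity_risk / 100)
    furthest = max(TACTIC_ORDER.index(a.tactic) for a in chain)
    return round(score * (1 + furthest / len(TACTIC_ORDER)), 2)


def narrative(chain: list[Alert]) -> str:
    """One-line attack narrative: tactic@host/user in time order."""
    return " -> ".join(f"{a.tactic}@{a.host}/{a.user}" for a in chain)


def prioritised_chains(alerts: list[Alert] = ALERTS) -> list[tuple[float, list[str], str]]:
    """Return (score, alert ids, narrative) per chain, highest priority first."""
    chains = build_chains(alerts)
    ranked = [(chain_score(c), [a.id for a in c], narrative(c)) for c in chains]
    return sorted(ranked, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for score, ids, story in prioritised_chains():
        print(f"{score:7.2f}  {ids}  {story}")
```

On the sample data the four alerts on ws-17 and dc01 fold into one chain (initial access, execution, lateral movement to the domain controller, privilege escalation) that far outranks the isolated low-severity alert on ws-22, which is the prioritisation effect the post describes: context, not raw alert count, decides what an analyst looks at first.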

Accelerating investigations with Elastic AI Assistant for Security operations

Elastic AI Assistant acts as a copilot for SOC analysts, automating tasks like alert summarisation and workflow recommendations while generating natural language explanations of threats and suggesting response actions. It uses custom defence knowledge sources like threat intelligence reports, asset information, and organisational playbooks that align AI-generated insights with MOD contexts and requirements.

This is expert-level work automated, reducing investigation time and addressing the concern identified in the MOD’s Digital Strategy for Defence: the extensive defensive cybersecurity gaps in people, processes, and technology.

Elastic AI Assistant in action

Under the hood, Elastic AI Assistant integrates retrieval augmented generation (RAG) with hybrid search capabilities. When an analyst interacts with the system using natural language queries, it first retrieves relevant context from normalised data streams and feeds that context to the configured large language model (LLM). This can be the LLM of the defence user’s choice, hosted and operated within their own secure environment. Users in secure environments therefore keep the critical context that generic AI systems typically lack.

Elastic’s Search AI Platform underlying the AI Assistant optimises search relevance scoring to prioritise high-fidelity signals during retrieval, ensuring analysts receive the most actionable insights for defence-specific security tasks. This tight coupling between search infrastructure and generative AI can enable the elimination of manual data correlation while maintaining the auditability required in defence operations.
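To make the retrieval step concrete, here is an added Python illustration of the hybrid-search RAG flow the two paragraphs above describe. It is not Elastic's implementation: it ranks a constructed set of knowledge snippets (threat intel, an asset record, a playbook) with BM25 for the lexical side, uses a hashed character-trigram vector as a stand-in for a dense embedding model (an assumption, so the example runs offline), fuses the two rankings with reciprocal rank fusion (RRF), and assembles the retrieved context into the prompt that would be sent to the configured LLM. The document ids, snippets and the example query are constructed.

```python
"""Hybrid retrieval for a RAG prompt: lexical (BM25) and dense rankings fused with
reciprocal rank fusion (RRF).

Added illustration, not Elastic's implementation. The 'dense' embedding is a
hashed character-trigram vector standing in for a real embedding model, and the
knowledge snippets are constructed."""
from __future__ import annotations

import math
import re
import zlib
from collections import Counter, defaultdict

DOCS = {  # constructed knowledge snippets: intel, asset records, playbooks
    "ti-001": "Threat intel: adversary uses Kerberoasting against domain controllers "
              "for credential access",
    "asset-dc01": "Asset record: dc01 is the primary domain controller, criticality "
                  "extreme, owner Infra team",
    "pb-lateral": "Playbook: on a lateral movement alert, isolate the host and reset "
                  "affected credentials",
    "ti-002": "Threat intel: phishing campaign delivering a loader via macro-enabled "
              "documents",
}


def tokenize(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def bm25(query: str, docs: dict[str, str], k1: float = 1.5, b: float = 0.75) -> dict[str, float]:
    """Standard BM25 over the small corpus; 0.0 means no query term matched."""
    toks = {d: tokenize(t) for d, t in docs.items()}
    n = len(toks)
    avgdl = sum(len(t) for t in toks.values()) / n
    df: Counter = Counter()
    for t in toks.values():
        df.update(set(t))
    scores = {}
    for d, t in toks.items():
        tf = Counter(t)
        s = 0.0
        for q in tokenize(query):
            if q in tf:
                idf = math.log(1 + (n - df[q] + 0.5) / (df[q] + 0.5))
                s += idf * tf[q] * (k1 + 1) / (tf[q] + k1 * (1 - b + b * len(t) / avgdl))
        scores[d] = s
    return scores


DIM = 256


def embed(text: str) -> list[float]:
    """Deterministic stand-in for an embedding model: hashed character trigrams (assumption)."""
    v = [0.0] * DIM
    s = f" {' '.join(tokenize(text))} "
    for i in range(len(s) - 2):
        v[zlib.crc32(s[i:i + 3].encode()) % DIM] += 1.0
    return v


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def rrf(rankings: list[list[str]], k: int = 60) -> list[str]:
    """Reciprocal rank fusion: score(d) = sum over rankings of 1 / (k + rank)."""
    fused: defaultdict[str, float] = defaultdict(float)
    for ranking in rankings:
        for rank, d in enumerate(ranking, start=1):
            fused[d] += 1.0 / (k + rank)
    return sorted(fused, key=lambda d: fused[d], reverse=True)


def retrieve(query: str, docs: dict[str, str] = DOCS, top: int = 2) -> list[str]:
    """Fuse the lexical and dense rankings and return the top document ids."""
    lex = bm25(query, docs)
    lex_rank = sorted(docs, key=lambda d: lex[d], reverse=True)
    qv = embed(query)
    dense = {d: cosine(qv, embed(t)) for d, t in docs.items()}
    dense_rank = sorted(docs, key=lambda d: dense[d], reverse=True)
    return rrf([lex_rank, dense_rank])[:top]


def build_prompt(query: str, docs: dict[str, str] = DOCS) -> str:
    """Assemble the retrieved context and the analyst question for the LLM."""
    context = "\n".join(f"[{d}] {docs[d]}" for d in retrieve(query, docs))
    return f"Context:\n{context}\n\nAnalyst question: {query}"


if __name__ == "__main__":
    print(build_prompt("Lateral movement to domain controller dc01: what should I do?"))
```

The point of fusing two rankings rather than trusting either alone is that the lexical side is exact on identifiers (an asset name like dc01, a rule id) while the dense side tolerates paraphrase; RRF combines them without needing the two score scales to be comparable. Because only the retrieved snippets reach the model, the prompt is also a natural audit record of what context informed each answer.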

When building queries, even small errors can impact an investigation or lead to unreliable results. Elastic AI Assistant helps prevent this with a built-in validation workflow for Elasticsearch Query Language (ES|QL) queries. Every query the AI Assistant generates is automatically checked, and if an issue is found the Assistant goes back and corrects the query before presenting it. This means that by the time a query reaches you, it has already been checked and fine-tuned for your environment, giving you greater confidence in the accuracy of the results. By removing the need to memorise every detail of the syntax, analysts spend less time troubleshooting and can accelerate investigations.

Streamlining MTTR with Elastic Security

Elastic Security streamlines MTTR with a unified approach to security response, bringing endpoint and SIEM data together in a single operational view. This eliminates the context-switching that can slow incident response and can reduce MTTR by about 40% in some cases.

Misdiagnosed alerts, tool sprawl, and alert fatigue are replaced with automation, machine learning, and AI-driven analytics that drive down MTTD and MTTR. This is all supported by user-friendly interfaces, intuitive query language, and visualisations that remove the need for extensive training.

Learn more

Download our white paper to learn how Elastic’s AI-driven approach helps defence SOC teams reduce analyst fatigue, respond faster, and maintain mission readiness. Share your project objectives with us to explore solutions for your specific challenges, and get in touch with our defence experts.

Sources:

  1. UK Ministry of Defence, “Digital Strategy for Defence,” 2021.

  2. TechUK, “Ministry of Defence releases new Cyber Resilience Strategy for Defence,” 2022.

  3. Under Defense, “SOC Performance Unplugged: Understanding MTTD, MTTA&A, MTTR, and more,” 2025.


The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.