Why cybersecurity data science is the new security frontier

Cybersecurity data science has shifted enterprise defense from a human-led response to a high-speed computational challenge. As attackers automate and compress breach timelines, organizations must analyze massive volumes of telemetry in near-real-time to keep pace.

Nowhere is this speed mismatch more visible than in the modern security operations center. As threat actors weaponize automation to breach environments in minutes, the traditional security operations center is struggling to bridge a 45-minute “alert gap” created by fragmented tools and legacy pipelines, according to Josh Salmanson (pictured, far left), vice president of the Cyber Defensive Practice at Leidos Inc.

“Adversaries are getting into an environment in under a minute now. They’re doing everything they’re going to do on the objective and getting back out,” Salmanson said. “The problem is the systems that we have in place today take a much longer time to alert the staff that there’s an issue … That could be 30 to 45 minutes. The adversary’s already gone. Without making a change in the fundamental architecture for our defenders, we’re not going to be able to keep up.”

Salmanson spoke with theCUBE’s Dave Vellante at Vast Forward 2026, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They were joined by Robert Linger (center left), vice president of the Information Advantage Practice at Leidos, and Randy Hayes (center right), vice president of Vast Federal at Vast Data Inc. They discussed the transition from pilots to scalable production in artificial intelligence as well as the current state of cybersecurity data science. (* Disclosure below.)

Cybersecurity data science narrows the alert gap

The modern threat landscape is defined by how quickly attackers can infiltrate and execute. While cybersecurity metrics once measured breaches in hours, current research from firms such as CrowdStrike Holdings Inc. suggests that attackers now move laterally across networks with a 29 minute average breakout time, compressing defenders’ response windows significantly. This reality has rendered human-centric triage obsolete, as the volume of telemetry — often reaching 120 billion events per week for a single enterprise — far exceeds manual processing capabilities, according to Salmanson.

“If you can’t use advanced data science, it’s no longer a cyber problem,” he said. “It’s a data science problem.”

But the primary obstacle for defenders trying to scale cybersecurity data science remains tool bloat. Most large organizations manage 70 to 80 disparate security products, which creates a massive lag as data is filtered, parsed and moved between silos, according to Salmanson. By the time a ticket reaches a human analyst, the adversary has already exited the network.

“Without changing the fundamental architecture for defenders, we’re not going to keep up,” Salmanson said. “CPU-based systems process events step by step. When you can parallelize analytics across GPUs and correlate telemetry in seconds instead of hours, you fundamentally change the defender’s advantage.”

But faster infrastructure alone isn’t enough; it also changes how security operations are structured. As enterprises move toward “AI factories,” the concept of agentic security — using AI agents to supervise other agents — is becoming a necessity. However, deploying autonomous agents within a federal or high-security environment requires a specialized framework to ensure every action remains within defined boundaries. To manage this, Leidos utilizes a “calibrated trust framework” designed specifically for these demands, according to Linger.

“At Leidos, we have a framework we put together — called our calibrated trust framework — that is designed specifically to address that agentic flow,” Linger explained. “Initially, we had [a framework for] Trusted AI and that was really more about building trust in the systems that you had and the type of work that they were doing. But now as we start to push that out further, and we have agents, sometimes you have agents managing agents … At the end of the day, you have to have some sort of way to ensure that you have cost controls and auditability across those consumption-based capabilities.”

The framework is intended to ensure that as AI agents handle repetitive triage, their actions remain governed and auditable. It is designed to operate within high-performance, on-premises data environments such as those built on Vast’s disaggregated storage architecture, which keeps telemetry centralized while enabling distributed analytics. Of course, autonomous threat response only works if every AI-initiated action is fully visible, controlled and auditable, according to Hayes.

“We have to be able to audit all of the actions. We can’t just let these agents do whatever they want because it’s going to end up being super problematic,” Hayes explained. “I think when you start looking at all of the governance that we’ve also built into the platform, and then all of the experience that Leidos has to bring to bear, we can … build that end-to-end threat detection and dissemination and response in a way that’s also governed and auditable so that we can show, ‘Hey, this is every single action that was taken without a human in the loop.’”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of Vast Forward:

(* Disclosure: TheCUBE is a media partner for Vast Forward. Sponsors of theCUBE’s coverage, including presenting sponsor Solidigm, do not have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE