The increasing adoption of cloud computing has expanded organizational attack surfaces and created additional opportunities for identity abuse, ransomware operations, data exposure, and configuration-related security incidents. Conventional monitoring environments based primarily on static rules, fragmented telemetry, and manual triage often struggle to prioritize high-severity incidents in real time. This study evaluates the operational impact of an integrated AI-augmented cloud-native SIEM/XDR/SOAR architecture for cloud threat detection and automated incident response. A sequential mixed-methods comparative case study was conducted across two enterprise-style security environments: an AI-augmented architecture combining cloud-native SIEM, XDR telemetry unification, behavioral analytics, AI-assisted correlation, generative-AI analyst support, and SOAR automation, and a conventional baseline environment based on manual triage and signature-based controls. Three attack scenarios were analyzed: phishing-led account takeover, multi-stage ransomware, and shadow-IT data exfiltration. The AI-augmented architecture reduced mean time to triage from 17.4 h in the conventional baseline to 10.7 min and enabled ransomware containment in under five minutes through pre-configured automated response playbooks. The results also showed improved prioritization of high-severity incidents, reduced analyst review burden, and a high automated closure rate. The findings provide operational evidence for the evaluated security architecture. Limitations include single-vendor dependency, non-equivalent false-positive classification mechanisms, proprietary model internals, calibration requirements, and detection gaps involving legitimate third-party services and password-protected content.
Chagovec et al. (Mon,) studied this question.