Home Artificial IntelligenceA Security Architecture Built for the AI Era: The Solution That Could Reprice Cyber Defense

A Security Architecture Built for the AI Era: The Solution That Could Reprice Cyber Defense

by Joseph Wilson
14 minutes read

Cyber risk is underwritten on questionnaires because the industry has never been able to measure the thing that actually matters. Sivadeep Katangoori, a security architect who spent a decade building the data platforms that corporate cybersecurity runs on, has built a system that produces the missing number. The consequences reach well past the security budget.

The Number Nobody Can Produce

Strip the process away and cyber underwriting comes down to a list of questions. Is multifactor authentication enforced. Does a tested response plan exist. Are patches applied on a defined cycle. The applicant attests, the underwriter prices, and the policy issues.

Notice what every one of those questions asks about. Capability. Not one of them asks about performance.

Insurers are not being careless. They are working around a measurement problem the security industry has never solved. Nowhere in a typical enterprise is there an auditable figure showing how long that enterprise takes to get from finding a flaw to proving the flaw is gone. Detection gets measured because detection happens inside one system and leaves a log entry. Closure happens across a dozen systems with people standing between them, and no single record follows it all the way through.

The result is that money flows toward the appearance of defense. Forty analysts and a slow process will always fill out an application better than six analysts and a fast one. Premiums follow the questionnaire. Budgets follow the premiums. Board confidence follows both.

Sivadeep Katangoori’s claim is that the figure is not unmeasurable. It is simply unmeasured, because nothing in the conventional security stack was ever built to emit it. Construct the loop that does, and the economics shift for everyone standing downstream of it, starting with the people who price the risk.

Why the Gap Exists

Most mature security programs pay for four kinds of tooling. Each does one job well and cannot do the job that follows it.

  • Vulnerability scanners surface what has already been catalogued somewhere.
  • Threat intelligence platforms report on the wider world. They never touch your estate.
  • Automation and orchestration platforms run playbooks against signals a person defined in advance.
  • Endpoint and extended detection platforms notice odd behavior and can quarantine a machine. Quarantine is not repair.

A person sits in every join between them. Somebody reads the alert. Somebody opens the inventory to see whether it applies. Somebody raises a ticket, chases an approval, books a change window. Add the joins together and an enterprise answers in weeks while its adversary works in hours.

The tools are not the problem. The joins are. And the joins are exactly where the number gets lost.

This is why asking a security leader what slows them down almost never produces the answer you would expect. They knew about the problem. Something else stopped them.

  • Alerts arrive faster than anyone can work them, so triage quietly becomes rationing.
  • Inventories drift out of date, so nobody can say with confidence whether the organization is even exposed.
  • Patch queues lengthen, because change control was built for predictable releases rather than emergencies.
  • Advisories from vendors land after the exploitation has already started.
  • There are not enough people who can do this work by hand, and higher salaries do not create them.

The Deadline Moved

For most of the industry’s history the pace of an attack was set by the patience of a human being. Someone had to study the target, find the weakness, write the exploit, and try it. That work took weeks, and defensive processes were designed against that clock.

The clock has been replaced.

Models now survey infrastructure, produce working exploits, and refine them without anyone at a keyboard. What used to take an adversary a month takes an afternoon. Meanwhile the defending organization still runs on ticket queues, approval chains, and change windows measured in days, because those were built around the older assumption and nobody has revisited it.

The compounding is the part that ought to reach a board. Automate the attack and each cycle runs faster than the last. Decline to automate the defense and it runs at exactly the speed it ran at yesterday. Three assumptions underpin conventional practice and all three have now failed at once: that a patch will exist when it is needed, that alert volume will stay inside human limits, and that the wait between scans will be shorter than the wait between disclosure and exploitation.

The Architect

Katangoori came to security sideways, through the infrastructure underneath it rather than through the operations center. It proved to be the more useful entrance.

His first exposure to the domain was as a platform engineer at Bank of America, where he built the Global Information Security Data Lake and then the cybersecurity operations analytics platform that ran on top of it. Four years at Wells Fargo followed, running enterprise data lake infrastructure, designing critical applications, and taking cost out of the estate. He moved into consulting for a period, delivering data platform work to state agencies. In 2025 he came back to security and finance as a Security Specialist and Solution Architect, with vulnerability remediation and threat hunt mitigation in his direct scope.

He returned, in other words, to the foundations he had helped pour. They had carried a decade of security operations and had never been designed for an opponent that does not rest.

The technical range behind that: enterprise data platforms on Azure, Google Cloud, and AWS, and the long modernization from Hadoop distributions to cloud native open lakehouse architectures. Data centric security, meaning classification, encryption at rest, role management, and secured communication. Multi tenancy built for institutions where isolating one tenant from another is a regulatory obligation rather than a design preference.

He holds a Master of Science in Software Engineering from East Carolina University and executive education in Artificial Intelligence from the Haas School of Business at the University of California Berkeley. He is a Certified Data Management Professional, a Google Cloud Professional Cloud Architect and Professional Data Engineer, a Project Management Professional, and a Senior Member of IEEE. He wrote Mastering Data Lakes and Cloud Platforms. He is named on a patent application for adaptive intrusion detection and prevention using behavioral analytics and AI models, sits on the editorial board of the International Journal of Emerging Trends in Computer Science and Information Technology, and has spoken and chaired sessions at conferences including the Global Artificial Intelligence Conference and ICMRTA.

A title from his own catalog captures the thinking better than any summary would: AI strategy is not about models, it is about platforms. A model has a shelf life of roughly eighteen months. Whether an organization ever extracts value from one depends on what sits beneath it. Data contracts. Governance. Orchestration. A record of what happened.

The gap he works on is the gap between knowing and doing. Enterprises are not short of detection. They are drowning in it. What they lack is the machinery to convert a detection into a defensible action quickly enough for it to count.

What the System Does

Put plainly, and continuously, the platform does seven things in order. It watches. It looks into whatever it finds. It establishes how much that finding matters to this particular estate rather than to the world at large. It informs the people who need to know. It puts forward a fix. It carries the fix out. It confirms the fix worked and closes the file.

The choice that makes this possible is a dull one, and Katangoori would say that is the point. He declined to treat vulnerability response as a security incident and treated it as a supply chain instead, with one language enforced at every join. Systems hand structured information to each other rather than parking it until a person retypes it into the next tool.

That shared language, not any individual component, is the asset. It is also what brings the number into existence. Once every step from first signal to confirmed closure writes into one continuous record, the time between them stops being somebody’s estimate and becomes a measurement that can survive an audit.

Nothing on the market runs the loop from end to end. Scanners finish at detection. Intelligence finishes at notification. Orchestration finishes at the workflow. Endpoint tools finish at containment. Closing the circuit is what turns a set of individually good products into a figure a board can govern by and an underwriter can price against.

The Decision That Belongs to the Board

A measurable closure time counts for nothing if the actions producing it cannot be held to account. This is the point at which most automation conversations lose their footing, and the point at which this design makes its sharpest choice.

There are two operating modes. Which one an institution runs is a question about its appetite for risk, not about how advanced its engineering is.

Human in Command. The system observes, investigates, assesses, and reports, and stops there. Production is untouched. People lead and the machine assists. Most regulated institutions will begin here, and the majority of the time saving arrives in this mode alone.

Human in the Loop. The system additionally proposes, executes, and confirms the remediation, pausing at a named approval gate before every consequential step. The machine leads and people authorize. Nothing irreversible happens without a person putting their name to it.

It reads like a procedural footnote. It is the governance architecture. Speed that does not cost control. Automation that does not cost oversight. Intelligence that does not cost accountability. An organization can switch the first mode on immediately, replay it against incidents it has already lived through, and build its own evidence base before granting the system any authority at all. Nothing here asks anyone to take it on trust.

No serious person is suggesting that machines should patch production unsupervised. The proposition is narrower than that, and harder to argue with. Anywhere a person currently waits for context, a machine can gather that context first. The decision stays with the human. It simply arrives in seconds, with the evidence already assembled.

What Repricing Would Change

The figures below are modeled rather than measured. They describe what the architecture implies against published industry baselines, not results observed from a production deployment. Where independent corroboration exists, it is cited.

Speed

The traditional lifecycle, in Katangoori’s model, takes twenty one to forty five days. Under the autonomous version, assessment and reporting fall to seconds, detection and verification to minutes, and remediation is held up by nothing except patch availability and change control.

Total modeled response time falls to four to twenty four hours, a reduction of between 95 and 99.6 percent depending on where in the baseline range an organization starts.

External evidence supports the direction of travel, if not the magnitude. IBM’s 2025 Cost of a Data Breach Report found that organizations making extensive use of AI and automation in security operations shortened their breach lifecycle by roughly eighty days and saved close to 1.9 million dollars per incident against organizations that did not. The global average breach lifecycle still runs 241 days.

Cost

Three lines on the ledger move.

  • Labor. Investigation, correlation, ticketing, and verification stop eating analyst hours. The analysts remain. The clerical work does not.
  • Breach exposure. Shorter dwell time lowers expected loss, and expected loss is what underwriters actually price.
  • Compliance. Audit ready documentation falls out of the workflow instead of becoming a project of its own.

Modeled cost per incident falls from a baseline of 1.8 to 4.2 million dollars down to between 150,000 and 400,000 dollars, a reduction of 78 to 96 percent across the range.

Workforce

Modeled analyst time per incident falls from 120 to 250 hours down to 10 to 25 hours, reclaiming between 95 and 240 hours each time. Audit preparation falls from 40 to 80 hours down to 2 to 5.

None of this removes the security workforce. It redeploys it. Triage is the least valuable work a skilled analyst does and the most draining, and it does more than anything else to drive people out of a profession that cannot spare them. Move those people onto threat hunting, architecture review, and adversary modeling and every practitioner already on the payroll becomes more productive. Where the shortage of security professionals is structural rather than cyclical, output per practitioner is the only lever anyone actually controls.

The Market That Opens

Round the clock defense has always been priced for organizations that can staff round the clock. As an orchestrated platform, the same posture reaches mid market firms, regional banks, hospital systems, and municipal utilities. That is the economically consequential part. Defense stops scaling with headcount budget.

The benefit does not stay with those firms either. Smaller enterprises that cannot fund a round-the-clock operations center currently opt out of real defense, and in doing so become the soft entrance into the supply chain of every larger firm that can. Cyber risk concentrated at the weak end of a supply chain is systemic risk. It behaves the way credit risk behaved in the years before anyone thought to model the correlations.

Make closure time measurable and several markets reorganize around the measurement.

  • Insurers can underwrite on demonstrated posture instead of a signed questionnaire.
  • Managed security providers can sell time to closure rather than tickets processed.
  • Software vendors can ingest standardized disclosure packages and shorten their own advisory cycles.
  • Operators of critical infrastructure can share one response model across sectors.

The Macroeconomic Case

Productivity first, then competitiveness, then stability. Productivity, because scarce, highly skilled workers stop doing work a machine does better. Competitiveness, because an economy whose critical infrastructure absorbs machine speed attacks without interruption keeps the investment that drains away from economies that cannot. Stability, because risk travels through supply chains, and a defense that scales down to the smallest supplier pulls the correlation out of the network.

The sustainability argument is real rather than ornamental. Unplanned outages across power grids, transport networks, and production lines waste enormous quantities of physical resource. Avoiding them conserves it.

Should autonomous defense become ordinary infrastructure rather than premium tooling, the marginal cost of adequate security converges on the cost of the computing it consumes. Entire categories of firm priced out of real protection come inside the perimeter. The reduction in national cyber risk is not the sum of those individual gains. It exceeds them, because attacks travel through the weakest connected node, and that node is what has just improved.

What Senior Leadership Should Take from This

  • Ask for mean time to verified closure rather than mean time to detect. An unremediated detection is a liability you have written down and filed.
  • Treat assisted versus autonomous remediation as a governance decision carrying a stated risk appetite, not a procurement decision handed to the security team.
  • Begin in assisted mode and demand an evidence base before granting the system authority to act. The productivity arrives well ahead of the autonomy.

The Standard, and What Is Not Solved Yet

The shared language between systems is the piece most likely to be underestimated. If the industry converges on a common contract for how a vulnerability signal travels between intelligence, orchestration, ticketing, patching, and verification, then interoperability stops being something you negotiate with a vendor. Standards make markets, and this one would make a market in autonomous defense components that compose. It generalizes across sectors because the language does. Each industry brings its own inventory, its own weighting of what is critical, its own approval policy. The circuit itself does not change.

Katangoori calls the category Autonomous Zero-Day Defense. Whether that name lasts hardly matters. CrowdStrike, Wiz, and Palo Alto all grew by naming a category before it existed, and each drew the same fair objection at the time: this is a feature, not a category. Features become categories when the constraint underneath them changes. This constraint has changed.

Two problems are unsolved, and he raises both himself rather than leaving them for someone else to find.

The first is proof. Autonomous remediation deserves trust only to the extent it can show what it altered and demonstrate the alteration worked. Today verification means a rescan. The next stage of the work belongs to formal assurance, and to governance frameworks under which a regulator can audit an autonomous decision after the fact. No insurer will price against a number until the number can withstand that scrutiny.

The second is independence. Any system fed by public vulnerability feeds and vendor advisories inherits their latency and stays blind to a flaw the world has not published yet. A system reading anomalies in an organization’s own code and telemetry carries no such limit. This platform already reaches into both. Closing that loop, so that an internally discovered flaw carrying no public identifier and no advisory can still be assessed, contained, and verified on internal exposure alone, is the work that would make the platform’s name literally true.

Building the autonomy was the engineering problem. Earning the authority to use it is the institutional one.

You may also like

A News Publication Company
CBHerald.com is your one-stop platform for breaking news and information. We are an online news company committed to providing accurate, dependable, and timely coverage of the events and issues that are most important to our readers.