2018 Black Hat Superpower Survey: It's About Time and Talent

August 22, 2018
Vectra AI Security Research team
2018 Black Hat Superpower Survey: It's About Time and Talent

We love Black Hat. It’s the best place to learn what information security practitioners really care about and what is the truth of our industry. Because we want to always be relevant to customers, we figured Black Hat is an ideal event to ask what matters.

We conducted a survey

To better understand what matters, we conducted a simple survey of four questions at Black Hat. Two questions were geared to understand what people find tedious and time consuming, and how they’d prefer to spend their time at work. The second two questions were to gain insight into their personality, so we also asked which Avenger they would most like to be and what superpowers they’d like to possess.

Who took the survey?

Black Hat is filled with people who spend their day threat hunting and managing or building security operations centers (SOCs) tasked with responding to everything from security alerts to a full on cyberattack.

It’s the perfect audience. The 879 people surveyed included a cross section of chief information security officers, security architects, security researchers, and security operations center and data center operations staff.

What did we learn?

Time is the most important factor in detecting cybersecurity breaches. To protect key assets from being stolen or damaged, threats must be detected, confirmed, remediated, and verified in near-real-time. To build the fastest and most efficient processes, it makes sense to combine man and machine, enabling each to focus on what they do best.

Which Avenger would you like to be?

Most people surveyed at Black Hat want to be a highly intelligent tech billionaire in charge of a global corporation.

This billionaire thrives on his ability to design and build cool gadgets with assistance from a sophisticated AI assistant—a billionaire with cool cars and space-flight capability.

No, not Elon Musk. People want to be Iron Man (a.k.a. Tony Stark). Captain America, Ant Man and Dr. Strange took second, third and fourth positions.

What superpowers would be most useful to your job?

The most-desired superpower turns out to be consistent with the Marvel’s Avengers—supernatural intelligence. We get it. Incident investigations require a broad and specialized set of skills, including malware analysis, forensic packet and log analysis, as well as the correlation of massive amounts of data from a wide range of sources.

Finding enough talented people to effectively perform incident investigation is difficult, and those that already exist are overworked. The good news is that some level of supernatural intelligence is achievable today. How? By augmenting the best abilities of human intelligence with the strength of AI.

There is a measurable trend within organizations that have implemented AI to automate tedious incident response tasks to augment SOC manpower. This enables security analysts to focus on their keen analytical skills and empower critical decision making. Teams that use AI to augment the work of security analysts achieve greater levels efficiency and efficacy than those who do not.

If you had the power to eliminate the most time-consuming and unsatisfying aspect of your work as a security professional, what would it be?

Reviewing security alerts to find suspicious activity is the answer most respondents indicated as time-consuming and unsatisfying work. There is nothing fun about manually working through what could be hundreds to thousands of events with little to no context that end up being to benign or low risk behaviors.

Security event investigations can last hours, and a full analysis of an advanced threat can take days, weeks or even months. Even large SOC teams with skilled analysts find it difficult to detect, confirm, remediate, and verify security incidents fast enough. It’s mentally exhausting and sucks all the hours out of your day. This isn’t why we joined information security. Iron Man wouldn’t spend his time manually investigating anything.

This is the kind of tedious work is better suited for an AI assistant—a machine that can process large volumes of information in real time and prioritize the highest risk threats. The AI assistant enables security analysts to focus on what matters most—responding to cyberattacker behaviors that can cause real damage. That is why Iron Man has Jarvis.

What part of your job would you like to spend more time doing?

Threat hunting is the top answer to this question. Threat hunting is the fun part of the job—the thrill of the chase—and most wished they had more time to do it. But threat hunting can be a manual process. A security analyst must sift through large volumes of information, using their own knowledge and familiarity with the network, to create hypotheses about potential threat vectors, such as lateral movement and misuse of accounts.

Finding the time to hunt on regular basis is nearly impossible. The hardest part of threat hunting isn’t even the hunting itself. It is knowing where to hunt so that a security analyst doesn’t spend time pursuing threats that lead to a dead end.

The good news is AI can give back the time needed for effective threat hunting. Vectra is committed to empowering security analysts with superb threat-hunting capabilities. We do that with Cognito, our cyberattack-detection and threat-hunting platform. AI-powered threat detection automatically surfaces the stealthiest attackers. Cognito’s focus on attacker behaviors—the methods that attackers must use—provides a high-fidelity, actionable signal.

Threat hunters are empowered to launch deeper and broader investigations of incidents detected by Cognito and other security controls, while enabling retrospective hunting for undetected threats.


At Vectra, our mission is to enable talented cybersecurity professionals to do more of what they like—threat hunting—and less of what they dislike—triaging security alerts. This optimizes time and talent, the most strategic objective in preventing cybersecurity breaches.