Brian Murphy on the Great Re-Architecture of Cybersecurity | EXPONENT 2026
At EXPONENT 2026, hundreds of security leaders gathered in Tampa around a single problem: the SOC model most enterprises rely on wasn't built for a world where attackers move at machine speed. The fastest intrusion-to-exfiltration we observed last year took 6 minutes. The average SIEM detection time across our customer base is 51 minutes.
The gap between attacker speed and detection speed keeps widening, and this outdated approach to detection isn’t helping. While your SIEM indexes, attackers are mapping your infrastructure with your own tools—watching you onboard employees, launch products, and expose new attack surfaces in real time.
As ReliaQuest founder and CEO Brian Murphy put it: "We are in the middle of the great rethink—the great re-architecture of cybersecurity. The adversary has gotten faster. Our environments have gotten more complicated. And speed and simplicity are the order of the day."

Brian Murphy, ReliaQuest Founder and CEO
Much of EXPONENT focused on what the agentic AI-powered SOC looks like in practice—how GreyMatter's agentic Teammates orchestrate detection, investigation, and response autonomously across enterprise environments, and what separates real agentic architecture from the marketing version. But agentic AI is only as fast as the architecture it runs on. And for most organizations, that architecture is still the bottleneck.
Flip the Detection Model or Fall Behind
The SIEM was designed for log aggregation and compliance—a system of record, not a system of action. But when the industry needed a place to run detection logic, the SIEM was the only thing with all the data. So detection got bolted on.
That decision calcified into an entire operating model. Detection rules run at storage. Analysts query storage. Response workflows start from storage. The SIEM became load-bearing not because it was the right architecture, but because it was the only one available.
The cost of that decision is now measurable. Across our install base of 1,300+ enterprise environments, 76% of detection use cases don't require a SIEM at all. Three-quarters of what security teams are paying to ingest, index, and search could be detected earlier, cheaper, and faster somewhere else.
Detection Should Follow the Threat, Not Wait for the Data
Threats originate at endpoints, in identity systems, across cloud workloads, and at the network edge, not at the SIEM. By the time that telemetry reaches storage, the attacker has already moved.
The answer isn’t a faster SIEM; a faster SIEM still puts detection at the end of the pipeline. Detection logic needs to run where threats actually appear—at the source and while data is in motion.
At-source detection means pushing detection rules directly to the tools generating telemetry: your EDR, your identity provider, your cloud platform. No centralization delay. No indexing overhead. The rule fires where the event happens.
In-transit detection means evaluating data as it moves through your pipeline, before it reaches any storage destination. This is what we built GreyMatter Transit to do. At EXPONENT, we showed Transit firing detections in under five seconds, closing the 51-minute gap before the data even reaches storage.
Under this model, the SIEM doesn’t disappear; it gets right-sized to one layer among three, handling compliance-driven queries while speed-critical detections fire earlier. But operating detection across three layers—each with different speeds, data formats, and response requirements—isn't a workflow humans can manage manually at scale. SOCs need an agentic AI architecture to orchestrate detection, investigation, and response across all three layers so security teams can run faster without multiplying headcount.
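To make the in-transit versus storage-based distinction concrete, the following is an added example and not ReliaQuest or GreyMatter code. It runs one detection rule (five failed logins followed by a success from the same source within five minutes, a threshold and window chosen here as assumptions) in two ways: once on each event as it passes through a pipeline, and once as a scheduled search over events that have finished indexing. The index delay (600 s) and search interval (900 s) are assumed values, and the authentication events are constructed. The rule logic is identical in both runs; only where it executes changes, which is the point of the passage above.

```python
"""In-transit vs. storage-based evaluation of the same detection rule.
Constructed example; all timings and sample events are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

FAIL_THRESHOLD = 5     # assumed: failures needed before a success is suspicious
WINDOW_SECONDS = 300   # assumed: sliding window for counting failures
INDEX_DELAY = 600      # assumed: seconds until an event becomes searchable
QUERY_INTERVAL = 900   # assumed: scheduled search runs every 15 minutes


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since the start of the constructed trace
    user: str
    src_ip: str
    outcome: str     # "failure" or "success"


@dataclass(frozen=True)
class Alert:
    user: str
    src_ip: str
    event_ts: int    # timestamp of the event that completed the pattern
    detected_ts: int # when the detection actually fired


class InTransitDetector:
    """Evaluates the rule on each event as it passes through the pipeline,
    keeping only a small window of recent failure timestamps per source."""

    def __init__(self) -> None:
        self.failures: Dict[Tuple[str, str], Deque[int]] = {}

    def process(self, ev: AuthEvent) -> Optional[Alert]:
        key = (ev.user, ev.src_ip)
        window = self.failures.setdefault(key, deque())
        while window and ev.ts - window[0] > WINDOW_SECONDS:
            window.popleft()          # drop failures outside the window
        if ev.outcome == "failure":
            window.append(ev.ts)
            return None
        if ev.outcome == "success" and len(window) >= FAIL_THRESHOLD:
            window.clear()
            return Alert(ev.user, ev.src_ip, ev.ts, detected_ts=ev.ts)
        return None


def storage_based_detect(events: List[AuthEvent]) -> List[Alert]:
    """Same rule, but run as a scheduled search: each run only sees events
    whose indexing finished before the run started, and the alert time is
    the run time, not the event time."""
    alerts: List[Alert] = []
    seen = set()
    last_ts = max(e.ts for e in events)
    run_ts = QUERY_INTERVAL
    while run_ts <= last_ts + INDEX_DELAY + QUERY_INTERVAL:
        visible = sorted((e for e in events if e.ts + INDEX_DELAY <= run_ts),
                         key=lambda e: e.ts)
        det = InTransitDetector()     # re-evaluate the rule over the indexed data
        for ev in visible:
            a = det.process(ev)
            if a and (a.user, a.src_ip, a.event_ts) not in seen:
                seen.add((a.user, a.src_ip, a.event_ts))
                alerts.append(Alert(a.user, a.src_ip, a.event_ts, detected_ts=run_ts))
        run_ts += QUERY_INTERVAL
    return alerts


def detection_latencies(events: List[AuthEvent]) -> Dict[str, List[int]]:
    """Seconds between the triggering event and the alert, per model."""
    transit = InTransitDetector()
    transit_alerts = [a for a in (transit.process(e) for e in events) if a]
    stored_alerts = storage_based_detect(events)
    return {
        "in_transit": [a.detected_ts - a.event_ts for a in transit_alerts],
        "storage": [a.detected_ts - a.event_ts for a in stored_alerts],
    }


# Constructed trace: one password-guessing burst that succeeds, one benign typo.
SAMPLE_EVENTS = [
    AuthEvent(100, "alice", "203.0.113.7", "failure"),
    AuthEvent(130, "alice", "203.0.113.7", "failure"),
    AuthEvent(160, "alice", "203.0.113.7", "failure"),
    AuthEvent(190, "alice", "203.0.113.7", "failure"),
    AuthEvent(220, "alice", "203.0.113.7", "failure"),
    AuthEvent(250, "alice", "203.0.113.7", "success"),
    AuthEvent(300, "bob", "198.51.100.20", "failure"),
    AuthEvent(330, "bob", "198.51.100.20", "success"),
]

if __name__ == "__main__":
    print(detection_latencies(SAMPLE_EVENTS))
```

With the assumed timings, the in-transit run fires on the same second the completing event arrives, while the storage-based run fires at the first scheduled search after the event has been indexed. An at-source variant would be the same `process` loop running inside the tool that emits the events, with no pipeline hop at all; the storage layer is still useful for the retrospective queries the passage reserves for it, just not for this class of rule.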
The Detection Architecture Your AI SOC Needs
Every major security vendor is shipping AI. But most of those AI capabilities sit on top of the same SIEM-centric architecture—which means the AI is still waiting for data to be ingested, indexed, and made searchable before it can act. If your detection fires at 51 minutes, your AI-powered investigation starts at 51 minutes. You've automated the wrong side of the problem.
The detection re-architecture changes what AI can actually do. When detection fires at source or in transit, agentic AI can begin investigation and response in seconds—not because the model is faster, but because the data arrived faster.
This isn't a rip-and-replace argument. Most enterprises can't—and shouldn't—abandon their SIEM overnight.
Start with a different question: which detection use cases require storage-based search, and which ones are paying a speed and cost penalty for no reason?
Murphy's prediction at EXPONENT was direct: "The most advanced companies, the most advanced cybersecurity teams, will not use a SIEM in the next 24 months in the way we think about it today. There's hot storage, cold storage—but they're both cheap, dumb storage. We do not have time to wait for a SIEM to re-index for hours. We just don't."
The Re-Architecture Is Already Underway
The organizations moving fastest have already started the shift to three-layer detection architecture and are now running agentic AI across all three layers to investigate and respond, giving their teams an edge in the race against attackers.
Murphy closed with a line that applies to every security team: "We can't cling to the past while working on the future at the same time."
The question for every security leader is the same: does your detection model follow the threat, or does it wait for the data?