
Why MSPs Can’t Scale Detection Fast Enough to Win

By Richard Tallman, Senior Director, Worldwide MSP & Cloud at Bitdefender

Wednesday, 3rd June 2026. Posted by Sophie Milburn.

The security industry has been scaling detection infrastructure for a decade whilst attack volume grows faster. Automation buys time, but it doesn’t change the fundamental problem: if every attack reaches your detection layer, you’re in a volume race you cannot win. This is not a staffing problem or a tooling problem. It is a structural problem with how the industry has framed defence.

Detection-first architecture made sense when attack volume was manageable. It no longer is. MSPs managing security across dozens or hundreds of SMB customers face the compounding effects: every tenant adds alert volume, every new threat campaign adds investigation overhead, and your analysts spend their time validating false positives instead of investigating genuine incidents. The adversary’s cost to generate attacks is lower than your cost to investigate them. The economics favour the attacker.

The Volume Problem Is Adversarial by Design

APT36, a persistent threat actor tracked for phishing and credential theft campaigns, recently demonstrated why automation alone won’t close the gap. Bitdefender research on APT36 documents AI-assisted attack generation producing credential-harvesting campaigns at a scale that outpaces manual triage. The adversary is not just using AI to write better phishing emails; they are using it to generate attack variants using multiple obscure coding languages faster than defenders can build detection rules. Each variant forces your SOC to investigate, validate, and respond. The load compounds.

Sophisticated adversaries understand that detection systems have a carrying capacity. Flood the layer with enough volume, and even automated triage produces a backlog. Your analysts spend their time validating false positives and triaging low-confidence alerts instead of investigating genuine incidents. Customers see alerts firing but incidents still succeeding. The detection layer becomes the bottleneck, not the solution.

Supply Chain Attacks Bypass Filters MSPs Rely On

Supply chain compromises compound the volume problem in a way that pure phishing or malware campaigns do not. When a threat arrives through a trusted channel, such as a signed software update or a legitimate open-source dependency, signature-based and reputation-based defences fail. The delivery mechanism passes every pre-execution check. By the time the payload executes, it is already inside the perimeter.

Mythos, Anthropic’s next-generation AI model, demonstrates this structural vulnerability. What was underreported in the Mythos preview is that the model requires access to source code to rapidly discover vulnerabilities, making open-source projects ideal targets. When adversaries leverage AI models that can analyse and exploit open-source dependencies at scale, organisations relying on package-signing verification and reputation scoring have no alert until malicious code executes. Mythos is a known case. The delivery mechanism (trusted repositories) suggests other campaigns may be operating undetected.

Supply chain threats do not just add to the alert queue; they bypass the filters MSPs use to manage incoming volume. When everything looks legitimate until runtime, your detection layer receives the full flood with no upstream filtering. Scaling detection is the wrong answer when the problem is that too much reaches detection in the first place.

Scaling Detection Is the Wrong Race

The industry reflex is to fight AI-assisted volume with AI-augmented detection. Automate alert triage. Use machine learning to prioritise incidents. Deploy autonomous investigation tools. These are useful capabilities, but they solve the wrong problem. If every attack still reaches the detection layer, you are racing to scale a reactive process whilst adversaries scale proactive generation.

Behavioural prevention changes the economics. Instead of detecting and responding to every attack, you stop threats at execution time based on what they actually do—not what they look like, not where they came from. Behavioural analysis watches runtime actions: process behaviour, memory manipulation, system-level interactions. It is format-agnostic. A novel AI-generated payload and a supply chain backdoor both execute observable actions. If the behaviour is malicious, the prevention layer blocks it before damage occurs.

This is not an argument that detection and response are obsolete. They remain critical for the threats that evade prevention, for investigating incidents after they occur, and for hunting persistent adversaries. The argument is that reactive architecture is structurally unsustainable when attack volume grows faster than your ability to scale detection layers. Prevention reduces the load reaching detection to a manageable, high-fidelity signal instead of a flood.

Prevention as a Strategic Advantage for MSPs

The time has come to flip the script. MSPs face a choice: continue scaling headcount to chase an ever-expanding volume of detections, or adopt a prevention-first approach that proactively blocks threats before they reach the customer. The former is a race with no ceiling; the latter changes the economics entirely.

For MSPs managing security across dozens or hundreds of business customers, prevention-heavy architecture is not just a technical improvement, it is a business advantage. Every incident that reaches your SOC is time your team spends on non-billable firefighting. High alert volume burns out analysts and creates unpredictable service delivery costs. Customers see alerts firing and assume the service is noisy, not effective.

Prevention-heavy stacks produce fewer high-touch incidents, more predictable operational costs, and a measurable differentiator: “we stop more before it starts” versus competitors selling detection-only platforms. When a customer asks why they are paying for security that still generates incidents, the answer is stronger when you can demonstrate that the majority of threats never reached the detection layer in the first place.

This is also a scalability argument. Detection and response do not scale linearly across customer tenants. Adding customers adds alert volume. Adding analysts adds cost. Prevention scales more efficiently: policies and behavioural controls apply across tenants without increasing per-customer overhead. The MSPs who rebalance toward prevention now will have lower operational costs, higher margins, and more defensible customer retention than competitors who keep racing to scale detection.

What This Means for Your Stack

The practical implication: evaluate your security architecture by how much reaches your detection layer, not how sophisticated your detection tools are. If your SOC sees every attempted attack, your prevention layer is too thin. If alerts are growing faster than your ability to hire analysts, automation will not save you. It will just triage a larger backlog.

Start by asking: what percentage of attempted attacks reach your SOC? If the answer is “most of them,” your architecture is inverted. The MSPs who will dominate the next five years are the ones investing in behavioural prevention now. Not because it eliminates detection, but because it makes detection sustainable.
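The following is an added illustration, not Bitdefender's code or any product's rule set, of the two points above: a pre-execution reputation gate versus a runtime behavioural policy (the "what it does, not what it looks like" argument), and the "what percentage of attempted attacks reach your SOC" metric. The event fields, the action taxonomy and the sample executions are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Execution:
    name: str        # process name (constructed)
    signed: bool     # valid code signature present
    origin: str      # delivery channel, e.g. "vendor_update" or "email"
    actions: tuple   # observed runtime actions, in order (constructed)

# Assumed taxonomy, not any product's rule set: BLOCKED actions are stopped
# at runtime; SUSPICIOUS ones only raise an alert for the SOC to triage.
BLOCKED = {"inject_into_process", "read_lsass_memory", "encrypt_user_files"}
SUSPICIOUS = {"beacon_out"}
TRUSTED_ORIGINS = {"vendor_update", "package_registry"}

def reputation_gate_passes(ex):
    """Pre-execution filter: anything signed or from a trusted channel gets in."""
    return ex.signed or ex.origin in TRUSTED_ORIGINS

def behavioural_block(ex):
    """Runtime filter: block on malicious behaviour, whatever the file's origin."""
    return bool(BLOCKED & set(ex.actions))

def soc_load(executions, prevention_first):
    """Names of executions the SOC must still investigate."""
    reached = []
    for ex in executions:
        if not reputation_gate_passes(ex):
            continue            # stopped pre-execution
        if prevention_first and behavioural_block(ex):
            continue            # stopped at runtime: high-fidelity event, no triage
        if behavioural_block(ex) or SUSPICIOUS & set(ex.actions):
            reached.append(ex.name)
    return reached

def share_reaching_soc(executions, prevention_first):
    """The page's metric: fraction of attempted attacks that reach the SOC."""
    attacks = [e for e in executions if (BLOCKED | SUSPICIOUS) & set(e.actions)]
    return len(soc_load(executions, prevention_first)) / len(attacks)

# Constructed sample: a trojanised signed update, a poisoned package, a phishing
# attachment, a benign installer, and a signed agent that only beacons out.
SAMPLE = [
    Execution("updater.exe", True, "vendor_update", ("write_temp_file", "beacon_out", "inject_into_process")),
    Execution("build-helper", False, "package_registry", ("read_env", "read_lsass_memory")),
    Execution("invoice.pdf.exe", False, "email", ("encrypt_user_files",)),
    Execution("setup.msi", True, "vendor_update", ("write_program_files",)),
    Execution("sync-agent", True, "vendor_update", ("read_env", "beacon_out")),
]
```

Run `soc_load(SAMPLE, False)` against `soc_load(SAMPLE, True)` to see the load drop from three investigations to the single residual case that behavioural prevention does not stop, which is the threat detection still has to handle.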
