Waymo recently crossed a major milestone: Over 170 million autonomous miles driven without a single serious crash or injury. For years, autonomous driving was treated as a promise that was always just out of reach — too complex, too risky and not ready for the real world. That argument is no longer credible. Autonomous systems are now outperforming humans in high-speed, high-volume environments. That is not because they are perfect, but because they are faster in the moments that matter.

This is not an article about autonomous cars. Security is approaching the same transition.

The problem was never detection

For the last decade, the security industry has focused on detection. The emphasis has been on generating more alerts, improving signal quality and expanding coverage. These efforts have been meaningful, but we are approaching a saturation point. Despite continued progress in detection, defenders are still falling behind while attackers retain the advantage.

According to CrowdStrike, lateral movement can now occur in an average of just 29 minutes. Within that window, the difference between understanding and uncertainty determines whether an incident is contained or escalates. Visibility remains important, but the ability to move through the OODA loop — observe, orient, decide and act — within an increasingly compressed time window matters more.

Security teams are not constrained by a lack of alerts or data; they are constrained by a lack of answers. Each alert initiates a process that requires analysts to pivot across tools, assemble fragmented context, reconstruct events and determine impact. This process is fundamentally time-bound, and in most environments it still takes hours.

Attackers operate on a much shorter timeline, creating a structural asymmetry that human-driven investigation cannot match. The industry has not failed to improve detection; it has misidentified the primary constraint. Investigation speed is the limiting factor.

Security still runs at human speed

Despite advances in infrastructure, cloud and AI, the underlying workflow of security operations has not fundamentally changed. At its core, security still operates as a human-driven process: Alerts are generated, analysts investigate, context is assembled manually and decisions are made under pressure. This model was sufficient when environments were smaller and attacker velocity was lower, but it breaks down under modern conditions.

Today’s environments generate a volume and diversity of signals that exceed what manual investigation can process within the time window that matters. The limitation is not access to data, but the ability to assemble and interpret it fast enough to act. As a result, teams struggle to move from observation to orientation in time, delaying downstream decisions and response.

Compressing observation and orientation

In a traditional workflow, an alert indicating unusual access to a production workload initiates a sequence of actions — analysts query logs, correlate identity activity, review system changes and attempt to build a timeline. Each step introduces latency, slowing the transition from observation to orientation.

In modern systems, investigation can begin with a structured understanding of the event itself. The investigative sequence is absorbed into the system. By the time the alert is presented, the relevant context has already been assembled: The identity involved, the access path, the changes made and whether the behavior aligns with established patterns or represents risk.

The role of the analyst shifts accordingly. Instead of reconstructing events, the analyst evaluates a completed analysis and determines the appropriate response. This compresses the first half of the OODA loop, allowing teams to move from observation to decision with significantly less friction. It reduces latency, improves consistency and aligns the speed of decision-making with the speed of the environment.

From decision to action, without delay

Accelerating investigation addresses only part of the problem. The remaining challenge is completing the OODA loop. Even when teams reach a decision quickly, action is often delayed by manual processes. Remediation requires coordination across systems, validation of impact and careful execution. In practice, this introduces latency between decision and response.

Agent-based remediation removes this delay. Systems can act directly, with human oversight. Once a decision threshold is met, agents can isolate workloads, revoke credentials, block access paths or enforce policy in real time with the oversight of a human to ensure control. These actions are informed by the same contextual understanding generated during investigation, reducing the risk of overreaction while increasing speed.

This closes the second half of the OODA loop, where decisions are not only made faster, they are executed faster and more consistently.
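The two halves of the loop described above (context assembled before the analyst sees the alert, then threshold-gated remediation under human approval) can be sketched as follows. This is an added example, not code from the article or any product; the event schema, scoring rule, function names and sample data are all constructed assumptions, and the "act" step only records what would be executed.

```python
from datetime import datetime, timedelta

# Constructed sample data: baseline of (identity, entry source) pairs seen
# before, and raw events as they might arrive from identity and change logs.
BASELINE = {("svc-deploy", "10.0.1.5"), ("alice", "10.0.2.9")}
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "identity": "alice", "source": "203.0.113.7",
     "kind": "login", "target": "bastion-1"},
    {"ts": "2024-05-01T10:04:00", "identity": "alice", "source": "bastion-1",
     "kind": "access", "target": "prod-db-2"},
    {"ts": "2024-05-01T10:06:00", "identity": "alice", "source": "bastion-1",
     "kind": "change", "target": "prod-db-2", "detail": "iam policy attached"},
    {"ts": "2024-05-01T10:07:00", "identity": "bob", "source": "10.0.2.4",
     "kind": "login", "target": "dev-1"},
]
ALERT = {"ts": "2024-05-01T10:06:30", "identity": "alice", "target": "prod-db-2"}

def assemble_context(alert, events, baseline, window_min=30):
    """Observe + orient: gather identity, access path, changes, baseline fit."""
    end = datetime.fromisoformat(alert["ts"])
    start = end - timedelta(minutes=window_min)
    mine = [e for e in events if e["identity"] == alert["identity"]
            and start <= datetime.fromisoformat(e["ts"]) <= end]
    mine.sort(key=lambda e: e["ts"])
    path = [e["source"] for e in mine if e["kind"] in ("login", "access")]
    entry = path[0] if path else None
    return {
        "identity": alert["identity"],
        "access_path": path + [alert["target"]],
        "changes": [e["detail"] for e in mine if e["kind"] == "change"],
        "deviates": (alert["identity"], entry) not in baseline,
    }

def decide(ctx, threshold=2):
    """Decide: score the context; propose actions only past the threshold."""
    score = int(ctx["deviates"]) + len(ctx["changes"]) + (len(ctx["access_path"]) > 2)
    actions = ["revoke_credentials:" + ctx["identity"],
               "isolate_workload:" + ctx["access_path"][-1]] if score >= threshold else []
    return score, actions

def act(actions, approve):
    """Act: keep (here, only record) the actions a human reviewer approves."""
    return [a for a in actions if approve(a)]
```

The `approve` callable stands in for the human oversight step: nothing is returned for execution unless the reviewer accepts it, and a context scoring below the threshold proposes no action at all.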

AI compresses the timeline further

As organizations adopt AI, the same constraint becomes more severe. AI adoption does not introduce a new problem; it accelerates the existing one. AI-driven applications operate at interaction speed, not infrastructure speed. The environment is no longer just workloads, but interactions between users, models and data.

Risks such as prompt injection, model misuse and unintended data exposure unfold quickly and across distributed surfaces. Those risks require rapid understanding and response, often within a single interaction. Managing them requires the same capability: The ability to execute the OODA loop faster than the threat.

With AI adoption, security systems must observe interactions, orient on intent and context, decide on risk and act in real time. Traditional approaches such as periodic testing or surface-level behavioral observation are insufficient. Continuous validation models are emerging, where security systems actively probe for weaknesses and verify defenses on an ongoing basis.

Speed becomes the advantage

Autonomous driving did not succeed because it achieved perfection — it succeeded because it demonstrated better outcomes in critical scenarios. Waymo did not win by seeing more data or generating better alerts; it won by collapsing the time between perception, decision and action faster than a human driver could.

Security is undergoing the same transition. In environments where attackers operate on minute-scale timelines, workflows that depend on human-speed completion of the OODA loop are structurally disadvantaged. The future of security will not be defined by better visibility or more precise detection. It will be defined by systems that can observe, orient, decide and act — end-to-end — faster than attackers can exploit the environment.

This article is published as part of the Foundry Expert Contributor Network.