HTB Research Labs
In cybersecurity, “faster” used to mean better tooling, better alerting, better coverage. Now “faster” is a hard constraint on the business.
CrowdStrike’s 2026 Global Threat Report notes the average eCrime breakout time has fallen to 29 minutes, with the fastest observed breakout occurring in just 27 seconds. At the same time, AI is expanding what is possible on defense. Anthropic recently announced Claude Code Security, and reporting around its latest model’s testing described more than 500 high-severity vulnerabilities surfaced in open-source libraries and production codebases.
Cisco’s Splunk CISO Report: From Risk to Resilience in the AI Era (650 CISOs surveyed) reads like a reality check for 2026. CISOs aren’t debating whether AI belongs in the SOC anymore. Nearly all CISOs now report responsibility for AI governance and risk management.
This is the context for which HTB’s benchmark was built. If AI lets teams review more events, the limiting factor becomes decision quality and operational tempo. The economic upside is real, but only if you build AI-fluent workflows, reduce noise, and keep humans trained and in the loop.
Security leaders don’t get budget for “interesting.” They get budget for risk reduction, operational continuity, and measurable return.
IBM’s Cost of a Data Breach Report 2025 puts the global average breach cost at $4.44 million, with the United States average at $10.22 million. The report also quantifies how execution and governance affect outcomes:
AI and automation are associated with materially lower breach costs: organizations using AI/automation extensively averaged $3.62 million versus $5.52 million for those that did not, a difference of $1.9 million.
Shadow AI and weak governance increase costs: IBM reports an added $670,000 for organizations with high levels of shadow AI versus those with low or none.
The cybersecurity skill shortage remains a factor, even as teams try to move faster with AI and automation.
The point for business leaders is straightforward: speed and oversight are now board-level levers. AI can reduce cost and increase resilience, but only when it is governed and paired with trained humans.
Hack The Box ran the benchmark to answer the question CISOs are actually asking: how does AI-augmented capability compare to the human teams I employ?
The AI-Augmented vs Human-Only Cybersecurity Performance Benchmark Report, which includes data from HTB’s NeuroGrid Capture The Flag (CTF) competition, measured two things that map directly to operational economics:
1) output under time pressure (solve rate), and
2) speed to outcome (time-to-solve).
Across the active population, AI-augmented teams completed tasks in significantly less time, enabling 1.4x more output across all teams within the set period of time. The strongest gains were concentrated at the elite tier, where AI-augmented teams enabled up to 4.1x more output and where response times can matter most.
Key insights:
Early career productivity illusion: AI can function as a competency bridge, helping lower-ranked teams solve meaningfully more challenges, but it can also create a productivity illusion. Lower-performing AI-augmented teams were 12.5% slower, often getting stuck in unproductive loops without strong oversight and fluency.
Mid-career strongest gain: Mid-level operations saw the strongest lift on medium-difficulty tasks, where AI advantage peaked (3.89x), indicating a practical sweet spot where pattern recognition boosts productivity.
Elite speed advantage: The solve-rate advantage narrowed sharply at the top (3.2x overall to 1.7x in the top 5%), confirming elite teams already have the competency to close most of the gap. At the same time, AI-augmented elite teams saw a speed boost, completing challenges 312% faster. AI increased speed, not skills.
Capability ceilings: AI advantage peaked at medium difficulty (3.89x) and declined at hard difficulty (2.97x). Three challenges remained unsolved by all AI-augmented teams, reinforcing that the hardest and most novel problems still demand human judgment and verification.
This is the critical nuance for executives and CISOs: AI can lift output and compress time, but only when the workforce knows how to use it with intent, verification, and governance. Otherwise, you risk an increase in noise and a slowdown in decision-making.
The CISO Briefing translates the benchmark into a workforce plan. The key idea is not one-size-fits-all adoption. AI changes the tiers of the organization in different ways:
AI can act as a “competency bridge,” but L1 analyst roles often lack the depth to verify outputs and the orchestration skill to direct agents. Entry-level tasks are already trending toward automation, so leaders must redesign entry-level roles around AI-augmented workflows and deliberate learning paths.
AI advantage peaks on medium-difficulty work (3.89x), where many mid-tier analysts spend their time. This is the highest-ROI tier to embed AI into playbooks and multiply throughput.
At the top tier, the solve-rate gap narrows, but speed becomes decisive. Elite AI-augmented teams operate 3–4x faster per challenge. This is where AI becomes a speed multiplier and human judgment remains the differentiator on the hardest problems.
Last week, Dawn-Marie Vaughan from DXC shared a concrete example of what an “AI-augmented SOC” looks like in practice. Today, DXC operates a live 24/7 SOC with more than 1,200 AI agents performing L1 work, while L1 analysts were trained up into L2 roles.
Her experience reinforces a key point: the ROI is not simply headcount reduction. The real value is what happens when you remove noise and increase signal.
“When agents remove the repetitive triage work, you don’t end up with fewer problems. You end up with more signals you can actually act on. That shifts the center of gravity toward higher-context investigations and oversight,” said Dawn-Marie Vaughan, Global Offering Lead, Cybersecurity, DXC. “The organizations that win will be the ones investing in AI fluency, governance, and escalation-ready expertise.”
When AI absorbs foundational work, the organization can inadvertently reduce the repetitions that build human judgment. That is the source of security talent pipeline risk in the AI era.
The benchmark shows the shape of the risk: teams without AI fluency can lose time to loops and rework, while elite teams turn AI into speed. DXC’s experience adds the operational truth: you may reduce the L1 burden, but you still need humans for oversight and you will likely need more capacity at L2 and L3 to handle the volume of legitimate investigations AI surfaces.
The business implication is clear: if you adopt agents without a workforce plan and reinforcement learning, you can create a bottleneck where you need more high-skill operators but have fewer pathways to develop them.
Document what agents can do, what requires human approval, escalation criteria, stop conditions for loops, and auditability. Treat agents like a new workforce: assign roles, boundaries, and controls.
Train teams to set intent, supervise execution, validate outputs, and act at operational tempo. Measure fluency the way you measure any capability: through habitual practice and performance, not tool access.
Use agents to deduplicate and enrich alerts, correlate context, draft investigation narratives, and pre-stage evidence for L2/L3 review. This improves throughput without turning AI into an uncontrolled actor.
Run adversary-realistic simulations and red-team attempts to trick or misuse agents. Verify policy enforcement and log every action. Assume adversaries will target your AI workflows, or that the agents themselves may go off course.
Track time-to-triage and time-to-contain, backlog reduction, analyst hours reclaimed, loop rates, and false-positive reductions. Tie those metrics to incident disruption and financial exposure.
The attacker’s clock is shrinking. Defensive capacity is expanding. Training and governance are becoming the differentiator.
Splunk’s data shows CISOs are already accountable for AI risk and governance. HTB’s benchmark shows what happens when teams operationalize AI with skill: more work completed under time pressure, and dramatically faster execution at the elite tier. The organizations that win will be the ones that treat AI as a workforce transformation, not a tool rollout.
Download the CISO briefing and the full AI-Augmented vs Human-Only Cybersecurity Performance Benchmark report here.
If you’re attending RSAC 2026, join Hack The Box on March 26 in the Village showcase for a deeper walk-through of the benchmark and what it means for security operating models.
CrowdStrike 2026 Global Threat Report (press release): https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/
Cisco Newsroom: Splunk Report: Agentic AI Takes Center Stage in CISOs’ Path to Digital Resilience: https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2026/m02/splunk-report-agentic-ai-takes-center-stage-in-cisos-path-to-digital-resilience.html
Anthropic: Claude Code Security (announcement): https://www.anthropic.com/news/claude-code-security
IBM Cost of a Data Breach Report 2025: https://www.ibm.com/reports/data-breach