Incident detection and response (DR) is the ultimate operational test for any security program. In today’s high-velocity environments, success in DR hinges less on individual technical prowess and more on psychological safety, empathy, and cross-team collaboration. The rise of Generative AI is rapidly shifting the operational landscape, promising to eliminate repetitive tasks and amplify the productivity of security engineers.
We spoke with Pablo Vidal, Head of Security Operations at Rippling, about his approach to building a world-class DR program from the ground up, the critical mistakes organizations make, and how AI is transforming the future of threat response.
You can read the complete transcript of the epiosde here >
What is the Core Concept of Detection and Response (DR)?
Detection and Response (DR) focuses on addressing security events after they have occurred, serving as the operational pillar of a security program.
- Detection: Focusing on detection coverage to better identify nefarious activity within systems.
- Response: Focusing on a containment strategy and leveraging automation to respond quickly and effectively to events that are inevitably going to happen.
In contrast, Cloud Security and Product Security teams focus primarily on preventative controls—stopping something from happening in the first place.
What Excites Pablo About Leading a DR Team?
Pablo, who transitioned to DR from a background in Cloud Security, is motivated by the opportunity to give the function a new spin and overcome the common pitfalls of isolation.
- Changing the Black Box: Detection and Response teams can often operate as an isolated black box. Pablo enjoys leading a team that focuses heavily on cross-team collaboration and working out loud, which has led to positive outcomes.
- Creative Problem Solving: He values weeks where the team is put to the test and must be creative in figuring out how to contain and mitigate new threats and incidents where a process may not yet exist.
- Learning and Strategy: Tactical work directly feeds into strategy; handling incidents provides lessons that inform how to design better security programs and fill gaps. This emphasis is institutionalized through post-mortem exercises, where team members make notes during the incident for follow-up.
Where Do Organizations Typically Make Mistakes in Implementing DR Programs?
The biggest mistakes revolve around isolation and failing to treat the DR team as a business enabler.
- Isolation: Organizations fail to build a DR team that has impact across the entire organization. The DR team should be leveraged on project work, not only during active incidents.
- Failing to Democratize Efforts: DR efforts should focus on solving business needs and having work that can be leveraged by other teams. Rippling, for example, is democratizing their in-house SIEM so that the rest of the organization can leverage it.
How Does Automation Improve the Incident Response Process?
Incident response (IR) is often stressful, and manual tasks add unnecessary burden to the Incident Commander (IC), who is already dealing with high-stakes decisions.
- The Problem of Manual Work: Without automation, the IC must manually create a Slack channel, define roles, create a Google Drive folder, copy a template, and perform other repetitive tasks. These tasks offer no real return on investment.
- The Automation Solution: Automating these manual, repetitive processes is critical. Automation allows the IC and investigation team to focus on the things that add value—analyzing the incident, containment, and mitigation—rather than administrative overhead.
The Typical IR Flow
The IR process typically starts when anyone in the organization detects suspicious behavior and creates a security case.
- Investigation: The DR team reviews the case to determine if it is a security incident.
- Prioritization: Once an incident is started, the focus shifts to prioritization based on the severity.
- Containment/Execution: Following a defined flow chart and containment plan, the team determines necessary steps, which external accounts to involve, and how to communicate the executive summary.
How Do DR Teams Balance Rapid Response and Accuracy?
When dealing with high-severity issues, balancing the need for speed (rapid response) with accuracy (thorough investigation to minimize false positives) is vital.
- The Rubric: Having a documented rubric helps a lot. It ensures that regardless of the time zone or the individual handling the incident, the same steps and process are followed.
- Unbiased Decisions: The rubric guides the team to make unbiased decisions on the criticality and corresponding SLA (Service Level Agreement) for the incident.
- Informed Decisions: The rubric, associated with SLAs and contextual information, enables security professionals to make good, informed decisions on a day-to-day basis regarding the best return on investment for their time. Without a rubric, addressing an incident is difficult and stressful.
How is Generative AI Impacting the Future of Detection and Response?
Generative AI is already impacting DR and is seen as a way to evolve the team and remove low-value, repetitive tasks.
- Eliminating Repetitive Tasks: No security engineer likes dealing with repetitive operational load (e.g., seeing the same alert constantly). AI can be used to remove these tasks, allowing engineers to focus on items that are the highest value.
- Context and Enrichment: AI can enrich tickets with data from across the organization. This provides the DR engineer with context (e.g., based on previous alerts) to easily determine if an alert is a false positive or a genuine threat.
- Automated Assistance: Teams are already using AI to:
- Junior InfraSec Bot: Create a bot that gathers information from internal data sources (like Confluence) to automatically answer common questions (e.g., “how can I manage secrets?”), lowering the operational load on the InfraSec team.
- Log Schema Inference: Leverage GenAI to examine sample logs and infer the appropriate schema (like the OCSF schema) for data ingestion.
Will AI Replace Security Engineers?
Pablo believes AI will not replace security engineers, but rather will be a part of evolving the job. AI will make existing engineers more productive by removing tasks that don’t add value, ensuring their time is focused on tasks that bring the best value.
What is the Best Way for an Enthusiast to Enter the DR Field?
The advice for enthusiasts is to get their hands dirty and focus on building to gain the necessary experience.
- Home Lab Practicality: Enthusiasts can build a home lab (e.g., using Raspberry Pi devices) to pull telemetry, aggregate data in a security data lake, and practice writing detections. This comes with a lot of lessons learned that translate to a bigger scale.
- Focus on Building: Start playing around and building your own logging ingestion pipeline or data lake using free cloud opportunities.
- Non-Technical Skills: A growth mindset is critical because the field is constantly evolving. Professionals must be flexible and willing to learn new things rather than getting defensive about past practices.
What Key Qualities Are Needed for Hiring and Team Culture?
When hiring, Pablo looks for both technical skills relevant to the environment (e.g., AWS expertise at Rippling) and non-technical qualities that foster a highly effective, collaborative team.
- Cross-Team Mindset: Engineers must be willing to think beyond their area and focus on how security can help the rest of the organization.
- Strong Drive: Especially at a startup, drive is critical—they look for someone who is willing to make an impact and is flexible enough to thrive in chaotic environments.
- Mutual Fit (Hiring Do): The hiring process must establish a mutual fit. Candidates must be shown the program and what they are needed for. Leaders should be willing to heavily lean on the candidate to define their own place in the team.
- Defensiveness (Hiring Red Flag): The biggest red flag is when candidates become defensive about their past work or display a “know-it-all” mindset. Security practices evolve constantly, and a candidate must be humble and flexible to adapt.
- Psychological Safety: Fostering psychological safety, empathy, and unique enthusiasm for problem-solving results in a team with better output that is focused on the long term for both the company and their own personal growth.
Conclusion: The Path to a Resilient Security Posture
Pablo Vidal’s strategy for continuous security is defined by pragmatism and automation. Success hinges on reconciling the conflicting agendas of developers, compliance teams, and management through a centralized Center of Excellence (CoE) that prioritizes risk triage and custom-tailored communication.
In practice, this means establishing security not through compliance checklists, but by embedding it in the application manifest, ensuring developers define the security requirements, and automating validation in QA environments. As the threat landscape is increasingly dominated by AI, security teams must treat GenAI as a powerful but untrustworthy assistant, leveraging its power to automate remediation and analysis, but always adhering to the core principle: validate everything before execution. The ultimate goal is to remove friction and automate the fix, putting security on equal footing with the speed of the attacker.
