By Rich Perkins, Principal Sales Engineer, Prophet Security

Your security spend has roughly doubled in six years. Your time-to-investigate and respond hasn’t moved. Your CFO is asking why the security headcount keeps growing while the metrics that matter to the business don’t.

The architecture under your SOC is the reason. Not your team. Not your tooling investment. Not your hiring funnel. The operating model your program inherited assumed human-driven alert triage at the volume the business was producing five years ago, and the business stopped producing alerts at that volume a long time ago.

This is a piece about why hiring more analysts won’t close the gap, what changes when you fix the model instead, and the specific limitations and questions that should shape any AI SOC evaluation. It includes a four-question diagnostic you can run on your own program in the time it takes to finish a coffee.

The math the industry doesn’t want to admit

Google Mandiant’s recent M-Trends reporting puts global median dwell time at 14 days. The same report found that in 2025 the “hand-off” window between initial access and subsequent transfer to secondary threat group collapsed to just 22 seconds, a 95% drop from the 8 hours from 2022. Crowdstrike’s 2026 Global Threat report uncovered similar trends, with the average breakout time falling to 29 minutes, from initial access to exfiltration. 

IBM’s most recent Cost of a Data Breach research puts the average time to identify and contain a breach in 2025 at 241 days, with an average cost of $4.88 million. That’s a drop of 16% from 2020, when the time to identify and contain a breach stood at 281 days. Those numbers have not improved at the pace security spending would suggest, despite that spending having roughly doubled in five years, nor have they kept up with the shorter “breakout” or “hand-off” window

This isn’t framed to scare defenders into chasing the next hype. It’s the operating reality. Money in, complexity in, but the curve from detection to investigation and containment barely moves.

SOC teams have already done the obvious efficiency moves. They tier severity. They auto-close known-benign alert classes. They suppress noisy detection rules. They tune. They route. That’s not the problem.

The problem is that even after all of that work, the volume that lands on humans for actual investigation still exceeds what humans can investigate at the depth required. We’ve written an entire ebook on how the SOC queue is the breach, which you can download here.

In the deployments I’ve worked across, the post-tiering volume that hits human triage typically lands in the 120 to 150 alerts per day range. At 20 minutes per investigation including documentation, that’s 40 to 50 analyst-hours daily. SOC teams of 5 to 10 analysts can cover the top of that range during business hours, leaving the rest of the queue for the next shift, the next day, or never.

That’s the gap that doesn’t close with more headcount. You can’t hire enough analysts to investigate 100% of post-tiering volume at the depth the work requires. You can hire your way to better coverage at the margins. You cannot hire your way to the model change.

A diagnostic you can run on your own SOC

Before going further, run these four questions on your program. Honestly. The answers map your SOC capacity blind spots more reliably than any vendor pitch will.

1. What percentage of alerts above your defined investigation threshold did your team actually investigate last quarter? If less than 90%, you have a coverage gap that’s hiding real risk. The gap exists because of how the work flows, not because anyone is dropping the ball. More headcount won’t close it.

2. How many detection rules has your team suppressed in the last 12 months without an engineering ticket to replace the coverage? Suppressing noisy rules is healthy tuning. Suppressing them without follow-up engineering to replace what they were watching is debt. Each undocumented suppression is an attack surface you’ve stopped watching, and the threats those rules were designed to catch don’t go away because you disabled them.

3. What was your senior analyst turnover last year, and how long did each replacement take to reach productive contribution? If turnover exceeds 15% or ramp exceeds 6 months, your bench is fragile. You’re one resignation away from operational impact. Tribal knowledge walking out the door is a single point of failure most programs don’t have a remediation plan for.

4. If alert volume doubled tomorrow, what’s the first thing your team would stop doing? The honest answer is the part of your program that’s already underwater. Whatever you’d cut first is what’s currently holding on by a thread. That’s where to focus the operating model conversation.

If three or more of these answers concern you, the productive conversation moves past hiring and into a different question: whether the architecture under your team can carry the program you actually want to run.

What changes when the model fixes

The teams making real progress aren’t the ones hiring more analysts. They’re the ones changing what work humans are required to do at all.

JB Poindexter & Co, an 8,500-employee diversified manufacturer, deployed Prophet AI in 2025. In the first 60 days, they ran 4,407 investigations through the platform with a mean time to investigate under 4 minutes.

That’s 73 investigations per day at depth, against a Mandiant industry median dwell time measured in days. The deployment returned roughly 1,469 hours of analyst time to their team, equivalent to 6.3 analyst-years of investigation capacity at full annualization.

Their CISO, John Barrow, framed the outcome as “faster, more focused, and able to scale without adding immediate headcount.”

The operating model shift in that sentence is what matters. Not “we hired more people.” Not “we worked our existing people harder.” The work no longer required the same number of people.

Cabinetworks ran 3,200 alerts through Prophet AI in 33 days. Six escalated to a human. The unexpected outcome was a 90% reduction in SIEM costs, primarily from no longer needing to ingest and store raw EDR and identity telemetry that had been pulled into the SIEM purely for analyst pivot queries.

When the AI handles those pivots directly against source systems, that ingest tier becomes optional. The line item that gets cut isn’t the obvious one, and most teams don’t model that secondary saving when they evaluate AI SOC tools. They should. For programs running enterprise SIEM contracts in the seven-figure range, the secondary savings often exceed the cost of the AI platform itself.

A second outcome worth noting: when the queue clears, teams stop having to ignore low and medium severity alerts. Most SOCs quietly stop investigating those classes under capacity pressure, even when their security leadership knows the coverage gap matters. A medium-severity alert isn’t risky because it’s medium.

It’s risky because that’s where real attackers hide while your team is buried in critical-severity noise. Bringing the medium and low tiers back into investigation scope is the coverage shift most teams want and very few can resource.

Every deployment requires two to four weeks of focused tuning before reaching steady state.

How CISOs are funding this

The piece a CISO is mentally writing while reading vendor content is the budget request. Where does this money come from?

Three patterns I’ve seen work, in order of CISO political difficulty.

Path one: Unapproved headcount budget. The cleanest funding path. The team has approved or pending headcount the program hasn’t filled, and the AI platform replaces the need to hire that role. Fully loaded cost for a Tier 2 analyst typically runs $180K to $300K depending on market and seniority, which sets the floor for what the AI platform needs to displace to make the math work.

The JB Poindexter pattern fits here. The “scaling without adding immediate headcount” framing is procurement language for “this is what we’re doing instead of approving the next hire.”

Path two: SIEM cost reduction. If your team is using the SIEM as an investigation pivot workspace (raw EDR telemetry, identity logs, network data), and the AI platform takes over those pivots, the SIEM ingest and storage tier becomes optional.

The Cabinetworks pattern. SIEM ingest savings depend heavily on volume but commonly run 30 to 60 percent of total SIEM spend when investigation telemetry is the main driver.

For programs running mid-six-figure or seven-figure SIEM contracts, this funding path can fully cover the AI platform with savings left over. Get your SIEM renewal cycle date before you start the evaluation, because the timing matters.

Path three: Tool displacement. The hardest political fight. Replacing an existing SOAR, an existing case management workflow, or an existing managed service. The savings vary too widely to generalize, but the displacement creates internal opposition from whoever owns the displaced tool. Plan for it as a 6-month change management project, not a procurement decision.

Most programs end up funding through a combination of paths one and two. Path three is a year-two conversation, not a year-one one.

Where humans still need to lead

I’m pro AI SOC. I work for one. So when I tell you where it isn’t the right tool, take it seriously. Three categories where I’d recommend keeping humans in the lead.

Insider threat investigations where the signal lives in human context, not logs. AI does fine on the DLP-shaped insider threat work where the signal is in telemetry: unusual file movement, exfil to personal cloud, after-hours pulls of sensitive repos. Where it struggles is the harder subset where the deciding signal isn’t in any log.

The PIP that started Monday. The conversation a manager had two weeks ago. The contractor whose contract ends Friday. AI doesn’t have that context. Your humans do.

The right design splits the work cleanly: AI handles the telemetry layer, your team handles the human-context layer. Asking one tool to do both is where these investigations break down.

Novel TTPs with no analog in training data. AI investigation is fundamentally pattern-matching over historical examples. By definition, that’s weakest on attacks that don’t look like anything you’ve seen. Your senior threat hunters earn their keep on the alerts that don’t match anything in the catalog. Don’t outsource that work.

Highly regulated environments where data residency rules dictate where alert telemetry can live. If your compliance posture won’t let metadata leave a specific cloud or country, most AI SOC platforms (Prophet AI included) require real architecture work to fit. Some can’t fit at all. Don’t let any vendor wave that concern away with a slide.

If you’re evaluating an AI SOC tool, ask the vendor exactly where their tool fails. If they don’t have an answer ready, that’s the answer.

Three questions buyers always ask

Three questions come up in almost every evaluation, and they deserve direct answers.

What happens when the AI gets it wrong? Prophet AI documents every step of every investigation. Every question asked, every query run, every piece of evidence pulled, the reasoning that led to the verdict. When a verdict is wrong, the chain of reasoning shows exactly where it went wrong, and your team can encode the correction back into Guidance so the same mistake doesn’t repeat.

That’s a different audit trail than the three-sentence case notes most analysts write under queue pressure today, and it matters more than vendor content typically acknowledges.

Regulators are starting to ask about AI-driven security decisions. Boards are asking about defensible documentation of what the SOC investigated and why. Post-incident reviews are easier to run when the evidence chain is complete by default. The audit trail isn’t a feature. It’s how you keep your seat at the table when the auditor or the board comes asking.

What happens to detection engineering? This is the question senior practitioners ask first, and it’s the right question. You might worry that if AI handles investigation, your team loses the natural feedback loop where analysts catch and tune noisy detections. The honest answer: that work moves explicitly upstream.

Instead of relying on manual triage to spot noise, detecting engineering now use the AI’s comprehensive investigation data as a massive feedback loop, shifting the focus from suppressing alerts to equipping the AI with better context.. 

To make that upstream work happen, detection engineering shifts from an emergent activity squeezed between alerts to a scheduled discipline owned by the senior analysts whose triage time the AI has freed up. Teams that fail to operationalize that shift see detection quality drift over time. Teams that operationalize it well see detection quality improve, because the engineering happens with intention and dedicated focus.

What does the buying committee look like? AI SOC platforms touch security operations, but the procurement conversation often pulls in IT (for integrations and identity), compliance (for data handling and audit posture), legal (for the data processing agreement and AI-specific contractual terms), and procurement (for vendor risk review).

Plan for that early. Programs that try to push AI SOC through as a security-team decision often hit a six-week delay when compliance discovers the data flow questions in week four. Programs that bring compliance and legal in at the start of the evaluation typically close in half the time.

The vendor-risk question worth asking

One question vendor content almost never addresses directly, and CISOs care about it more than vendors realize: what happens to your program if the AI SOC vendor gets acquired, pivots, or fails? Three-year procurement cycles outlast a lot of vendor strategies.

Three things worth confirming with any AI SOC vendor before signing.

First, data portability: can you export your investigation history, Guidance configurations, and detection logic in a format that survives a vendor change?

Second, runbook independence: are the human-readable Guidance rules you encoded specific to this vendor, or do they document SOC logic your team could rebuild elsewhere?

Third, contractual continuity: what happens to service obligations, data handling, and support during an acquisition or wind-down event?

The third tends to separate the serious vendors from the rest. Most can answer the first two. Few have a clean answer to the third without significant pre-work, which is itself a signal worth noting during evaluation.

Closing thought

Prophet Security’s agentic AI SOC platform operationalizes expert analyst techniques at machine speed across all alert volumes, regardless of severity, to ensure a consistently clear triage queue and preemptively neutralize threats.

If your honest answers to the four diagnostic questions earlier in this piece concerned you, the next conversation isn’t whether AI SOC is the answer. It’s what your senior analysts would actually do with their Tuesday mornings if the triage queue weren’t running them.

That’s the operating model question. Whether you solve it with Prophet Security or someone else, the architecture is what needs to change. Hiring more analysts to triage at machine-generated volume is a strategy that worked in 2018. The math hasn’t worked since 2022. 

The teams that change the architecture will get a different conversation with their board next year. The teams that don’t will get the same one they had last year, with a slightly higher number on the spend line and the same number on the time-to-detect line.

Pick the conversation you want to be having.

If your SOC is dealing with alert overload or long investigation times, we’d be happy to show you what Prophet AI looks like in practice. Request a demo or reach out directly to learn more.

Rich Perkins is a Principal Sales Engineer at Prophet Security. Reach him at rich.perkins@prophetsecurity.ai or connect on LinkedIn.

Sponsored and written by Prophet Security.

If your iPhone 14 won’t turn on, the most likely cause is one of three things: the battery is completely drained, the device is frozen on a black screen due to a software glitch, or a charger or charging port issue is preventing it from powering up at all. As long as there is no physical drop damage or liquid exposure involved, you can almost certainly fix this yourself — no tools required.

These steps apply to iPhone 14, iPhone 14 Plus, iPhone 14 Pro, and iPhone 14 Pro Max. The hardware buttons and fix sequence are identical across all four models.

Quick Take: Start by charging for at least 30 minutes with a known-good cable before assuming something is wrong. If it still won’t respond, do a force restart — this fixes the majority of black screen and software freeze cases with no data loss. If neither works, move to Recovery Mode via a computer. Physical or liquid damage is the only scenario that requires a technician.

Before You Begin

Two things to check before touching any buttons. First, make sure you are not looking at a failed screen on a phone that is actually powered on — some iPhone 14 units show a completely black screen due to display failure while the phone itself is running normally. If you can hear a ring tone or vibration when someone calls, the phone is on and the screen is the issue, not the power. Second, if your iPhone was recently dropped in water or exposed to liquid, Apple’s official handling guidance is clear: do not attempt to charge or connect any accessory until the device is completely dry — wait at least 5 hours. Plugging in a wet iPhone can cause additional internal damage.

Step 1: Charge It for at Least 30 Minutes

Use the cable that came with your iPhone, or an Apple-certified (MFi) cable and wall adapter — not a computer USB port, which often delivers inconsistent power. Plug it in and wait.

If the battery is deeply drained, the screen may stay completely black for the first 5–15 minutes. That is normal. After a few minutes, you should see either a red battery icon (very low charge) or the charging icon (battery outline with a lightning bolt). If you see the red icon, leave it charging for a full 30 minutes before attempting anything else. Do not interrupt the charge cycle by pressing buttons during this window.

If the screen shows nothing at all after 30 minutes — no charging icon, no response — move to Step 2.

Step 2: Force Restart Your iPhone 14

A force restart clears a software freeze or a stuck boot process without deleting any of your data. This is the most effective single fix for an iPhone 14 that shows a black screen or won’t respond. Apple’s official force restart instructions for all current iPhones are as follows:

• Quickly press and release the Volume Up button.
• Quickly press and release the Volume Down button.
• Press and hold the Side button (the button on the right edge of the phone) until the Apple logo appears — then release.

The most common mistake here is releasing the Side button too early. When you press and hold it, you will first see a “slide to power off” prompt on screen. Do not release the button. Keep holding through the prompt. The screen will go black, and then the Apple logo will appear. This can take up to 20 seconds. Once the Apple logo shows, release the Side button and wait for the phone to finish booting.

If the first attempt does not work, try the sequence again two or three times before concluding it won’t work. The timing needs to be precise — the Volume Up and Volume Down presses need to be quick, not held.

Step 3: Inspect the Charger and Charging Port

If the phone responded to neither charging nor the force restart, the charger or port may be the problem. Check the cable for visible fraying or damage, and try a different wall adapter if you have one available.

For the charging port itself, shine a flashlight into it and look for compacted lint or debris — this is a surprisingly common cause of charging failure, especially in phones carried in pockets or bags. To clean it safely: use a dry soft-bristled toothbrush or a can of compressed air. iFixit’s port cleaning guide and Apple’s own guidance both specify the same caution: do not use metal tools, toothpicks, or pins inside the port. The pins inside the Lightning connector are fragile, and bending them means a port replacement. A few careful passes with a dry brush is all that is needed in most cases.

After cleaning, plug in again and wait 5 minutes before moving on.

Step 4: Use Recovery Mode to Fix a Software Problem

If the phone still won’t respond after charging and multiple force restart attempts, the next step is Recovery Mode — a built-in iOS diagnostic state that lets you reinstall iOS software from a computer without losing your data (if you choose “Update” rather than “Restore”). This is the correct escalation path for a device stuck in a boot loop, frozen on the Apple logo, or completely unresponsive after a software update.

You will need a Mac running macOS Catalina or later (uses Finder) or a Windows PC with the latest version of iTunes installed, plus a Lightning cable.

1. Connect your iPhone to the computer with the Lightning cable and open Finder (Mac) or iTunes (Windows).
2. Quickly press and release Volume Up.
3. Quickly press and release Volume Down.
4. Press and hold the Side button — but this time, keep holding past the Apple logo until you see the recovery mode screen (a cable icon pointing to a laptop). Then release.
5. In Finder or iTunes, select your iPhone when it appears.
6. Choose Update first. This reinstalls iOS without erasing your data. If Update fails or is not offered, you can then choose Restore — but be aware that Restore erases everything on the device. If you have a recent iCloud or iTunes backup, your data can be recovered afterward.

If your iPhone gets stuck in recovery mode during this process, perform another force restart (Step 2) with the cable still connected to exit it.

Step 5: Check for Physical or Liquid Damage

If none of the above steps produce any response, the problem is most likely hardware rather than software. Think back: has the phone been dropped from a significant height, submerged in water, exposed to rain, or left in a hot car? Even a short drop on a hard surface can dislodge internal components without leaving visible exterior damage.

Liquid damage is a particularly difficult scenario. The iPhone 14 has an IP68 water resistance rating, which means it can handle accidental splashes and brief submersion — but it is not waterproof, and even rated devices can suffer internal damage depending on the liquid, depth, and duration of exposure. If liquid damage is suspected, book a service appointment through Apple rather than attempting to charge, power, or dry the device with external heat. Unauthorized drying methods (rice bags, blow dryers, direct sunlight) can cause additional damage and may complicate a repair assessment.

Overheating is a separate issue: if the iPhone was left in direct sunlight or a hot vehicle, move it to a cool, shaded location and wait 30 minutes before attempting to power it on. Do not put it in a freezer — rapid temperature change creates condensation inside the device.

When These Steps Won’t Help

Software fixes — force restart, recovery mode — will not resolve hardware failures. If your phone has visible screen cracks, a damaged charging port that cannot be cleaned, swollen battery symptoms (a slightly bowed back panel), or confirmed water ingress, these require physical repair. Understanding your Apple warranty and repair options before you walk into an Apple Store or authorized service center will save time and set realistic expectations on cost.

If you are outside your Apple warranty period, an independent repair shop is a legitimate alternative for issues like port replacement or screen repair, though it will void any remaining warranty coverage.

Key Takeaways

• A deeply drained battery may show no response for up to 15 minutes after plugging in — always charge for a full 30 minutes before assuming a bigger problem.
• The force restart is the most effective single fix for iPhone 14 black screen and software freeze issues. The most common reason it fails is releasing the Side button when the “slide to power off” prompt appears — keep holding past it.
• Recovery Mode (via Finder or iTunes) is the correct next step when force restart alone doesn’t work — try “Update” before “Restore” to avoid unnecessary data loss.
• Liquid-exposed iPhones must not be charged for at least 5 hours — attempting to charge a wet device can cause permanent damage.
• If none of the software steps produce any response, the issue is hardware, and a professional assessment from Apple or an authorized repair provider is the right call.

Frequently Asked Questions

Looking for the most recent Mini Crossword answer? Click here for today’s Mini Crossword hints, as well as our daily answers and hints for The New York Times Wordle, Strands, Connections and Connections: Sports Edition puzzles.

Need some help with today’s Mini Crossword? It’s a big one, and a fun, interactive one — finish it, and a little red car races around the grid. See the letters it’s driving on? They spell out CIRCLING, which is exactly what the car is doing. Read on for all the answers. And if you could use some hints and guidance for daily solving, check out our Mini Crossword tips.

If you’re looking for today’s Wordle, Connections, Connections: Sports Edition and Strands answers, you can visit CNET’s NYT puzzle hints page.

Read more: Tips and Tricks for Solving The New York Times Mini Crossword

Let’s get to those Mini Crossword clues and answers.

Mini across clues and answers

1A clue: The “S” of H.S.: Abbr.
Answer: SCH

4A clue: King with a golden touch
Answer: MIDAS

6A clue: New Delhi or New York
Answer: BIGCITY

8A clue: Raggedy ___ doll
Answer: ANN

9A clue: Landmark Supreme Court case overturned by Dobbs
Answer: ROE

10A clue: Segment of a train
Answer: RAILCAR

12A clue: Pig’s nose
Answer: SNOUT

13A clue: Place for an intuitive feeling
Answer: GUT

Mini down clues and answers

1D clue: Author’s event
Answer: SIGNING

2D clue: Public health agcy.
Answer: CDC

3D clue: Barbershop offering
Answer: HAIRCUT

4D clue: ___ Tirith, capital of Gondor in the “Lord of the Rings” books
Answer: MINAS

5D clue: Short-tailed weasel
Answer: STOAT

6D clue: Place to order drinks
Answer: BAR

7D clue: “___ out!” (umpire’s shout)
Answer: YER

11D clue: Guitarist Reed
Answer: LOU

Well, it depends when you’re going to be househunting– if it’s anytime soon, Betteridge’s law applies, but if your time horizon is a ways further out, [Miana Smith] at MIT wants to make it happen. She’s got a paper out with an open-source inchworm robot designed to assemble structures from voxels– and what is a voxel but a giant, LEGO-esque brick?

There’s a demo video below, and it’s easier to understand the motion of this thing when you see it in action. The 5 degree-of-freedom MILAbot has actuators on both ends, and no traditional base– that’s the inchworm part. It grabs a brick while anchored to one part of the structure, then stays anchored to the new brick to keep building from that locale, so on and so on.

Note that we’re not talking about concrete bricks here, though conceivably you could use an inchworm-style actuator to assemble those. The ‘voxels’ in the study are engineered space-frame blocks which come together very easily, though admittedly would make for a very drafty home– you’d want to fill them with spray foam as a finishing step. So it’s more of a framing technique than a one-and-done thing. Still it is a technique that has something to recommend it compared to the 3D-printed concrete houses that get so much hype— and are already being torn down. 

For instance, the researchers find that weather the voxels are plywood, PLA, or metal, the resulting structure has less embodied energy than any concrete structure, with 3D printed concrete being worst option by that metric– though the balloon-frame stick-build we in North America consider “conventional” is still the lowest of all. On the other hand, that balloon-frame building takes a crew to put together, and labour is expensive compared to robots. At the moment, however, the study admits balloon-framing wins on price, but that doesn’t mean it always will, and it’s a fun hack regardless.

So while your next house might not be made of LEGO by a robot inchworm, we’re still grateful to [Miana] for the tip.

Most building hacks we see here are of the 3D printed variety, but don’t count out plain old dirt. For that matter, as long as someone is willing to live in it, anything can be a house– even an airliner.

Apple has seeded a second round of release candidate builds of iOS 26.5 and iPadOS 26.5, bringing the updates a step closer to public release with a smaller round of fixes and feature additions.

The RC builds arrived one week after the fourth betas. Release candidates are typically the final versions Apple ships publicly unless major bugs force additional revisions during last-minute testing.

Build number 23F77 appears on Apple’s developer portal for both iOS 26.5 and iPadOS 26.5, replacing the earlier 23F75 RC build released on May 4.

iOS 26.5 focuses on smaller platform updates

iOS 26.5 focuses on bug fixes, interoperability updates, and smaller feature additions instead of major interface changes or new Apple Intelligence features. The lighter update fits Apple’s usual pattern ahead of WWDC, where the company typically introduces its next generation of operating systems.

Support for encrypted RCS is one of the more notable additions discovered during the beta cycle. The feature depends on carriers adopting the latest GSMA Universal Profile specifications and expands encrypted messaging support beyond Apple’s existing iMessage ecosystem.

New Pride-themed wallpapers are also included in the update alongside additional changes tied to the European Union’s Digital Markets Act. Expanded support for Live Activities and notification forwarding on some third-party accessories and connected devices appeared during testing as part of those compliance efforts.

Apple is continuing work on Apple Maps ads in iOS 26.5, but the sponsored search and recommendation features don’t appear publicly active in the current builds. The company hasn’t announced a release date for iOS 26.5 or iPadOS 26.5, and RC builds usually arrive shortly before public rollout.

Most of the visible changes in iOS 26.5 focus on stability improvements and incremental feature updates rather than major platform shifts. Apple will preview iOS 27, macOS 27, and its next round of platform updates at WWDC 2026 in June.