
SuperSOC: Conversations with the People Shaping the Future of Security Operations
SuperSOC is the monthly podcast where Qevlar AI's CEO Ahmed Achchak interviews top cybersecurity experts to explore the future of the SOC.
From real-world AI applications to rethinking SecOps workflows, each episode delivers bold insights and practical strategies for modern security teams.
Recent guests include Google’s Anton Chuvakin and cybersecurity automation expert Filip Stojkovski.
Want to know more about Qevlar AI and how it can help you automate alert investigation? Head to www.qevlar.com
Shifting Detection Left In the Kill Chain. How AI Can Reduce False Negatives ft. Shane Shook @Forgepoint Capital
In this episode, Ahmed Achchak (CEO & co-founder of Qevlar AI) invited Shane Shook, Venture Partner at Forgepoint Capital and longtime advisor to top security startups, to explore why false negatives (not false positives) are still the SOC’s most dangerous blind spot.
Shane shares insights from 30+ years in incident response and threat detection on where organizations miss early signals, why overtuning rules makes things worse, and how AI can finally shift detection left without overwhelming analysts.
You’ll discover:
→ Why most SOCs miss early-stage delivery attacks, and why “trust” is still the Achilles’ heel.
→ How fear of false positives actually creates false negatives.
→ Where context (user, privilege, resource history) can make or break early detection.
→ How agentic AI and reinforcement learning can spot weak signals at scale.
→ What practical steps CISOs should take to shift detection left in 2025–2026.
Check out Shane’s book, Cybercrime Investigation Body of Knowledge:
https://www.cibok.org/en/#section-download
And his latest articles:
https://forgepointcap.com/tag/tips/
Agenda:
00:00 – Intro: Why false negatives, not false positives, cause the real damage
01:14 – How overtuning rules leads to blind spots
05:21 – The kill chain phase where most detections fail today
07:13 – Why trust relationships defeat zero trust defenses
09:02 – How AI can reduce false negatives without drowning in noise
12:18 – Why full organizational context is the missing piece
14:18 – The single most practical step to shift detection left
16:52 – Why focusing on breach indicators matters more than attack indicators
17:32 – Fire Round: The most underestimated kill chain stage
19:19 – False negatives happen when…
19:33 – The biggest risk CISOs still underestimate
Learn more about Qevlar for your SOC: https://www.qevlar.com/
Follow Ahmed on LinkedIn: https://www.linkedin.com/in/ahmed-achchak-872554109/
Follow Shane on LinkedIn: https://www.linkedin.com/in/shanedshook/