AI‑Driven Threat Detection and Automated Incident Response for Securing Cloud Workloads

The increasing adoption of cloud computing has expanded organizational attack surfaces and increased exposure to credential compromise, ransomware, and cloud misconfiguration. Conventional security information and event management (SIEM) systems, based primarily on static correlation rules and signature-based detection, often struggle to process heterogeneous cloud telemetry and prioritize high-severity incidents in real time. This study evaluates the operational impact of an artificial intelligence (AI)-augmented SIEM and Extended Detection and Response (XDR) architecture for cloud threat detection and automated incident response. A mixed-methods comparative case study was conducted across two enterprise-style security environments: an AI-augmented cloud-native SIEM/XDR architecture and a conventional baseline environment based on manual triage and signature-based controls. Three attack scenarios were analyzed: phishing-led account takeover, multi-stage ransomware, and shadow-IT data exfiltration. The AI-augmented environment reduced mean time to triage from 17.4 hours in the conventional baseline to 10.7 minutes and enabled ransomware containment in under five minutes through automated response playbooks. The results also showed improved prioritization of high-severity incidents, reduced analyst workload, and a high automated closure rate. However, limitations were observed in the calibration of behavioral models, vendor dependency, and detection gaps involving legitimate third-party services and password-protected content. The findings should be interpreted as operational evidence at an architectural level, not as an isolated evaluation of individual AI models.