
Like the sands through the hourglass, so are the days of our SOC lives…
An alert surfaces, and while it doesn’t immediately signal a critical incident, it carries just enough ambiguity to require attention. An analyst opens the investigation, begins pulling in context, reviews authentication activity, pivots into endpoint data, and checks for any corresponding changes in the cloud environment. Something appears slightly off, but not enough to justify immediate containment, so the investigation continues. A teammate comes to validate the interpretation, another log is queried to confirm scope, and the team works methodically toward a conclusion.
Nothing about this process is incorrect. In fact, it reflects exactly how security teams are trained to operate. And yet, while the investigation progresses, time continues to move forward.
What appears to be diligence at the individual step level often becomes a delay when viewed across the full lifecycle of an incident.
The problem is no longer visibility
For years, security operations lacked visibility. Teams struggled to understand what was happening across increasingly complex environments, and the industry responded by investing heavily in telemetry, detection logic, and centralized visibility platforms.
That investment has paid off.
Modern security teams are not operating in the dark. Logs capture authentication events, configuration changes, API activity, and user behavior across nearly every layer of the environment. Detection rules surface signals quickly, and alerts are generated in near real time.
The question of “what happened” is, in most cases, answerable.
And yet, outcomes have not improved at the same pace as visibility.
According to IBM Security, organizations still take an average of 277 days to identify and contain a breach, while research from Mandiant continues to show that attackers often operate undetected for days or weeks after initial compromise. This gap exists because it takes teams time to turn all that data into a decision.
Friction is what turns motion into delay
If you examine where time is actually lost during an investigation, it does not typically disappear in a single breakdown or missed signal. Instead, it accumulates across a series of small, rational decisions that introduce just enough pause to slow overall progress.
A response is debated because the cost of disruption must be weighed against the likelihood of compromise. Execution is delayed slightly to ensure alignment across teams.
Each of these moments demonstrates good judgment.
However, when these moments are chained together, they create what can be described as the coefficient of security friction: the accumulated delay that builds as work moves from signal to understanding to action.
Friction is the natural byproduct of complexity, fragmentation, and the need for certainty under pressure. But in security operations, that accumulated delay is what defines risk.
The industry didn’t eliminate friction. It redistributed it.
Over time, the industry attempted to address these challenges by increasing its capability. More tools were introduced to improve detection coverage, enrich context, automate analysis, and orchestrate response. Each addition was designed to solve a specific problem, and in isolation, many of them did.
However, at the system level, a different pattern emerged.
As capability increased, so did tool fragmentation.
Data is often stored in one platform, while context is assembled in another. Decisions are made across a combination of tools and human collaboration, and actions frequently require transitioning into separate systems or workflows. Even in well-architected environments, this separation introduces handoffs, each of which adds latency.
Gartner has consistently identified integration gaps as a driver of operational overhead, while Splunk and others have highlighted the growing number of tools security teams must navigate during investigations.
With all this sprawl, there’s a lack of continuity during investigations.
So is AI the solution?
This brings us to the question that is currently shaping much of the conversation in security operations.
If friction is the problem, is AI the solution?
When applied without regard for workflow, AI can increase friction rather than reduce it. Adding another layer of output—whether in the form of summaries, correlations, or recommendations—does not inherently accelerate decision-making. In many cases, it introduces additional interpretation steps, which can extend the time required to reach a confident conclusion, becoming another point of pause.
If AI can assemble relevant context without requiring analysts to pivot across systems, it reduces friction. If it helps teams reach a clear, defensible conclusion more quickly, it reduces friction. If it supports the transition from decision to action without breaking the flow of the investigation, it reduces friction.
Just applying AI won’t solve anything. It’s only valuable to the extent it contributes to reducing friction.
What changes when friction is reduced
When friction is systematically reduced across the data, decision, and action layers, teams move faster and reach decisions sooner, with greater clarity and less hesitation.
Investigations require fewer pivots. Escalation cycles become shorter and more purposeful. The distance between identifying a signal and acting on it begins to compress.
This is where the idea of speeding to decision becomes real.
Security teams are not moving recklessly or optimizing for speed alone. What they need is the ability to arrive at a confident verdict earlier in the lifecycle of an incident, when the opportunity to contain impact is still within reach.
Because in practice, risk does not increase simply because an event has occurred.
It increases during the time it takes to decide what to do about it.
Final perspective
What constrains security operations is not a lack of intelligence or visibility, but the delay between signal and action.
Friction is what creates that delay, and it exists in every investigation, every escalation, and every response.
AI may play a role in addressing it, but only when it is applied with precision and intent.
Because in the end, the defining advantage does not belong to the organization that sees the most. It belongs to the one who can decide—and act—before that delay becomes a consequence.
See how Sumo Logic helps solve this. Request a demo.