Surviving the Mythos Era: Richard Bejtlich on the Case for NDR

Despite the abundance of telemetry at analysts’ disposal, many security operations teams struggle to answer a few basic questions during incident investigation: What happened? What evidence do we have? How do we know we’re seeing it all, in context? Answering these questions requires teams to go beyond alerts, the most common basis for initial triage. But investigations (and their outcomes)

The article promotes Richard Bejtlich’s NDR-focused guide, emphasizing that alerts alone do not prove what happened and that teams must rely on rich network evidence, hypothesis-led hunting, and carefully governed use of autonomous agents for triage and incident response.[1][4] It discusses "agentic triage" where autonomous agents execute playbooks and support human analysts’ strategic decision-making, alongside recommendations like zero-baseline alerting and treating alerts as investigation starting points.[1] From a CyberSE.AI perspective, any move toward autonomous, playbook-driven agents in SOC workflows increases the risk of AI agent abuse if those agents can be misconfigured, socially engineered, or fed deceptive telemetry, leading to missed or mis-prioritized incidents. Organizations should harden design and permissions of such agents and regularly red-team them to ensure they cannot be easily steered or subverted during investigations.