TL;DR
NAB is rebuilding SecOps around developers and data specialists, not traditional security analysts. The reasoning: attackers operate at machine speed using AI agents and LLMs, software ships faster than ever, and detection-and-response windows are collapsing from minutes toward seconds.
CTO/COO Patrick Wright argues the old model — specialised tools generate alerts, humans investigate manually — is becoming ineffective. Security must run at "machine speed." NAB is co-designing a new SIEM with Databricks to correlate signals across server performance, account takeover, fraud, financial-crime data and availability metrics, on the premise that compromise often surfaces first in business and operational data, not security logs.
The strategic read: this is the defender-side mirror of the Mythos moment. When offence runs at machine speed, defence has to be re-architected as engineering. NAB can hire its way there. The mid-market can't — and that's the problem worth talking about.
1. What NAB actually said
Strip the press gloss and there are three claims, each load-bearing.
- 1. The operating model is broken, not the tooling
- Wright is not saying NAB bought the wrong SIEM. He is saying the shape of SecOps — tools raise alerts, humans triage — assumes a human-speed adversary. When the window to detect and contain shrinks from minutes to seconds, a human in the investigation loop is the bottleneck.
- 2. Security is a data problem
- The new SIEM, co-designed with Databricks, correlates across domains most SOCs never see: server performance anomalies, network faults, account-takeover patterns, fraud and financial-crime indicators, operational availability. The thesis: the first sign of compromise often shows up in business telemetry before it ever reaches a security log.
- 3. So the people change
- If security is data and the response is automation, you don't staff it with alert-triagers. You staff it with data engineers, analysts, developers, and AI/automation engineers — then teach them security. NAB is hiring the org chart its thesis requires.
2. Why this is the right call
We've written before — see The Zero Day Clock — that the only durable response to machine-speed offence is an operating model that runs at machine speed too. NAB has just put that into a hiring plan and a platform budget. Three things make this directionally correct.
The defender's bottleneck moved. For a decade the constraint was visibility — get more logs into the SIEM. NAB is betting the new constraint is correlation and response velocity. That's a data-engineering and automation problem, not a log-collection one.
The signal really does live in business data. Account takeover, fraud, and financial-crime patterns are security events wearing an operational costume. Treating them as separate datasets is how breaches hide in the gaps between teams.
"Machine speed" is the correct frame. When exploitation compresses to seconds, the question isn't "how fast can the analyst investigate" — it's "what is pre-authorised to happen with no analyst at all." That forces the governed-autonomy conversation every board has been avoiding.
The traditional model — tools raise alerts, humans investigate — was designed for a human-speed adversary. That adversary is gone.
3. The uncomfortable part
Here's what the coverage glides past: NAB can buy its way out of this. Almost no one else in Australia can.
The NAB approach assumes you can:
- hire scarce, expensive data engineers and AI-automation talent into a security function,
- fund a co-design partnership with Databricks, and
- run your own platform-engineering capability inside SecOps.
That is a big-four-bank balance sheet talking. The 50-to-1,000-staff firms — the ones in legal, financial services, health, professional services — face the same machine-speed threat with none of that capacity. They have a couple of analysts, an MSSP contract, a SIEM they half-use, and a patch backlog.
This is the two-tier reality again, in a new costume. Tier 1 gets to re-engineer SecOps as a software discipline. Tier 2 gets attacked at the same speed with a fraction of the means. The NAB story isn't "look what's possible." For most readers it's "look at the gap that just opened above you."
4. What this means for the Australian mid-market
You will not out-hire NAB. So the job is to capture the principles of the NAB rethink without the NAB budget. Four moves.
- 1. Adopt the thesis, not the org chart
- You don't need fifty data engineers. You need to stop treating security as a separate log silo and start correlating the business and operational signals you already collect — fraud, identity, availability, performance.
- 2. Buy the velocity you can't build
- Where NAB builds platform engineering in-house, the mid-market gets machine-speed response through managed detection, governed automation, and well-scoped agentic remediation — not by hiring a SOC of developers.
- 3. Make the autonomy decision deliberately
- Decide now, in writing, what a defender agent or playbook is allowed to do without a human — isolate a host, revoke a credential, block at the edge — and what it is never allowed to do. Pre-authorise before the incident, not during it.
- 4. Treat your own AI defence as part of the attack surface
- A data-driven SIEM and automated response is itself an agentic system with tool access. The same scoped-agency, prompt-injection and identity questions apply to your defence as to anything you would assess on the offence side. Prove it, do not just deploy it.
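To make move 1 concrete, here is an added example (not NAB's or Databricks' code) that joins constructed identity, fraud and availability events per account inside a short window and raises an indicator only when independent domains agree; the event names, weights, window and threshold are all assumptions.

```python
"""Cross-domain correlation over constructed telemetry (added example, hypothetical values)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from non-security datasets. None of them is a "security log";
# each is benign on its own. Account-less events (availability) apply to every account.
EVENTS = [
    {"ts": "2026-06-29T09:00:00", "source": "availability", "account": None,       "event": "auth_error_rate_spike"},
    {"ts": "2026-06-29T09:00:05", "source": "identity",     "account": "acc-1042", "event": "password_reset"},
    {"ts": "2026-06-29T09:00:40", "source": "identity",     "account": "acc-1042", "event": "new_device_login"},
    {"ts": "2026-06-29T09:02:10", "source": "fraud",        "account": "acc-1042", "event": "payee_added"},
    {"ts": "2026-06-29T09:03:30", "source": "fraud",        "account": "acc-1042", "event": "high_value_transfer"},
    {"ts": "2026-06-29T09:01:00", "source": "identity",     "account": "acc-2077", "event": "new_device_login"},
    {"ts": "2026-06-29T14:30:00", "source": "fraud",        "account": "acc-2077", "event": "payee_added"},
]

WEIGHTS = {"identity": 1, "fraud": 2, "availability": 1, "performance": 1}  # assumed per-domain weights
WINDOW = timedelta(minutes=5)   # assumed: signals must land inside a five-minute window
THRESHOLD = 4                   # assumed: a single domain cannot reach this on its own


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: indicator} for accounts whose events from two or more domains
    fall inside `window` and whose weighted score reaches `threshold`."""
    per_account, global_events = defaultdict(list), []
    for e in events:
        (global_events if e["account"] is None else per_account[e["account"]]).append(e)
    indicators = {}
    for account, evs in per_account.items():
        evs = sorted(evs + global_events, key=lambda e: parse(e["ts"]))
        for i, anchor in enumerate(evs):           # slide a window anchored on each event
            start = parse(anchor["ts"])
            cluster = [e for e in evs[i:] if parse(e["ts"]) - start <= window]
            domains = {e["source"] for e in cluster}
            score = sum(WEIGHTS[e["source"]] for e in cluster)
            if len(domains) >= 2 and score >= threshold:
                indicators[account] = {"score": score, "domains": sorted(domains),
                                       "events": [e["event"] for e in cluster],
                                       "first_seen": anchor["ts"]}
                break                              # one indicator per account is enough here
    return indicators
```

acc-1042 fires because identity, fraud and availability signals line up within minutes, while acc-2077's identity and fraud events are hours apart and stay quiet.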
These map directly into our service scope — the Agentic Readiness Review covers moves 1–3 and the Fractional CISO engagement governs the autonomy decision over time.
5. Questions a mid-market board should be asking this quarter
- Where do our security signals currently live — and which business and operational datasets contain compromise indicators we never correlate?
- What is our realistic time-to-contain today, and is a human the bottleneck?
- What automated response is pre-authorised, and who governs it?
- If we can't hire NAB's team, what do we buy or outsource to get machine-speed response — and is it scoped, audited, and reversible?
- Has anyone tested our automated defence the way an attacker would, or do we just trust the green ticks?
6. What to do — this week, this quarter, this year
This week
- Map where your detection signal actually lives. List the operational and business datasets (fraud, availability, identity, performance) that never reach your SIEM.
- Write down your current time-to-contain for a credential-compromise scenario. Find the human bottleneck.
This quarter
- Draft an automated-response policy: what is pre-authorised, what requires a human, what is never permitted. Do this before an incident, not during one.
- Run a machine-speed tabletop: account takeover detected in business telemetry, not security logs. Who sees it first, and how fast can it be contained without manual triage?
- Decide your build-vs-buy line for velocity. The mid-market answer is almost always governed managed response, not an in-house dev SOC.
This year
- Stand up cross-domain correlation at whatever scale you can afford — the principle scales down even if the Databricks budget doesn't.
- Pilot governed agentic remediation on a bounded, reversible use case, with proper logging and human-in-the-loop placement.
- Prove the defender platform. Test your automated detection-and-response against realistic adversary behaviour before you rely on it.
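As an added example of the automated-response policy and the bounded, reversible pilot above (illustrative code, not from the page or any vendor), this default-deny gate encodes the three tiers (pre-authorised, needs a human, never permitted), pushes a pre-authorised action back to a human when it leaves its scope, and records every decision; the action names, asset tags and limits are constructed.

```python
"""Governed-autonomy gate for an automated playbook (added example, hypothetical policy)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

AUTO, APPROVE, DENY = "pre_authorised", "needs_human", "never"

# Constructed policy. Every pre-authorised action is reversible and bounded; anything
# not listed is denied by default rather than silently allowed.
POLICY = {
    "isolate_host":      {"decision": AUTO, "exclude_tags": {"crown_jewel", "domain_controller"}},
    "revoke_credential": {"decision": AUTO, "exclude_tags": {"break_glass", "service_account"}},
    "block_at_edge":     {"decision": AUTO, "max_scope": 1, "max_ttl_min": 60},
    "disable_user":      {"decision": APPROVE},
    "wipe_host":         {"decision": DENY},
    "delete_logs":       {"decision": DENY},
}

AUDIT = []   # every decision is recorded; the trail is part of the control, not an extra


@dataclass
class Action:
    name: str
    target: str
    tags: set = field(default_factory=set)   # asset or account tags from the CMDB / IdP
    scope: int = 1                           # e.g. number of addresses covered by a block
    ttl_min: int = 0                         # 0 means no expiry, which is never pre-authorised


def gate(action: Action) -> str:
    """Decide whether `action` may run unsupervised, needs a human, or is never allowed."""
    rule = POLICY.get(action.name)
    decision = DENY if rule is None else rule["decision"]
    reason = "not in policy" if rule is None else "policy tier"
    if decision == AUTO:                     # pre-authorised only inside its declared scope
        if action.tags & rule.get("exclude_tags", set()):
            decision, reason = APPROVE, "protected asset or account"
        elif action.scope > rule.get("max_scope", action.scope) or action.ttl_min > rule.get("max_ttl_min", action.ttl_min):
            decision, reason = APPROVE, "exceeds pre-authorised scope or ttl"
        elif "max_ttl_min" in rule and action.ttl_min == 0:
            decision, reason = APPROVE, "block without expiry is not reversible enough"
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(), "action": action.name,
                  "target": action.target, "decision": decision, "reason": reason})
    return decision
```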
7. The line worth repeating
NAB just reclassified cyber security as a data and software engineering discipline — and started hiring accordingly. They're right, and they can afford it. The lesson for everyone smaller isn't to copy the staffing plan. It's to absorb the principle — correlate everything, respond at machine speed, govern the autonomy — and to get there by buying the velocity you can't build, then proving it works.
The banks are re-architecting for the machine-speed era. The question is whether the businesses sitting in their supply chains do the same — or get left defending yesterday's tempo. See also our prior pieces on IT assurance in the agentic AI era and ASD's frontier AI guidance, decoded.
8. Key terms
- Machine-speed defence
- An operating model where detection, correlation and initial response happen without a human in the critical path. Required when median time-to-exploit collapses below the time it takes to triage an alert.
- Cross-domain correlation
- Joining security telemetry with operational, fraud, identity and business data so compromise indicators that surface outside the SIEM are caught early. The premise of NAB's Databricks-built platform.
- Governed autonomy
- Explicit, pre-authorised scopes for what an automated playbook or defender agent may do unsupervised — and what it may never do. The board-level decision underneath machine-speed response.
- Agentic remediation
- Automated containment actions executed by AI-driven playbooks (isolate a host, revoke a credential, block at the edge) within a defined, reversible scope.
- Two-tier reality
- The widening gap between large enterprises that can re-engineer SecOps as a software discipline and the mid-market firms facing the same machine-speed threat with a fraction of the means.
The Mythos Brief is written by Kelvin Zhou, founder of Parade Warrior. One short, opinionated piece on the AI threats actually hitting Australian businesses. No vendor pitches. No abstract think-pieces.
Issue date: 29 June 2026.