AI-Driven Security Monitoring: Perspective on Enhancing Threat Detection and Response in Cloud Environment
2025 (English) Independent thesis, basic level (degree of Bachelor), 10 credits / 15 HE credits
Student thesis
Abstract [en]
Cloud computing currently powers a substantial portion of corporate IT. Because cloud services are distributed across multiple locations, attackers have additional opportunities to break in. As a result, several businesses are experimenting with AI-powered security monitoring, in which machine learning learns normal activity and alerts on anything unusual. This thesis investigates the research question: How do cloud security experts view the use of AI for spotting unusual behavior in reducing false alarms and improving reaction times, compared to signature-based methods?
To answer it, we used two approaches. First, we analyzed previous research to determine what is already known and where gaps exist. Second, we conducted three semi-structured video interviews with Swedish cloud security professionals who have six, ten, and fifteen years of experience. We classified their answers and compared them with the literature. Firewalls, intrusion detection systems, and traditional SIEM all prevent known attacks, but they fail to identify zero-day vulnerabilities and overwhelm analysts with low-value warnings. AI analytics can quickly detect and respond to slow, quiet threats by combining logs from multiple sources. However, models must explain their warnings, avoid data poisoning, and remain under human supervision. We conclude that the most secure strategy is a hybrid architecture: maintain traditional controls for common hazards and incorporate explainable AI for anomalous behavior, with frequent retraining and professional monitoring. While the technical capabilities of AI are central, their real value ultimately depends on how security analysts, administrators and end-users interpret and act on the system's output. Understanding this human perspective is therefore as critical as measuring raw detection accuracy.
Place, publisher, year, edition, pages
2025.
Keywords [en]
AI-driven Security Monitoring, Cloud Security, Traditional Security Approaches, Machine Learning in Cloud Security, Artificial Intelligence.
National Category
Computer Sciences; Computer Systems
Identifiers
URN: urn:nbn:se:du-50750
OAI: oai:DiVA.org:du-50750
DiVA, id: diva2:1974408
Subject / course
Microdata Analysis
2025-06-23, 2025-06-23, 2025-10-09