Hacker News
by ams6110 4425 days ago
They keep the logs so they can use them in after-the-fact investigations, and for research.

>and for research.

That's not the same thing as "monitoring for illegal/commercial/malware activity".

In some cases, research does relate to identifying Security Threats. This mostly relates to layer 7, which is much more complex than port- and protocol-based detection. The idea is: if you don't know what you're looking for (presumably a 0-day or unknown threat), then how would one find it? The answer is, research (aka analyze) the data. This ranges from Flow Data (which can date back months/years) to Packet Captures, to even Real Time Deep Packet Inspection (all relating to SIEM Solutions). In these scenarios, you would be looking for the needle in the haystack, but the needle is not clearly defined. You would have to work to identify and define it. So research does relate to identifying illegal/commercial/malware activity. Organizations that understand this are working towards implementing (or have already implemented) real time adaptive security models to mitigate these threats. This will allow them to not only identify and attempt to stop unknown Security Incidents, but also effectively investigate Incidents (forensics).
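The comment above describes hunting through retained flow data for a "needle" that has no signature yet. The script below is an added example of that kind of analysis; it is not code from the thread or from any SIEM product. It works over a handful of constructed NetFlow-style records (field names `ts`, `src`, `dst`, `dport`, `nbytes` are assumptions, not any exporter's real schema) and surfaces two behavioural oddities without a predefined indicator: conversations whose timing is clock-like, and source/destination pairs whose byte totals sit far out in the tail of everything else. Both checks are the sort of unsupervised "define the needle from the data" work the comment calls research.

```python
"""Added example: unsupervised hunting over retained flow records.

Every flow below is constructed for this example. The record layout is an
assumption chosen for readability, not a real NetFlow/IPFIX schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float     # start time, seconds since epoch (constructed)
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port
    nbytes: int   # bytes sent by src in this flow


Key = Tuple[str, str, int]  # (src, dst, dport) identifies one "conversation"

T = 1_700_000_000.0  # arbitrary base timestamp for the constructed data

# Constructed sample: a few ordinary workstation conversations, one host that
# contacts the same external address every 300 s like clockwork, and one host
# that moved far more data over port 22 than anything else on the segment.
FLOWS: List[Flow] = (
    [Flow(T + 300 * i, "10.0.0.5", "203.0.113.9", 443, 512) for i in range(8)]
    + [Flow(T + t, "10.0.0.1", "198.51.100.20", 443, b)
       for t, b in [(10, 1200), (75, 800), (210, 2000), (1300, 950), (2200, 1050)]]
    + [Flow(T + t, "10.0.0.2", "198.51.100.21", 80, 600)
       for t in (5, 45, 100, 305, 315, 805, 1205)]
    + [Flow(T + t, "10.0.0.7", "192.0.2.50", 22, b)
       for t, b in [(60, 20_000_000), (3660, 18_000_000), (7260, 12_000_000)]]
    + [Flow(T + t, "10.0.0.3", "198.51.100.22", 443, 900) for t in (20, 400, 950, 1800)]
    + [Flow(T + t, "10.0.0.4", "198.51.100.20", 443, 1500) for t in (33, 700, 2500)]
)


def group_flows(flows: List[Flow]) -> Dict[Key, List[Flow]]:
    """Bucket flows by conversation, each bucket sorted by start time."""
    groups: Dict[Key, List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    for bucket in groups.values():
        bucket.sort(key=lambda f: f.ts)
    return dict(groups)


def interval_regularity(ts: List[float]) -> float:
    """Coefficient of variation of inter-arrival gaps. 0 means perfectly periodic."""
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return float("inf")
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def find_regular_talkers(groups: Dict[Key, List[Flow]],
                         min_flows: int = 6, max_cv: float = 0.1):
    """Conversations that recur with suspiciously little timing jitter.

    Human-driven traffic is bursty; timer-driven traffic is not. No signature
    is needed, only enough history to measure the rhythm.
    """
    hits = []
    for key, bucket in groups.items():
        if len(bucket) >= min_flows:
            cv = interval_regularity([f.ts for f in bucket])
            if cv <= max_cv:
                hits.append((key, round(cv, 3)))
    return sorted(hits)


def find_volume_outliers(groups: Dict[Key, List[Flow]], threshold: float = 3.5):
    """Conversations whose byte total is an outlier by modified z-score.

    Median/MAD is used instead of mean/stdev because flow volumes are
    heavy-tailed and a single big transfer would otherwise inflate the stdev
    enough to hide itself.
    """
    totals = {k: sum(f.nbytes for f in b) for k, b in groups.items()}
    vals = list(totals.values())
    if len(vals) < 3:
        return []
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    if mad == 0:
        return []
    return sorted(k for k, v in totals.items() if 0.6745 * (v - med) / mad > threshold)


def analyze(flows: List[Flow]) -> dict:
    """Run both hunts and return the findings for triage."""
    groups = group_flows(flows)
    return {
        "regular_talkers": find_regular_talkers(groups),
        "volume_outliers": find_volume_outliers(groups),
    }


if __name__ == "__main__":
    for kind, findings in analyze(FLOWS).items():
        print(kind)
        for item in findings:
            print("   ", item)
```

Neither finding is a verdict; they are leads for an analyst to pull the corresponding packet captures or host logs and decide what the "needle" actually is. Thresholds such as `max_cv` and the modified z-score cutoff are starting points that need tuning against a site's own baseline.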