Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free Trial5 ways AI will transform the SOC
AI is poised to reshape SecOps by tackling alert fatigue and streamlining workflows, for starters. Here’s what to expect.
Artificial intelligence is poised to transform how security operations centers (SOCs) detect, investigate, and respond to threats. And organizations expect that AI will help accelerate incident response times and automate repetitive triage tasks — thus helping human analysts stay ahead of increasingly complex attacks.
A recent survey of 300 CISOs, SOC leaders, and SecOps practitioners shows that AI has become a top priority for technology decision makers, with 33% describing it as critical to modern cybersecurity. Although they have concerns about data privacy, regulations, and technical complexity, cybersecurity leaders who responded to the survey said they expect that AI will handle 60% of their SOC workloads within the next three years, Prophet Security writes in its report on the survey results.
The survey found that large enterprises face an average of 3,181 alerts per day — of which 40% are left uninvestigated because of resource constraints. On average, dwell time is approaching one hour: Organizations take 56 minutes to review a detection tool’s alert and 70 more minutes to fully investigate it, which is far too slow to stop attacks. And the bigger the organization, the longer the dwell time, which exceeds an hour and a half at the largest enterprises.
But help is on the way. As the report notes:
“The transition to an AI-driven SOC is no longer a distant vision. It is a rapidly accelerating reality.”
What does the AI shift in the SOC look like in practice? Here are five ways security experts think AI will redefine security operations over the next five years.
Join webinar: How to Build High-Fidelity Threat Intel Feeds for Agentic AI
1. AI use cases get clear: Triage, detection, and threat hunting
Alert volume has become a huge problem for enterprises. While Prophet’s study shows that large enterprises have to deal with close to 3,200 security alerts every day, some vendors have pegged the number at more than 3,800 per day. For resource-strapped SOC teams, triaging all of those alerts has become impossible, and respondents to Prophet’s study said they don’t even look at 40% of the alerts they receive.
Suresh Batchu, COO and co-founder of Seraphic Security, said AI gives analysts space to think. “At thousands of alerts a day, no team can separate noise from signal fast enough,” he said.
Suresh BatchuAI will take over the repetitive, pattern-driven work first: triage, enrichment, false-positive suppression, correlation. Human judgment is for what’s left: deciding intent, determining impact, and connecting individual alerts to a broader campaign, AI tells you what happened, and humans decide why it matters.
Batchu estimates that AI will be able to handle 80% of the grunt work that now burdens SOC analysts when managing alerts.
Dov Yoran, co-founder and CEO of Command Zero, said AI is already reducing operational strain at many SOCs by helping to manage alert volume and doing the repetitive work of dealing with false positives.
Dov YoranTier 1 triage is already transforming — it’s repetitive and pattern-based, perfect for autonomous agents.
About two-thirds of the respondents to the survey identified detection engineering and threat hunting as top use cases for AI in their SOCs. Many expect that AI will help them refine detection rules, reduce false positives, fine-tune security controls, and analyze vast datasets for patterns and anomalies associated with potential threats.
2. AI will need guardrails to be effective
Yoran said SOCs should embed AI within structured, validated, and auditable processes and workflows rather than letting fully autonomous AI loose. They will need guardrails, prevalidated questions, and encoded knowledge bases to ensure consistent, predictable analysis, he said.
Dov YoranAI needs effective guardrails to prevent new blind spots. Uncontrolled AI can create hallucinations, drift, and unpredictable outputs — none of [which] are acceptable for the SOC.
Yoran advises against headlong AI immersion; instead, he said, organizations should combine AI with curated, codified analytic methods that both humans and AI can follow and trust. “This approach enables human and AI collaboration, unlocking predictable and accurate results. The overall operational strain of the SOC gets reduced because you’re scaling expertise, not just automation,” he said.
3. Trust will become critical for security control effectiveness
The biggest challenge of AI in the SOC isn;t technical, Yoran said; it’s being able to trust its output while staying in control. Shifting from doing every investigation manually to orchestrating AI agents and validating their work “requires understanding what AI can reliably do versus where it needs human oversight,” he said.
Teams need to get comfortable encoding their deep knowledge into systems that both AI and junior analysts can leverage.
Dov YoranThe skill isn’t writing playbooks anymore; it’s building scalable, repeatable investigation frameworks [that leverage AI].
Seraphic Security’s Batchu said he expects that analysts will have to shift from doing all the work to verifying it. Analysts will need to understand how the model reaches its conclusions, know when to trust those conclusions, and realize when something doesn’t feel right. That requires more comfort with data quality, model behavior, and automation pipelines than most teams have today, Batchu said.
He said the model’s decisions will have to be explainable, testable, and grounded in trustworthy data. Integrity is key, and that means paying attention to file provenance, tampering signals, and supply chain lineage.
Suresh BatchuIf the underlying telemetry is weak or incomplete, all you’ve done is automate the blind spots. If you can trust the inputs, you can trust the automation layered on top.
4. Adversaries will adopt and adapt
Expect adversaries to adapt their attacks as SOCs begin to lean more heavily on AI, subject-matter experts said. AI might make defenders faster, but it also gives attackers a new vector to study and manipulate, Batchu said.
Adversaries that now target systems will shift their focus to target AI models. Threats will include malware crafted to evade AI classifiers, poisoning attempts against data sources, adversarial files designed to trigger or suppress alerts, noise-generation attacks meant to overload automated responders, and supply chain manipulation that exploits AI’s assumptions of trust. “That’s why provenance, integrity, and continuous validation matter,” Batchu said.
The risk is that AI without proper controls will be predictable and exploitable, Yoran said. If the SOC’s defense relies on opaque AI making autonomous decisions, attackers will probe for and find patterns and blind spots.
Dov YoranThat’s why we emphasize transparency and human oversight. Every investigation should be auditable, every AI decision explainable. That’s harder to game.
Casey Ellis, founder of Bugcrowd, said that besides the proliferation of AI-powered vulnerability discovery, the growth of AI coding will present SOC teams with new attack challenges.
Casey EllisIf you do the math, then it’s reasonable to assume that these two things will net to an increase in SOC alerts and the need for a shift in strategy to deal with it.
5. SOC analyst roles will change — but not become obsolete
Nicole Carignan, senior vice president of security and AI strategy at Darktrace, said she expects that AI will automate or prioritize routine SOC work, allowing organizations to run smaller Tier 1 and Tier 2 teams. But this won’t make analysts obsolete or redundant. Instead, junior analysts will shift toward testing, evaluation, validation, and verification of AI outputs.
Carignan said their role will be to check AI recommendations, tune thresholds, improve models and to optimize workflows.
Nicole CarignanWhile providing a critical function, junior analysts can also learn the full detect, triage, investigate, remediate lifecycle, helping to protect against skills decay.
Leaner Tiers 1 and 2 will allow organizations to hire or upskill more people in their SOC teams to higher-value, proactive roles such as threat hunting, vulnerability prioritization, incident response, resilience, and hardening, she added.
Similarly, Bugcrowd’s Ellis said he expects that AI will transform the SOC workforce, not deskill it. While SOC analysts will not turn into data scientists, they will acquire the ability to work alongside AI effectively, meaning knowing when to trust it, when to question it, and how to leverage it to reduce noise, Ellis said.
Casey EllisThe role of SOC analysts will shift toward managing AI systems, interpreting their outputs, and addressing the nuanced, creative challenges that machines can’t handle. Jobs won’t disappear; they’ll adapt. The key is ensuring that SOC professionals are prepared for this shift through ongoing education, training, and tooling.