Listen to the AI hype machine enough and you will believe that the security operations center of tomorrow will be staffed by a couple of button-pushers, with AI doing all the heavy lifting. Agentic workflows in everything from triage to vulnerability research will wipe out the need for many well-established roles. SOCs will be where cyber careers go to die.
Not so fast, say many cybersecurity veterans. They believe there’s going to be more than enough work to go around — and that cyber expertise will be more relevant than ever.
The veterans do agree that change is coming, though. CISOs and security leaders will want to build teams and fill talent pipelines with pros who are tuned to work collaboratively with agentic tools, treating them like junior employees. Org charts will be redesigned, role progression redefined, and training requirements radically adjusted, with an emphasis on AI know-how.
Here’s how your SecOps team can embrace agentic AI — and survive.
AI fluency will be a core cybersecurity professional skill, said Diana Kelley, CISO at Noma Security.
“The best way to future-proof a cybersecurity career right now is to actively learn these systems, understand how they fail, and develop the skills to safely and effectively use and govern them.”
—Diana Kelley
Jimmy Astle knows firsthand what agentic AI is going to mean for SecOps in the coming years. Now at the AI agent startup Onebee, Astle was until recently the head of machine learning at Red Canary, where he championed adopting AI agents. Red Canary had no agents three years ago and today runs 75% of the SOC with agents. “I would say it’ll be two years, tops, before all of investigation and response is just completely automated,” he said.
While this is going to eliminate the need for Tier 1 triage and response roles, Astle thinks it won’t precipitate security job collapse.
“I don’t care how smart these models are, you need human ingenuity and critical thinking at both the beginning and the end of whatever an agent is doing.”
—Jimmy Astle
Greg Notch, CTO of Expel Security, said capable security pros will still be needed, though the day-to-day job is going to change, shifting from what he called “bespoke nerdy disassembly” to the herding of agents.
“If you’re focused on the outcome and understanding that AI is going to make you better at your job, you’re going to be okay.”
—Greg Notch
CISOs and SOC leaders are going to be looking for security pros with a systems engineering mindset, Astle said. It will be essential to understand how systems interact and to be able to break it all down into the distinct steps that are the building blocks of a workflow. Those steps directly translate into effective instructions for agents to follow.
Astle explained that chained processes usually are loaded with burdensome work in the middle that eats up a lot of time but requires little expertise or ingenuity. SOC analysts should be automating those parts of a process, doing what is called “middle-to-middle automation.”
“You want to figure out … what is the busy work that doesn’t take human creativity, critical thinking, judgment, and just hand that off to the agent. That way you’re not sitting in front of a screen clicking the same things over and over and over again.”
—Jimmy Astle
Shimon Tolts, co-founder and CEO of Copperhelm, said the core work of SecOps will shift from execution to verification, adding that analysts who continue to spend their days manually triaging alerts will be automated out of relevance because agents are faster and cheaper.
“The durable skill is supervising a fleet of agents and knowing when their conclusions are wrong. That is a judgment skill, not a tooling skill, and most current training still teaches button clicking.”
—Shimon Tolts
Building a team’s judgment skills should be a top priority for forward-looking CISOs, but don’t count on hiring AI-security rockstars; there still aren’t very many of them, the SANS Institute’s Rob T. Lee wrote in a recent blog post.
“You cannot hire your way out of this because the talent pool does not exist yet. All of us are figuring it out at the same time.”
—Rob T. Lee
Lee noted that the people already on your team know the business and how real-world incidents look within its environs.
Onebee’s Astle said that while most Tier 1 roles will be redundant, those employees whose daily work is being automated are still of value. “Take those Tier 1 and Tier 2 people and … get them AI-pilled so that they’re your champions,” he said.
He said that those employees’ tribal knowledge will make agent training more effective, and they could also be the resources needed to finally whittle down technical debt that’s been lingering for years.
Phil Steffora, CSO and CIO at Arkose Labs, said he expects the use of agentic AI to usher in “purpose-built roles that have no clear analogs today.”
One example, from Astle, is security automation engineer. He also suggested that SecOps pros could move into other security subspecialties such as governance.
John Gallagher, vice president at Viakoo, has other ideas about how SOC roles will evolve.
“The future workforce will be smaller in some areas, far more specialized in others, and much more focused on resilience outcomes rather than simply generating detections.”
—John Gallagher
Steffora said organizations that start building competency around things such as AI fluency and experimentation will be ahead of the game.
He added that org charts need to be rethought from the ground up, accommodating things such as a new apprenticeship path now that Tier 1 analyst is about to go extinct.
With big changes in store and uncertainty mounting, CISOs might think they have to wait for a clearer picture. But they can take some team-building actions right away to uplevel agentic skills across their teams. The SANS Institute’s Lee has a suggestion.
“Pick two people who know your environment cold. Give them protected time this month to put AI tools against your own findings backlog and report back on where the tools broke. That is the rewrite starting, in miniature, on your team.”
—Rob T. Lee
Copperhelm’s Tolts has similar advice.
“The CISOs who win will treat agent output as a hypothesis to be disproven and build teams that get rewarded for disproving it. Stand an agent up against a real test environment and watch where it is confidently wrong. You’ll learn more in a week than in any course.”
—Shimon Tolts
Calibrating future agentic-aided SecOps workflows will depend on doing that again and again, for hundreds of cycles, which will help teams build up the judgment skills that the next generation of the security workforce will desperately need.