COMMENTARY: Agentic AI, which is being touted as a magic elixir for a lot of IT challenges these days, is also being heralded as the next big advancement in cybersecurity. Its proponents say it will revolutionize defensive operations, eliminate repetitive work for security teams, provide the ability to scale threat detection and response, and in some cases even outmaneuver cyberattackers in real time.But before trusting agentic AI systems with the security operations center (SOC) functions, CISOs may want to pause for a reality check. Because for all of its power and promise, agentic AI still faces legitimate questions over its reliability and the role of human oversight.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.Read more Perspectives here.]Agentic AI is seen by many organizations as the next step in AI’s evolution. Large language models (LLMs) in the last couple of years quickly caught on with enterprises and employees with its ability to create content, including software code. But where copilots and chatbots are reactive, working from user prompts, agentic AI is proactive, performing specific tasks end-to-end on its own, often while making use of LLMs at each step. Its speed and autonomy promise to greatly increase the efficiency of threat detection and response, vulnerability management and other time-consuming elements of cybersecurity.
It's important, especially at this stage, for CISOs and security teams not to get carried away, however. The excitement over agentic AI mirrors the hubbub over a long list of other disruptive technology innovations: Hype abounds before reality creeps in, and organizations eventually adopt a slower and more nuanced path to implementation. To truly understand agentic AI’s place in cybersecurity’s future, organizations must cut through inflated expectations and evaluate both what these systems can do today and where they are likely to fall short.
The limits of AI systems
The most obvious clash between hype and reality is the assumption that agentic AI’s automation automatically makes it accurate, reliable or self-correcting. In practice, that is not always the case. Like any complex system, AI agents require ongoing evaluation, feedback and quality assurance to ensure their outputs remain trustworthy over time.Agentic AI systems can process massive volumes of alerts and data far faster than humans, but that does not guarantee correctness. Without structured validation processes, errors can lead to incorrect conclusions on the part of the AI. This is especially true in security operations, where a flawed assumption or incomplete context can lead to missed threats or unnecessary escalations. Organizations adopting agentic AI need clear mechanisms for monitoring accuracy and reviewing decisions.
Another common misconception is that AI agents work optimally best out of the box with little or no customization. In reality, AI agents need coaching like new human SOC analysts do. While agentic AI platforms may come with strong baseline capabilities, their effectiveness depends heavily on how well they are adapted to an organization’s environment, policies and risk tolerance. Treating AI agents as generic tools rather than systems that can be coached and refined limits their potential value.Customization is not a weakness of agentic AI, but a requirement for success. AI agents improve when they are trained on organization-specific workflows, exposed to feedback from analysts and guided by clearly defined expectations. This coachability allows agents to better understand context, reduce false positives and align their actions with how a given SOC actually operates. Without that ongoing guidance, AI agents may perform adequately, but they are unlikely to perform optimally.
What agentic AI can do for the SOC
Perhaps the best way to separate the hype from the reality of agentic AI is to focus on what agentic AI can do for organizations. When properly integrating with existing systems and guided by human oversight, agentic AI can have the effect of multiplying your SOC workforce tenfold. When implemented at a steady, thoughtful pace, what practical functions can CISOs really expect from AI agents?Automated efficiency. To start with, you can delegate manual, repetitive tasks such as initial alerts and triage, vulnerability management, reading threat actor reports, reviewing code and handling governance, risk and compliance (GRC) projects, all of which are ripe for automation. In these cases, you can have AI agents working directly for analysts and engineers, who can provide oversight.Reducing alert fatigue. A big advantage of automation is reducing the alert fatigue that regularly overwhelms SOC teams and leads to analyst burnout. On a related note, agentic AI can make it feasible for more organizations to staff a 24/7 SOC as fewer human analysts would be needed round-the-clock.Catching up with phishing. Traditional phishing detection hasn’t kept up with phishing tactics, where attackers are in many cases using GenAI to increase the level of personalization in their phishing lures. An AI agent can scan every email for signs of phishing.Faster response. A key metric is mean time to respond (MTTR). By enabling SOCs to handle hundreds of investigations in parallel, agentic AI can reduce MTTR by 90%, cutting the time to respond from hours to just minutes.Increased alert coverage. Historically, teams have alert areas they needed to ignore (perhaps classifying them as too noisy) because they had to reduce the volume of alerts to match the capacity of the team. Prioritizing risks has always been a necessary part of the job. But when you effectively have 10 times the workforce, you can investigate all those alerts — and catch more attacks.True teammates that learn. AI agents learn as they go. The real value of agentic AI in the SOC is not autonomous discovery of novel threats, but its ability to improve performance through feedback, context and coaching. As AI agents work alongside analysts, agents can become more effective at understanding organizational workflows, escalation preferences and investigative patterns. Analysts can guide agents by correcting mistakes, refining priorities and creating the strategies for the AI agents to execute.
The fusion of hype and reality
Cybersecurity is a unique domain where you have a rare win-win scenario involving a human workforce and AI augmentation. AI doesn’t threaten anyone’s job because there is always so much more to do. If agentic AI takes over repetitive tasks or more demanding analysis jobs, SOC teams can move on to other projects. And there will always be a need for human oversight and coaching.Agentic AI isn’t a magic bullet that can take the place of a well-managed SOC. But when carefully implemented and overseen, it can make SOC teams better at their jobs. The hype and reality of agentic AI in cybersecurity can align if organizations stay grounded in what the technology can truly deliver and adopt it with the oversight required.
Sophos Fusion is presented as an evolution of the Sophos Central platform, rebuilt on an open architecture and incorporating the Taegis analytics engine.