
Why piling on faster AI tech alone won’t fix the SOC

Securing the SOC

COMMENTARY: The standard diagnosis of what ails the security operations center (SOC) goes something like this: Too many alerts, too few analysts, not enough automation. The prescription follows naturally. Add tools, add AI, add headcount. Add capacity until the queue clears.

That simply doesn’t make sense. Or at least, it's incomplete in a way that makes the prescription actively harmful.


Right now, the entire model for the SOC still depends on scarce human judgment to interpret noisy signals, pull together the right context, and decide what actually matters. We can add analysts faster than we build judgment, and we can deploy tools faster than we can create coherence. That’s where SOCs keep breaking down: the gap between raw capacity and genuine expertise.

The modern SOC was never designed; it accumulated

Today's security stack does not function as a system: it's a patchwork. Teams work across fragmented tools that don't share context, telemetry that doesn't connect, and institutional knowledge that lives in the heads of whoever has been around long enough to accumulate it. When an alert fires, an analyst has to manually stitch together logs, correlation rules, prior incident notes, and their own memory of the last time something like this happened. Nearly every investigation starts from scratch.

That’s why false positives keep recurring, and why junior analysts struggle to operate at a senior level. Not because they lack intelligence, but because the knowledge that would help them isn't encoded anywhere they can reach. It's also why the SOC feels like a treadmill. The team moves faster, but the work doesn't get easier.

Don’t layer AI on a broken workflow

AI today gives us speed. Copilots help analysts move through investigations faster, assistants summarize alerts and draft incident reports, and automation handles the mechanical steps that used to eat up hours. These tools are useful at the margins, but they are not a solution, because they accelerate the same broken process rather than changing it.

We have to think more about closing the loop. Every investigation an analyst completes contains a signal. What the alert actually was, what context resolved it, what decision they made, and why. Right now, that signal evaporates. It goes into a ticket, maybe a post-mortem, and then it disappears. The next analyst who sees something similar starts over.

The systems that will actually move the needle are the ones that turn investigation outcomes into reusable intelligence, where analyst decisions feed back into detection logic, reduce repeat noise, and make the SOC measurably smarter over the next quarter than it was in the last one.

What a modern SOC architecture actually requires

A mature SOC operating model needs to unify four features that are now scattered: telemetry, detection logic, investigation context, and feedback loops. AI can contribute at every layer (triaging signals, surfacing relevant context, flagging patterns across cases), but only when it's paired with human review, auditable actions, and explicit mechanisms that route decisions back into detection tuning. We don’t want full autonomy. Autonomous systems that operate without human accountability are not a solution to the trust problem; they are a new version of it.

We’re aiming for operational learning, which means fewer repeated alerts, better prioritization, and expertise that compounds across the team instead of walking out the door when a senior analyst leaves.
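The feedback loop described above, as an added illustration that is not part of the column and not Panther's code: analyst dispositions are recorded, repeated false positives for the same rule and resolving context raise a tuning proposal, a human reviewer approves or rejects it, and only approved tuning changes how the next alert is triaged, with every step written to an audit log. The rule ids, alert fields, service account name and threshold are constructed for the example.

```python
"""Added example: a minimal detection feedback loop with human review and an audit trail.
All rule ids, hosts, users and thresholds below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

ContextKey = Tuple[str, str]  # (alert field, value) that resolved the case, e.g. ("user", "svc-backup")
ProposalKey = Tuple[str, ContextKey]  # (rule_id, context) the tuning proposal applies to


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule_id: str
    host: str
    user: str
    summary: str


@dataclass(frozen=True)
class Disposition:
    """What the analyst concluded, which context resolved it, and why."""
    alert_id: str
    rule_id: str
    verdict: str          # "true_positive" or "false_positive"
    context_key: ContextKey
    reason: str
    analyst: str


class DetectionFeedbackLoop:
    def __init__(self, fp_threshold: int = 3):
        self.fp_threshold = fp_threshold
        self.dispositions: List[Disposition] = []
        self.fp_counts: Counter = Counter()               # ProposalKey -> false-positive count
        self.pending: Dict[ProposalKey, dict] = {}         # proposals awaiting a human decision
        self.approved: Dict[ProposalKey, dict] = {}        # tuning a reviewer signed off on
        self.audit_log: List[dict] = []

    def _audit(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def record(self, d: Disposition) -> Optional[ProposalKey]:
        """Store a disposition; return the key of a tuning proposal if this one raised it."""
        if d.verdict not in ("true_positive", "false_positive"):
            raise ValueError(f"unknown verdict {d.verdict!r}")
        self.dispositions.append(d)
        self._audit("disposition", **asdict(d))
        if d.verdict != "false_positive":
            return None
        key: ProposalKey = (d.rule_id, d.context_key)
        self.fp_counts[key] += 1
        # Repeated benign outcomes for the same rule+context become a proposal, never an automatic change.
        if self.fp_counts[key] >= self.fp_threshold and key not in self.pending and key not in self.approved:
            self.pending[key] = {"count": self.fp_counts[key], "reason": d.reason}
            self._audit("proposal_raised", rule_id=d.rule_id, context=d.context_key, count=self.fp_counts[key])
            return key
        return None

    def approve(self, key: ProposalKey, reviewer: str) -> None:
        proposal = self.pending.pop(key)  # KeyError if nothing was proposed: nothing is silently approved
        proposal["approved_by"] = reviewer
        self.approved[key] = proposal
        self._audit("proposal_approved", rule_id=key[0], context=key[1], reviewer=reviewer)

    def reject(self, key: ProposalKey, reviewer: str, why: str) -> None:
        self.pending.pop(key)
        self._audit("proposal_rejected", rule_id=key[0], context=key[1], reviewer=reviewer, why=why)

    def triage(self, alert: Alert) -> dict:
        """Enrich a new alert with approved tuning and prior outcomes for the same rule."""
        for (rule_id, (field, value)), p in self.approved.items():
            if rule_id == alert.rule_id and getattr(alert, field, None) == value:
                return {"alert_id": alert.alert_id, "priority": "suppressed",
                        "why": p["reason"], "approved_by": p["approved_by"]}
        prior = [d for d in self.dispositions if d.rule_id == alert.rule_id]
        return {"alert_id": alert.alert_id, "priority": "investigate",
                "prior_cases": len(prior), "last_reason": prior[-1].reason if prior else None}


def demo() -> dict:
    """Three benign outcomes for one rule+context, then a reviewed suppression."""
    loop = DetectionFeedbackLoop(fp_threshold=3)
    ctx: ContextKey = ("user", "svc-backup")
    for n in range(3):
        loop.record(Disposition(f"A-{n}", "R-1001", "false_positive", ctx,
                                "nightly backup job reads the share by design", "analyst-1"))
    before = loop.triage(Alert("A-3", "R-1001", "fs-01", "svc-backup", "mass file read"))
    loop.approve(("R-1001", ctx), reviewer="senior-1")
    after = loop.triage(Alert("A-4", "R-1001", "fs-01", "svc-backup", "mass file read"))
    other = loop.triage(Alert("A-5", "R-1001", "fs-02", "alice", "mass file read"))
    return {"before": before, "after": after, "other": other, "audit_events": len(loop.audit_log)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point is in `record` and `approve`: the loop can only propose, a named reviewer must approve, and a different user tripping the same rule is still investigated with the prior cases attached rather than suppressed.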

The future SOC learns; today’s SOC just processes.

Security operations has spent a decade optimizing for throughput. Move faster through the alerts, close tickets, hit SLAs. That framing treats the SOC as a processing problem, and it produces teams that are perpetually reactive, running hard just to stay in place.

There’s a different way to frame it. We don’t want our SOCs to merely clear the queue. We want a system that can get better over time.

That requires encoding judgment, not just accelerating labor. It means building mechanisms that capture what analysts know, feed it back into detection, and reduce the noise that junior analysts drown in and senior analysts waste their time on.

The technology to do this exists. We now understand the architecture. But for these new concepts to work, organizations have to stop adding capacity to a broken model – and start building one that continuously learns.

Jack Naglieri, founder and CEO, Panther Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
