Artificial intelligence is changing both the offensive side and the defensive side of cybersecurity. Attackers use AI to speed up vulnerability discovery and phishing campaigns, while defenders rely on AI to keep up with attacks that unfold more quickly than human security teams can respond.
In a recent SC Media webcast, CrowdStrike Field CTO Cristian Rodriguez explained to host Mandy Logan that the future of security operations centers (SOCs) isn't about replacing analysts with AI but augmenting them through an agentic SOC — an arrangement in which AI handles repetitive investigative work while humans remain responsible for critical decisions.
AI has changed the pace of cybersecurity
AI has altered the threat landscape by dramatically accelerating attacker operations, Rodriguez said. SOCs built over the past decade were designed to defend against "human-speed" attacks, not machine-speed campaigns that can find vulnerabilities, craft exploits, and pivot laterally within a few minutes.
"What we've seen with AI is that it's essentially invalidated this idea of using just a human or having a human throw more headcount at the problem," Rodriguez said. "AI in itself has to accelerate this new model of the defender side of the house, where things like agentic SOC start to become a reality."
He also highlighted the growing risks posed by shadow AI, the practice of using AI tools and agents without management approval. These unauthorized tools create new attack surfaces across endpoints, SaaS applications, cloud environments, and identity systems, making comprehensive visibility essential.
Agentic SOC augments analysts rather than replacing them
CrowdStrike foresees AI agents handling tedious operational tasks such as alert enrichment, triage, evidence gathering, and incident documentation, while human analysts remain in charge of validating conclusions, approving responses, and handling complex investigations.
"You'll have AI augmenting things like triage. You'll have AI automatically enriching components of a detection," Rodriguez said. "We see humans being accelerated by AI within the SOC as this new agentic operating model."
The success of this model, he added, depends on thorough, high-quality telemetry across far-ranging environments and systems. Without accurate contextual data, Rodriguez emphasized, AI can't make trustworthy decisions. CrowdStrike's approach, he said, centers on collecting high-fidelity data and using AI to correlate events across multiple domains, which lets analysts understand attack paths more quickly and accurately.
Building trust through bounded autonomy
But organizations should not view agentic SOC as a fully autonomous security system, Rodriguez said. Instead, AI adoption should occur incrementally through what he called "bounded autonomy," in which organizations gradually expand AI's responsibilities as confidence grows.
"It's not overnight that we're going to unplug all our humans and plug in AI," Rodriguez said. "Let's start to incorporate AI into these workflows that we're familiar with, and we'll get more comfortable with AI doing its thing until there's an evolution of the way that these processes are going to roll out."
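The division of labor described above (AI enriches and triages, humans approve anything consequential) and the idea of "bounded autonomy" (widening what the AI may do on its own as confidence grows) can be made concrete as a policy gate in front of an agent's proposed actions. The following Python is an added illustration written for this article; it is not CrowdStrike code and does not reflect how any CrowdStrike product works. The autonomy tiers, the per-action risk scores, the confidence threshold, the threat-intel table and the sample alerts are all constructed for the example.

```python
"""Bounded-autonomy gate for an agentic SOC (illustrative example, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    """How much the AI agent may do without a human in the loop (constructed tiers)."""
    OBSERVE = 1  # read-only work only: enrich and triage; every change needs approval
    ASSIST = 2   # may also auto-apply low-risk, easily reversible changes
    CONTAIN = 3  # may also auto-contain hosts when the agent's confidence is high


# Risk weight of each action the agent can propose (constructed values).
# 0 = read-only, no blast radius; higher = more disruptive if the agent is wrong.
ACTION_RISK = {
    "enrich": 0,
    "triage": 0,
    "tag_alert": 1,
    "add_watchlist": 2,
    "block_ip": 4,
    "isolate_host": 5,   # cuts a machine off the network
    "disable_user": 6,   # locks a person out; hardest to undo quietly
}

# Risk ceiling the agent may auto-execute at each tier.
TIER_CEILING = {Tier.OBSERVE: 0, Tier.ASSIST: 2, Tier.CONTAIN: 5}


@dataclass
class Proposal:
    alert_id: str
    action: str
    confidence: float  # agent's self-reported confidence, 0..1
    rationale: str


@dataclass
class Decision:
    proposal: Proposal
    auto_executed: bool  # True = ran without a human; False = queued for analyst approval
    reason: str


class AutonomyPolicy:
    """Gate every agent proposal: execute within bounds, otherwise route to a human."""

    def __init__(self, tier: Tier, min_confidence: float = 0.9):
        self.tier = tier
        self.min_confidence = min_confidence
        self.audit: list[Decision] = []  # every decision is recorded for review

    def evaluate(self, p: Proposal) -> Decision:
        risk = ACTION_RISK.get(p.action)
        if risk is None:
            d = Decision(p, False, f"unknown action '{p.action}': human review required")
        elif risk > TIER_CEILING[self.tier]:
            d = Decision(p, False, f"risk {risk} exceeds tier {self.tier.name} ceiling")
        elif risk > 0 and p.confidence < self.min_confidence:
            d = Decision(p, False, f"confidence {p.confidence:.2f} below {self.min_confidence}")
        else:
            d = Decision(p, True, f"within tier {self.tier.name} bounds")
        self.audit.append(d)
        return d


# Constructed threat-intel lookup standing in for a real enrichment source.
INTEL = {
    "203.0.113.7": {"malicious": True, "confidence": 0.95},
    "198.51.100.4": {"malicious": False, "confidence": 0.99},
}

# Constructed sample alerts (TEST-NET addresses, hypothetical host names).
SAMPLE_ALERTS = [
    {"id": "A-1", "host": "ws-042", "remote_ip": "203.0.113.7"},
    {"id": "A-2", "host": "ws-117", "remote_ip": "198.51.100.4"},
]


def triage_alert(alert: dict) -> list[Proposal]:
    """Agent step: enrich the alert with intel and propose follow-up actions."""
    intel = INTEL.get(alert["remote_ip"], {"malicious": False, "confidence": 0.0})
    proposals = [Proposal(alert["id"], "enrich", 1.0, f"intel lookup for {alert['remote_ip']}")]
    if intel["malicious"]:
        c = intel["confidence"]
        proposals.append(Proposal(alert["id"], "tag_alert", c, "known-bad remote IP"))
        proposals.append(Proposal(alert["id"], "isolate_host", c,
                                  f"{alert['host']} is talking to a known-bad IP"))
    return proposals


def run_pipeline(alerts: list[dict], policy: AutonomyPolicy) -> dict:
    """Return which proposed actions ran automatically and which await an analyst."""
    auto, queued = [], []
    for alert in alerts:
        for p in triage_alert(alert):
            d = policy.evaluate(p)
            (auto if d.auto_executed else queued).append(d.proposal.action)
    return {"auto": auto, "queued": queued}


if __name__ == "__main__":
    for tier in Tier:
        print(tier.name, run_pipeline(SAMPLE_ALERTS, AutonomyPolicy(tier)))
```

Raising the tier is the "bounded autonomy" step: the same proposals flow through, but more of them clear the gate without a human, and the audit list gives the team the record it needs to decide whether the next widening is justified. The gate also fails closed on anything it does not recognize, so a new action type the agent starts proposing cannot slip through until someone has scored it.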