After four parts of methodological skepticism, here is the constructive one: my position. Not an institutional CICS statement. Not a coordinated consulting output. Narrowly bounded, with clear prerequisites, and with two uncomfortable questions that go unspoken in most pitch meetings. If you don’t agree with the conclusions, I’ll listen. With data, not vendor decks.
TL;DR: AI in the SOC may do enrichment, classification into pre-defined categories, triage along established playbooks, and detection-rule refinement. It may not do one-way actions, playbook authoring, or open-ended classification. The prerequisite is a functional SOC. AI on top of a dysfunctional security organization only exposes the dysfunction, faster. And whoever replaces Tier 1 with AI loses the senior pipeline of the medium term.
What AI in the SOC may do, and what it may not
There are four task classes in which I find AI genuinely useful in production.
Enrichment: enriching IOCs against threat-intel sources, correlating hashes against VirusTotal, MalwareBazaar or Hybrid Analysis, pivoting from domains across known infrastructure. Routine data flows where the task is defined and the output format is fixed.
Classification into pre-defined categories: sorting phishing mails into existing categories, mapping alerts to an already established risk schema. Not open classification. The AI categorizes against a list a human wrote.
Triage along established playbooks. The AI executes the playbook, it doesn’t write it. It follows defined escalation paths, it doesn’t invent any. If the playbook says “on indicator X escalate to Tier 2,” the AI does that. And only that.
Refinement of detection-rule skeletons is the fourth task class for which I clear AI. The engineer writes the scaffold of a YARA, Sigma, KQL, or Snort rule. The AI refines on concrete instruction: expanding strings, adjusting format, proposing first-draft correlations. Research, context, and precision stay with the human.
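One way to keep "the AI refines, the human defines" enforceable rather than aspirational is a guard that diffs the model's proposed rule against the engineer's scaffold and accepts only string expansion inside the detection selection. The following is an added example, not code from this post or from any Sigma tooling; the rule is a plain dict (already-parsed YAML), the scaffold and the proposals are constructed, and the minimum-string-length floor is an assumed precision heuristic, not a Sigma requirement.

```python
"""Guarded refinement of a Sigma rule scaffold (added example, not the post's code).

The engineer writes the scaffold; a model proposes a refined copy; this layer
accepts the proposal only if the changes stay inside the detection selection
(expanding match strings) and nothing else moved. Rules are plain dicts,
i.e. already-parsed YAML, so no PyYAML is needed.
"""
import copy

HUMAN_OWNED_TOP_LEVEL = ("title", "logsource", "level")
MIN_STRING_LEN = 4  # assumption: reject very short or wildcard-only strings that would over-match


class RefinementRejected(ValueError):
    """The proposal touched something the model is not allowed to change."""


def _as_list(value):
    # Sigma allows a scalar or a list for a field value; compare both as lists.
    return value if isinstance(value, list) else [value]


def _check_value(name: str, value: str) -> None:
    # Strip wildcards before measuring, so "*" or "a*" cannot sneak through.
    stripped = value.replace("*", "").replace("?", "")
    if len(stripped) < MIN_STRING_LEN:
        raise RefinementRejected(f"{name}: added string {value!r} is too unspecific")


def apply_refinement(scaffold: dict, proposed: dict) -> dict:
    """Return the proposal if it is a pure selection-string expansion of the scaffold."""
    if set(proposed) != set(scaffold):
        raise RefinementRejected("top-level keys added or removed")
    for key in HUMAN_OWNED_TOP_LEVEL:
        if proposed[key] != scaffold[key]:
            raise RefinementRejected(f"{key} is human-owned and was changed")
    old_det, new_det = scaffold["detection"], proposed["detection"]
    if set(new_det) != set(old_det):
        raise RefinementRejected("selections added or removed")
    if new_det["condition"] != old_det["condition"]:
        raise RefinementRejected("condition is human-owned and was changed")
    for sel_name, old_sel in old_det.items():
        if sel_name == "condition":
            continue
        new_sel = new_det[sel_name]
        if set(new_sel) != set(old_sel):
            raise RefinementRejected(f"{sel_name}: fields added or removed")
        for fld, old_val in old_sel.items():
            old_list, new_list = _as_list(old_val), _as_list(new_sel[fld])
            missing = set(old_list) - set(new_list)
            if missing:
                raise RefinementRejected(f"{sel_name}.{fld}: scaffold strings dropped: {sorted(missing)}")
            for added in set(new_list) - set(old_list):
                _check_value(f"{sel_name}.{fld}", added)
    return copy.deepcopy(proposed)


# Constructed scaffold, as the engineer would write it.
SCAFFOLD = {
    "title": "Suspicious PowerShell download cradle (scaffold)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString"],
        },
        "condition": "selection",
    },
    "level": "medium",
}


def propose(changes) -> dict:
    """Build a proposal from the scaffold via a mutation function (stand-in for model output)."""
    rule = copy.deepcopy(SCAFFOLD)
    changes(rule)
    return rule


def good_expansion(rule):  # the kind of refinement the guard should accept
    rule["detection"]["selection"]["CommandLine|contains"] += ["DownloadFile", "Net.WebClient", "Invoke-WebRequest"]


def bad_condition_change(rule):  # logic change: human-owned
    rule["detection"]["condition"] = "selection or 1 of them"


def bad_level_change(rule):  # severity change: human-owned
    rule["level"] = "critical"


def bad_wildcard(rule):  # precision loss: would match every command line
    rule["detection"]["selection"]["CommandLine|contains"].append("*")


def is_rejected(changes) -> bool:
    try:
        apply_refinement(SCAFFOLD, propose(changes))
    except RefinementRejected:
        return True
    return False


if __name__ == "__main__":
    print(apply_refinement(SCAFFOLD, propose(good_expansion))["detection"]["selection"])
    for bad in (bad_condition_change, bad_level_change, bad_wildcard):
        print(bad.__name__, "rejected:", is_rejected(bad))
```

The guard is deliberately a whitelist: anything it does not recognise as string expansion is rejected, so a model that starts editing logsource, condition or level gets stopped at the diff rather than at the next false-positive review.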
What AI in the SOC may not do without a human in the loop is, in my position, just as clearly bounded.
One-way actions are off-limits for autonomous AI. Account suspension, endpoint isolation, containment, quarantine, EDR push. Every destructive action stays human-gated. Microsoft’s phishing-triage agent does that right: it classifies, escalates, enriches, but every containment action requires human confirmation.
For playbook authoring, the same applies. Whoever writes the playbook defines the detection logic. That is senior discipline. AI may speed up microtasks within it, such as summarizing research on threat-actor TTPs or referencing similar playbooks from the public corpus. But the playbook itself comes from the human.
Open-ended classification I consider unworkable. Letting AI loose on “find anything anomalous” costs compute and produces alarm noise. Hypothesis, category list, and success definition come from the human.
Investigations without a hypothesis are human work. AI can speed up defined subtasks within them, but the hunting design itself comes out of the head of a senior analyst doing the threat-model mapping.
In short: AI executes, it doesn’t define. It enriches, it doesn’t escalate autonomously. It classifies into categories that exist, it doesn’t invent them. This separation isn’t academic for me. It’s the difference between an AI investment that works productively and one that produces the next audit question.
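The separation above (fixed category list, playbook as human-written data, every one-way action human-gated) can be built as a thin guardrail layer around whatever model does the classifying. Here is an added example of that layer, not code from this post or from any vendor's product; the alerts, the keyword "classifier" standing in for the model, the playbook steps and the approval-ticket format are all constructed for the example.

```python
"""Guardrail layer for AI-assisted SOC triage (added example, not the post's code).

It enforces the boundaries the text draws: the model picks only from a
human-written category list, the playbook is human-written data the model
never edits, and any one-way action waits for a human approval record
instead of executing. Alerts and the classifier are constructed stand-ins.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Human-written category list: the model may choose from it, never extend it.
ALLOWED_CATEGORIES = frozenset({"phishing", "malware", "credential_misuse", "benign"})


@dataclass(frozen=True)
class Step:
    action: str
    destructive: bool = False  # True marks a one-way action (isolate, suspend, quarantine)


# Human-written playbooks: category -> ordered steps. Steps are data, not model output.
PLAYBOOKS: dict[str, list[Step]] = {
    "phishing": [Step("enrich_urls"), Step("notify_user"), Step("quarantine_mail", destructive=True)],
    "malware": [Step("enrich_hash"), Step("escalate_tier2"), Step("isolate_endpoint", destructive=True)],
    "credential_misuse": [Step("enrich_user"), Step("escalate_tier2"), Step("suspend_account", destructive=True)],
    "benign": [Step("close_alert")],
}


@dataclass
class TriageResult:
    category: Optional[str]
    executed: list[str] = field(default_factory=list)
    pending_approval: list[str] = field(default_factory=list)
    rejected_reason: Optional[str] = None


class GuardrailError(ValueError):
    """Raised when the model steps outside the boundaries set by humans."""


def validate_label(proposed: str) -> str:
    """Accept a label only if it is on the human-written list (blocks invented categories)."""
    label = proposed.strip().lower()
    if label not in ALLOWED_CATEGORIES:
        raise GuardrailError(f"model proposed a category outside the allow-list: {proposed!r}")
    return label


def run_triage(alert: dict, classify: Callable[[dict], str], approvals: set[str]) -> TriageResult:
    """Classify into an allowed category, then walk its playbook.

    `approvals` holds human approval tickets of the constructed form "<alert id>:<action>".
    Non-destructive steps run; destructive steps run only with a matching ticket and are
    otherwise parked in pending_approval for a human to decide.
    """
    try:
        category = validate_label(classify(alert))
    except GuardrailError as exc:
        return TriageResult(category=None, rejected_reason=str(exc))
    result = TriageResult(category=category)
    for step in PLAYBOOKS[category]:
        if step.destructive and f"{alert['id']}:{step.action}" not in approvals:
            result.pending_approval.append(step.action)
            continue
        result.executed.append(step.action)  # a real system would call the integration here
    return result


# Constructed stand-in for the model: a keyword heuristic so the example runs offline.
def toy_classifier(alert: dict) -> str:
    text = alert["summary"].lower()
    if "impossible travel" in text or "credential" in text:
        return "credential_misuse"
    if "sha256" in text or "hash" in text:
        return "malware"
    if "phish" in text or "url" in text:
        return "phishing"
    return "benign"


def drifting_classifier(alert: dict) -> str:
    """Simulates a model wandering into open-ended classification with a made-up label."""
    return "suspicious-novel-activity"


# Constructed alerts.
ALERTS = [
    {"id": "A-1", "summary": "User reported phishing mail with suspicious URL"},
    {"id": "A-2", "summary": "EDR flagged sha256 match against a known loader"},
    {"id": "A-3", "summary": "Impossible travel login for service account"},
    {"id": "A-4", "summary": "Scheduled backup job completed"},
]

if __name__ == "__main__":
    for alert in ALERTS:
        print(run_triage(alert, toy_classifier, approvals=set()))
    # Same malware alert after a human approved the one-way action:
    print(run_triage(ALERTS[1], toy_classifier, approvals={"A-2:isolate_endpoint"}))
    print(run_triage(ALERTS[0], drifting_classifier, approvals=set()))
```

The point of the design is where the decisions live: the category list and the playbooks are code-reviewed data owned by the detection engineers, the model only returns a label, and the approval set is written by a person, so swapping the toy classifier for a real model changes nothing about who can isolate an endpoint.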
The prerequisite: a functional SOC
AI is a multiplier. Multipliers multiply what’s already there. Whoever puts AI on top of a dysfunctional security organization (missing playbooks, zero detection coverage, an asset inventory that is a historical document from the last audit, no established IR chain) doesn’t end up with a functional organization reinforced by AI. They end up with a dysfunctional organization that does the wrong thing faster.
That isn’t the pitch the sales decks make. Sales decks promise that AI shortcuts structural problems. I repeatedly see this fail. Detection-engineering foundations, hunt baselines, documented playbooks, a maintained asset inventory: these prerequisites can’t be replaced by AI. They can be accelerated by AI when they’re already in place. When they’re missing, AI accelerates a gap, not a solution.
The uncomfortable question: do you actually need AI?
Here it gets uncomfortable, and honest. If your SOC is functional, i.e. playbooks established, detection coverage documented, senior pipeline filled, what does AI actually give you?
My honest answer: a productivity gain on tightly defined tasks, on the order of the 22 percent from Part 1. Real. Not nothing. Also not “transformation”.
Whoever sells AI as a transformation path is bundling two different things: the real, measurable productivity effect and a promise premium not covered by data. In functional SOCs, AI is an incremental optimization. A faster triage here, a better enrichment pipeline there. If the investment volume is calibrated accordingly, it pays off. If it’s sold as “the next generation of the SOC”, it falls short of its own numbers.
The question I consider the right one for every CISO isn’t: how much can AI do? It’s: which concrete, measurable problem in my SOC would AI solve that I couldn’t also solve with better detection-engineering hygiene? If the answer is “nothing really,” then the investment in detection-engineering hygiene is better placed than the same money in AI augmentation.
The career-pipeline question
The industry needs junior analysts who become seniors. This pipeline has a specific structure. Tier 1, Tier 2, senior detection engineer or hunt lead or threat-intel lead. On this path, skills get built that aren’t learnable in a three-day workshop. Pattern recognition in logs, hypothesis formation in hunts, context build-up across client histories. That comes from years of operational work. Not from a curriculum slide.
What doesn’t fit on this path: demoting senior analysts to AI-output reviewers. “The AI does the detection, the senior reviews” is a position that presents neatly on a hierarchy slide. And it collapses career development in practice. AI output validation is a microtask, not a profession. Whoever assigns seniors to this role loses them to the competitor that gives them real detection-engineering tasks. And that would be the better case. The worse one is that the seniors stay and engagement tips into the negative.
What also doesn’t fit: replacing the Tier-1 path with AI. If Tier-1 analysts aren’t hired anymore because “the AI does that”, no Tier-2 analysts follow. Three to five years later the senior layer is without succession, and the detection coverage decays structurally. Not because AI failed, but because the staffing model broke. The Klarna reversal in customer service is the cross-industry version of this. In a SOC the same pattern plays out, only with detection coverage instead of customer satisfaction as the loss metric. And in customer service the correction costs money; in a SOC it costs breach consequences.
This is my most important point in the entire series. Whoever doesn’t take it seriously can skip the other four parts.
What I stand for, and what I stand against
I consistently advocate three points in engagements. AI as a refinement and acceleration layer for tightly defined tasks (enrichment, classification into pre-defined categories, playbook execution, detection-rule refinement), with a human-in-the-loop gate for every destructive action and output validation as a mandatory layer. Detection-engineering foundations before every AI investment, meaning Sigma coverage, hunt baselines, asset inventory, documented playbooks; if these prerequisites aren’t in place, the investment in their build-up is better placed than the same money in AI tooling. And keeping the junior pipeline active, because Tier-1 hiring is the prerequisite for there still being senior detection engineers in five years.
What I consistently argue against: headcount reduction on AI promises (Klarna 2024 to 2025 is the cross-industry lesson, the 25-percent ROI rate from IBM’s CEO Survey the macroeconomic anchor), mesh-agent architectures without independent replication of vendor claims (I know of no peer-reviewed evidence that documents the architecture as safely viable, and the adversarial risks between agents aren’t systematically solved; if anyone has the evidence, send it my way), and AI as a stopgap for structural weaknesses of the organization. Multipliers multiply. A gap multiplied by AI remains a gap. Just produced faster.
Closing
I’m not anti-AI. I’m against AI as a substitute for functional organization, against AI as an argument for headcount reduction, and against AI as a career end point for senior analysts. The difference decides whether a defensive team is still functional in five years. And whether an AI investment today pays off tomorrow.
The series closes here. For now. If you want to talk to me about this, without sales funnel and without marketing deck, you know where to find me.
Part 5 of 5 in this series on AI in defensive cyber (augmentation, not replacement):
- Part 1, What the data holds up
- Part 2, Where augmentation stops
- Part 3, What it means for SOC teams
- Part 4, AI vs AI
- Part 5, How it could actually work (current)