Ignite the SOC: AI as a Relentless Force Multiplier
The modern SOC is overworked, under-resourced, and facing an ever-growing volume of alerts and threats. Legacy processes and even “next-gen” platforms aren’t enough to keep up. What if the solution isn’t another dashboard, but a digital teammate?
A new generation of startups is building AI-powered coworkers for the SOC: agents that don’t just automate tasks, but operate as junior analysts—triaging alerts, conducting investigations, and surfacing insights around the clock. These aren’t traditional SOAR bots or glorified playbooks. They’re adaptive, task-completing agents built to augment human analysts and, in some cases, replace the need for an L1 entirely and even start to solve for L2 and potentially L3.
AI analysts in the SOC bring a new realm of possibility – opening the door to new use cases augmenting existing teams. While the potential is endless, the AI SOC market today is narrowing in on a few key benefits. When thinking about your own organization, an AI SOC Analyst may be a good fit if you are interested in solving:
- 24/7 continuous monitoring: Cyber threats don’t adhere to business hours, and alerts arrive round-the-clock
- Efficient triaging: SOC teams often drown in a flood of alerts, many of which are false positives
- Scalability: Increasing alerts and threats require SOC organizations to scale beyond human capacity
- Consistency: Delivering reliable execution of processes and procedures is essential
- Reallocating human analysts: Allocate analysts to more proactive projects, in place of triaging and investigation
While it is early days, initial capabilities are impressive. As part of this ongoing evolution of AI analysts in the SOC, we anticipate solutions to continue evolving. If this sounds enticing, let’s dive deeper into this new wave of solutions.
Building the Foundation: Core Elements of AI SOC Analyst
AI analysts as digital coworkers bring the promise to augment the efficiency and effectiveness of a SOC, while working alongside human analysts. To be considered an AI SOC Analyst, a solution provides the following table-stakes capabilities, which map to essential processes throughout the SOC.
Triage
By connecting to the SIEM and security sources, the AI SOC Analyst’s job starts by deciding which alerts to begin analysis on. Here, solutions are differentiating in their approach to implementation. Some solutions offer a fleet of specialized agents, allowing you to select the agent suited to your alert types and customize the procedures for doing so. Others focus on providing broad, consistent coverage without requiring customized setup across key threat areas, such as phishing, identity, network, and endpoint.
Investigation
For the alerts that have been triaged, the AI SOC Analyst will assign a severity level, identify whether the alert was a false or true positive, and produce a report of findings for the human analyst to digest. It does this by asking investigative questions as a human would. Human analysts are encouraged to review the findings of the AI analyst and provide feedback that can be used for further training. While this is standard across all AI SOC Analysts, they start to differentiate with nuanced architecture design and features. From an architecture perspective, some solutions create a semantic layer to establish an understanding of the security environment, whereas others pull the information on a per-query basis, or choose not to pre-train the LLM for specific use cases. From a feature perspective, there are also a variety of differentiators. For example, the AI analyst can only go as far as its permissions allow; if stuck in its investigation, some solutions will report inconclusive findings, and others will provide recommended next steps. A final differentiator comes in the ability to customize the agent’s knowledge: some solutions are building workflows to request that certain steps be taken or certain questions be asked. Others allow you to create your own agentic flows with specific areas of investigation.
Response
At the conclusion of the investigation report, solutions transfer responsibility to the human analyst. Response capabilities can vary from recommending next steps, to kicking off an existing workflow, to ticket creation.
Raising the Bar: The Next Frontier of AI in the SOC
While triage, investigation, and basic response are table stakes for AI SOC Analysts, many solutions are expanding their capabilities into other areas important for SOC analysts.
Detection
Many solutions are not directly tuning or monitoring for detections; however, some are beginning to connect directly to data sources and provide detection engineering. For organizations with a SIEM, this can be viewed as an augmentation to existing processes. For organizations without a SIEM presence, this could be leveraged in place of one.
Example: Exaforce
Advanced Response
With response, solutions initially recommended next steps and integrated with ticketing systems. However, as customer confidence in agentic abilities grows, some solutions are beginning to automate response. They are building more autonomous remediation, with one-click remediations, seamless workflows, or by automatically performing actions, like blocking a user or isolating a device.
Examples: Prophet Security, Simbian, Radiant Security, Intezer, Dropzone AI
Beyond Investigation and Response
Beyond investigation and response functions in the SOC, solutions are expanding their feature set to other adjacent areas. These areas include threat intelligence, threat hunting, GRC, and vulnerability management.
Examples: 7ai, Exaforce, Bricklayer, Simbian
Striking the Right Balance: AI and Humans in Partnership
These AI SOC Analysts show strong promise for ROI in terms of time, and even dollars, saved for human analysts. They are augmenting Tier 1 analysts with initial triage and investigation, and also beginning to impact Tier 2 and Tier 3 as capabilities expand. Even with AI analysts offloading a variety of tasks, there is still a strong need for human analyst oversight throughout the process. While AI SOC Analysts can automate the routine tasks in the SOC, humans will still be required for strategic optimization guidance. Humans are best placed to evaluate root cause analysis and lessons learned, provide guidance on organizational role accountability, and give feedback to the AI analysts over time, as trust is being built. Even after the AI analysts have been successfully trained in an environment, there is still benefit in having the human analyst review certain alerts. This ensures alerts are handled properly and human analysts maintain knowledge of activities throughout the SOC, preventing atrophy of human expertise.
The right balance will come through leveraging AI for what it’s good at: speed, scale, pattern recognition, WHILE actively cultivating the human skills of creative thinking, contextual understanding, and intuition. When asked what SOC analysts’ responsibilities will look like when AI analysts are implemented, CISOs are imagining a world where analysts are able to be more proactive with their time – conducting more threat hunting, participating in security design reviews, running innovative projects, etc. Together, this strategy has the potential to make an efficient and successful SOC.
The Path Forward
To begin taking advantage of AI analysts, the first step will be to evaluate your use cases and determine the best path forward for your organization because, as mentioned, there are different agents to choose from.
To start:
- Define clear objectives: Determine the most significant challenges in your SOC
- Select the right agent: Evaluate the integrations, scope of alerts, solution architecture, and desired capabilities beyond triage and investigation. While this blog focused on emerging AI SOC Analysts, there are security platforms implementing agentic capabilities. These platforms are creating agents within the lens of their own offerings, but may be an option for your organization depending on your environment.
- Evaluate data management across the SOC: An AI analyst can only be as successful as the data and tools at its disposal. It can’t create visibility and findings where telemetry doesn’t exist. Before deploying, evaluate your SOC architecture and toolsets to ensure data quality and accuracy.
- Phased rollout with human oversight and iteration: When rolling out these AI analysts, many solutions have capabilities for starting with human oversight, providing feedback loops, and eventually becoming more autonomous.
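As an added illustration of the phased rollout and human-oversight ideas above (constructed example, not any vendor's code), the gate below starts every alert category in assist mode, promotes a category to autonomous closure only after a run of human agreements with the AI's false-positive verdicts, keeps true positives and high-severity alerts with a human, and still samples autonomous categories for review so analyst skills do not atrophy. The thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed example of a rollout gate for AI SOC Analyst verdicts.
# Per-category trust is earned through human feedback and lost on disagreement.
AGREEMENTS_TO_PROMOTE = 50   # assumed: consecutive agreements before autonomy
MIN_CONFIDENCE = 0.9         # assumed: AI verdicts below this are never auto-accepted
AUDIT_EVERY_N = 10           # assumed: in autonomous mode, every 10th alert is reviewed

@dataclass
class Alert:
    alert_id: str
    category: str        # e.g. "phishing", "identity", "endpoint"
    severity: str        # "low" | "medium" | "high" | "critical"
    ai_verdict: str      # "false_positive" | "true_positive"
    ai_confidence: float

@dataclass
class CategoryTrust:
    consecutive_agreements: int = 0
    autonomous: bool = False
    seen: int = 0

class RolloutGate:
    def __init__(self):
        self.trust: dict[str, CategoryTrust] = {}

    def route(self, alert: Alert) -> str:
        """Return 'human_review' or 'auto_close'. Only false-positive verdicts can be
        auto-closed; a true positive always goes to a human for response."""
        t = self.trust.setdefault(alert.category, CategoryTrust())
        t.seen += 1
        if alert.ai_verdict != "false_positive" or alert.severity in ("high", "critical"):
            return "human_review"
        if alert.ai_confidence < MIN_CONFIDENCE or not t.autonomous:
            return "human_review"
        # Autonomous category: still sample alerts for a human to keep skills current.
        return "human_review" if t.seen % AUDIT_EVERY_N == 0 else "auto_close"

    def feedback(self, alert: Alert, human_verdict: str) -> None:
        """Record the human's verdict; agreement builds trust, disagreement resets it."""
        t = self.trust.setdefault(alert.category, CategoryTrust())
        if human_verdict == alert.ai_verdict:
            t.consecutive_agreements += 1
            if t.consecutive_agreements >= AGREEMENTS_TO_PROMOTE:
                t.autonomous = True
        else:
            t.consecutive_agreements = 0
            t.autonomous = False
```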
As time goes on and these AI analysts become part of your SOC team, it is likely that this type of machine-level processing will start to challenge your existing SOC toolsets. Especially as these AI SOC Analyst solutions continue to expand their offerings in detection, triage, and response, there may be some overlap with use cases such as your detection engineering, SIEM, and SOAR. While this won’t necessarily lead to a full replacement, it will create an interesting opportunity to reevaluate how your toolsets work together and create the optimal way forward.
If you’re curious to learn more or want to stay on top of the latest enhancements in this space, feel free to reach out to us at innovation@trace3.com.
