The Role of Humans in an AI-Augmented SOC
Intelligence is the fuel that powers the SOC. Large Language Models (LLMs) can help mimic human reasoning to alleviate most of the effort involved in triaging and investigating detections. Encoded with cybersecurity know-how and expertise, AI agents can automate many of the repetitive tasks that previously fell on human shoulders. Human SOC team members can now function more like tech leaders of AI agents and spend more time on higher-value projects.
Humans are still crucial in an AI-augmented SOC. When it comes to response, they will make the important decisions and coordinate with other teams. They will:
- Coordinate and follow up on tricky requests to other teams.
- Perform potentially disruptive remediation actions.
- Continuously acquire, monitor, and adjust detection engines/rules.
- Review AI agent investigations and reports.
- Define policies and recommend appropriate response mechanisms.
- Perform ad-hoc hunting and research.
The Role of Gen AI Agents in SOC
Gen AI agents take on the bulk of the triage and investigation work. They will:
- Investigate 100% of alerts, working 24/7 and giving every alert attention.
- Gather, inspect, and correlate data using various tools and sources.
- Write detailed incident reports based on their investigations.
- Perform low-impact threat mitigation by automating responses for low-risk threats.
The Continued Use of Playbooks and Scripts
SOAR playbooks and script-based automation remain in use for a small subset of prescribed actions where there is little ambiguity. They are suited to strictly defined tasks such as:
- Adding or enriching context to data points.
- Automating allow/deny policy-based responses.
- Responding to known-bad IOCs by shutting down malicious activity.
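As an added illustration (not code from the original article), the division of labor across the three sections above can be written down as an alert-routing policy: known-bad IOCs go to a deterministic playbook, everything else is investigated by the AI agent, low-impact mitigations of low-risk findings may be automated, and disruptive actions wait for a human decision. The indicator values, action names and risk labels are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder IOC list (documentation/reserved ranges, not real indicators).
KNOWN_BAD_IOCS = {"203.0.113.45", "evil-example.invalid"}

# Which responses an agent may run on its own vs. which need a human.
LOW_IMPACT_ACTIONS = {"block_ip", "quarantine_email", "expire_session"}
DISRUPTIVE_ACTIONS = {"isolate_host", "disable_account", "block_subnet"}


@dataclass
class Alert:
    id: str
    indicators: set                       # IPs/domains extracted from the detection
    risk: str                             # "low", "medium" or "high"
    proposed_action: Optional[str] = None # what the AI investigation recommended, if any


@dataclass
class Decision:
    handler: str            # "playbook", "ai_agent" or "human"
    action: Optional[str]
    auto_execute: bool      # True only where the page allows automation
    reason: str


def route(alert: Alert) -> Decision:
    """Assign an alert to a playbook, the AI agent, or a human analyst."""
    # 1. No ambiguity: a known-bad IOC is handled by a SOAR playbook.
    hits = alert.indicators & KNOWN_BAD_IOCS
    if hits:
        return Decision("playbook", "block_ip", True, f"known-bad IOC {sorted(hits)}")
    # 2. Every remaining alert is investigated by the AI agent first.
    if alert.proposed_action is None:
        return Decision("ai_agent", None, False, "needs investigation")
    # 3. Low-impact mitigation of a low-risk finding may be automated.
    if alert.proposed_action in LOW_IMPACT_ACTIONS and alert.risk == "low":
        return Decision("ai_agent", alert.proposed_action, True, "low-impact mitigation")
    # 4. Disruptive or higher-risk actions are a human decision.
    return Decision("human", alert.proposed_action, False,
                    "disruptive or high-risk action requires analyst approval")
```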
Benefits of an AI-Augmented SOC
The future AI-augmented SOC offloads numerous time-intensive tasks from human analysts to AI agents. This will change the role of SOC analysts for the better—making their work more intellectually interesting and improving security for their employers. Human security staff will have more time for:
- Improving vulnerability management and patching processes.
- Implementing zero-trust strategies for users, devices, networks, and applications.
- Running table-top exercises to prepare for incidents.
- Enhancing cross-departmental collaboration and training.
- Improving visibility by configuring logging and operationalizing security tools.
Clearing the Investigation Bottleneck
In the AI-augmented SOC, key performance indicators will improve, especially mean-time-to-respond (MTTR). AI agents will clear the most critical bottleneck impeding SOC effectiveness: investigation. Today, security teams struggle to keep up with the volume of detections, but AI agents will enable SOCs to investigate 100% of alerts, reducing the number of missed true positives and speeding up response times.
The Impact of AI Agents
The current state of SOCs is characterized by under-resourced, human-only teams relying on scripts and playbooks, which makes investigation and response time-intensive and slow. The future state will see AI-augmented SOCs with significant improvements in efficiency, allowing humans to focus on policy and decision-making. AI agents will handle the majority of the work, reducing mean-time-to-response to as little as three minutes.
Today’s SOC is overloaded, and traditional methods are no longer sufficient. The path to a more efficient SOC lies in the integration of AI agents. While a fully autonomous SOC is not yet possible, the development of LLMs will transform the role of human analysts, making them tech leaders of AI agents and allowing them to focus on more valuable security operations projects. If you are interested in learning more about how our AI analysts can help, visit our demo gallery or schedule a demo today.