Is Agentic AI the Missing Piece in the Autonomous SOC Puzzle?
SecOps has always been at the cutting edge of cybersecurity innovation. Historically, it has had to be, given that teams sit on the front line against adversaries who are constantly innovating to achieve their goals. This cat-and-mouse game continues to this day as threat actors and security operations centre (SOC) analysts both tap the power of AI. But could the arrival of AI agents be a game changer for defenders?
If AI could be harnessed to work autonomously — managing the full lifecycle of threat detection, investigation and remediation — it could have a significant impact on detection accuracy, response times and human workload. But the journey to a truly autonomous SOC remains fraught with challenges.
Why we need the autonomous SOC
There’s no doubt that today’s SOC managers could do with a hand. Analysts are regularly overwhelmed by surging alert volumes — stemming not only from an increase in threats, but also from the number of tools in use across an expansive attack surface. Today’s organisations may manage as many as 83 discrete security tools, each of which may be pushing out data for SOC teams to analyse. Investments in cloud, AI, IoT and other initiatives mean there’s more to secure, and more to attack, pushing alert volumes ever higher.
Adding to the workload for stretched teams is a dearth of skilled analysts. A 2024 report estimates that SOC skills shortages will increase 21% over the next five years. Alert fatigue amplifies the impact of such gaps in the workforce. In a September study, nearly half (46%) of SOC teams said alert volumes had increased significantly over the past 12-24 months, while three-quarters (73%) cited analyst burnout as a key challenge.
Attacks are also getting smarter. In that same study, 55% of respondents claim threats are increasingly outpacing detection. AI is being used to accelerate vulnerability discovery and exploitation, as well as breakout time. That puts stretched teams under even more pressure, especially if they are flooded with false positives.
To mitigate these challenges, SecOps innovation has come thick and fast over the past few years. XDR is helping teams streamline threat detection and response, while SOAR platforms are now a common feature of the SOC designed to automate workflows. But in many cases the gains they’ve enabled have been incremental at best. Such tools are more about automation than autonomy. This is where agentic AI comes in.
Pros and cons
The truth is that many SOCs already use AI models for detection, by training them on large volumes of malware samples. And they leverage generative AI (GenAI) to act as virtual assistants for low-level analysts — enabling them to ask natural language questions and receive prioritised responses. But agentic AI could provide an even bigger leap forward.
By working accurately and autonomously, it could significantly accelerate mean time to detect and respond (MTTD/MTTR), reducing the impact of intrusions on the organisation. It would almost eliminate human error, alert fatigue and the risk of damaging breaches occurring during holidays and weekends. And it would help to future-proof the organisation even as AI empowers threat actors to scale their own sophisticated attacks.
But there are inevitably hurdles in the way of progress. Agentic AI is most definitely not a plug-and-play solution. To get full value from any system, SOC managers would need to make sure it is integrated with existing tools like SIEM, SOAR, IAM, XDR and threat intelligence platforms. It’s likely such a system would need continuous tuning to remain effective. And governance guardrails must be built in to avoid any unintended consequences.
There’s also a valid concern about the impact an autonomous SOC might have on the junior analyst role. If organisations are effectively using AI to do the job of the Tier 1 staffer, where do aspiring SecOps professionals start their careers? Might we risk worsening skills gaps in the future if entry-level work disappears?
Another major factor is the cost of processing. The large volumes of alerts generated will increase in line with AI-driven attacks, and processing these with AI is currently prohibitively expensive. So SOC managers will need to be strategic in how they deploy the technology.
Phasing in an autonomous SOC
As the technology matures, some or all of these barriers to adoption may start to disappear. But until then, a phased approach to adoption is the best policy. As mentioned, the journey from manual and rules-based operations has already begun, with AI-powered automation. The next step will be to achieve partial autonomy — where LLMs analyse detections and alerts to predict new attacks, which they then proactively address by devising new detection logic. Agents will be restricted to working autonomously only on low-risk and/or repetitive responses such as ticket creation.
In this stage, human analysts would keep charge of high-risk decisions. In fact, they would remain in control of most of the SOC workload, overseeing AI output at all times.
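The partial-autonomy stage described above comes down to a policy gate between what the agent proposes and what actually runs: low-risk, repetitive actions execute on their own, high-risk actions wait for an analyst, and anything outside the policy is refused and logged. The following is an added example of such a gate, not code from the article or from any vendor it mentions. The action names, tiers, proposal format and the "analyst_approved" field are constructed for illustration; in a real deployment the approval hook would call out to a ticketing or chat workflow rather than read a flag on the proposal.

```python
"""Risk-tiered action gate for a partially autonomous SOC agent (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Tier(Enum):
    AUTO = "auto"          # low-risk / repetitive: the agent may execute on its own
    APPROVAL = "approval"  # high-risk: a human analyst must approve first
    DENY = "deny"          # never delegated to the agent at this stage


# Constructed policy (hypothetical action names): which proposals the agent may act on.
POLICY = {
    "create_ticket": Tier.AUTO,
    "enrich_indicator": Tier.AUTO,
    "tag_alert": Tier.AUTO,
    "isolate_host": Tier.APPROVAL,
    "disable_account": Tier.APPROVAL,
    "block_ip": Tier.APPROVAL,
    "wipe_host": Tier.DENY,
}


@dataclass
class Decision:
    action: str
    tier: Tier
    executed: bool
    reason: str


@dataclass
class ActionGate:
    policy: dict                       # action name -> Tier
    executors: dict                    # action name -> callable(proposal)
    approve: Callable[[dict], bool]    # human-in-the-loop hook
    audit: list = field(default_factory=list)  # every decision, executed or not

    def handle(self, proposal: dict) -> Decision:
        name = proposal.get("action", "")
        # Unknown actions are treated as DENY: the agent cannot invent its way
        # around the policy by proposing something the policy never listed.
        tier = self.policy.get(name, Tier.DENY)
        if tier is Tier.DENY:
            decision = Decision(name, tier, False, "action not delegated to agent")
        elif tier is Tier.APPROVAL:
            if self.approve(proposal):
                self.executors[name](proposal)
                decision = Decision(name, tier, True, "executed after analyst approval")
            else:
                decision = Decision(name, tier, False, "held for analyst review")
        else:
            self.executors[name](proposal)
            decision = Decision(name, tier, True, "executed autonomously")
        self.audit.append(decision)
        return decision


def run_sample():
    """Drive the gate with constructed agent proposals; returns (gate, actions performed)."""
    performed = []

    def record(proposal):
        # Stand-in for the real SOAR/EDR call: just note what would have run.
        performed.append(proposal["action"])

    gate = ActionGate(
        policy=POLICY,
        executors={name: record for name in POLICY},
        # Constructed approval hook: reads a flag the analyst set on the proposal.
        approve=lambda p: bool(p.get("analyst_approved", False)),
    )
    proposals = [
        {"action": "create_ticket", "alert_id": "A-1001"},
        {"action": "isolate_host", "host": "ws-042", "analyst_approved": False},
        {"action": "disable_account", "user": "jdoe", "analyst_approved": True},
        {"action": "wipe_host", "host": "ws-042"},
        {"action": "purge_all_logs", "scope": "*"},   # not in policy at all
    ]
    for p in proposals:
        gate.handle(p)
    return gate, performed


if __name__ == "__main__":
    gate, performed = run_sample()
    for d in gate.audit:
        print(f"{d.action:18} {d.tier.value:9} executed={d.executed!s:5} {d.reason}")
    print("performed:", performed)
```

The audit list is the important part for the "overseer" role: every proposal, including the denied ones, is recorded with the reason, so an analyst can review what the agent wanted to do and tune the policy over time rather than only seeing what it did.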
Ideally, this will be a stepping stone to a state of full autonomy, where AI agents handle all SOC processes — autonomously detecting, investigating and remediating threats and building and running playbooks on the fly. This promises a potential step change in how rapidly and accurately SOCs detect and respond to threats — reducing damage and freeing up human analysts to work on higher-value tasks. But let’s be clear: analysts will still be required, albeit in a more hands-off, strategic manner that will see their role evolve into that of “overseer” rather than “doer”.
The right partner
Ultimately, while it promises much, agentic AI is not a panacea. It pays to go slow while the technology evolves, and industry players adapt their solutions. There’s too much at stake to run before we can walk. So, take a phased approach that allows for experimentation in small use cases, without disrupting SOC operations or creating new security risks.
Many organisations may prefer to outsource these capabilities so that they are not directly exposed to such risks. In fact, the MSSP sector could play a critical role in the development of the autonomous SOC, taking on both cost and risk to move the industry forward. That leaves in-house security leaders with an important decision to make: which MSSP to choose.
Martin Jakobsen is the Managing Director of Cybanetix and brings over 20 years of experience delivering NOC and SOC services to a wide range of customers. At Cybanetix, Martin has overseen the company’s growth into a trusted MDR specialist supporting clients across multiple sectors, including large-scale enterprises and public sector organisations. Martin remains focused on expanding Cybanetix’s capabilities and its use of advanced, AI-enabled security operations to deliver practical, intelligence-driven services.
Prior to Cybanetix, Martin served as Managing Director of Capita Cyber Security and holds board positions at KonsensIT A/S and CapMon A/S, contributing his expertise in governance and strategic growth.
He has played a central role in the design and build of some of the UK’s largest government networks and has provided outsourced security operations to multinational enterprises. His combination of technical expertise and leadership has enabled organisations to strengthen their defences and run more resilient security operations.