The buzz around AI, particularly the notion of an "AI SOC," has reached a fever pitch. It's so intense that many technology vendors in this space don't even need to drum up demand; the sheer volume of conversations among CISOs and SOC managers creates an almost irresistible pull for them to explore and test these solutions. So, why would I, of all people, try to temper this excitement? Isn't it beneficial for positioning our own solution in the market?
The problem with hype, however, is that it often follows Gartner's famous Hype Cycle curve. Technologies shoot up quickly, only to plummet dramatically into the “trough of disillusionment.” While riding the crest of the hype wave might feel exhilarating initially, those who do so irresponsibly often find themselves struggling once it passes the peak of inflated expectations. They promise the moon and stars, only to suffer a strong reputational hit when users realize that not all their lofty expectations can be met by the technology.
That's precisely why it's crucial for us to take a clear-eyed look at the technology we're developing and articulate both what it can and what it cannot do. This transparency doesn't imply that what's impossible today will remain so forever. AI technologies are evolving at an astonishing pace, and capabilities that are out of reach now may become commonplace in just a few months.
What an AI SOC Analyst Can Do
AI SOC analysts are already powerful tools that can significantly enhance security operations. They can:
- Run simple to moderately complex alert investigations: AI can be trained to follow established investigation playbooks for common alert types. For instance, if a specific type of malware alert fires, the AI can automatically gather relevant logs from endpoints and identity systems, query threat intelligence sources, and then correlate this information to determine the scope and severity of the alert. This frees human analysts from repetitive initial triage.
- Figure out queries to run on security tools and other systems as part of the investigation: Instead of an analyst manually crafting complex SIEM queries or navigating various security tools, an AI SOC analyst can translate investigation requirements into the appropriate query language for different systems. For example, given an IP address or a username, the AI can automatically generate queries to pull associated activities from EDRs and identity providers, accelerating the data collection phase.
- Aggregate and summarize collected evidence to reach a conclusion: Once data is collected, an AI can process vast amounts of disparate information, identify key patterns, and synthesize it into a concise summary. Imagine an investigation involving hundreds of log entries from multiple sources; the AI can highlight the most critical events, flag suspicious anomalies, and present a coherent narrative that points towards a potential compromise or a benign event, enabling faster decision-making for human analysts.
- Adapt investigation steps to the customer environment based on analyst feedback: AI models can learn and improve over time. As human analysts provide feedback on the accuracy and effectiveness of AI-driven investigations, the AI can adapt its logic and refine its investigative steps. This ensures that the AI's capabilities become increasingly tailored to the specific nuances and requirements of each organization's unique environment, making it more effective and reducing false positives or irrelevant information.
{{ebook-cta}}
What an AI SOC Analyst Cannot Do
Despite their impressive capabilities, it's vital to acknowledge the current limitations of AI SOC analysts. They cannot:
- Figure out what is important and what is not important to your organization: While AI can process vast amounts of data and identify anomalies, it lacks the inherent understanding of an organization's unique business context, critical assets, and risk tolerance. A human analyst knows that an alert on a CEO's laptop might require immediate, high-priority attention, whereas a similar alert on a test server might be low priority. AI alone cannot make these nuanced, business-driven judgments without being fed with the appropriate context. It doesn't instinctively grasp the impact of a potential breach on reputation, intellectual property, or regulatory compliance.
- Make decisions based on policies or rules it doesn't know or hasn't been informed: AI operates on data and algorithms it has been trained on. If a new security policy is implemented, or a specific business process dictates a unique response to a certain type of alert, the AI will not inherently know this. It cannot infer intent or extrapolate beyond its programmed knowledge base. Human analysts, on the other hand, can quickly internalize new policies, understand their implications, and adapt their decision-making accordingly, even in ambiguous situations.
- Investigate alerts for which no evidence is available: An AI, by its very nature, relies on data. If an attack leaves no discernible digital trace in the systems it monitors, or if the relevant logs are not collected or retained, the AI has nothing to analyze. It cannot "imagine" or "guess" evidence. This is a fundamental limitation of any data-driven system, and it underscores the importance of comprehensive logging and data collection alongside AI adoption. Some organizations feed alerts to an AI SOC Analyst but do not connect it to any investigation sources, limiting the ability of the tool to gather the necessary data to reach any conclusions. Human analysts must check multiple data sources to make a determination about an alert, and it's no different for AI-based systems.
- Fully remediate or contain attacks autonomously and without risk of causing disruption: While AI can recommend or even initiate automated response actions (like isolating a host or blocking an IP), full, autonomous remediation of complex attacks carries significant risks. An incorrect automated response could inadvertently disrupt critical business operations, cause data loss, or even exacerbate the attack. Human oversight is crucial here to ensure that any containment or remediation actions are proportionate, well-understood, and do not introduce unintended negative consequences. The potential for "collateral damage" from autonomous AI remediation is a major concern.
- Identify novel attacks with methods still unknown: We'll often see people claiming that AI can find “unknown unknowns." This claim is largely misleading. AI is excellent at finding "known unknowns" – cases where we know what kind of attack traces to look for, even if the specific variant is new. For instance, AI can detect anomalous network traffic patterns even if the specific malware signature is not in its database because it has learned what "normal" traffic looks like. However, if an attacker devises a completely new method that leaves no recognizable footprint or behaves in a way that falls outside of any pre-defined "normal" or "abnormal" patterns, current AI systems will struggle. If even humans rarely find attacks for which there's truly no evidence or that we still don't know what evidence would look like, how would machines that are trained in human knowledge and existing data do better? True "unknown unknowns" often require human intuition, creative problem-solving, and out-of-the-box thinking – capabilities that AI has yet to demonstrate.
There's a tremendous amount of value in what AI SOC analysts can already accomplish for us. Dismissing their potential solely because of what they currently cannot do would be shortsighted. Organizations that are strategically deploying AI SOC analysts are actively reducing manual toil and recovering valuable human hours. This allows human security professionals to focus on the higher-level, more complex activities where their unique critical thinking, intuition, and contextual understanding are still indispensable.
AI SOC Analysts are not a silver bullet that will miraculously solve every challenge in threat detection, investigation, and response. However, they can significantly ease the burden by taking on a large chunk of the associated workload, particularly the repetitive and high-volume tasks. Ultimately, they serve as a powerful resource optimization tool, and smart security leaders are leveraging them precisely in this capacity.