The buzz around AI, particularly the notion of an "AI SOC," has reached a fever pitch. It's so intense that many technology vendors in this space don't even need to drum up demand; the sheer volume of conversations among CISOs and SOC managers creates an almost irresistible pull for them to explore and test these solutions. So, why would I, of all people, try to temper this excitement? Isn't it beneficial for positioning our own solution in the market?
The problem with hype, however, is that it often follows Gartner's famous Hype Cycle curve. Technologies shoot up quickly, only to plummet dramatically into the “trough of disillusionment.” While riding the crest of the hype wave might feel exhilarating initially, those who do so irresponsibly often find themselves struggling once it passes the peak of inflated expectations. They promise the moon and stars, only to suffer a strong reputational hit when users realize that not all their lofty expectations can be met by the technology.
That's precisely why it's crucial for us to take a clear-eyed look at the technology we're developing and articulate both what it can and what it cannot do. This transparency doesn't imply that what's impossible today will remain so forever. AI technologies are evolving at an astonishing pace, and capabilities that are out of reach now may become commonplace in just a few months.
What an AI SOC Analyst Can Do
AI SOC analysts are already powerful tools that can significantly enhance security operations. They can:
- Run simple to moderately complex alert investigations: AI can be trained to follow established investigation playbooks for common alert types. For instance, if a specific type of malware alert fires, the AI can automatically gather relevant logs from endpoints and identity systems, query threat intelligence sources, and then correlate this information to determine the scope and severity of the alert. This frees human analysts from repetitive initial triage.
- Figure out queries to run on security tools and other systems as part of the investigation: Instead of an analyst manually crafting complex SIEM queries or navigating various security tools, an AI SOC analyst can translate investigation requirements into the appropriate query language for different systems. For example, given an IP address or a username, the AI can automatically generate queries to pull associated activities from EDRs and identity providers, accelerating the data collection phase.
- Aggregate and summarize collected evidence to reach a conclusion: Once data is collected, an AI can process vast amounts of disparate information, identify key patterns, and synthesize it into a concise summary. Imagine an investigation involving hundreds of log entries from multiple sources; the AI can highlight the most critical events, flag suspicious anomalies, and present a coherent narrative that points towards a potential compromise or a benign event, enabling faster decision-making for human analysts.
- Adapt investigation steps to the customer environment based on analyst feedback: AI models can learn and improve over time. As human analysts provide feedback on the accuracy and effectiveness of AI-driven investigations, the AI can adapt its logic and refine its investigative steps. This ensures that the AI's capabilities become increasingly tailored to the specific nuances and requirements of each organization's unique environment, making it more effective and reducing false positives or irrelevant information.
What an AI SOC Analyst Cannot Do
Despite their impressive capabilities, it's vital to acknowledge the current limitations of AI SOC analysts. They cannot:
- Figure out what is important and what is not important to your organization: While AI can process vast amounts of data and identify anomalies, it lacks the inherent understanding of an organization's unique business context, critical assets, and risk tolerance. A human analyst knows that an alert on a CEO's laptop might require immediate, high-priority attention, whereas a similar alert on a test server might be low priority. AI alone cannot make these nuanced, business-driven judgments without being fed with the appropriate context. It doesn't instinctively grasp the impact of a potential breach on reputation, intellectual property, or regulatory compliance.
- Make decisions based on policies or rules it doesn't know or hasn't been informed: AI operates on data and algorithms it has been trained on. If a new security policy is implemented, or a specific business process dictates a unique response to a certain type of alert, the AI will not inherently know this. It cannot infer intent or extrapolate beyond its programmed knowledge base. Human analysts, on the other hand, can quickly internalize new policies, understand their implications, and adapt their decision-making accordingly, even in ambiguous situations.
- Investigate alerts for which no evidence is available: An AI, by its very nature, relies on data. If an attack leaves no discernible digital trace in the systems it monitors, or if the relevant logs are not collected or retained, the AI has nothing to analyze. It cannot "imagine" or "guess" evidence. This is a fundamental limitation of any data-driven system, and it underscores the importance of comprehensive logging and data collection alongside AI adoption. Some organizations feed alerts to an AI SOC Analyst but do not connect it to any investigation sources, limiting the ability of the tool to gather the necessary data to reach any conclusions. Human analysts must check multiple data sources to make a determination about an alert, and it's no different for AI-based systems.
- Fully remediate or contain attacks autonomously and without risk of causing disruption: While AI can recommend or even initiate automated response actions (like isolating a host or blocking an IP), full, autonomous remediation of complex attacks carries significant risks. An incorrect automated response could inadvertently disrupt critical business operations, cause data loss, or even exacerbate the attack. Human oversight is crucial here to ensure that any containment or remediation actions are proportionate, well-understood, and do not introduce unintended negative consequences. The potential for "collateral damage" from autonomous AI remediation is a major concern.
- Identify novel attacks with methods still unknown: We'll often see people claiming that AI can find “unknown unknowns." This claim is largely misleading. AI is excellent at finding "known unknowns" – cases where we know what kind of attack traces to look for, even if the specific variant is new. For instance, AI can detect anomalous network traffic patterns even if the specific malware signature is not in its database because it has learned what "normal" traffic looks like. However, if an attacker devises a completely new method that leaves no recognizable footprint or behaves in a way that falls outside of any pre-defined "normal" or "abnormal" patterns, current AI systems will struggle. If even humans rarely find attacks for which there's truly no evidence or that we still don't know what evidence would look like, how would machines that are trained in human knowledge and existing data do better? True "unknown unknowns" often require human intuition, creative problem-solving, and out-of-the-box thinking – capabilities that AI has yet to demonstrate.
There's a tremendous amount of value in what AI SOC analysts can already accomplish for us. Dismissing their potential solely because of what they currently cannot do would be shortsighted. Organizations that are strategically deploying AI SOC analysts are actively reducing manual toil and recovering valuable human hours. This allows human security professionals to focus on the higher-level, more complex activities where their unique critical thinking, intuition, and contextual understanding are still indispensable.
AI SOC Analysts are not a silver bullet that will miraculously solve every challenge in threat detection, investigation, and response. However, they can significantly ease the burden by taking on a large chunk of the associated workload, particularly the repetitive and high-volume tasks. Ultimately, they serve as a powerful resource optimization tool, and smart security leaders are leveraging them precisely in this capacity.
Frequently Asked Questions (FAQ)
What can an AI SOC Analyst do today?
An AI SOC Analyst can automate many parts of alert triage and investigation. It can gather relevant evidence, run queries across security tools, summarize findings, and adapt its investigations based on analyst feedback. These capabilities help security teams respond faster and reduce manual workload.
Can AI SOC Analysts replace human security analysts?
AI SOC Analysts cannot fully replace human analysts. While they can handle repetitive investigative tasks and summarize large volumes of data, they lack contextual understanding of business priorities and can't make judgment calls in ambiguous situations.
What are the limitations of current AI SOC Analysts?
Current AI SOC analysts cannot assess business impact, interpret unknown policies, or act without sufficient data. They also struggle to identify entirely novel attacks and cannot remediate threats without human oversight due to potential operational risks.
How do AI SOC Analysts adapt to different environments?
AI SOC Analysts can adapt by learning from analyst feedback and organizational data. Over time, they refine their logic to better align with the unique context, toolsets, and workflows of the environments in which they operate.
Can AI detect unknown threats that humans can't?
AI is good at detecting patterns it has been trained to recognize or that deviate from normal behavior. However, detecting truly novel attack techniques—those without existing footprints or behavioral baselines—still requires human intuition and creativity.
What kind of evidence or data does an AI SOC Analyst need?
AI SOC Analysts rely on available log and telemetry data from connected tools. If data is missing or incomplete, the AI may be unable to conduct a meaningful investigation or reach a valid conclusion.
Can an AI SOC Analyst take response actions on its own?
AI SOC Analysts can recommend or initiate basic response actions, like isolating endpoints or blocking IPs. However, full autonomous remediation is risky without human oversight, as it could cause unintended disruptions.
What is the measurable impact of using an AI SOC Analyst?
Using an AI SOC Analyst can significantly reduce investigation time and manual workload. Organizations often see faster response times, fewer false positives reaching human analysts, and better use of limited security resources.
-min.webp)
.svg)
-min.avif)
-min.avif)
