Hype Check: The State of AI in the SOC

Augusto Barros
January 5, 2026

I recently sat down with my friend and fellow "recovering Gartner analyst," Oliver Rochford, for a webinar titled "Hype Check: The State of AI in the SOC 2025." Having spent years analyzing trends together, we saw it as the perfect opportunity to cut through the current marketing noise and discuss what is actually working in AI for security operations today.

Here is a recap of our conversation and my most important takeaways for security leaders.

Moving Past the "Cynical" Era

Ten years ago, the promises of AI in security felt like "lipstick on a pig," and many of us developed a natural, defensive cynicism. Oliver noted that while we have seen many "half-baked" attempts in the past, the technology has finally matured into something pragmatic.

As Oliver put it:

"I would say to myself, it's gonna happen. Don't worry. It'll take a little bit longer than you think, but it's gonna happen eventually."


Augmentation, Not Elimination

One major point I highlight is that AI is not here to fire the SOC team. Instead, it addresses the chronic skills shortage and the "noise" of false positives that leads to analyst burnout. This is the Human-in-the-Loop (HITL) model: the AI handles the routine, context-heavy investigations, such as user behavior or cloud environment alerts, and escalates to a human when nuanced judgment or higher-level reasoning is required.

Oliver highlighted that AI is particularly effective as a force multiplier:

"It’s working well as an augmentation tool and for automation... in circumstances where it’s a little bit more bounded, a little bit more predictable."

Disrupting the Traditional Architecture

We also discussed how AI is fundamentally changing established markets like SOAR and MDR.

  • The End of Standalone SOAR: Oliver argued that the distinction between traditional (deterministic) SOAR and new (non-deterministic) AI SOC solutions is disappearing.
  • A "Lightweight" MDR Alternative: AI is lowering the barrier for companies to move security operations back in-house. While it might not replace a full MDR service yet, it allows for a more tailored and cost-effective internal model.

The Buyer’s Checklist: Avoiding the "Stealth Tax"

For those looking to adopt these tools, Oliver provided some invaluable practical guidance. He warned about the "stealth tax" of integration: costs climb quickly when a tool natively connects to only a fraction of your devices and the rest has to be integrated separately.

When evaluating these platforms, we agreed on a few critical criteria:

  1. Explainability: The tool must be able to explain why it reached a conclusion, rather than acting as a black box.
  2. Novelty Testing: Don't just test against routine alerts; see how the AI handles the rare, "novel" incidents.
  3. Transparent Pricing: Avoid opaque "compute unit" pricing models; prefer those based on clear metrics, such as cost per investigation.

As Oliver put it:

"We tend to evaluate these solutions based on false positives, but we shouldn't. We should value them based on how they deal with a breach."

I really like what Oliver said here. Most organizations see the immediate value of reducing the burden of false positives, but that means nothing if it comes at the expense of doing the right thing when real threats materialize.
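To make the checklist concrete, here is a small evaluation scorecard written for this recap. It is an added example, not code from the webinar or from any vendor. It scores a hypothetical triage agent the way Oliver suggests: on whether real breaches are escalated to a human (the HITL model from earlier), stratified into routine and novel incidents so the novelty test is explicit, with false-positive suppression reported alongside rather than as the headline, and with every verdict checked for an explanation. The Alert and Verdict types, the two agents, and the nine labelled alerts are all constructed for the example.

```python
"""
Vendor-evaluation scorecard for an AI SOC triage tool.

Constructed example for this recap, not code from the webinar or any
product. It scores a triage agent on how it handles real (especially
novel) breaches rather than only on how many false positives it closes,
and it checks that every verdict carries an explanation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    truth: str        # "benign" or "malicious" (analyst-labelled ground truth)
    novel: bool       # True if the incident is outside the vendor's demo data


@dataclass(frozen=True)
class Verdict:
    alert_id: str
    action: str       # "close" (auto-resolve) or "escalate" (hand to a human)
    explanation: str  # evidence the tool cites; empty string means black box


# Constructed evaluation set. The first seven alerts look like a typical
# vendor benchmark; the last two are the "novel" incidents the checklist asks for.
ALERTS = [
    Alert("a1", "benign", False),     # scheduled admin login from usual network
    Alert("a2", "benign", False),     # internal vulnerability scanner traffic
    Alert("a3", "benign", False),     # CI runner spawning many processes
    Alert("a4", "malicious", False),  # known commodity loader hash
    Alert("a5", "benign", False),     # DLP false positive on synthetic test data
    Alert("a6", "malicious", False),  # well-known credential-dumping command line
    Alert("a7", "benign", False),     # backup job mass file reads
    Alert("a8", "malicious", True),   # OAuth token replay from an unseen cloud region
    Alert("a9", "malicious", True),   # living-off-the-land exfil via cloud CLI
]


def fp_tuned_agent(alert: Alert) -> Verdict:
    """Hypothetical agent tuned to crush false positives: it escalates only
    indicators it has seen before and closes everything else as noise."""
    known_bad = {"a4", "a6"}
    if alert.alert_id in known_bad:
        return Verdict(alert.alert_id, "escalate", "matches known malicious indicator")
    return Verdict(alert.alert_id, "close", "")   # closed with no stated reason


def escalate_everything(alert: Alert) -> Verdict:
    """Hypothetical control: passes the breach gate trivially but saves no analyst
    time, which is why the scorecard reports FP suppression alongside recall."""
    return Verdict(alert.alert_id, "escalate", "insufficient context to auto-close")


def score(alerts, agent):
    """Run the agent over the evaluation set and return a plain dict with breach
    recall per stratum, false-positive suppression, and explainability gaps."""
    verdicts = {a.alert_id: agent(a) for a in alerts}

    def recall(subset):
        malicious = [a for a in subset if a.truth == "malicious"]
        if not malicious:
            return None
        caught = sum(1 for a in malicious if verdicts[a.alert_id].action == "escalate")
        return caught / len(malicious)

    routine = [a for a in alerts if not a.novel]
    novel = [a for a in alerts if a.novel]
    benign = [a for a in alerts if a.truth == "benign"]
    fp_suppression = sum(1 for a in benign if verdicts[a.alert_id].action == "close") / len(benign)
    unexplained = sorted(v.alert_id for v in verdicts.values() if not v.explanation.strip())
    missed = sorted(a.alert_id for a in alerts
                    if a.truth == "malicious" and verdicts[a.alert_id].action == "close")
    return {
        "fp_suppression": fp_suppression,
        "breach_recall_routine": recall(routine),
        "breach_recall_novel": recall(novel),
        "missed_breaches": missed,
        "unexplained_verdicts": unexplained,
    }


def passes_checklist(card) -> bool:
    """Acceptance gate: no missed breach in either stratum, every verdict explained."""
    return (card["breach_recall_routine"] == 1.0
            and card["breach_recall_novel"] == 1.0
            and not card["unexplained_verdicts"])


if __name__ == "__main__":
    for name, agent in (("fp_tuned_agent", fp_tuned_agent),
                        ("escalate_everything", escalate_everything)):
        card = score(ALERTS, agent)
        print(name, card, "passes:", passes_checklist(card))
```

Run against the constructed set, the false-positive-tuned agent scores a perfect 1.0 on FP suppression and 1.0 recall on routine malware, yet 0.0 recall on the two novel incidents and no explanation for any closure, so it fails the gate; the escalate-everything control passes the gate while suppressing nothing. Looking at either number alone would mislead a buyer, which is the point of the quote above.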

Predictions for 2026: Hacker Slop and Strategic Attacks

I predict we will see a high volume of "hacker slop": low-quality, AI-generated malicious code. Each piece will be easy to catch, but the sheer volume will make it expensive to process. Oliver's prediction was even more pointed: he expects the first attacks specifically designed to mislead an AI SOC agent or to induce it to "hallucinate."

Oliver shared a powerful analogy to describe our current stage of AI adoption: Gunpowder. In its first 150 years, gunpowder was just as likely to blow up the person using it as the target.

"We still adopted it because when it did go in the right direction, that war was gone."

I guess I'm a little more optimistic here. The analogy is quite good, but I think we have already developed a fairly good understanding of how not to blow ourselves up with this new gunpowder. It is still a developing area, but it is producing good results at a reasonable level of "safety" right now.

My Final Thought: The future of the SOC isn't about finding a "silver bullet." That has always been true, and those who relied too heavily on perfect, definitive solutions have failed. Adopting an AI SOC solution is about building an agile security operations architecture in which AI acts as the investigative engine, silencing the noise so human analysts can finally focus on the signals that matter.
