No Vendor Consolidation In The SOC

Introductory Blurb

Since I published my last co-authored reports on the security data platform and SOC automation market, some interesting developments have occurred in the SIEM market. It is well-known news about the recent consolidation happening Palo Alto Networks’ acquisition of IBM’s QRadar, Crowdstrike’s announcement of their full SIEM platform, and the LogRythmn & Exabeam merger to become one platform. Adjacently, Zscaler with its Avalor acquisition, Fortinet’s SIEM product and more I could list on. All the major cybersecurity players are making a conscious effort to move into the SOC.

What if there is no complete vendor consolidation within the SOC? i.e., no one platform that can provide all the technology requirements across the SOC. Could the Crowdstrike outage become the impetus for the tide to turn back? We’ll explore that hypothesis today.

While I do believe other areas of cybersecurity need consolidation, like SASE, Identity access and management, cloud, and app sec, the paradigm will be different within the SOC. We’ll discuss the implications of these developments and explore the pros and cons of a consolidated SOC relative to a best-of-breed SOC. My post was also inspired by reading Umesh Yerram’s piece, a prominent CISO who writes about the implementation of the modular cybersecurity stack and works by Omer Singer.

I have always believed that vendor consolidation would happen across different cybersecurity markets and industries, but I’m increasingly convinced that within the SOC, we won’t likely have one major platform—at least anytime soon. The recent issue with Crowdstrike points to a case where security leaders would be less hesitant to purchase their entire stack on one vendor to avoid such scenarios from happening in the future.

Thesis

My thesis is that nobody has fully built the complete SOC technology platform that covers all areas where one large platform dominates the market, providing a unified system from data pipeline, data ingest, analytics, and autonomously responding to threats. The large vendors are incentivized to pitch this all-in-one strategy. However, I believe we will have “modular consolidation within the SOC” ie. a SOC stack where companies have modular solutions that fit the requirement for their security needs. They pick the best solution for XDR/SIEM, automation or data pipeline etc.

Most of this premise comes from the fact that we still don’t have a successful all-in-one SOC company. We can acknowledge that Splunk is dominant today in the SIEM market, but it is a well-known fact that Splunk is hated, and it is likely in decline over the next few after its recent acquisition by Cisco. Similar to how successful companies like Crowdstrike have built a name for themselves in endpoint (yes, despite everything happening), Wiz in cloud security, Okta in identity etc. It’s likely we won’t have a top name for the SOC market for a long time.

Below is the market map I created to illustrate how, in today’s SOC, companies gravitate to the best-of-breed solution for each of the major pillars below. The fragmented nature of the SOC will likely remain this way for a long time. We’ll explore some of the reasons much more in the piece.

Torq Technologies: My talk on the SOC automation market

I had a conversation with Torq about the evolution of the SOC automation market. I discussed some findings on how automation and AI are meant to change the SOC over the next few years. Read the full article here:

• Exploring the Future of SOC Automation with Francis Odum. Alternatively, you can watch the full video below.

Today’s Sponsors:

Every once in a while, I meet with new vendors where I’m pleased with their products. A big shoutout and thank you to Intezer and Sekoia for sponsoring the software analyst newsletter.

• Intezer is an autonomous SOC platform built to analyze, reverse engineer, and investigate every alert like an experienced security. Intezer’s objective is to fully automate the tasks of Tier 1 SOC Analysts, extending the capacity and capabilities of analysts to comprehensively triage every alert and prioritize the critical threats. This ultimately helps fill in the talent shortage that is plaguing many security teams.
• Sekoia.io is a threat intelligence-powered SOC platform that provides Extended Detection and Response (XDR) and SIEM solutions based on Cyber Threat Intelligence (CTI). Their solutions enhance modern SOCs’ collaboration, productivity, and protection against cyberattacks. Sekoia is a platform that aims to exemplify this new breed of cybersecurity solutions, as they are poised to become the future of SIEM, SOAR, and a threat intelligence platform (TIP) by evolving into comprehensive SOC platforms.

The Basics Behind The SOC

History

The SIEM/SOC market has undergone many transitions over the years from Arcsight to Splunk and all the way to emerging native solutions on the market. There has been no shortage of solutions available for businesses with the need to store data

Gartner / Oliver Rochford (Author of Cyber Futurists)

If we drill down to the basics, the primary purpose of a Security Operations Center (SOC) is to continuously monitor, detect, analyze, and respond to cybersecurity incidents and threats within an organization. It acts as the central hub for security and utilizes various technologies to detect and respond to security threats. Some of the core technologies utilized include SIEM, SOAR, EDR, NDR, CASB, VM, IAM, TIPs, and UEBA. Most SOCs have endpoint security at the heart of their technologies, and many of these solutions continuously monitor suspicious activities at endpoints and across the network.

At the heart of the SOC is the SIEM. As I wrote in my previous piece, the core premise behind a SIEM is to collect data, analyze it, and send an alert based on detection rules. SIEM systems aggregate, analyze, and correlate security event data from various sources within an organization to detect, monitor, and respond to security threats in real-time. They provide centralized visibility and facilitate incident response by identifying unusual or suspicious activities.

The final output of the SIEM is always handled by a security automation solution. When an SIEM detects an incident across any of your security tools, it triggers a SOAR/automation solution to automate certain response actions based on predefined playbooks. For example, the SOAR/hyperautomation platform can automatically initiate protocols to change passwords or shut down accounts if unauthorized access is detected.

Today’s Paradigm

Security tools have significantly changed over recent years. We’ve seen the market’s rapid evolution over the last few years. More and more vendors have emerged within the SIEM space, and many have died along the way. Many of the leading providers ranked in Gartner’s 2024 Magic Quadrant for SIEM have undergone significant organizational and business changes in recent months. We’ll likely see more M&A activities of vendors merging to become stronger players.

Gartner / Oliver Rochford (Author of Cyber Futurists)

While this happens, the SOC’s tool stack has massively expanded. We now have modern enterprises struggling with ingesting and storing massive data volumes while trying to balance associated costs. Most enterprise systems don’t allow for scalable data ingestion without exponential cost increases, making organizations decide between managing costs and financial constraints. There is almost a cost-productivity curve where customers have to manage their scale relative to the ingest cost of available data. This complexity in price and a wide spectrum of data points has led to the rise and success of companies like Cribl and Anvilogic, which play a key role in managing security data before it reaches the SOC.

Source: Anvilogic/Cribl Partnership

Breaking Down Security Operations Center (SOC)

Before diving deep into automation and the challenges faced by security teams, it is important to begin by clearly defining Security Operations Centers (SOCs). SOCs are centralized units within organizations dedicated to monitoring, detecting, analyzing, and responding to cybersecurity incidents. These units play a pivotal role in safeguarding an organization’s digital assets, infrastructure, and sensitive data against a variety of cyber threats. In essence, SOCs are crucial for protecting organizational assets.

How Most SOCs Operate

Security Operations Center (SOC) typically provide monitoring and detection services by collecting and analyzing MELT data, an acronym that refers to the essential types of telemetry required to detect, investigate, and respond to security incidents. In the early days of SOC operations, companies used agents to collect MELT data points i.e.

• Metrics
• Events
• Logs
• Traces

MELT data forms the backbone of the SOC. By collecting and analyzing MELT data, SOC teams gain full visibility into their environment, enabling them to detect anomalies, policy violations, and indicators of compromise (IOCs). Agents (or sensors or APIs) are installed on endpoints or servers to gather this data. Once collected, Tier 2 or Tier 3 security analysts focus on analyzing alerts, writing detection rules, and performing threat hunting in the SIEM. The objective here is to highlight actual threats from the raw alerts, logs and telemetry while storing this information for future investigations and queries.

Differences between Tier 1, Tier 2 and Tier 3 Analysts:

1. Tier 1 Analyst: Primarily responsible for the initial triage of security alerts and incidents using a SIEM. They identify and categorize potential threats. They escalate more high-risk cases to senior analysts.
2. Tier 2 Analyst: Focuses on investigating, containing, and responding to escalated incidents. They fine-tune detection rules for better and improved processes.
3. Tier 3 Analyst: Proactively identifies advanced threats and enhances SOC processes. They conduct threat hunting and malware analysis, leveraging threat intelligence.

Future SOC Architecture

This post isn’t focused on the SOC, but we believe a foundational understanding of this layer is essential to drive the rest. Below is a breakdown of this architecture:

Data Fabric Layer

In SOC teams, a layer of raw security data from diverse sources must be standardized and processed for effective analysis before being sent to a SIEM (or automation solution). This category has two distinct types of vendors. 1) Those focused on building and managing the engineering data pipeline. 2) Those prioritizing data filtering and enrichment to improve detection quality.

The key task is formatting data into a consistent structure to enable seamless integration and adding contextual information, such as IP geolocation or threat intelligence feeds, to improve data quality. We’ll uncover how this layer increasingly intersects with automation efforts.

Storage and Detection Layer

Companies leverage threat detection rules to define the logic for identifying malicious activity in their data. Once processed, data is routed to a centralized repository for storage and analysis. This may involve a SIEM (Security Information and Event Management) offering real-time monitoring and alerting or a cloud-based data lake designed to reduce costs.

AI Response & Automation

When detection rules are triggered, or alerts are generated, SOC analysts thoroughly investigate these alerts, assess their severity levels, and implement appropriate remediation measures. Modern SOC automation solutions are evolving to adopt a more proactive approach, integrating directly with security tools rather than relying solely on SIEM alerts. This advancement allows for enhanced alert enrichment and contextual analysis, leading to more efficient remediation processes. Analysts can now differentiate real threats from false positives more quickly and conduct thorough assessments and containment strategies. For incident response, teams can now manage security incidents more effectively, conducting deeper investigations by leveraging indicators discovered during the triage phase, with legacy SOAR solutions proving particularly effective in this domain. While AI technology is poised to revolutionize SOC operations in this layer, its adoption remains complicated by SOC leaders’ ongoing concerns about SIEM-related costs and implementation challenges.

Full Market Ecosystem for Security Operations (in 2024)

In summary, the SOC is the centralized hub for monitoring, detecting, analyzing, and responding to cybersecurity incidents. Its core processes include data collection, where telemetry (MELT: Metrics, Events, Logs, Traces) is gathered from endpoints, networks, and systems; alert triage, prioritizing and categorizing threats; investigation, conducting root cause analyses and threat hunting; response, mitigating and remediating incidents; and continuous improvement, updating detection rules and workflows based on new threats. By leveraging SIEMs, automation tools, and skilled analysts across Tier 1 (triage), Tier 2 (response), and Tier 3 (proactive hunting), SOCs protect an organization’s assets against evolving cyber threats.

Outsourced & Managed Security Operations

Organizations with large budgets and extensive scale may choose to build a fully internal SOC, purchasing all the necessary technologies. In this report, we outline the processes and technologies involved in creating a modern SOC. However, it is important to note that not every organization will implement all these technologies.

Smaller and mid-sized companies often turn to managed 24/7 SOC services. These include Managed Detection and Response (MDR) providers or Managed Security Service Providers (MSSPs), which use their own SIEM, EDR, or other solutions to monitor client environments around the clock. These services identify alerts, assess potential threats, and notify clients about incidents requiring attention.

By leveraging managed services, organizations reduce their need for in-house expertise while managing costs associated with these technologies. Additionally, outsourcing tasks such as threat intelligence, forensic investigations, and incident response (IR) can help internal SOCs manage reporting and integrate multiple threat feeds more effectively.

The Evolution of Automation In Cybersecurity

At its core, automation has a single purpose: to let machines perform repetitive, time-consuming and monotonous tasks. This frees up scarce human analysts to focus on more important issues, such as threat hunting and proactive investigations. A common concern, both in cybersecurity and other industries, is that automation might replace human workers. While this fear is partly justified, automation primarily enhances human capabilities in security operations and helps bridge the talent gap in cybersecurity.

Different organizations and SOC teams have been approaching automation in different ways, depending on budget, technical talent and team size. Key approaches include:

1. Bespoke automation scripts: Many organizations initially relied on bespoke, in-house scripts to manage security tasks. These custom scripts, while tailored to specific organizational needs, often required significant software engineering expertise to develop and maintain.
2. Generalist Automation: Next came RPA and automation solutions like Zapier, n8n, and UIPath, which primarily focused on automating workflows across various applications and systems without the need for extensive coding knowledge. While these tools enhanced operational efficiency, they were often not designed specifically for security operations beyond basic IT workflows.

History of Automation In Cybersecurity Operations

Traditional SOAR Platforms

Security Operations Automation & Response were the first generation of products built to automate security operations tasks. SOAR platforms were built with security-specific capabilities, including threat intelligence/SIEM platforms integration, incident response playbooks, and automated workflows tailored for security incidents. These solutions were designed to address the outputs of SIEM’s by automating responses and providing tools for managing, planning, and coordinating incident response activities.

These systems were built to understand and prioritize alerts based on their security relevance, enabling SOC teams to quickly identify and respond to critical threats. By 2018, advanced SOAR platforms began integrating artificial intelligence (AI) and machine learning (ML) to enhance threat detection and response, making these systems not only reactive but also proactive by predicting and mitigating potential security threats.

Sample vendors include Phantom Cyber, acquired by Splunk in 2018, which was one of the earliest and most prominent names in the SOAR space. Phantom’s platform allows security teams to automate tasks, orchestrate workflows, and integrate various security tools. Subsequently, Google SecOps was built around the acquisition of Siemplify, which offered a security operations platform often categorized as a SOAR solution.

Key Challenges with legacy SOAR platforms

Despite their promise, traditional SOAR solutions often fell short of expectations, creating significant challenges for security teams:

• Complex Implementation: Lengthy deployment cycles and extensive configuration requirements delayed time-to-value
• Resource-Intensive Management: High total cost of ownership (TCO) due to the need for specialized expertise and ongoing maintenance
• Integration Limitations: Restricted connectivity with existing security tools and difficulties adapting to new technologies
• Alert Management Issues: Inconsistent alert handling and missed critical alerts due to rigid playbook structures
• Limited Adaptability: Inflexible frameworks that struggled to accommodate evolving security needs and emerging threats

Hyperautomation

The 2020s brought a range of challenges for Security Operations Centers (SOC) that existing SOAR tools struggled to address. Cybersecurity threats became increasingly sophisticated as businesses integrated more cloud-native data solutions and contended with numerous security tools. Simultaneously, there was a growing demand for experienced cybersecurity professionals, but the supply remained limited.

These legacy SOAR tools faced a significant challenge as they grew in size and complexity, often compelling organizations to hire experts or spend on professional services. Companies needed to invest heavily in professional services. These additional costs frequently exceeded the initial price of the SOAR tool itself.

Defining AI-SOC

AI for SOC (Security Operations Center) is a flawed acronym for defining this category, a category often surrounded by buzzwords. It primarily represents an advanced cybersecurity framework incorporating LLMs (post-ChatGPT) into traditional SOC processes.

These next generation of solutions aim to leverage machines to replicate the role of security analysts. As discussed earlier, enterprises traditionally routed alerts through a SOAR workflow, or human analysts would manually assess and respond to alerts or security incidents. The goal of an AI SOC analyst is to immediately process low-level alerts, automatically triage them, and investigate incidents.

AI for SOC signifies a shift from reactive, manual security processes to a proactive, intelligence-driven paradigm. Its main components include—

1. Triage,
2. Investigation,
3. Response, and,
4. Workflow automation

Together, these components create an ecosystem that enhances efficiency. These systems are not intended to replace analysts but to empower them to focus on larger security challenges while continuously adapting to an ever-changing threat landscape.

As of today, most AI functionalities excel at tasks typically performed by Tier 1 analysts. AI for SOC can be split into a few core categories, primarily aimed at automating the following:

1. Alerting and Triage: AI handles the flood of alerts, highlights critical ones, and enriches indicators of compromise (IOCs) with actionable threat intelligence.
2. Investigation and Threat Hunting: AI delves deeper into incidents, correlates data, and uncovers hidden threats. It checks past user behavior to understand threat patterns.
3. Response Execution: AI automates remediation while keeping humans in the loop for oversight. It may refer back to business systems such as directory information, emails, and tickets for context before taking action.
4. Proactive Process Engineering: AI evolves workflows and integrations to meet the dynamic demands of cybersecurity.
5. Evidence Analysis: AI analyzes PDFs, shell scripts, packet captures, and other evidence for malicious intent.

AI-SOC Assistant Vendors (Post-2022 ChatGPT)

Based on our research, this is our framework for categorizing the vendors that have emerged or existing solutions that rebuilt their solutions around emerging LLM technologies and model advancements for understanding language:

1. AI-XDR & Security co-pilot platforms
2. AI-SOC Tier 1 Analyst for alert triage & Investigation
3. AI-SOC Tier 2/3 Analyst for advanced incident response and threat hunting
4. AI Automation Engineer for creating custom advanced security workflows

1) AI-Powered XDR & Co-Pilot Platforms

The largest EDR/XDR vendors, such as Microsoft, Palo Alto Networks, and Crowdstrike, now provide AI-powered XDR platforms and co-pilot solutions. These vendors have evolved from focusing solely on endpoint telemetry to ingesting diverse third-party data powered by XDR solutions with basic response capabilities.

With advancements in AI/LLM, these vendors have incorporated generative AI, significantly enhancing their solutions’ ability to triage alerts automatically and provide robust AI-driven summaries and log data analysis. Many began with co-pilot releases, and leading vendors in this category include:

• CrowdStrike’s Charlotte AI
• Microsoft Security Copilot
• SentinelOne PurpleAI
• Palo Alto Networks (Cortex XSIAM)
• Splunk ES, Google SecOps, Radware, etc.

One of the major capabilities of these solutions is their security Co-Pilot feature, which enhances SOC operations through various intelligent functionalities. These Co-Pilots help analysts navigate data sources more efficiently, enabling them to more quickly find ground-truths and expedite their investigations, research, and discovery processes. They provide analysts with guided responses for incident handling, automatically generate detailed incident reports, and conduct thorough analyses of scripts and code for potential threats.

These co-pilots are particularly helpful in efficiently summarizing incidents, offering analysts quick insights, and accelerating their investigation processes. This, in turn, reduces response times and lessens the analysts’ workload. What makes these security pilots powerful is their foundations built on vast datasets, such as Microsoft’s security-specific model, which has been trained on a collection of over 65 trillion security signals.

Another key advantage these vendors possess is their extensive datasets, drawn from threat intelligence and endpoint telemetry, which enable advanced AI model training. These massive telemetry datasets, accumulated over the years, provide a significant competitive edge in developing robust AI models and comprehensive threat intelligence capabilities. Additionally, they benefit from strong ecosystem integration by seamlessly combining proprietary tools (e.g., Cortex, Falcon) with third-party platforms.

For example,

• Charlotte AI can correlate seemingly unrelated alerts to identify complex attack patterns and provide real-time threat hunting capabilities, leveraging its strengths at the endpoint These platforms now offer integrated AI capabilities that combine alert analysis with automated response orchestration, creating a more streamlined security workflow.
• Enhanced Analysis, Human-Guided Decisions: AI serves as an intelligent assistant, processing vast amounts of data and providing insights, but critical security decisions still require human expertise. Modern AI-powered alert analysis systems act as intelligent collaborators which enhance the capabilities of security teams by automating complex analysis tasks.

2) AI-SOC Tier 1 Analyst Solutions

These solutions are taking things a step further with the goal of emulating a human Tier 1 analyst’s actions when an alert is generated. By automating routine investigation tasks typically performed by human analysts, they aim to reduce response times and lighten the workload for security teams. These systems go beyond simple alert summaries, delivering enriched, actionable insights. Their core functionalities can be categorized into the following key roles:

Alert Grouping: They leverage AI tools to efficiently organize and consolidate alerts to minimize noise and provide a clearer picture of potential threats:

• Alert deduplication and grouping per asset: They identify and consolidate duplicate events that may have bypassed initial SIEM filtering. They also aggregate alerts related to the same asset, creating a holistic view of potential threats.
• False positives alerts: These solutions sift through extensive datasets to identify genuine threats and dismiss false positives. They provide analysts with detailed explanations for closing cases. Despite AI’s advancements in streamlining triage, human expertise remains critical to validate alerts and make the final call.

Alert Enrichment (True Positives): AI enhances raw alerts by adding essential context, empowering analysts with the information needed for thorough investigations and decision-making. Key enrichment areas include:

• Indicator of Compromise (IOC) Enrichment: This is a key component. The system leverages threat intelligence feeds to perform checks using both paid and open-source intelligence sources, or consults a Threat Intelligence Platform (TIP) if an enterprise has all intelligence data centralized in a central location.
• Machine (Endpoint/Server) Enrichment: Systems gather detailed information about affected machines, such as configurations, vulnerabilities, and activity patterns.
• Account (Identity and Access Management) Enrichment: Solutions retrieve user account details, access patterns, and recent activity to identify potential misuse or compromise.

Through strong, alert grouping and enrichment capabilities, many of the AI-SOC Analysts aim to enhance the human analyst workflow and, subsequently, over time, replace repetitive tasks with an AI agent. However, there are some limitations:

• Predefined Detections: AI Tier 1 systems primarily operate within the scope of predefined detection rules and require regular fine-tuning to adapt to new threats.
• Onboarding Challenges: Configuring these tools during initial deployment and for new detection scenarios can be resource-intensive.
• Additional time spent on False Positives (FPs): While AI helps streamline triage, human expertise is still needed to validate alerts and make the final call. There is fear regarding the time required to manage these solutions relative to an analyst.

Don’t expect these tools to eliminate false positives (FPs) entirely. While they help, a human must still make the final call on alerts. AI Tier 1 tools guide you toward the answer but won’t make the decision for you—they’re primarily designed to automate routine tasks, freeing analysts to focus on more critical issues.

• Sample vendors: Some of the leading vendors include Dropzone, Prophet AI and Hunters AI.
• Dropzone: I was impressed by Dropzone’s visualization – its user-friendly UI and interface designed for seamless navigation by analysts.
• Prophet AI: I was impressed at their rapid deployment. Prophet AI integrates into environments faster than competitors, providing visibility to investigative questions and evidence.
• Hunters AI: They released Hunters AI-Assisted Investigation, which leverages advanced AI capabilities to offer tailored context, explanations, and actionable next steps. This solution is designed to empower analysts of all skill levels. It provides enhanced contextual summaries, relevant explanations, and guided remediation. Analysts gain a unified view of all related information, with Hunters AI enabling rapid investigation. It saves analysts significant time through automated context and actionable insights, addressing the challenges of high alert volumes. Hunters AI provides a full analysis of AI-Assisted Investigation.
• There are many solutions on the market, including Intezer AI SOC solutions, which are worth noting.

3) AI-SOC Tier 2 Analyst – Reactive Threat Hunter

The first tier of analysts performs basic responsibilities within security operations centers. However, there is another group of analysts that has more advanced skills. They are usually responsible for in-depth incident analysis, threat hunting, and leveraging threat intelligence, package analyzers, or forensic tools within their investigation workflow.

These analysts can be referred to as AI Responders and Threat Hunters. This takes automation a step further. It doesn’t just analyze the alert; it also executes a response. For instance, it can isolate a host, quarantine a file, or adjust your block/allow lists—all automatically.

So, imagine you’ve received an alert from your Tier 1 AI tool, and it’s flagged as a suspicious file. The AI Tier 2 platform can jump in and take actions such as:

• Implementing containment, eradication, and recovery steps for confirmed incidents.
• Performing host isolation.
• Managing file quarantine.
• Automatically updating block/allow lists.
• Correlating data from multiple sources to build a detailed picture of an attack and evaluating the blast radius of an incident.
• Engaging in reactive threat-hunting once an incident has been triggered.

While these automated actions follow predefined playbooks and work efficiently for routine tasks, they have limitations with complex or custom workflows. The systems perform best on familiar, established processes but become less reliable when handling intricate scenarios—such as compliance alerts, which we’ll discuss later. In general, some solutions are evolving to address the highly dynamic, undefined, and technical scenarios in the SOC.

4) AI Automation Engineer: The Future of Custom Workflows

AI Automation Engineers combine next-generation SOAR/Hyperautomation with large language model (LLM) capabilities into a unified platform. This emerging market segment shows tremendous potential. The key innovation lies in using AI to create automation workflows through simple natural language commands. They enable Security Operations Center (SOC) teams to create sophisticated workflows with minimal coding expertise.

Some of the reasons we favour this category include:

1. Strong workflow capabilities: These solutions already have strong playbooks and automated predefined workflows for triaging alerts, gathering data, and performing initial investigations. They can do this across a vast number of use cases within the enterprise
2. Moving past static workflows: Historically, traditional SOAR solutions, relied on playbooks that executed static workflows, often lacking the ability to adapt to dynamic scenarios or nuanced contexts. Incorporating AI now dynamically enriches workflows by interpreting the context of incidents and adapting responses accordingly. For example: AI can determine whether a flagged IP address is truly malicious based on updated threat intelligence or automatically tailor remediation steps based on the criticality of the affected asset.
3. Continuous Learning & Adaptation: Historically, SOAR relied on preconfigured rules and manual updates to playbooks, which can become outdated as threats evolve. Now, using AI systems to learn from every incident, they continuously improve their detection and response capabilities.
4. Custom automation: Build and modify workflows specific to your environment. Teams can use NLP to create automation flows using conversational commands instead of code. This technology is key for teams needing to rapidly implement new detection logic or optimize response strategies.

Leading platforms like Torq, Tines, Mindflow, and Blink Ops are pioneering this space. The only limitation with these solutions is that they typically require more resources and expertise to manage effectively.

Real-World Case Study of an AI-Powered Unified SOC Workflow

This breakdown explains the core processes involved:

1. Identification: We start with a SIEM alert, let’s take the example of admin account spinning up a new resource in a region that is not usually used. We then proceed with the usual triage process to determine which steps can actually be fully automated, rather than spending over 30 minutes doing it manually. (Note that all of these steps take into consideration that we have all necessary data points to enrich the data and run analysis.)

   Alert Reception and Triage Agent Activation – Deduplication and Grouping: One of the first things an AI for SOC or Hyperautomation platform does is identify similar alerts triggered for the same cloud account or user. This reduces noise and helps focus on the actual issue at hand.

   • Alert Enrichment:
     • Internal Enrichment: The AI platform enriches the alert with details about the admin account, historical provisioning patterns, and resource types. It checks whether this activity aligns with previously authorized changes or expected admin behaviour. In this case, the automation—whether it’s a whitebox or blackbox solution—would connect with your IAM or ITDR systems to gather this context.
     • External Enrichment: The AI pulls in threat intelligence to check if the admin’s IP or related activity matches known bad actors or tactics. For instance, are these resources linked to cryptomining campaigns or flagged IPs? The quality of this enrichment depends heavily on the threat intelligence feeds you’re using and your confidence in their reliability. Here, the automation consolidates all relevant information into one place, making it easier for an analyst—or the AI agent itself—to determine if the alert is a true positive (TP), a false positive (FP), or requires escalation.
   • The key questions addressed include:
     • Who is involved (admin account); Where is the activity originating from? And when did it occur?
2. Containment (Tier 2 – Investigation)

   Digging through logs and connecting the dots has always been one of those tedious, time-consuming tasks. With today’s AI for SOC and hyperautomation platforms, we can significantly speed this up—or, in some cases, even let the platform handle it autonomously.

   • Timeline Analysis: With the help of the AI, the alert summery can reconstruct the sequence of events to pinpoint when the provisioning began. This step involves accessing logs, searching for key indicators, and automatically building a timeline that provides a clear picture of what happened and when.
   • Forensic Evidence: Collecting forensic evidence—another labor-intensive step—can be fully automated. The platform captures snapshots of affected cloud instances, lists all running processes and active connections, and prepares saved searches for relevant CloudTrail logs or API activity. This ensures that analysts (or even the AI itself) have everything they need for further analysis.
   • The key questions we aim to address:
     • What is happening (e.g., resource misuse)?
     • Why is it occurring (e.g., compromised credentials, malicious intent)?
3. Eradication (Tier 3 – Remediation) – Automated Remediation:

   Automated remediation has been around since the early days of SOAR, and with hyperautomation platforms, you can take it to the next level. For AI-driven SOCs, though, this is still a mixed bag because every organization has its own way of handling remediation.

   In cases where the system is allowed to auto-remediate, it’s straightforward: isolate the affected host, rotate compromised credentials, or block IOCs. These actions can be executed seamlessly by the automation platform without human intervention.

   However, if the remediation steps need to follow a change management process, things get a bit more structured. Here, the platform could generate the required change request or even prepare CloudFormation/Terraform templates for review and approval before applying fixes. This ensures compliance with organizational policies while still leveraging automation to save time.

4. Lessons Learned: Adaptive Learning: AI shines in this phase by automating what used to be painful manual work. It can generate detailed root cause analyses and incident summaries tailored for management and stakeholders, ensuring everyone gets the insights they need. But the real value lies in automating the feedback loop.

   With adaptive learning, any newly discovered IOCs or TTPs are automatically added to your Threat Intelligence repository, enriching your defenses for the future. At the same time, any detection gaps identified during the incident are pushed directly into the backlog for your detection engineering team to address. This ensures continuous improvement and keeps your defenses sharp without adding extra overhead.

Torq released their security AI workflow builder and Torq AI Socrates. We’ll use a case study to see how Torq would handle suspicious IP behaviour.

Incident Case Study Description for how AI-powered SOAR + LLM converge:

A SOC receives an alert about suspicious outbound traffic from a corporate device to an unknown IP address. This IP has been flagged by a threat intelligence feed as associated with malware command-and-control servers.

How Torq Socrates Solved the Incident

1. Detection and Workflow Creation: A junior analyst notices the alert and uses the AI Workflow Builder to create an automation rule using a prompt: “Check IP address 192.168.1.100 with VirusTotal and other integrated threat intelligence feeds. If flagged as malicious, initiate containment actions and alert the SOC.” The workflow is automatically generated and deployed, enabling Torq Socrates to take over the investigation.
2. Enrichment and Validation: Socrates pulls additional context from SIEM logs to determine recent activity from the device, EDR tools for evidence of malware or suspicious processes, and uses threat intelligence feeds to confirm whether the IP is flagged as malicious across multiple sources.
3. Autonomous Decision-Making: Socrates identifies that the IP is flagged as malicious with high confidence. It autonomously isolates the affected device from the corporate network using integration with the EDR platform. Furthermore, it alerts the security team through Slack with a summary of actions taken.
4. Human Oversight and Summary Report: Torq generates a detailed report on the incident that happened, such as a device attempting to communicate with a flagged IP. The report includes timestamped activity logs and confirms that no data exfiltration was detected, and the device was isolated. Analysts review the summary to confirm actions and decide on further remediation.
5. Proactive Follow-Up: If required, automated mitigation is initiated. Password resets are triggered for the user associated with the device. A forensic investigation begins, initiating a deep scan of the isolated device to identify potential malware and its origin.
6. Communication and Documentation: Torq notifies stakeholders (e.g., IT and management) with a tailored report explaining the incident and resolutions in non-technical terms. Immutable documentation is auto-generated for compliance records, ensuring full traceability of the actions taken.

This hyperautomation process combines automation and AI to address the full lifecycle of an incident, from detection to resolution. We recommend visiting here to read about the new solution: Guide to AI in the SOC manifesto.

The role of AI agents in SecOps

Most of this report has outlined the current status quo of AI in the SOC, including a unified AI-powered SOC with a human-in-the-loop case study above. However, moving forward, we believe AI agents will have a big role to play in cybersecurity.

AI Agents – SecOps Implementation

So, what exactly is an AI agent?

While we’re accustomed to interacting with Large Language Models (LLMs) like ChatGPT through simple text prompts and responses, AI agents take this interaction to the next level. Imagine an LLM that doesn’t just provide answers but can plan, make decisions, and carry out tasks until they’re fully completed. In essence, an AI agent is like a chatbot with the added abilities to take actions, access tools, and iteratively work through tasks without needing constant human intervention.

You might wonder why we need agents when advanced LLMs like GPT-4 already exist. The key limitation of non-agentic LLMs is their inability to adapt beyond the initial prompt and response—they can’t perform actions or refine their output without additional input. AI agents shine by offering adaptability and flexibility, allowing them to think, iterate, and improve their responses autonomously.

This enhanced capability is primarily achieved through a concept called ReAct, short for “Reasoning and Acting.” Think of it as giving the LLM the ability to loop through reasoning and actions until it completes its task satisfactorily. It’s similar to how you might go back and forth with ChatGPT multiple times to refine an answer—except the AI agent does this internally, streamlining the process.

Imagine a scenario where you no longer need to manually write automation scripts. Instead, an AI agent or a browser-based plugin monitors your daily tasks, suggests processes to automate, and even builds the automation for you. Need to integrate a new tool or service? The AI agent retrieves the API documentation and constructs the integration with all available actions. This isn’t a distant future—it’s the transformative potential of AI agents in cybersecurity today.

AI agents hold the promise of revolutionising cybersecurity by automating repetitive tasks, enhancing threat detection, and enabling more proactive defense strategies. However, trust, explainability, and integration challenges must be addressed to fully realise their potential. By carefully evaluating the benefits and considering the criteria outlined above, organisations can make informed decisions about adopting AI agents to strengthen their cybersecurity posture.

Broader Challenges / Barriers To AI-SOC Assistant Adoption

• Trust Issues: The biggest challenge is that security operators don’t fully trust these solutions enough to adopt them. Secondly, there is also a concern about putting these technologies at the front line due to the fear of missing something crucial.
• Limited Customization and Black Box AI: A significant challenge in the industry is the prevalence of black box solutions, where AI model training occurs behind the scenes. Enterprises only receive final outputs like enriched alerts and remediation recommendations, without visibility into or control over the underlying processes. Many vendors restrict the ability to customize or fine-tune their models, creating a dependency on vendor updates and fixes. This limitation becomes particularly problematic for large enterprises with unique security requirements. While smaller organizations might benefit from quick deployment and standardized solutions, enterprises often need more flexibility to address their specific security contexts and detection scenarios. A lack of transparency in decision-making (common in Black Box solutions) can conflict with compliance requirements in regulated industries.
• Analyst Involvements – AI tools do not fully replace human analysts; they complement them. Analysts are still required to validate findings, handle escalations, and adapt workflows to evolving threats. Teams must be trained to interact effectively with AI-powered systems, which may face resistance or steep learning curves.
• Accuracy & efficacy of models – It is crucial for technologies that these models become highly accurate when compared to a human analyst over 30, 60 and 90 days. The ability of a model to produce similar results to how a top-tier analyst would respond is key.

Conclusion: The Path to Full AI-Driven SOCs

• If we want to take SOC automation to the next level, we need platforms that handle the entire cycle—from incident response to detection engineering, automation, and finally, testing the whole process. Right now, most AI SOC tools only offer pieces of that puzzle, giving you a false sense of security that you’ve automated more than you actually have.
• And don’t forget, while these platforms are decent at automating incident response, they tend to struggle with compliance alerts and governance issues. The truth is, a large chunk of the alerts in any given environment are related to vulnerability management or cloud security, and these aren’t handled as effectively by current AI solutions.