MSSP, SOC, AI/ML

A fast verdict on a broken detection is still the wrong answer

Guest blog courtesy of Conifers.


Every agentic SOC pitch aimed at MSSPs sells the same thing right now: faster triage. The line is always some version of "automate Tier 1, clear the queue, grow without adding headcount." It's the safe story, because the queue is the pain that everyone can see.

Palo Alto's Unit 42 clocked attacks moving 4x faster year over year, with time from initial access to stolen data down to about 72 minutes. CrowdStrike put the criminal breakout time at 29 minutes. So agents go where the pain is loudest: the alert queue.

Triage runs on whatever's upstream

Triage sits at the downstream end of the pipeline. The agent investigating alerts is only as good as the detections underneath it, and those detections are only as good as the threat hunting and intel feeding them. Upstream decides whether any of it works. And the automation barely touches it.

For an enterprise, a detection built without context creates noise. For an MSSP, that same detection repeats across every tenant, and because each environment carries its own context (assets, identities, business logic, risk tolerance), the noise multiplies. Layer automated triage on top, and you've built a system that reaches the wrong verdict faster, with a confidence score attached.

Watch the number these vendors lead with: alerts processed. Two million, three million, take your pick. That figure measures how much noise the platform chewed through. When 96% of what hits the queue is a false positive, which is the reality in plenty of SOCs, most of that volume should never have fired. Clearing it faster makes you a very efficient garbage collector. The better move is to stop generating the garbage, and that's a detection problem.

Ask any detection engineer how many of their rules they'd trust today. Not most of them. Detections decay. One goes silent when a log source quietly changes format and the fields the rule keys on stop showing up. Another turns noisy when the environment drifts and yesterday's normal trips today's rule. Tuning runs months behind the threat, because the person who'd fix it is busy closing the tickets those bad detections generated. Now run that across 40 client environments, each with its own stack and its own drift.
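As an added illustration of the two decay modes just described (this is example code written for this page, not Conifers' code or any vendor's; the rule format, thresholds, tenant names and sample events are all assumptions), here is a small health check that compares a rule's behaviour on a baseline window of events against the current window and reports whether it has gone silent, turned noisy, or still looks healthy:

```python
"""Detection health check over constructed sample events.

Added example, not Conifers' or any vendor's code. Flags the two decay modes
from the text: a rule that goes silent because the fields it keys on stopped
appearing (schema drift), and a rule that turns noisy because the environment's
baseline behaviour changed. Rule format, thresholds and events are assumptions.
"""
from dataclasses import dataclass
from typing import Callable

Event = dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    required_fields: tuple[str, ...]     # fields the predicate keys on
    predicate: Callable[[Event], bool]   # the detection logic itself


def field_coverage(events: list[Event], fields: tuple[str, ...]) -> float:
    """Fraction of events that carry every field the rule keys on."""
    if not events:
        return 0.0
    return sum(all(f in e for f in fields) for e in events) / len(events)


def fire_rate(rule: Rule, events: list[Event]) -> float:
    """Fraction of events the rule fires on; an event missing a field never fires."""
    if not events:
        return 0.0
    hits = sum(1 for e in events
               if all(f in e for f in rule.required_fields) and rule.predicate(e))
    return hits / len(events)


def check_rule(rule: Rule, baseline: list[Event], current: list[Event],
               min_coverage: float = 0.9, noisy_factor: float = 5.0,
               noisy_floor: float = 0.25) -> dict:
    """Classify a rule by comparing a baseline window with the current one.

    'silent'  - required fields are now largely absent, so the rule cannot fire.
    'noisy'   - fires far more often than before, on a meaningful share of events.
    'healthy' - neither symptom. Thresholds are arbitrary picks for this example.
    """
    cov_now = field_coverage(current, rule.required_fields)
    rate_then = fire_rate(rule, baseline)
    rate_now = fire_rate(rule, current)
    if cov_now < min_coverage:
        status = "silent"
    elif rate_now >= noisy_floor and rate_now > noisy_factor * rate_then:
        status = "noisy"
    else:
        status = "healthy"
    return {"status": status, "coverage": cov_now,
            "rate_baseline": rate_then, "rate_current": rate_now}


def check_tenants(rules: list[Rule], tenants: dict) -> dict[str, dict[str, str]]:
    """Run every rule against every tenant's own baseline/current windows."""
    return {tenant: {r.name: check_rule(r, w["baseline"], w["current"])["status"]
                     for r in rules}
            for tenant, w in tenants.items()}


# Two toy rules (assumed, for illustration only).
ENCODED_PS = Rule("encoded_powershell", ("proc_name", "cmdline"),
                  lambda e: e["proc_name"].lower() == "powershell.exe"
                  and "-enc" in e["cmdline"].lower())
PSEXEC = Rule("psexec_execution", ("proc_name",),
              lambda e: e["proc_name"].lower() == "psexec.exe")
RULES = [ENCODED_PS, PSEXEC]


def ev(proc: str, cmd: str = "", proc_field: str = "proc_name") -> Event:
    """Build one constructed process-creation event."""
    return {"host": "ws-01", proc_field: proc, "cmdline": cmd}


# Constructed sample windows, one per hypothetical tenant.
# acme: the log connector was upgraded and now emits `process.name` instead of
#       `proc_name`; both rules key on the old field and go silent.
# globex: IT rolled out a deployment tool that runs PsExec everywhere, so the
#       psexec rule fires on most events (noisy) while the encoded-PowerShell
#       rule keeps its usual rate (healthy).
TENANTS = {
    "acme": {
        "baseline": [ev("powershell.exe", "-enc AAAA"), ev("explorer.exe"),
                     ev("svchost.exe"), ev("psexec.exe"), ev("chrome.exe")],
        "current": [ev("powershell.exe", "-enc AAAA", "process.name"),
                    ev("explorer.exe", proc_field="process.name"),
                    ev("svchost.exe", proc_field="process.name"),
                    ev("psexec.exe", proc_field="process.name"),
                    ev("chrome.exe", proc_field="process.name")],
    },
    "globex": {
        "baseline": [ev("powershell.exe", "-enc AAAA"), ev("psexec.exe")]
                    + [ev("explorer.exe")] * 5 + [ev("chrome.exe")] * 3,
        "current": [ev("powershell.exe", "-enc AAAA")] + [ev("psexec.exe")] * 4,
    },
}

if __name__ == "__main__":
    for tenant, statuses in check_tenants(RULES, TENANTS).items():
        print(tenant, statuses)
```

Splitting the check into field coverage and fire rate matters because the two failures need different fixes: a silent rule needs a field mapping or parser change, a noisy rule needs a tuning exclusion or a refreshed baseline. Run it per tenant, since drift in one client's environment says nothing about another's.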

Threat hunting has the same problem from the other side. Most providers run hunting as a side task for one senior analyst, when they run it at all. Coverage is thin and uneven between tenants. The intel meant to drive it shows up as raw volume with no relevance attached, so it sits unread.

The questions worth asking a vendor

The sharper question for an MSSP owner is whether the system improves the stages that feed detections. Does a finding from a hunt become a new detection on its own? Does an investigation retune the detection that just misfired? Does today's intel change what the agents look for tomorrow? When the answer is no, what you've bought is a faster way to process the same noise, from detections that break again every time a client's environment shifts.

The variance problem

The speed story also misses consistency. For a service provider, the number that matters is the gap between your best tenant and your worst, between your strongest analyst and your newest hire. A system that learns each tenant's environment on its own and keeps that knowledge current closes that gap. The context behind every decision stays specific to that client and walled off from every other tenant. A new analyst picks up the tenant's full history on day one, so the service a client gets holds steady no matter who's on shift.

Governance lands in the same place. When a client asks why an incident was handled the way it was, the answer has to reach back up the chain: which detection fired, why it fired, what the hunt found, and what the intel flagged. An evidence trail that starts at the response only covers the easy half.

The providers who win are the ones fixing the upstream first (the detections, the hunting, the intel) so that the speed everyone is selling lands on the right answer. A fast verdict on a broken detection is just a wrong answer arriving sooner. Fix the source first.
