AI-Augmented SOC: The Evolution of Security Operations

Guest blog courtesy of D3 Security.

Welcome to another episode of "Let's SOC About It." In our latest episode, Amy sits down with Francis Odum, cybersecurity researcher and founder of Software Analyst Cybersecurity Research. Their conversation examines the growing role of AI in security operations centers and provides critical insights for security leaders navigating this technological evolution.

The discussion traces the journey from automation tools from the emergence of low-code/no-code platforms, to today's AI-augmented capabilities. Francis shares evidence from early adopters, including a major ride-hailing company that significantly reduced tier-one workloads, by automating the processing of EDR and telemetry data, while improving detection and response metrics.

Beyond technological capabilities, Francis offers a nuanced perspective on workforce transformation. Rather than eliminating tier-one analyst positions, he envisions these roles evolving to focus on higher-value activities as AI handles routine tasks like false positive filtering, alert enrichment, and case documentation. AI-driven summaries and prioritization enable analysts to focus on the most critical threats

For security leaders planning their 2025-2026 technology roadmaps, this episode provides valuable context on adoption trends across different industries and practical implementation strategies.

Episode Highlights:

No Fixed Terminology to Describe it Yet (0:50-3:00): The terms autonomous SOC, AI SOC, and AI-augmented SOC are explored. Francis expresses a preference for "AI-augmented SOC," which emphasizes an augmentation process rather than full autonomy. The discussion highlights that the security industry has not yet settled on standard terminology for AI in the SOC.

A Brief History of Security Automation (2:50-7:00): The discussion revisits the early promises of automating the SOC around 2015, noting that these promises did not materialize as expected. Companies sold the dream of full automation, but the reality involved a lot of manual effort. The evolution of automation in security operations, from complex SOAR tools to low-code/no-code automation capabilities, is explained.

AI vs. Basic Automation (10:00-11:00): Francis clarifies the difference between basic automation and AI-driven intelligence. Automation involves creating playbooks and workflows to manage and resolve alerts, while AI can read context from thousands of data points and make intelligent decisions.

The Evolving Role of Tier One Analysts (21:00-25:00): Francis uses the calculator as an analogy: while basic tasks are automated, critical thinking becomes more important. He suggests that the tier one role will likely remain but will require a focus on training and education for different levels of tasks.