The conversations coming out of RSAC 2026 point to a clear shift: security operations are moving toward agent-driven workflows, and MSSPs will be expected to run them. Vendors are building AI systems that can investigate alerts, prioritize incidents, and take action with very little human input. As a result, SOC workflows are getting faster, with responses measured in minutes instead of hours.
For MSSPs, this raises the bar. It’s no longer just about visibility and detection. Customers expect faster containment, consistent response across tenants, and automation that actually works in real environments. Platforms are changing to support this. SOC tools are becoming orchestration layers that bring together detection, investigation, response, and AI governance. At the same time, identity is expanding beyond users to include external exposure and machine activity.
The opportunity for MSSPs depends on how well they can put this into practice. That means standardizing workflows, managing AI-driven activity, and showing clear, measurable outcomes across environments.
At the same time, a tougher challenge is starting to show up. As companies begin using AI in security operations, questions around identity, control, and accountability are becoming more important. These AI systems are starting to act like active parts of the environment, which means they need defined access and oversight. Vendors are beginning to address this with new identity and policy controls, but the model is still evolving. For now, MSSPs are left to bridge that gap. Customers will expect them to manage AI-driven risk as part of their services, even as the tools and best practices are still taking shape. Governance is becoming just as important as detection and response.
Market Pulse: Cybersecurity Deals, Funding, and Platform Shifts
LevelBlue and SentinelOne announce preferred global partnership:
LevelBlue will serve as SentinelOne's preferred global partner provider for MDR and managed SIEM services, and has also been named a preferred provider for incident response. The partnership integrates SentinelOne's AI SIEM and analytics technology with LevelBlue's Indigo platform, which orchestrates security operations across environments alongside threat intelligence and digital forensics capabilities. LevelBlue brings a global team of more than 300 digital forensics and incident response professionals to the partnership. For MSSPs watching the managed detection and response market, this signals a consolidation of the stack - detection, SIEM, and IR under one preferred-provider arrangement.
Arctic Wolf launches Aurora Agentic SOC:
Arctic Wolf announced the availability of the Aurora Agentic SOC, built on the Aurora Superintelligence Platform. It combines the company's Concierge Experience with turnkey agentic AI and is designed to significantly reduce the cost, complexity, and uncertainty slowing AI adoption across cybersecurity teams. The focus is on operationalization speed: Arctic Wolf says cases resolve 15x faster, ticket quality is 3x higher, and the SOC can be deployed in as little as 10 days. Arctic Wolf also partnered with Wiz (now part of Google Cloud) to deliver a new integration between Wiz and the Aurora Superintelligence Platform, providing guided investigation, containment, and response workflows for cloud threats. MSSPs building or scaling SOC delivery should watch this closely - it's a blueprint for the agentic SOC as a managed service.
Gurucul launches Open AI SOC Platform:
Gurucul launched an open AI-driven SOC platform aimed at giving MSSPs more control over data, costs, and platform flexibility, combining an AI SIEM engine, agentic AI workflows, and a bring-your-own data lake model into a single modular architecture. The platform integrates detection, threat hunting, and incident response across the full lifecycle while allowing organizations to plug into vendor-neutral data environments like Snowflake and Databricks. For MSSPs, the move addresses a persistent challenge around rising data ingestion costs and fragmented toolsets, while also signaling a broader shift toward open, composable SOC platforms where providers can standardize operations without being tied to a single vendor ecosystem.
SentinelOne expands agentic SOC capabilities:
SentinelOne added deeper AI-driven investigation and response workflows within its platform, focused on delivering full attack context and automated remediation. The shift here is from alerts to decisions. MSSPs are expected to move faster from detection to action, and platforms that package investigation and response together help reduce analyst workload and improve response times.
SOCRadar launches AI agent marketplace and identity intelligence:
SOCRadar introduced a marketplace model for deploying AI agents alongside expanded identity intelligence across external and SaaS environments. This reflects how MSSPs actually operate - mixing capabilities based on client needs. It also brings identity exposure monitoring closer to core platform workflows, making it easier to package as a recurring service.