Home
Blog
AI
October 30, 2025
9
min read

The SOC of the Future Is Already Here: Why Security Leaders Can't Risk Waiting to Adopt AI

After three decades building security software and leading multiple successful exits, I can tell you with certainty: AI in Security Operations Centers isn't a future consideration—it's an urgent present-day requirement. As Command Zero's CPO, I'm witnessing threat actors already wielding AI-powered capabilities to breach defenses faster than human analysts can respond. In my recent conversation with analyst Shelly Kramer, we explored the perfect storm facing modern SOCs—overwhelming alert volumes, critical skills shortages, and expanding attack surfaces—and why AI represents the only viable path forward. Organizations implementing AI are achieving 70% faster time-to-triage, transforming investigations from hours to minutes while elevating junior analysts to productive contributors within weeks. Through a practical crawl-walk-run framework, I outline how security leaders can integrate AI capabilities while preserving existing SIEM investments and empowering their teams. The choice isn't between human analysts and AI—it's achieving harmony between them to create security operations that are faster, more consistent, and more effective than either could achieve alone.

AI
investigations
Security Operations
SOC of the future
Alfred Huger
Cofounder & CPO
In this article
H2 Title
H3 Title

After three decades building security software and leading product organizations through multiple industry transformations, I can confidently say this: the debate about whether AI belongs in your Security Operations Center is over. The question isn't whether AI will reshape security operations—it's whether you'll be prepared when threat actors wielding AI-powered capabilities breach your defenses.

In my recent conversation with Shelly Kramer on Security Square, we explored a truth that security leaders need to confront immediately: AI isn't a future consideration for cybersecurity. It's a present reality that's fundamentally reshaping how we defend against increasingly sophisticated threats. This post examines the forces transforming modern SOCs, the practical realities of AI adoption, and how organizations can successfully navigate this transition while preserving their existing investments and empowering their security teams.

You can read Shelly Kramer’s article based on this interview, or watch the full interview here:  

The Perfect Storm Facing Security Operations Today

Security Operations Centers are confronting a convergence of challenges that have been building for years, and these pressures are reaching a breaking point.

  1. Overwhelming Alert Volumes The first challenge isn't new—high volumes of alert data have plagued SOCs for as long as we've had them. Analysts are drowning in signal, spending countless hours navigating through mountains of alerts to identify the threats that actually matter. What makes this problem particularly acute today is its acceleration. As enterprises adopt dozens or even hundreds of SaaS platforms and digital tools, each one represents new exposure. Every new platform generates its own alert stream, and analysts must navigate through this expanding universe of data sources.
  1. Critical Skills Shortage For every new platform introduced into the enterprise environment—and the training that comes with it—SOCs need analysts who can pick up that work. The problem? Our industry faces a shortage of hundreds of thousands of skilled security professionals, if not millions. This isn't just about finding warm bodies; it's about finding analysts with the expertise to handle complex, multi-platform investigations across an increasingly fragmented security stack.
  1. Expanding Attack Surface The modern enterprise is a labyrinth of interconnected systems. Whether it's SaaS platforms, cloud infrastructure, identity providers, or endpoint systems, the attack surface expands daily. Each new digital tool represents another potential entry point, another system to monitor, another source of alerts to investigate.

These three forces—volume, shortage, and expansion—have been challenging security operations for years. But there's a fourth force that changes everything.

The AI Tsunami: A Fundamental Shift in Threat Landscape

Here's what makes this moment different from every other technological shift in cybersecurity: we're no longer just facing human adversaries.

If you're an analyst operating in an environment where you're accustomed to responding to human beings on the other end of the attack chain, you need to advance that thinking immediately. You're now facing machines—AI-powered threat actors that think faster than you do, excel at correlating information, and make decisions at speeds that humans simply cannot match. They're built for pattern recognition and scale.

The Asymmetry Problem Intensifies

Our industry has always been defined by its inherent asymmetry: defenders must be right every time, while attackers only need to be right once. What's changed is that threat actors are early adopters of AI capabilities, and they don't face the constraints that security teams do. They have no regulatory compliance requirements. They face no budget limitations. They operate without the organizational friction that slows enterprise technology adoption.

When any new technology emerges, the advantage typically goes to the attacker initially. But with AI, we don't have time for that traditional lag. The most efficient attack attempts organizations face today are already being driven through large language models—from social engineering to exploit development. The price of non-engagement isn't just substantial; it's potentially catastrophic.

Career Evolution in SecOps: From Alert Review to Strategic Defense

One of the most pressing concerns I hear from security professionals centers on job displacement. Let me be direct: AI will replace certain jobs and job functions. That's not fear-mongering; it's an honest assessment of where we're headed.

But here's the critical nuance that gets lost in that conversation: this transformation could be the best thing to happen to security professionals in decades.

Eliminating the Drudgery

Nobody entered cybersecurity dreaming of reviewing mind-numbingly boring alerts all day. That wasn't what drew talented people to this field. They came for the intellectual challenge, the opportunity to directly counter adversaries, the satisfaction of solving complex puzzles. AI removes the repetitive, low-value tasks that have consumed analyst time for years—the work that burns people out and drives them from the profession.

Elevating Capabilities Across the Board

AI helps level up your entire team. Machines don't forget investigative steps. They're better at detailed analysis and comprehensive reporting. They can build auditable investigation trails and produce work that consistently reflects best practices. With proper implementation, AI can turn every analyst into a high performer and bring people off the bench who weren't previously able to contribute at tier-2 or tier-3 levels.

Common challenges security teams face include:

  • Inconsistent investigation quality across analysts of varying experience levels
  • Junior analysts consigned to alert triage without path to complex work
  • Senior analysts overwhelmed with the hardest cases due to limited team depth
  • Superficial investigations due to time pressures and workload constraints

AI addresses each of these challenges by providing consistent investigative frameworks, encoded expertise, and the capacity to handle routine work autonomously—freeing human analysts for high-value activities.

The Future SOC Analyst

The SOC will flatten considerably over the next several years. Analysts will evolve from task executors to workflow orchestrators. They'll guide AI agents, educate systems within their environments, and serve as the critical human-in-the-loop decision makers who provide judgment, context, and strategic thinking that AI cannot replicate.

This means analysts will spend their time on:

  • Guiding investigative workflows and defining priorities
  • Acting as orchestrators who direct AI agents toward organizational objectives
  • Checking and validating AI-generated findings
  • Stage-gating decisions that require human judgment
  • Working directly with adversaries through attack mapping and behavioral analysis
  • Conducting the truly complex, novel investigations that demand human creativity

These are the intellectually stimulating aspects of cybersecurity that attracted people to the field in the first place. AI removes the drudgery and returns analysts to meaningful security work.

Achieving Measurable Outcomes: The Business Case for AI in the SOC

Based on deployments we're seeing with Command Zero customers today, the business benefits of AI integration are substantial and quantifiable.

Speed and Efficiency Gains

Organizations implementing AI in their SOCs are achieving 70% or greater reductions in time-to-triage. What previously consumed hours now takes minutes. This isn't incremental improvement—it's transformation. When you can reduce mean-time-to-contain and mean-time-to-remediate by this magnitude, you're fundamentally changing your security posture and limiting the window attackers have to operate within your environment.

Consistency and Quality

Perhaps more valuable than speed is consistency. Your organization doesn't have analysts who are all at exactly the same skill level. Typically, a small number of senior analysts handle the most complex cases because they have time-in-seat, experience, or simply exceptional aptitude. AI democratizes that expertise. It ensures that every investigation, regardless of who conducts it, meets a consistent standard of thoroughness and quality.

Key benefits for SecOps teams include:

  • Accuracy: Ensures thorough and precise investigations across all cases
  • Speed: Dramatically reduces time required per investigation
  • Confidence: Empowers analysts to close cases with certainty based on comprehensive analysis
  • Consistency: Standardizes investigation processes across the entire team
  • Knowledge Sharing: Facilitates learning and collaboration through encoded expertise

Accelerated Onboarding

Junior analysts who would traditionally spend months ramping up to productive contribution can now participate in complex investigations within their first week. This has profound implications for staffing efficiency and knowledge retention within security organizations.

Resource Optimization

Every security leader operates under OpEx constraints. The more effectively you can operationalize your existing team—getting high-quality, consistent outputs from all members—the more you can refine budget allocation and apply resources to program areas that truly need extension. Rather than continuously hiring to handle the same repetitive tasks, you can focus investment on strategic capabilities that advance your security mission.

A Practical Implementation Framework: AI for SOC

For security leaders ready to move forward, success requires a measured, systematic approach that protects existing investments while gradually expanding AI capabilities.

Crawl: Establish Foundation and Validate  

Begin by treating AI like a junior analyst. Start with known-good logic and simple, well-defined use cases. All simple alert-based cases should flow to AI systems initially, with human analysts reviewing and approving the work before moving to the next stage. This accomplishes several objectives: it validates AI decision-making quality, builds team confidence in the technology, and establishes baseline metrics for improvement.

Walk: Integrate Existing Infrastructure  

Move to more complex scenarios by embedding AI into your existing investments, particularly your SIEM. Your team has spent years developing queries, correlation rules, and investigative workflows. These represent substantial organizational knowledge that shouldn't be discarded. Successful AI implementation leverages these existing assets, allowing AI to use your best tooling and proven practices. Gradually expand AI involvement from simple investigations to more complex scenarios.

Run: Full Integration and Optimization  

At maturity, AI participates across your investigative spectrum—from initial triage through complex, multi-system investigations. It operates directly with your SIEM and other security tools, working autonomously where appropriate and in collaboration with analysts where human judgment adds value. Throughout this journey, measure continuously: track case quality, investigation time, consistency metrics, and cost per investigation.

Critical success factors include:

  • Measuring and tracking metrics AI work just as you would human analyst performance
  • Maintaining human-in-the-loop validation, especially early in deployment
  • Starting with use cases where AI advantage is clear and measurable
  • Preserving existing infrastructure and process investments
  • Building team confidence through transparent, auditable AI decision-making

Command Zero's Approach: End-to-end SecOps Analysis at Scale

At Command Zero, we deliver end-to-end analysis for security operations. This includes triage, prioritization of cases and complex case investigation. These cases might originate from alerts, HR-led inquiries, or any situation requiring an analyst to drive an investigation to conclusion to truly understand the security implications. The platform delivers the best of AI, automation and human intelligence for security operations.  

Hybrid Architecture for Maximum Flexibility

We've built a platform with an agentic subsystem that can complete investigations autonomously, allowing analysts to work human-in-the-loop, reviewing findings and making decisions. But we also enable human analysts to drive complex investigations themselves, pulling in AI agents to assist where they add value—report building, correlation, pattern recognition, and tasks that humans aren't optimized for.

This dual-mode approach recognizes a fundamental truth: both fully autonomous and analyst-led investigations have their place in modern SOCs. The platform should support both modalities seamlessly.

Addressing What Matters Most

We recognize that AI-powered triage might help you knock down 5,000 routine cases more quickly. That's valuable but not enough. Command Zero helps SecOps teams sift through thousandas of signals and identify the 50 cases that need deep analysis. The platform then focuses on the 50 investigations that could put your organization on the front page of the New York Times if handled improperly. These are the cases where thoroughness, context, and comprehensive analysis are non-negotiable—where getting it wrong has severe business consequences.

By combining encoded investigative expertise, cross-platform visibility, and AI-powered analysis, we help security teams handle these critical investigations with consistency and confidence, regardless of which analyst is assigned to the case.

The Path Forward: Commitment and Action

After 30 years building security software and witnessing countless technology cycles, I understand the skepticism that exists in our industry. We've been oversold on security solutions repeatedly. We've seen vendors market well beyond their actual capabilities. That skepticism is justified.

But this time, it is different.

You are already being exposed to AI in your security environment. The question isn't whether AI will impact your SOC—it's whether you'll be exposed to it only through attackers, or whether you'll adopt it as well to level the playing field.

Security leaders must move beyond debate and into action:

  • Acknowledge that threat actors are already leveraging AI against your organization
  • Recognize that the skills shortage makes AI adoption strategically necessary
  • Accept that the expanding attack surface requires automation at scale
  • Commit to a measured implementation that preserves existing investments
  • Invest in building team AI capabilities now, before the gap widens

This isn't the security industry crying wolf. The threat is real, it's current, and organizations that delay adoption are accepting significant risk.

Conclusion: Building the SOC That Can Handle Today’s and Tomorrow’s Demands

The SOC of the future isn't a distant vision—it's taking shape in organizations today. Security teams implementing AI thoughtfully are seeing faster response times, more consistent outcomes, and analysts freed to focus on work that truly requires human insight and creativity.

For security professionals, this transformation represents opportunity, not threat. Your intellectual curiosity, problem-solving instincts, and ability to think strategically about adversary behavior remain your competitive advantages. Lean into AI, experiment with it, and position yourself as the expert who bridges human intelligence with artificial intelligence. Your career trajectory—and your organization's security posture—depends on it.

At Command Zero, our vision extends beyond any single technology or approach. We're working to transform how security analyses are conducted in complex, modern environments, giving every analyst the tools and encoded expertise to operate at the highest levels. As threat actors increasingly leverage AI to scale and enhance their operations, security teams deserve platforms that enable them to meet that challenge with confidence.

The future of security operations lies not in choosing between human analysts and AI, but in achieving harmony between them—leveraging the strengths of each to create security operations that are faster, more consistent, and more effective than either could achieve alone.

If you're ready to explore how AI can transform your security investigations while preserving your existing investments and empowering your team, I'd welcome the conversation.

Alfred Huger
Cofounder & CPO

Continue reading

AI
Highlight

If Your AI SOC Can’t Show Its Work, You’ve Got a Compliance Problem Coming

The era of unregulated "black box" AI in security operations is ending due to new legal frameworks like the EU AI Act. With the EU Act now enforceable law and full compliance for high-risk systems required by August 2026, security leaders face strict mandates for transparency, auditability, and human oversight. The author warns that "showing your work" is no longer just a best practice, but a regulatory necessity with significant financial penalties for non-compliance. While the US lacks a single federal law, a patchwork of state regulations in Colorado, California, and Texas is creating similar pressure for explainability. Because AI-driven SOC tools make consequential autonomous decisions—such as blocking traffic or dismissing threat alerts—they fall squarely into these high-risk categories. The piece contends that if a security platform cannot produce a clear reasoning chain or audit trail for its actions, it creates a dangerous compliance gap. The article concludes by positioning Command Zero’s platform as a solution specifically designed to meet these rigorous transparency standards.
James Therrien
Feb 3, 2026
7
min read
AI
Highlight

The Federated Truth: Why Data Lakes Are Failing Investigations

The Federated Truth This article argues that traditional security architectures based on data centralization (Data Lakes and SIEMs) are failing to meet the needs of modern investigations due to prohibitive storage costs, data ingestion lags, and incomplete visibility. The author identifies a "SecOps Last Mile" problem, where analysts lose critical time switching between disconnected consoles to access data that was never ingested into the central repository. The proposed solution is a Federated Data Model, such as Command Zero, which queries data directly where it resides (EDR, Identity Providers, etc.) via APIs rather than moving it. This approach eliminates ingestion delays, provides access to 100% of real-time data, and reduces infrastructure costs. By leveraging AI to normalize these distributed queries, the federated model allows analysts to investigate threats in seconds rather than hours, shifting the focus from data management to rapid threat resolution.
Eric Hulse
Jan 27, 2026
10
min read
AI
Highlight

The Black Box SOC AI Agent Problem (And How to Fix It)

Security Operations Centers face a difficult paradox where AI agents offer necessary speed but create unacceptable liability due to their "black box" nature. CISOs remain hesitant to deploy these autonomous systems because they cannot explain the reasoning behind actions like blocking users or terminating processes, which leads to compliance failures and a lack of trust. Traditional AI models prioritize prediction over the transparency required for complex, iterative cyber investigations. Command Zero addresses this critical gap by introducing a "glass box" architecture designed for verified autonomy rather than blind trust. This approach transforms the investigation process into a visible, auditable "stack trace" where every query, source, and decision is exposed to the analyst. Beyond simple transparency, the system ensures pivotability, allowing human analysts to seamlessly take over and inject expertise into autonomous workflows without losing baseline data. By combining this visibility with the ability to customize investigation logic for specific environments, Command Zero allows organizations to safely leverage the speed of AI automation while maintaining the rigorous oversight and explainability essential for modern security operations.
Eric Hulse
Jan 23, 2026
8
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All