Why the Hybrid SOC Is Your Next Use of AI

Human-only SOCs are unsustainable, but AI-only SOCs are still beyond the reach of current technology.

The industry has responded by increasingly adopting hybrid approaches.

Today, hybrid security operations centers are the preferred method for teams looking to leverage AI capabilities while keeping their feet firmly on the ground. Humans are in control. Artificial intelligence does the boring work. Everything comes together – but faster, more precisely, and with a sense of judgment at the helm.

Read on to learn about the hybrid SOC, a model in which AI agents answer to humans, and find out why these half-human, half-robot teams are redefining cybersecurity.

Wasting time on human-led investigations

Gartner predicts that by 2026, more than half of all SOCs will use some type of AI-based decision support.

This does not mean that people are no longer smart enough, or even that the landscape has become “too complex” for analysts to keep up with today’s problems. The problem is scale, and often scale alone.

A human-led investigation takes on average roughly 10 to 20 minutes per alert (some estimates put it at 30 to 60 minutes). In a world where security operations centers handle hundreds (if not thousands) of alerts daily, even narrowing things down to high-priority issues still leaves teams with dozens of investigations to complete.

That would be hard for a SOC of any size, even one that was fully staffed (and whose analysts had nothing else to do).

But when artificial intelligence is added to the mix, things change. As Prophet Security, a leading AI SOC solutions provider, points out, when AI is brought into the mix “the average time to investigate drops from more than 30 minutes to less than five minutes” and “investigation coverage extends to 100% of alerts rather than the portion that most teams can review manually.”

This completely changes the game. Here’s how.

What AI brings to the table in investigations

Artificial intelligence alone is powerful. But these days, agentic AI is being used to do what AI does, and more.

In a hybrid SOC scenario, an agentic AI (the kind that reasons and acts for itself in response to human direction) is used as a trainee. Imagine a very good, very precise beginner who doesn’t get tired and does exactly what you say, exactly when you say it. This is agentic artificial intelligence.

You get:

  • Independent investigations: AI agents collect data, correlate evidence, and reach conclusions for each alert. Is this a false positive? Is this a viable attack path? Is it worth escalating? Every stone is turned over. Nothing is missed.
  • Decisions, not guesswork: Instead of closing incidents on the “possibility” that they are benign, the AI agents do the work to confirm that each one leads nowhere, and only then close it.
  • Context and audit trails: Alerts are prioritized and enriched with context from across the environment. AI agents don’t just collect telemetry from other tools; they go one step further and perform forensic examination on promising leads. They record every step.

These capabilities are what human analysts would do anyway, but at night, on weekends, and on alert number 942 of the day. Pair that with unparalleled speed and accuracy, and you’ll see why security operations centers (SOCs) need an AI-powered approach.

Where do humans come in?

These autonomous, automated capabilities could make it seem as if security operations centers (SOCs) could be run entirely by AI. Not yet.

There is still a need for humans at the top, making the decisions and giving the green light to playbooks and policies. Humans move from doing rote tasks (such as sorting and querying data) to just the “big brain” tasks: judging, checking, and making the final decision.

This keeps humans not just “in the loop” but on top.

Speaking to this point, Avani Desai, CEO of cybersecurity firm Schellman, said she “strongly believes that having a human in the loop is not enough when we talk about truly effective AI.”

Instead, she advocates putting humans in command. “You don’t just supervise, you design the control systems and guardrails,” she says.

This is what a truly hybrid SOC enables.

Empowering staff with AI-powered answers

Then there is the benefit of quick search and quick answers. There is a skills gap between where most SOCs are and where they need to be. That gap existed before artificial intelligence, and it is now wider.

But with natural language queries (NLQs), AI is paradoxically helping us catch up. A mid-tier analyst might look at a sophisticated attack path (surfaced for her by her AI SOC platform) and not be able to fully connect the dots.

She can ask, “Tell me about it,” and the AI will summarize what is happening in plain language, along with the remediation steps. The analyst is still responsible for making the decisions, deploying the bots, and overseeing the response. But artificial intelligence is instrumental in getting her there.

Automated documentation to simplify human decisions

Reporting is a necessary evil among analysts, and it is one that the AI half of the hybrid security operations center can also make easier.

Good AI SOC platforms do not operate as a “black box”; they show their work. They keep track of what they have done and keep a paper trail for reviewers. This not only helps in the audit process, but also helps get all stakeholders on the same page during investigations.

CEOs and executives get a high-level view of the problem. Information security managers get a more technically in-depth report. Experts and auditors can get any level of granularity they need.

Again, humans dictate the reporting standards. Artificial intelligence works constantly in the background, tracking activity and generating the data.

Keep humans in command

Hybrid security operations centers recognize the risks of placing modern cybersecurity requirements squarely on humans (who are underpowered for the task) or on machines (dangerous when overpowered).

You need a combination of both, with humans at the front to set the stage, implement guidelines, set boundaries, and make the final decision.

As Nikki Webb, a director at Custodian360 and an AI SOC user, puts it: “The future is not about replacing people with AI, it’s about AI supporting people. Analysts must remain at the center of SOC operations, because only humans can truly separate the noise from the risks.”

A passionate believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer with a focus on cryptography, data privacy legislation, and the intersection between IT and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
