.jpg)
A few weeks back, we hosted our largest user conference to date in Munich! On the last day, we hosted a CTF competition focused on threat hunting and investigations. Guess who was able to solve the most complicated challenge the fastest? AI.
Not the easiest question. Not a basic lookup. The hardest one. It solved it in under two minutes. It required understanding the context, exploring metadata, pivoting, decoding payload, asking the right follow-up questions, running multiple queries, connecting the dots, and eventually finding the final flag.
In other words, it had to behave a lot like a SOC analyst.
That moment was a great reminder of where AI agents can bring real value. Not by replacing expertise, and not by magically solving every problem, but by accelerating the repetitive investigative work that slows analysts down every day.
It was not a generic LLM solving these challenges out of the box. It was a curated AI agent optimized with the right set of skills to fully operate the Vectra AI Platform — a project we released as open source on the same day as the event.
AI happens at different stages of the stack
Before we talk about AI agents, Model Context Protocol (MCP), etc., it is important to step back and clarify something: AI is not new to Vectra AI.
AI is part of our DNA.
Vectra AI was built from the ground up to use machine learning and AI techniques to detect attacker behavior. That includes supervised and unsupervised learning methods designed to identify behaviors across the attack lifecycle, not just known tools, signatures, or static indicators.
That distinction matters.
Attackers can change tools. They can rename files. They can rotate infrastructure. They can modify commands. But their behavior still follows patterns – the same patterns reflected in the MITRE ATT&CK Framework. They still need to move laterally. They still need to escalate privileges. They still need command-and-control. They still need to discover, access, and exfiltrate data.
This is where AI has always played a critical role in the Vectra AI Platform: powering behavioral detection across the MITRE ATT&CK kill chain in a way that is broader, more resilient, and more useful than simply looking for known-bad artifacts.
But detection is only the first layer.
Over the years, Vectra AI has also developed AI capabilities that operate before the signal ever reaches the analyst. This is an important part of the story, because the value of AI in the SOC is not only about what happens when an analyst asks a question in natural language. A lot of the value comes from what happens earlier in the pipeline.
For example, AI Triage helps automatically reduce noise and operationalize detections, so teams can focus on the activity that matters instead of drowning in alerts. Vectra AI has also invested in AI-powered threat detection and AI-driven prioritization, helping security teams understand which entities, behaviors, and attack patterns deserve attention first.
In other words, by the time a signal is presented to the analyst, it has already benefited from multiple layers of AI.
That is what makes the next stage so powerful.
When an analyst uses AI-assisted search inside the Vectra AI Platform, or when a team connects its own LLM or local agent to Vectra through APIs and MCP, they are not starting from raw, unfiltered telemetry. They are consuming an enriched, AI-powered signal that has already been detected, triaged, prioritized, and contextualized by the platform.
This is a big difference.
AI in the SOC is having a moment.
Actually, let’s be honest: it is having many moments. Every vendor has an AI story. Every analyst report has an AI angle. Every conference has at least one session promising that agentic AI, copilots, assistants, MCP, automation, and “human-in-the-loop” workflows are about to change everything.
And they probably are.
But during Hunt Club in Munich, one thing became very clear: most security teams are not asking, “Is AI coming to the SOC?”
They are asking something much more practical:
“Where do we start, what should we trust, and how do we make this useful without creating another operational mess?”
That was the focus of the session I recently delivered at Hunt Club Munich, where we talked about AI in the SOC stack and how defenders can move from AI hype to operational reality.
The goal was simple: make it practical. Not another abstract AI conversation. Not another “future of the SOC” prediction. We wanted people to leave with a clear view of what AI can do today, how Vectra AI is enabling AI inside the SOC, and how teams can start experimenting with their own local agents using the open source starter kit we released as part of the presentation.
Because the real question is not whether AI will be part of the SOC.
The real question is: which path makes sense for your team right now?
The audience told us something important
One of the most valuable parts of Hunt Club Munich was not just what we presented. It was what we heard back.
During the session, we asked the audience a simple question: where is your SOC today, and where do you want it to be in three years?
The answers were telling.
Today, most teams described their SOC as being somewhere between rules-based and AI-assisted. but when we asked where they want to be in three years, the picture changed completely!
Now, yes, those numbers tell a story. They also tell us something very human: defenders are ambitious, but they are not reckless.
The biggest jump is not toward “AI does everything.” It is toward partial autonomy, where AI can run the full investigation and recommend a response, but the human still reviews every action and makes the final decision.
That nuance matters.
The audience was not saying, “Please remove the analyst from the SOC.” They were saying, “Please remove the repetitive, exhausting, time-consuming work that keeps analysts from doing what they are actually good at.”
And honestly, that is exactly where the conversation about AI in the SOC needs to be.
Because the path from manual investigation to autonomous response is not a single leap. It is a maturity curve.
That progression matters because every SOC is starting from a different place.
Some teams in the room were already experimenting with local agents, MCP servers, custom workflows, and internal automation. Others were earlier in the journey, still trying to understand where AI belongs in the stack and how to make sure it does not introduce new risk, new complexity, or a new class of false confidence.
And that is the point: AI adoption in the SOC is not just a technology question. It is an operating model question.
- Can we trust the data feeding the model?
- Can analysts understand why the AI made a recommendation?
- Can we keep humans involved where decisions matter?
- Can we avoid sending sensitive data where it should not go?
The survey confirmed what many security leaders already feel: teams want to move fast, but they want to move safely. They want AI to help them reduce response times from hours to minutes, but they also want control, transparency, and confidence.
The SOC does not need more magic. It needs useful AI that fits how defenders actually work.
AI in the SOC starts with the stack
That maturity curve is exactly why we talked about AI in the stack during the presentation.
Because where AI sits matters.
If AI sits only at the top of detection, disconnected from the context and workflow, it becomes a chatbot over noisy data. Sometimes helpful, often impressive, but not correct!
If AI is embedded deeper into the workflow, connected to high-fidelity signal, investigation context, entity behavior, response actions, and analyst feedback, it becomes much more powerful. It can help triage, correlate, prioritize, investigate, summarize, hunt, and guide response.
That distinction is critical for a successful journey to build trust in your system.
Two paths, One objective
At Hunt Club, we wanted to be very clear about something: there is not only one right way to adopt AI in Your SOC.
There are at least two practical paths to get started! At Vectra AI, we want to make sure that we provide the best experience no matter which path you're taking!
The first path is the fastest and simplest for many customers: use AI capabilities already built into the Vectra AI Platform.
This path is for teams that want the benefits of AI without having to stand up their own agent infrastructure, wire up tools, manage local configurations, or maintain custom workflows. The AI is already embedded where the work happens. Analysts can use natural language to investigate, ask questions, pivot, summarize, and move faster across detections and entities.
They get value right away! Out Of the box!
For many teams, this is the right starting point. Not because they lack ambition, but because they value operational simplicity. They want AI that works inside the product, with the right data, the right permissions, and the right workflow.
The second path is for teams that are further along in their AI journey, or simply want more control: build local agents that can operate against your SOC workflows and your data, including data from the Vectra AI Platform.
This is an open-ended agent framework that can connect to the tools, context, and processes already present in your environment. It gives teams more flexibility to customize the experience, encode their own playbooks, and decide exactly how agents should interact with their SOC operations.
And of course, these two paths are not mutually exclusive.
You can use both at the same time. In fact, many teams will likely start with the built-in AI capabilities in the Vectra AI Platform, then gradually experiment with local agents as their maturity, requirements, and confidence grow. The important thing is not choosing one path forever. It is choosing the path that gives your team value today, while keeping the door open for where you want to go next.
For those teams, we wanted to provide more than slides. So we released something practical!! A turnkey solution you can use TODAY!
Introducing the Vectra AI SOC Agent Starter
As part of the presentation, we released the Vectra AI SOC Agent Starter, an open source starter pack for building an AI agent or assistant on top of the Vectra AI Platform.
The repository is intentionally small: read it, run it, then extend it.
The goal is simple: give security teams a practical starting point for building their own AI-powered SOC assistant.
The repo provides the core pieces an agent needs to operate with Vectra AI:
- An LLM of your choice, such as Claude, GPT, Gemini, or another model through your preferred agent host.
- An MCP server that provides the ability for the agent to interact with the data in the Vectra Platform (detection, scoring, PCAP, metadata, logs, etc.)
- Agent skills for SOC workflows, SQL recipes, reporting, threat hunting, and PCAP triage. Skills are especially oriented to provide expertise on operating the Vectra platform!
- An AGENTS.md that tells the agent what it is, which skills exist, and when to use them. See this as an onboarding file for the agent
This is not positioned as a finished product. It is a starter kit, helping you to get started!
Fork it. Trim it. Add your own SOC playbooks. Teach it your escalation policy, your past incidents, your vocabulary, your architecture ,your reporting format, your handoff process. Make it yours and your agent will get BETTER and BETTER!
Why we released it!
There is always a temptation in cybersecurity to keep everything behind the curtain!! Not here!
With the explosion of AI, the introduction of MCP, and the emergence of new standards for agentic workflows, we wanted to take a different approach. From the start, our goal has been to make sure the Vectra AI Platform is not only AI-enabled, but also AI-operable! meaning it can be safely and effectively operated through an LLM-driven workflow.
That is why we invested early in MCP. We were the first NDR vendors to release MCP servers, and we have continued to expand them based on customer feedback. That includes support for capabilities such as multi-tenancy and the ability to query network metadata directly.
But MCP is only one part of the story.
We have also been investing in our APIs to make sure they support the kinds of questions analysts actually ask during an investigation. Because if an analyst wants to understand what happened, which entity matters, what changed, what is risky, or what should happen next, the platform needs to expose the right context in a way AI agents can use efficiently.
We shared more about some of that research in a previous blog post, and it is worth checking out for a deeper look at how we think about AI-operated security platforms.
This is also why, with the Vectra AI SOC Agent Starter, we wanted to go one step further.
- Not just explain the concept.
- Not just show an architecture diagram.
- Not just say, “AI agents are coming.”
We wanted to provide a practical, step-by-step way for teams to get started (in minutes!) with a local SOC agent — built, curated, and tested by us.
The idea is simple: give customers and practitioners a safe starting point. Something they can read, run, test, adapt, and extend based on their own SOC workflows.
This was never meant to be another “AI will save the SOC someday” story. It was much more practical than that: Here is how you can start experimenting safely, today.
Try prompts like: “vectra priorities“
Using aliases included in the Vectra AI skills will automatically analyze the latest prioritized entity from the Vectra AI Platform.
“Here is a CISA advisory. Hunt for everything in it across our tenant.”
Those examples are exactly the kind of workflows we wanted to make approachable. Because the best way to understand AI agents is not to admire the architecture diagram. It is to run the workflow and see where it helps, where it needs guardrails, and where your team wants to customize it.
Call to action
AI adoption in the SOC does not have to be a fork in the road. Think of it as a maturity journey.
Start with the AI capabilities already built into the Vectra AI Platform. This is the fastest way to get value: AI-assisted search, AI investigations, enriched context, prioritization, and guidance directly inside the workflows analysts already use.
Then, when your team is ready for more customization, extend with local agents using the Vectra AI SOC Agent Starter. Connect your own tools, encode your playbooks, add your SOC-specific context, and shape the agent around the way your team actually works.
These steps are not mutually exclusive. Many teams will use both: built-in AI for immediate value, and local agents for deeper customization over time.
The goal is simple: start practical, build trust, keep humans in control, and increase autonomy as your SOC matures. Explore the starter kit, try the built-in AI capabilities, send us feedback, contribute to the open source project, or reach out for a live demo. We are here to help you make AI useful in your SOC operations today.
The future of the SOC will not be defined by AI hype. It will be defined by defenders who know how to put AI to work.