AI Is No Longer Optional for your SOC

July 16, 2026
7/16/2026
Gearóid Ó Fearghaíl
Senior Group Product Manager
AI Is No Longer Optional for your SOC

You can call me old, but I remember the good old days of the SOC. Everyone came into the office, applications ran in the data centre, and if something went wrong, I could always walk over to the data centre and unplug something. The organization had risks, but you also had controls, and you knew that if someone did get in, you had time and capacity to detect it before a compromise became a breach. The good old days. But nowadays, everything is SaaS or Cloud, users are working remotely, and trying to shut something out is much more complex.  

This is the modern enterprise. It’s complicated, crosses multiple domains, and creates a broader hybrid attack surface across cloud, SaaS, identity, SASE, and remote access. Remote users are accessing cloud and SaaS applications through SASE, or just logging in through Entra ID. What does this mean for the SOC? More attack surfaces mean more alerts.

And even though it's recent, it makes me feel very old to think that generative AI is only 2 years old or so. Attackers are using AI to do more and attack faster. Attackers are leveraging agentic AI workflows to manage as many as 600 compromised attacks simultaneously and accelerate CVE exploitation. The time to exploit for publicised CVEs is now 8 hours compared to 21 days in 2025. Once inside, attackers also travel at AI speed, with lateral movement from compromised devices within 29 minutes. As a test, threat researchers simulated how quickly an attacker might travel from a leaked AWS key to cloud data exfiltration using Claude Code; the result was 60 seconds.  

This has changed the problem facing the SOC. It's not just more alerts, it's not just more attacks, it's not even less time to respond – it's all 3 problems combined! Companies need to change, or else their risk of breach will rise inexorably as attackers innovate with AI.  

What needs to change

The 3 key focuses for companies needs to be:

  • Reducing the blast radius
  • Detecting threats post-compromise
  • Reducing mean time to respond (MTTR)

None of these is surprising or new. They are just more important with AI-powered attacks.  

Reduce your blast radius

You should proactively look to ensure that, in the event of a compromise, the total area that could be impacted is reduced. Segment your networks and enforce Zero Trust boundaries. Ensure that people have only the permissions they need, so that if an attacker does gain a foothold, they can't get too far.  

Learn more about how Vectra AI can offer visibility into observed privileges and cross-boundary activity in our blog.

Detect threats post-compromise

You will never patch everything. Even the most mature teams have unmanaged devices, legacy systems, misconfigurations, overprivileged accounts, and new CVEs that attackers can exploit faster than security teams can remediate. Prevention is still important, but it cannot be the only line of defence.

That means security teams need to assume compromise and get better at seeing what happens after an attacker gets in. This is where behavioural threat detection matters. Are they using valid credentials? Are they moving laterally? Are they reaching across cloud, identity, SaaS, and network boundaries? Are they touching systems they should not be touching? These are the behaviours that matter when an attacker has already bypassed preventive controls.

Post-compromise detection is how you catch attackers before compromise becomes breach. It gives the SOC a way to detect real attacker activity in progress, understand how far it has spread, and act before the blast radius expands. This is what Vectra is all about and I won’t go into detail here, but we have plenty of content on this elsewhere.

Faster time to response

Reducing a threat’s blast radius and detecting threats post compromise are critical, but today I'm going to focus on achieving faster time-to-response. To ensure your response to malicious activity is effective, it needs to occur as quickly as possible.

A lot of the conversation about SOC efficiency still focuses on detection, but for many mature teams, detection is no longer the slowest part of the response chain.  

Take Vectra AI’s TDIR and Attack Signal Intelligence solution as an example. Vectra AI’s detections fire within minutes of real-time attacker activity. Prioritization isn’t an issue either; we’ve perfected the balance between avoiding false positives and real activity with our AI prioritization engine.  We’ve also specifically focused on attacker velocity to ensure we stay ahead of them. Lastly, response actions should be inherently quick once a decision has been made. If you know a host is malicious, clicking a few buttons to contain it should not be part of the process that takes hours. If you need 3 managerial approvals before taking a response action, you have bigger problems.

No, the bottleneck is investigation.

That is where the analyst has to read the detections, understand the sequence of activity, build the attack timeline, cross-reference external context, check internal context, assess blast radius, decide whether the behaviour is malicious or benign, determine what needs to be contained, and then generate a report or escalation summary that someone else can understand. This work is valuable, but a significant portion of it is also repetitive collection and synthesis.

That distinction matters. The point is not that investigation is easy, or that analysts are spending time on unimportant work. The point is that analysts are often forced to spend too much of their time assembling the picture before they can apply judgement to it. They are copying information from one system to another, checking whether an IP is known, looking up what an account normally does, trying to understand whether an observed privilege matters, and piecing together the story of an incident from fragments spread across multiple tools.

Data synthesis is an LLM superpower, which makes investigation automation one of the clearest opportunities for AI in the SOC.

But before we just go ahead and slap AI onto our workflows, let's consider where we are and where we are going.

Let's use AI

The framework below is a common view on many AI systems, including self-driving cars.

Each step involves more AI integration, and less manual work.

According to Vectra AI research, 80% of our customers are working towards at least a partially autonomous system. This makes obvious sense, as this will supercharge their SOC and make their organization safer.

But barely 10% are there now, and no one has reached level 4, or full autonomy. That's not surprising at all; AI is overconfident, and it's unclear who is liable if they make a mistake. Also, the costs of these systems are unknown, and they rely on ground truth that many organizations have difficulty establishing. Companies need to ensure they have proper controls in place, in addition to projecting costs for when AI companies, like OpenAI, are no longer in a VC-subsidized wonderland and start making a profit. Another thing to consider is that data driving any AI system must be accurate and comprehensive. For example, in the case of a lack of signal, this does not necessarily mean nothing has happened (see more about how attackers can bypass endpoint protection), and most of the time, this requires a very mature analyst to recognize.  

But no one is happy with where they are now. Analyst burnout is documented. The AI they’re trying to use isn’t working, like simple Copilot chatbots are trying to answer without context or an understanding of the customer environment. Often, analysts end up copying and pasting things into a separate window anyway. The AI output sounds smart, but that doesn’t mean it’s accurate.  

How to get to AI

So, how do we get to a proactive, AI-driven SOC?  We've seen our customers looking at 4 main paths to get there.

Choosing the path is choosing the trade-off between simplicity and control. The simplest solution is to use out-of-the-box tooling provided by vendors, but you’ll run into limitations. At the other extreme, you can build a fully custom AI ecosystem.  

Whatever path you choose, the Vectra AI Platform supports it, whether you access our insights via API or MCP, utilize the agents within our UI, or provide API or MCP access to our agents. The point is that we want to and will make it easy for you to be an expert in your environment, as Vectra AI is the expert in AI-native security.

Utopia is around the corner

If attackers can move from initial access to meaningful impact in minutes, a multi-hour investigation process is not good enough. It is imperative to get response times down and catch compromises before they become breaches. Better response times don't just mean a reduced risk of breach; they also mean more productive analysts, monitoring more alerts in less time, and most importantly, a happier SOC, who can focus on the most valuable, interesting items and the actual decision making.

AI is no longer optional in the SOC because the old model does not scale to the new problem. The attack surface is broader, attackers are moving faster, and the manual work required to understand incidents has become the bottleneck. The organisations that succeed will not be the ones that simply add a chatbot to the side of the console. They will be the ones that use AI to redesign investigations itself, carefully, transparently, and with enough control that analysts can trust what the system is doing

FAQs