The Smarter SOC

Security operations centers are under pressure from both sides. Threat actors are moving faster, environments are more complex, and analysts are being asked to make better decisions across more telemetry than any team can reasonably review by hand.

That is why artificial intelligence is becoming a meaningful part of modern security operations. Used well, AI can help analysts triage alerts, correlate activity across tools, summarize incidents, enrich investigations, and prepare response guidance faster than traditional workflows allow.

 

The data supports that direction. A 2025 Cloud Security Alliance benchmark study found that AI-assisted SOC analysts completed investigations 45 to 61 percent faster and with 22 to 29 percent higher accuracy than analysts working without the AI-assisted platform. Microsoft’s Copilot for Security productivity study found that experienced security professionals completed assigned tasks 22 percent faster overall with Copilot and were 7 percent more accurate. Splunk’s 2025 State of Security research also reflects the operational reality driving adoption: 59 percent of respondents reported too many alerts, and 55 percent reported too many false positives.

 

In other words, AI is not just a novelty in the SOC. It is becoming part of how serious teams manage scale.

 

But that does not mean every organization should be racing toward a fully autonomous SOC.

 

There is an important difference between an AI-assisted SOC and an AI-only SOC. In the first model, AI strengthens the analyst. It accelerates the gathering, enrichment, sorting, and summarizing of information so human operators can focus attention where judgment matters most. In the second model, the organization begins to shift more of the investigative and response burden to autonomous systems that may act with minimal human review.

 

That second model is not foolish. In fact, it may eventually become the preferred model for many environments. Security operations already contain tasks that are highly repeatable, measurable, and well suited to automation. As AI systems become more explainable, better governed, more resilient against adversarial manipulation, and more tightly integrated with enterprise telemetry, higher levels of autonomy will make sense.

 

The problem is timing. For many organizations, and especially for critical infrastructure, the technology and operating model are not yet mature enough to remove human accountability from the center of the SOC.

 

Recent academic and industry research points in the same direction. A 2025 survey of AI-augmented SOC capabilities found significant improvements in alert triage, false-positive reduction, and response speed, but also identified persistent issues around interpretability, data quality, hallucinations, privacy leakage, legacy-system integration, and adversarial attacks. A separate 2025 framework for human-AI collaboration in SOCs argues for tiered autonomy rather than binary automation, matching the level of AI independence to task complexity, risk, and trust thresholds.

 

That is the practical middle ground: not “no AI,” and not “AI runs everything.” The right question is where autonomy belongs, how it is governed, and when human validation is still required.

 

This matters even more in critical infrastructure. When a security decision affects public safety, emergency communications, utilities, local government, transportation, healthcare, or other high-consequence environments, the SOC is not only protecting data. It is protecting operational continuity. A false positive can create disruption. A false negative can leave a real attack unattended. A poorly governed automated response can interrupt systems that communities depend on.

 

For those environments, trust is not abstract. Leaders need to know who is watching, who understands the mission, who can explain what happened, and who is accountable when the situation changes. AI can support that trust, but it does not replace it by itself.

 

That is why the strongest SOC model today is human-led and AI-assisted.

 

In a human-led, AI-assisted SOC, AI handles work that machines are well suited to do: scanning large volumes of telemetry, surfacing patterns, assembling context, identifying related events, drafting summaries, and helping analysts move faster through routine investigative steps. Human analysts remain responsible for validation, escalation, customer communication, response judgment, and mission-aware decision-making.

 

This model improves speed without pretending that speed is the only value that matters. It improves consistency without pretending that every environment is the same. It uses AI to reduce analyst fatigue, but it does not ask customers to trust an opaque system without accountable human oversight.

 

That is also the operating philosophy behind Mayfly inside OTM Cyber’s SOC.

 

Mayfly is designed as an AI-supported capability that strengthens how our SOC detects, investigates, contextualizes, and prepares response guidance. It helps our analysts focus attention, preserve context, and work more consistently across mission-critical customer environments. It is not a replacement for human judgment. It is a way to make that judgment faster, better informed, and more scalable.

 

The future of the SOC will almost certainly include more autonomy than we use today. That future should be welcomed, but it should be earned. Security teams need evidence, governance, explainability, policy controls, and operational trust before they hand over decisions that can affect real-world continuity.

 

AI belongs in the SOC. The evidence is already strong enough to say that.

 

But for critical infrastructure, the best answer today is not a SOC without people. It is a SOC where people are equipped with better tools, better context, and better speed.

 

Sources

1. Cloud Security Alliance, “Beyond the Hype: A Benchmark Study of AI Agents in the SOC,” 2025.
   https://cloudsecurityalliance.org/artifacts/a-benchmark-study-of-ai-agents-in-the-soc

2. Microsoft, “Microsoft Copilot for Security Productivity Findings,” January 2024.
   https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-product-and-services/microsoft-dynamics-365/pdf/Microsoft-Copilot-for-Security-productivity-findings-Whitepaper-Jan2024.pdf

3. Splunk, “State of Security 2025: The Stronger, Smarter SOC of the Future,” 2025.
   https://www.splunk.com/en_us/campaigns/state-of-security.html

4. IBM, “Cost of a Data Breach Report 2025,” 2025.
   https://www.ibm.com/reports/data-breach

5. National Institute of Standards and Technology, “Artificial Intelligence Risk Management Framework (AI RMF 1.0),” January 26, 2023.
   https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-ai-rmf-10

6. Alzahrani et al., “AI-Augmented SOC: A Survey of LLMs and Agents for Security Automation,” MDPI, 2025.
   https://www.mdpi.com/2624-800X/5/4/95

7. Mohsin, Janicke, Ibrahim, Sarker, and Camtepe, “A Unified Framework for Human AI Collaboration in Security Operations Centers with Trusted Autonomy,” arXiv, 2025.
   https://arxiv.org/abs/2505.23397