Cyber Security

AI Is Breaking Traditional SOC Workflows

By Mitchem Boles, Field Chief Information Security Officer, Intezer

As enterprise environments have grown more complex, the volume of security alerts has grown right alongside them. More endpoints, more cloud workloads, more identities, and more signals generated by the tools monitoring them. The result is a Security Operations Center (SOC) that receives hundreds of thousands, sometimes millions, of alerts per year — far more than any team of analysts can investigate in depth. 

The response to this challenge has been triage by severity. High-severity alerts get immediate attention. Medium-severity alerts get investigated when time allows, if ever. Low-severity alerts (e.g., a single port scan, a minor login anomaly, a small behavioral deviation) are routinely deprioritized and skipped entirely. The logic makes sense: With finite analyst hours, focus on the strongest signals and trust vendor verdicts. 

The problem is that this model has a structural blind spot, and attackers are actively exploiting it. 

A recent analysis of 25 million enterprise security alerts found that nearly 1% of real incidents traced back to alerts originally classified at the lowest severity levels. For a large enterprise receiving 450,000 alerts annually, that translates to roughly 54 genuine threats per year, about one per week, going undetected because they never rose to the top of the queue.  

The issue is not that analysts are making bad decisions but rather that the current operating model forces them to accept a coverage gap as a given. 

The attack surface is growing, and AI is boosting attack sophistication  

The stakes of that coverage gap are rising. As AI tools become more capable, threat actors are using them to craft more convincing phishing emails, automate reconnaissance, and generate attack scripts faster than humans can write them. Generative AI has made brand impersonation, already the most common phishing technique, accounting for nearly 29% of cases, more difficult to detect, because the language and visual design of spoofed messages can now closely mirror legitimate communications. 

A recent analysis of 550,000 user-reported phishing emails found that 8% were confirmed to be malicious. Attackers are also adapting to bypass detection infrastructure, encoding JavaScript payloads in SVG images, hiding URLs in PDF annotations, and embedding malicious content in OneDrive shares — methods that exploit trusted platforms and file types that security tools have limited visibility into. 

Mythos is just the tip of the iceberg 

Beyond phishing, developments like Anthropic’s Mythos model, which the company has declined to release publicly after it demonstrated the ability to identify and exploit zero-day vulnerabilities across every major operating system and web browser, illustrate how quickly AI is expanding what sophisticated attackers can do. And Mythos isn’t the only model to demonstrate this. A future where AI can surface previously unknown vulnerabilities AND exploit them faster than defenders can patch them raises serious questions about whether an SOC model built around human capacity can keep pace.  

The capacity bottleneck is the core problem 

What every major attempt to scale security operations has in common — adding analysts, outsourcing to Managed Detection and Response (MDR) providers, deploying AI copilots, building automation on top of SOAR, and more — is that humans still perform the core investigative work. That is the constraint. Human capacity does not scale with alert volume, and the result is that approximately 60% of alerts go unreviewed regardless of whether a team is in-house or outsourced.  

MDR providers have done a great deal of good by giving organizations access to experienced analysts around the clock. But even the best MDR services are bounded by the same operating model limitation. Analysts can only investigate so many alerts per shift, so severity-based triage still determines what gets looked at and what does not. 

AI copilots and summarization tools help analysts move faster, but they do not change the fundamental constraint. If the analyst still has to review and close every investigation, the throughput ceiling remains. 

The shift that changes the math is moving investigative execution itself into AI so that every alert, regardless of severity, receives a real investigation rather than a triage decision about whether to investigate it at all. 

What the new operating model actually looks like 

When AI performs the investigation rather than assisting with it, the coverage equation changes entirely. In some cases, AI SOC solutions can resolve as much as 98% of alerts autonomously, with each investigation producing a full evidence trail, including what was analyzed, what behavioral indicators were found, what forensic techniques were applied, and why the verdict was reached. This leaves only 2% of alerts escalated to a human analyst — a much more reasonable volume than with traditional approaches.  

This is more than alert summarization. Each investigation involves memory forensics, behavioral analysis, threat intelligence correlation, and where warranted, even live endpoint scanning. A login anomaly combined with script execution, privilege changes, and outbound connections is not dismissed as three low-severity events. It is recognized as a coordinated sequence and handled accordingly. 

The result is that low-severity alerts receive the same investigative depth as high-severity ones. The 54 real threats per year that would otherwise slip through the cracks in a large enterprise are found, because every alert is treated as worth understanding rather than worth sorting. 

This is the operating model shift, from triage by capacity to investigation by default. 

Human analysts are doing more, not less  

A common concern about this shift is that it reduces the role of human analysts. The reality is the opposite, but it requires a meaningful change in how that role is defined. 

When analysts are no longer responsible for executing triage on thousands of alerts, they are not left with less to do. They are freed up to work on security challenges that actually require human expertise. Detection engineering such as building behavioral detections mapped to the MITRE ATT&CK framework, tuning noisy rules, and identifying coverage gaps benefits enormously from analysts who are not buried in a ticket queue. Threat hunting, proactive investigation of high-risk identities and endpoints, and security posture work all require the kind of contextual judgment that human expertise is uniquely suited for. 

In this model, analysts supervise outcomes rather than executing investigations. They review the small percentage of escalations for which AI determines that human judgment is required. They provide feedback that continuously improves investigation accuracy. They make strategic decisions about risk tolerance and response policy. And they apply their expertise to the questions that are genuinely complex, environment-specific, or adversarial in ways that no automated playbook anticipated. 

This is not a diminished role. It is a more strategic one. The shift from ticket-closer to outcome-supervisor reflects how security operations actually need to evolve as the threat landscape grows faster than headcount can. 

What full coverage changes about risk 

The importance of investigating every alert is not just operational. It changes what an organization can actually claim to know about its risk posture. 

When only high-severity alerts are investigated, the absence of escalations does not mean the absence of threats. It means the absence of reviewed data. Threats hiding in low-severity signals like early-stage lateral movement, credential misuse that looks like a routine login, or living-off-the-land behavior that blends with normal activity go undetected not because they evaded good analysis but because they were never analyzed at all. 

When every alert is investigated and every verdict is recorded, the feedback loop closes. Detection rules that generate noise can be identified and tuned. Coverage gaps against real attacker techniques become visible. The intelligence gathered from millions of investigations informs better detections going forward. The SOC stops being a reactive queue and starts functioning as a continuously improving system. 

The traditional SOC model was built around a reasonable compromise: With limited capacity, focus resources on the most likely threats. That compromise made sense when there was no alternative. AI SOC changes the constraint. The question is no longer which alerts to prioritize. It is whether organizations are willing to stop accepting a coverage gap that attackers already know how to exploit. 

Author

Related Articles

Back to top button