How to Maximize AI Execution in Cybersecurity – without Losing the Human Factor

By Doron Davidson, Managing Director of Cyber Defense Service Delivery, CyberProof

By now, cyber defense teams have been deploying artificial intelligence (AI) technologies for at least several years, to the point where the tools are approaching ubiquity: Seventy-seven percent of organizations have adopted AI for cybersecurity.

Top AI-assistance needs include phishing/email threat detection (cited by 52 percent of cybersecurity leaders and C-suite executives), intrusion/anomaly response (46 percent) and security operations automation (43 percent). Beyond that, a clear shift has taken hold: autonomous AI agents are moving from merely assisting with these and other tasks to actually executing them.

The shift matters because security operations center (SOC) teams are short on two things: time and context. AI agents reduce manual work and create feedback loops that strengthen defenses in near real time as threats evolve.

It’s not that agents “know more.” But they do repeatable work more reliably. They carry out consistent investigative steps and document what they did along the way, so SOC analysts can see both the method and the outcome. They remove the need to rebuild timelines by hand. And their feedback loops continuously improve detections and reduce drift, the gradual movement of systems away from their intended protected state.

Multi-purpose tools 

At its best, AI improves SOC efficiency in wide-ranging and often profound ways, for purposes such as these:

Alert enrichment and context-building. Agents gather investigative context across identity, endpoint, email, cloud and security information and event management (SIEM) telemetry, allowing analysts to start with evidence-based narratives instead of a blank page. 

Triage and investigation execution. Agents do more than simply recommend next steps – they run investigation workflows end-to-end (with guardrails, of course) such as the building of timelines and correlation of signals. 

Consistent case summaries for escalations and closures. Inconsistent documentation plagues many SOCs. AI tools standardize how case summaries are recorded and how they are communicated.

Response orchestration with human approval gates. With oversight from team members, agents move from “recommend/assist” to automated containment. A staged approach, with explicit policies, auditability and approval gates, is what makes AI-driven execution operationally safe.

Note the mention of humans in the process, because it leads to what has become a difficult conversation among cyber defense leaders and practitioners: Are AI agents replacing security staff?

Overall, we’d argue they augment people (especially at senior analyst levels) rather than eliminate them. Some use cases are candidates for full, AI-enabled automation, but humans will still be required, particularly in oversight roles.

A blueprint for empowering AI agents

What separates AI agent deployments that deliver from those that fall short? It comes down to the operating model and governance, implemented through these practices:

Start with bounded workflows and clear metrics. Start small, with tasks that have obvious success criteria: time-to-investigate reduction, triage consistency and documentation completeness. Measure outcomes along the way.

Define the limits of autonomy. Governance rules must state explicitly when an agent may only recommend, when it may execute with human approval, and when it may proceed on its own within policy guardrails.

Treat AI like any other insider. Zero-trust frameworks keep employees and other users from having unrestricted access to systems and data. The same mindset applies to agents: each needs its own identity (not a shared service account), role-based access control (RBAC), immutable audit logs and controls that block unauthorized actions, especially as autonomy increases.

Ensure evidence trails and explainability. If security team members can’t audit the agent’s work (data sources consulted, steps executed, rationale and confidence scores), that work won’t survive scrutiny in a real incident.

Build uncertainty recognition into the machine. An agent needs to know more than what it can do; it must know when to pause, based on uncertainty thresholds and conflicting signals.

Avoid one-off automations by developing closed-loop managed detection and response (MDR) models. SOCs get the biggest wins when multiple agents collaborate to generate new use cases continuously. A threat profiler agent, for instance, identifies a potential threat and hands it to a threat hunting agent, which produces hypotheses and hunting queries adapted to the organization’s environment. Further collaboration among agents maps observed threat behavior to MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), flags coverage gaps, and recommends or launches detections.
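The autonomy tiers, per-agent RBAC, immutable audit trail and uncertainty pause described in the practices above (together with the staged approval gates mentioned earlier under response orchestration) can be combined into one policy gate that every proposed agent action passes through. The following Python is an added illustration for this article, not CyberProof’s or any vendor’s code; the agent identities, role table, action names, approver list, confidence threshold and sample proposals are all assumed for the example.

```python
# Policy gate for actions proposed by SOC agents (added example, not vendor code).
# Agent identities, roles, actions, approvers, threshold and samples are assumed.
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import List, Optional

# Autonomy tiers from the governance policy.
RECOMMEND = "recommend"            # agent may only propose
APPROVE = "execute_with_approval"  # agent executes after a named human approves
AUTO = "auto_within_guardrails"    # agent executes on its own inside policy limits

# Assumed per-action tier: read-only enrichment runs unattended, containment needs
# an approval, and destructive actions are never executed by an agent.
ACTION_POLICY = {
    "enrich_alert": AUTO,
    "build_timeline": AUTO,
    "isolate_host": APPROVE,
    "block_sender_domain": APPROVE,
    "wipe_host": RECOMMEND,
}

# RBAC: each agent identity gets only the actions its role needs (assumed roles).
AGENT_ROLES = {
    "agent:triage": {"enrich_alert", "build_timeline"},
    "agent:responder": {"enrich_alert", "build_timeline", "isolate_host",
                        "block_sender_domain", "wipe_host"},
}

APPROVERS = {"analyst:alice", "analyst:bob"}  # assumed humans whose approval counts
CONFIDENCE_FLOOR = 0.8                        # assumed uncertainty threshold


@dataclass
class Proposal:
    agent: str                        # the agent's own identity
    action: str
    target: str
    confidence: float
    evidence: List[str]               # data sources consulted, kept for the trail
    conflicting_signals: int = 0
    approver: Optional[str] = None    # set once a human has approved


class AuditLog:
    """Append-only, hash-chained log: editing any earlier entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            expected = hashlib.sha256((prev + json.dumps(e["record"], sort_keys=True)).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def decide(p: Proposal, log: AuditLog) -> str:
    """Gate one proposal: RBAC first, then uncertainty, then the autonomy tier.

    Returns denied, paused, recommended, awaiting_approval or executed, and logs
    every decision (including denials) with the evidence the agent consulted.
    """
    if p.action not in AGENT_ROLES.get(p.agent, set()):
        outcome = "denied"                       # outside this agent's role
    elif p.confidence < CONFIDENCE_FLOOR or p.conflicting_signals > 0:
        outcome = "paused"                       # uncertain: hand to a human
    else:
        tier = ACTION_POLICY.get(p.action, RECOMMEND)   # unknown action: recommend only
        if tier == AUTO:
            outcome = "executed"
        elif tier == APPROVE:
            outcome = "executed" if p.approver in APPROVERS else "awaiting_approval"
        else:
            outcome = "recommended"
    log.append({"ts": time.time(), "outcome": outcome, **asdict(p)})
    return outcome


def run_sample():
    """Constructed proposals that exercise each branch; returns (outcomes, log)."""
    log = AuditLog()
    ev = ["siem:alert-4711", "edr:host-timeline", "idp:signin-log"]  # constructed
    proposals = [
        Proposal("agent:triage", "enrich_alert", "alert-4711", 0.95, ev),
        Proposal("agent:triage", "isolate_host", "wks-17", 0.95, ev),
        Proposal("agent:responder", "isolate_host", "wks-17", 0.90, ev),
        Proposal("agent:responder", "isolate_host", "wks-17", 0.90, ev, approver="analyst:alice"),
        Proposal("agent:responder", "isolate_host", "wks-17", 0.90, ev, approver="intern:eve"),
        Proposal("agent:responder", "block_sender_domain", "evil.example", 0.55, ev),
        Proposal("agent:responder", "enrich_alert", "alert-4712", 0.97, ev, conflicting_signals=2),
        Proposal("agent:responder", "wipe_host", "wks-17", 0.99, ev),
    ]
    return [decide(p, log) for p in proposals], log


if __name__ == "__main__":
    outcomes, log = run_sample()
    for entry, outcome in zip(log.entries, outcomes):
        r = entry["record"]
        print(f"{r['agent']:16} {r['action']:20} -> {outcome}")
    print("audit chain intact:", log.verify())
```

The order of checks is the point: an action outside the agent’s role is refused before confidence is even considered, a low-confidence or conflicting proposal is paused even when its tier would otherwise allow unattended execution, and an approval only counts when it comes from a named human on the approver list. Because every branch writes to the hash-chained log, an analyst reviewing the incident later can see what the agent consulted, what it proposed, and why it did or did not act.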

A focus on end-to-end, continuously improving AI cycles is a game changer for MDR. At this level of operation, SOC teams benefit from faster investigations and more consistent outcomes, and they achieve continuous detection and coverage improvements driven by closed-loop feedback.

And these professionals will always supply the human oversight and governance. AI agents won’t remove people from security operations; they’ll reduce manual work through automation, freeing analysts’ time so they can concentrate on what really matters. With this, the machine emerges not as a job threat, but as an indispensable member of the team.
