Why Autonomous AI is Replacing SOAR Playbooks

By Josh Breaker-Rolfe 

Security orchestration, automation, and response (SOAR) platforms have been foundational to most SOCs for years. They’re invaluable for managing alert overload and automating routine tasks – but they’re fast becoming outmoded.

Automation only works as well as the playbooks behind it. The effort required to build, configure, and maintain those playbooks can become a major operational task in itself. 

That’s why some SOC teams are turning towards autonomous agentic AI systems that investigate alerts on their own, rather than simply executing predefined workflows. Instead of asking what steps it should run, as playbooks do, an agentic system asks what is happening.  

That shift – from merely executing instructions to conducting investigations – could significantly reduce the SOC’s reliance on traditional SOAR playbooks. The result is improved response speed and analyst effectiveness: an agentic SOC.

The Automation Model SOAR Relies On 

SOAR platforms were designed to handle the rapidly growing volume of security alerts in the SOC. Automation was necessary to avoid overwhelming analysts. So, security leaders brought in playbooks.  

A SOAR playbook defines a sequence of automated steps that respond to a particular alert type. For example, a phishing alert might trigger actions such as: 

  • Retrieving email metadata 
  • Checking sender reputation 
  • Analyzing embedded links 
  • Querying endpoint activity 
  • Notifying the user 
  • Escalating the incident if indicators appear malicious 

Essentially, playbooks standardize incident response and reduce repetitive manual work. But unfortunately, automation only works for the scenarios the playbook was designed to handle. Playbooks are inherently rigid and unable to adapt to more complex situations. They work great for predictable incidents, but cyberattacks rarely follow predictable patterns.  

Why Playbook Maintenance Wears Teams Down 

You probably understand the effort necessary to build a playbook. But chances are, you’re underestimating the ongoing work required to maintain one.  

You need to update playbooks whenever infrastructure changes, new tools are deployed, detection rules evolve, or attacker techniques shift. You must test and monitor integrations between systems, and handle edge cases to prevent automation failures.  

That’s a lot of work, and work that never really ends.  

Many SOC teams spend significant time debugging automation logic, correcting broken integrations, or adjusting playbooks that no longer reflect current attack patterns. Often, the effort required to maintain automation projects drags analysts away from investigation. And, considering that in 2023, the average SOC team spent nearly three hours a day manually triaging alerts, that’s time the SOC can’t afford to waste.  

Ask yourself: how much time is my SOC spending configuring and maintaining SOAR playbooks compared with actually investigating threats?  

How Agentic AI Improves on Basic Playbooks 

Autonomous, agentic AI systems take a different approach. Rather than executing a playbook, they perform an investigation like the one a human analyst would conduct.  

When an alert appears, the system gathers context and asks investigative questions:  

  • What activity triggered the alert? 
  • Does the surrounding evidence suggest malicious behavior? 
  • What related events exist across the environment? 
  • Is there lateral movement or credential misuse? 
  • How significant is the risk in context? 

Instead of following a predetermined script, the system determines what information is needed and how to obtain it. It then adapts its approach based on the information it gathers. If new indicators emerge, the analysis can expand. If the alert proves benign, the investigation can close early. 
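To make the contrast concrete, here is an added example (not code from the article or from any product it alludes to) in Python: a fixed phishing playbook of the kind listed above beside an investigation that widens or closes depending on what each query returns, records its rationale for the analyst, and keeps disruptive actions behind a human-approval guardrail. Every alert and telemetry field name and value is a constructed assumption.

```python
# Added illustration, not the article's code: a fixed SOAR-style playbook beside an
# evidence-driven investigation. Field names and sample values are constructed.
from dataclasses import dataclass, field
# Guardrails the team defines instead of scripting every step: what an agent may do
# on its own versus what needs an analyst's decision.
AUTO_ALLOWED = {"notify_user", "escalate"}
HUMAN_REQUIRED = {"isolate_host", "disable_account"}

@dataclass
class Investigation:
    verdict: str = "open"
    risk: int = 0
    rationale: list = field(default_factory=list)   # audit trail for the analyst
    auto_actions: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)

def run_playbook(alert):
    """Rigid model: the same steps run in order, whatever the evidence says."""
    steps = ["retrieve_metadata", "check_sender_reputation", "analyze_links",
             "query_endpoint", "notify_user"]
    if alert["sender_reputation"] == "bad" or "malicious" in alert["link_verdicts"]:
        steps.append("escalate")
    return steps

def investigate(alert, telemetry):
    """Adaptive model: each finding decides whether to widen or close the inquiry."""
    inv = Investigation()
    bad_sender = alert["sender_reputation"] == "bad"
    bad_link = "malicious" in alert["link_verdicts"]
    if not (bad_sender or bad_link):                  # benign: close early, no further queries
        inv.verdict = "benign"
        inv.rationale.append("reputable sender, no malicious links: closed early")
        return inv
    inv.risk += 2
    inv.rationale.append(f"phishing indicators: bad_sender={bad_sender}, bad_link={bad_link}")
    user = telemetry.get(alert["recipient"], {})      # widen only because indicators emerged
    if user.get("logins_from_unseen_geo", 0):
        inv.risk += 3
        inv.rationale.append("credential misuse: logins from unseen locations after delivery")
        if user.get("lateral_smb_sessions", 0):       # widen again on the new evidence
            inv.risk += 4
            inv.rationale.append("lateral movement: new SMB sessions to other hosts")
    inv.verdict = "malicious" if inv.risk >= 5 else "suspicious"
    wanted = {"notify_user", "escalate"} | (HUMAN_REQUIRED if inv.risk >= 9 else set())
    inv.auto_actions = sorted(wanted & AUTO_ALLOWED)       # taken autonomously
    inv.pending_approval = sorted(wanted & HUMAN_REQUIRED) # analyst keeps final say
    return inv
# Constructed sample: phishing alert followed by account misuse and lateral movement.
SAMPLE_ALERT = {"recipient": "alice", "sender_reputation": "bad", "link_verdicts": ["malicious"]}
SAMPLE_TELEMETRY = {"alice": {"logins_from_unseen_geo": 2, "lateral_smb_sessions": 3}}
```

Run `run_playbook` and `investigate` on the same benign alert and the difference shows: the playbook still queries the endpoint and notifies the user, while the investigation closes after the first question with a one-line rationale.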

Adapting to Evolving Attacks 

As noted, rigidity is another major drawback of playbooks. They’re designed around known attack patterns, and when attackers change tactics, the playbook may fail to capture the broader context or may require manual updates.  

Agentic systems can adapt to evolving attack behavior because they evaluate evidence dynamically. If an alert reveals suspicious activity, the system might examine login history, endpoint behavior, and identity anomalies. If the evidence suggests a broader compromise, the investigation can expand across systems. Its approach adjusts.  

In an era of complex, multi-stage attacks, credential abuse, and rapid lateral movement, that dynamism is essential to stop attackers in their tracks.  

End-to-End Investigation Without Constant Human Input 

Agentic AI has yet another capability that SOAR playbooks don’t: the ability to perform investigations from start to finish.  

In traditional workflows, analysts need to intervene regularly, reviewing alerts, gathering context from different tools, analyzing evidence, and deciding whether escalation is necessary. 

Agentic systems, however, can investigate alerts end-to-end – from initial triage through preliminary verdict – without requiring human input at each stage. The system gathers data, correlates events, evaluates the evidence, and determines whether the alert actually represents a real threat. It manages the entire workflow.  

Analysts are still involved, but their role changes. They simply review the results and make final response decisions when necessary.  

The Role of Human Oversight and Transparency 

Of course, when AI works autonomously, human oversight and transparency are more important than ever. The major concern about autonomous systems is that they remove human control from security operations, replacing analysts outright.

But done properly, agentic systems support analysts rather than replace them. Each conclusion the system reaches includes a clear rationale explaining the evidence gathered and the reasoning behind the decision. Analysts can review the investigation, audit the logic, and verify that the assessment is accurate. That’s a core tenet of AI governance. 

The bottom line is that human oversight remains central to the process: the AI investigates the alert, and analysts retain authority over final response decisions. That’s automation without sacrificing accountability.

Rethinking Playbooks 

At this point, you might be questioning what the role of playbooks is in a post-agentic AI world. 

Today, many organizations dedicate significant effort to building and maintaining playbooks that encode incident response knowledge into automation scripts. But when autonomous agents perform that role dynamically, the role of playbooks is likely to shift.  

Instead of defining every possible response step in advance, teams can focus on defining investigation goals, security policies, and response guardrails. Automation becomes about enabling intelligent investigation.  

That change could reduce the operational overhead associated with traditional SOAR systems. 

The Next Phase of Security Operations 

SOAR platforms represented an important step in the evolution of SOC automation. But the industry has moved on since then. SecOps is becoming more complex, and static playbooks often don’t meet the demands of evolving threats.

Autonomous agentic AI systems focus more on investigation than execution. They analyze alerts more dynamically, adapt to evidence, and support analysts with context. Ultimately, they free up analysts to spend more time on high-value tasks, instead of wading through a deluge of alerts and tuning playbooks.  

You can either build your own AI agents – the better option if you operate in a highly regulated environment – or take the simpler route and implement an AI SOC analyst platform.

It’s still early days, but that’s the future of the SOC.  

Author: 

Josh Breaker-Rolfe 

Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He’s written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.  
