The SOC Is Dead. Long Live the SOC: How AI Is Rewriting the Rules of Cybersecurity Operations

RSA Conference 2025 revealed the cybersecurity industry's decisive shift toward AI-powered autonomous security operations centers, with Google, Microsoft, CrowdStrike, and Palo Alto Networks racing to automate threat detection and response while the industry grapples with governance, workforce, and accountability challenges.
The SOC Is Dead. Long Live the SOC: How AI Is Rewriting the Rules of Cybersecurity Operations
Written by Emma Rogers

SAN FRANCISCO — The annual RSA Conference has long served as the cybersecurity industry’s most reliable barometer. What vendors pitch, what CISOs whisper about in hallway conversations, what dominates keynote stages — it all signals where billions of dollars in enterprise security spending will flow next. This year’s event, held in late April 2025, delivered an unmistakable verdict: artificial intelligence isn’t just another tool in the security analyst’s kit. It’s becoming the analyst.

That sentence would have been hyperbolic two years ago. Not anymore.

Across four days of presentations, product launches, and panel discussions, the message from virtually every major vendor and a growing number of practitioners was consistent. The traditional Security Operations Center — that fluorescent-lit nerve center where teams of analysts triage thousands of alerts per day, most of them false positives — is undergoing a transformation so fundamental that the industry is struggling to find the right vocabulary for it. The term “autonomous SOC” has emerged as the leading candidate, though not everyone agrees on what it means or how fast organizations should pursue it.

According to TechRepublic’s coverage of the conference, multiple major cybersecurity firms — including Google, Microsoft, CrowdStrike, and Palo Alto Networks — unveiled AI-driven products aimed squarely at automating core SOC functions. Google introduced unified security operations capabilities within its Google Unified Security platform. Microsoft expanded its Copilot for Security with new autonomous agents. CrowdStrike pushed its Charlotte AI deeper into detection and response workflows. Palo Alto Networks continued building out its Cortex XSIAM platform with greater automation layers.

The pitch from all of them was remarkably similar: let AI handle the repetitive, high-volume work that burns out human analysts, and free those humans to focus on complex threats that actually require judgment. It sounds reasonable. It is reasonable. But the implementation details matter enormously, and that’s where the industry conversation got interesting.

Start with the numbers that make the case for automation almost irrefutable. The average enterprise SOC processes between 10,000 and 150,000 security alerts per day, depending on the organization’s size and sensor density. Analyst turnover rates hover around 30% annually. The global cybersecurity workforce gap stands at roughly 3.4 million unfilled positions, according to ISC2’s most recent estimates. Meanwhile, attackers are already using generative AI to craft more convincing phishing campaigns, write polymorphic malware, and accelerate reconnaissance. The math doesn’t work without machine assistance.

So the question isn’t whether AI belongs in the SOC. It’s how much autonomy to grant it.

This is where the conversation at RSA 2025 split into camps. On one side, vendors like CrowdStrike and Palo Alto Networks are pushing toward what they describe as near-full automation of Tier 1 and Tier 2 analyst functions — alert triage, initial investigation, enrichment, and even some containment actions. Their argument: the technology is mature enough, the threat volume demands it, and the alternative is drowning in alerts while real attacks slip through.

On the other side, a more cautious contingent of practitioners and governance-focused organizations warned that autonomous AI decision-making in security operations introduces new categories of risk. False positive suppression is one thing. Automated containment — isolating a server, blocking a user account, quarantining a network segment — is something else entirely. Get it wrong, and you’ve created a self-inflicted denial of service.

The tension is productive. And it’s forcing a conversation the industry has needed to have for years about the relationship between automation speed and organizational trust.

TechRepublic reported that AI governance emerged as one of the conference’s dominant themes, with multiple sessions focused on frameworks for responsible AI deployment in security contexts. The challenge is that governance frameworks tend to lag technology deployment by years, and the competitive pressure to adopt AI-driven security tools is intense. CISOs face a genuine dilemma: move too slowly and risk being overwhelmed by AI-augmented attacks; move too fast and risk ceding critical security decisions to systems that aren’t fully understood.

Several speakers at RSA addressed this directly. The consensus, to the extent one existed, was that organizations should adopt a graduated autonomy model — start with AI handling alert triage and investigation enrichment under human supervision, then progressively expand the machine’s decision-making authority as confidence in its accuracy grows. Think of it as a security clearance system for AI agents, where trust is earned through demonstrated performance rather than assumed at deployment.

Google’s approach at the conference illustrated this philosophy. Its unified security operations platform integrates Gemini-powered AI agents that can investigate alerts, correlate telemetry across endpoints, network, and cloud infrastructure, and recommend response actions. But the system is designed with human-in-the-loop checkpoints for high-impact decisions. An AI agent might automatically enrich an alert with threat intelligence, correlate it with related events, and draft an incident summary — but the decision to isolate a production server still routes to a human analyst for approval.

Microsoft’s strategy with Security Copilot follows a similar pattern, though with some distinctions. The company has been aggressively expanding Copilot’s autonomous capabilities, introducing what it calls “security agents” that can independently handle specific workflows. At RSA, Microsoft showcased agents designed to manage phishing investigation, identity compromise assessment, and vulnerability prioritization. The agents operate within defined parameters and escalate to humans when they encounter scenarios outside their confidence thresholds.

CrowdStrike, characteristically, took the most aggressive public stance. The company’s Charlotte AI platform now handles what CrowdStrike claims is the equivalent of 100 analyst-hours of work per day for large enterprise customers. The company’s pitch at RSA emphasized speed — specifically, the gap between attacker breakout time (the interval between initial compromise and lateral movement) and defender response time. CrowdStrike’s data shows average breakout time dropping below 60 minutes for sophisticated adversaries. If your SOC can’t investigate and respond within that window, automation isn’t optional.

Palo Alto Networks took a platform-centric approach, positioning Cortex XSIAM as the foundation for what the company calls the “autonomous SOC.” CEO Nikesh Arora has been vocal about his belief that the cybersecurity industry is undergoing consolidation, with platform vendors absorbing the functions of dozens of point solutions. At RSA, Palo Alto demonstrated XSIAM’s ability to ingest, normalize, and correlate data from hundreds of sources, then apply AI-driven analytics to detect and respond to threats with minimal human intervention.

But here’s the thing about vendor demonstrations: they work on conference stages. The real test is production environments with messy data, legacy systems, undocumented network configurations, and regulatory constraints that vary by industry and geography.

Several CISOs speaking at RSA panels offered a more measured perspective. One recurring theme was the gap between AI’s theoretical capabilities and practical deployment realities. Many organizations still struggle with basic data hygiene — inconsistent logging, incomplete asset inventories, fragmented identity management. Layering AI automation on top of poor data foundations doesn’t produce intelligent automation. It produces automated confusion.

This point deserves emphasis. The most sophisticated AI-driven SOC platform in the world is only as good as the data it ingests. And for many organizations, particularly those in highly regulated industries like financial services and healthcare, getting data into a usable state for AI consumption remains a multi-year project involving significant investment in data engineering, integration, and governance.

The governance dimension extends beyond data quality. As AI agents gain more autonomy in security operations, questions of accountability become urgent. If an AI agent makes a containment decision that disrupts business operations, who’s responsible? The vendor? The CISO? The analyst who configured the automation rules? Existing regulatory frameworks don’t provide clear answers, and the legal landscape is evolving rapidly.

The European Union’s AI Act, which began phased enforcement in 2025, classifies certain AI applications in critical infrastructure — including cybersecurity — as high-risk, subjecting them to stringent transparency and oversight requirements. U.S. regulation remains more fragmented, with sector-specific guidance from agencies like the SEC, CISA, and various state-level privacy authorities. For multinational organizations, navigating these overlapping requirements while deploying AI-driven security tools is a genuine operational challenge.

And then there’s the adversarial dimension. Attackers aren’t standing still while defenders deploy AI. The same large language model capabilities that power security AI agents can be turned against them. Prompt injection attacks against AI-powered security tools are an emerging threat vector. Adversarial machine learning techniques that can fool AI-driven detection systems are well-documented in academic research and increasingly observed in the wild. The risk of an AI arms race — where defenders and attackers continuously train models to outmaneuver each other — is not theoretical. It’s happening now.

Several RSA sessions focused specifically on AI security — that is, securing the AI systems themselves rather than using AI for security. This meta-problem is one the industry is only beginning to grapple with seriously. If your SOC increasingly depends on AI agents for critical decisions, the integrity and reliability of those AI systems become existential concerns. Model poisoning, data manipulation, and adversarial evasion techniques represent attack surfaces that most security teams aren’t yet equipped to defend.

The workforce implications are also more nuanced than the vendor narrative suggests. The standard pitch is that AI will eliminate tedious work and let analysts focus on high-value tasks. True, as far as it goes. But it sidesteps an uncomfortable question: what happens to the entry-level analyst pipeline?

Tier 1 SOC analyst roles have traditionally served as the industry’s on-ramp — the position where new cybersecurity professionals learn the fundamentals of threat detection, log analysis, and incident response. If AI automates most Tier 1 functions, the entry point shifts. Junior analysts may need to arrive with AI management and prompt engineering skills rather than traditional log analysis abilities. The cybersecurity talent pipeline, already strained, faces a skills recalibration that educational institutions and training programs are only beginning to address.

Some organizations are already experimenting with hybrid models where junior analysts work alongside AI agents, using the AI as a training tool rather than a replacement. The AI handles the initial investigation and presents its reasoning to the human analyst, who reviews, validates, and learns from the process. It’s an interesting approach that could accelerate skill development while maintaining human oversight. But it requires deliberate organizational design and investment in mentorship that many resource-constrained security teams can’t easily afford.

The financial dynamics of AI-driven SOC transformation deserve scrutiny too. Vendor pricing models for AI security tools vary widely, and total cost of ownership calculations are complicated by data ingestion costs, cloud computing expenses for AI inference, and the professional services investment required for deployment and tuning. Several CISOs at RSA privately expressed frustration with what they described as opaque pricing structures that make it difficult to compare solutions or predict costs at scale.

There’s also a consolidation dynamic at play. The major platform vendors — Microsoft, Google, Palo Alto Networks, CrowdStrike — are using AI capabilities as a wedge to drive platform adoption and reduce customers’ reliance on best-of-breed point solutions. This has significant implications for the broader cybersecurity vendor market, where hundreds of smaller companies have built businesses around specific security functions that are now being absorbed into AI-powered platforms. Expect accelerated M&A activity and some painful market corrections among smaller vendors that can’t match the AI investment levels of the platform players.

Not all the news from RSA was about SOC automation. Identity security, cloud security posture management, and application security all received significant attention. But even in these adjacent domains, AI was the connective tissue. Identity threat detection and response (ITDR) solutions increasingly use AI to detect anomalous authentication patterns. Cloud security tools are applying machine learning to configuration drift detection. Application security vendors are integrating AI-powered code analysis into developer workflows.

The convergence is real. And it’s accelerating.

What makes this moment different from previous waves of cybersecurity automation hype — and there have been several, from SOAR platforms to XDR to various flavors of “autonomous” detection — is the underlying technology’s capability. Large language models and multi-modal AI systems can process, correlate, and reason about security data in ways that previous automation technologies simply couldn’t. The gap between what vendors promise and what the technology can actually deliver has narrowed significantly, even if it hasn’t closed entirely.

But technology capability is necessary, not sufficient. The organizations that will extract the most value from AI-driven security operations are those that invest equally in data foundations, governance frameworks, workforce development, and organizational change management. The ones that treat AI as a magic box to be plugged in and left alone will be disappointed — or worse, dangerously overconfident.

RSA 2025 made one thing clear: the future of cybersecurity operations is increasingly autonomous. The debate is no longer about whether to automate but about how fast, how far, and with what safeguards. The answers will differ by organization, industry, and risk appetite. But the direction of travel is set.

The SOC as we’ve known it for two decades — rows of analysts staring at dashboards, manually triaging alerts, and burning out at alarming rates — is ending. What replaces it will be faster, more capable, and far more dependent on machines. Whether it will also be more secure depends entirely on how thoughtfully the industry manages the transition.

That’s the real test. Not whether AI can do the work. Whether we can govern it well enough to trust it with the work.

Subscribe for Updates

AISecurityPro Newsletter

A focused newsletter covering the security, risk, and governance challenges emerging from the rapid adoption of artificial intelligence.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us