Is Your SOC Ready for the Threats of 2026?

With attackers now leveraging AI to build faster, more adaptive campaigns, the Security Operations Center is at a critical inflection point. To explore this shift, we sat down with Dominic Jainy, an IT strategist whose work at the intersection of AI and cybersecurity gives him a unique perspective on the future of threat defense. He argues that the SOC of 2026 won’t just be about better detection, but about fundamentally changing the way analysts interact with threats.

In our conversation, we explored the critical move away from passive, report-based analysis toward a live, “analyst-in-the-loop” model that empowers immediate action. Dominic detailed how modern attacks are evolving to require human interaction, a challenge that renders traditional automated sandboxes ineffective. We also touched upon the growing importance of visual evidence in translating technical findings into clear business risks for leadership, and how these new methodologies are not only improving SOC efficiency but are essential for confronting the next wave of AI-driven threats.

The article contrasts the old “run-wait-review” cycle with a new “analyst-in-the-loop” model. Can you walk me through an analyst’s workflow using this live model, and share a specific example of how this immediacy helped stop a threat that would have otherwise progressed?

Absolutely. The old way feels incredibly slow and disconnected now. An analyst would get a suspicious file, upload it to a sandbox, and then… wait. You’d go grab a coffee, handle another ticket, and come back ten minutes later to a static report. If the threat was designed to stall or wait for a specific user action, the report would often come back inconclusive. So you’d have to tweak the settings and run it again, starting the clock over. This “run-wait-review” loop is a huge time sink.

In the live model, the game completely changes. Imagine an analyst gets an alert for a suspicious document. They detonate it in an interactive sandbox and are watching the execution as it happens. The document opens and immediately launches a PowerShell window, but then nothing happens. It just sits there. In the old model, the sandbox would time out and report “no malicious activity.” But with an analyst in the loop, they can immediately interact with that terminal. They might type a simple command like dir to see what happens. This simple interaction can be the trigger the malware was waiting for. Suddenly, it kicks off its next stage, attempting to connect to a command-and-control server. The analyst sees this connection in real-time, grabs the IOC, blocks it at the firewall, and closes the case. What could have taken 30 minutes and multiple re-runs is now resolved in under 90 seconds, all because the analyst could step in and push the attack forward.

You mentioned that attacks increasingly require human participation, citing QR codes and manual PowerShell commands. Could you describe a recent, real-world attack that hinged on this, and explain step-by-step how an interactive sandbox uncovers the full chain where a traditional one would have failed?

We’re seeing this constantly. Attackers know that automated systems are looking for direct malicious payloads, so they create roadblocks that require a human touch. A great example is a recent phishing campaign that used a QR code to deliver a payload. The email itself was clean—just a simple message saying “Action Required: Please review your shared document” with a QR code. A traditional sandbox might not even process the QR code. If it did, it would find the first URL, which leads to a legitimate-looking but fake CAPTCHA page. The automated sandbox would see this page, find no malicious scripts, and stop, marking the URL as safe. The attack ends there, and the threat is missed.

Now, let’s look at it with an interactive, automated analysis. The system scans the QR code and extracts the URL. It navigates to the CAPTCHA page, but instead of stopping, it solves the challenge automatically, just as a user would. This reveals the next step: a redirect to a file-sharing site. The system follows that redirect and encounters another roadblock—a button that says “Download Secure Document.” An interactive system is designed to click that button. Upon clicking, it downloads a ZIP file, which it then automatically extracts. Inside is a password-protected script. The system uses common passwords or context from the email to unlock it, and only then does it execute the final PowerShell payload. The analyst watches this entire chain unfold in a single, continuous flow. They see the evasion, the redirects, and the final payload execution. A traditional tool sees a benign landing page; the interactive tool reveals the entire attack path from QR code to compromise.

The content highlights the need for visual proof to bridge the gap between technical detection and business understanding. Can you share an anecdote where a visual report changed an executive’s perspective on a threat, and what key elements in that report made it so effective?

This is something I’m incredibly passionate about because it’s where security truly connects with the business. I remember a case where the SOC was trying to get funding for better endpoint protection, but the leadership team was hesitant. The analysts were presenting logs showing strange outbound network traffic from the finance department, but to the executives, it was just a blur of IP addresses and port numbers. They heard “potential data exfiltration,” but it didn’t feel real; it sounded like a probability, not a certainty.

Then, we re-ran the analysis in a sandbox that produced a full visual report, including a process tree and screen recordings. The next time we met, we didn’t show them logs. We showed them a video. They saw, step-by-step, an employee opening what looked like a normal invoice. They watched as that invoice spawned a hidden PowerShell process. Then, they saw a visual graph showing that PowerShell process accessing a specific folder on the network drive labeled “Financial Projections,” creating a compressed file, and then making a connection to an IP address geolocated in a hostile country. You could feel the air leave the room. It was no longer an abstract threat. They saw their own data, their own file names, being actively stolen. That visual, undeniable proof completely changed the conversation from “Is this a real risk?” to “How quickly can we implement a solution?” The key was context and clarity—tying every technical action directly to a visible, understandable business impact.

The article claims a 30% reduction in Tier 1 to Tier 2 escalations. Can you break down how giving a Tier 1 analyst full-chain visibility from the start empowers them to make stronger verdicts, and provide a metric-driven example of how this improves overall SOC efficiency?

That 30% figure is a direct result of empowering Tier 1 analysts with tools that provide context, not just alerts. Traditionally, a Tier 1 analyst is on the front lines, dealing with a flood of alerts, often with very little information. An alert might say “Potentially Malicious File Detected on Host X,” but provide only a file hash. The Tier 1 analyst doesn’t have the context or the advanced tools to determine if it’s a real threat or a false positive, so their only safe option is to escalate it to a Tier 2 analyst, who then has to start the investigation from scratch. This creates a massive bottleneck.

When you give that same Tier 1 analyst an interactive sandbox, they can take that file hash, detonate it, and within two minutes, see the entire story. They can see that the file was downloaded from a legitimate software update, that it only makes network connections to the vendor’s servers, and that it doesn’t try to establish persistence or access sensitive files. They now have full-chain visibility. They can confidently say, “This is a benign file, part of a legitimate application,” and close the ticket. That’s one less case for the Tier 2 team. When you multiply that by the thousands of alerts an organization sees, you see how that 30% reduction is achieved. It’s not just about closing tickets faster; it frees up your most experienced Tier 2 analysts to focus on genuine, complex threats, which is a massive boost to overall SOC efficiency. It’s a direct contributor to the 50% cut in Mean Time to Respond (MTTR) mentioned in the article.

Considering the article’s point that attackers are building campaigns around AI, how does the shift toward live, interactive analysis prepare SOCs for these more adaptive threats? Please describe a hypothetical AI-driven attack and how this methodology would be uniquely suited to deconstruct it in real time.

This is the frontline of cybersecurity for 2026 and beyond. AI-driven attacks are designed to be chameleon-like. Imagine a piece of malware that, upon execution, runs a series of subtle checks to determine if it’s in an automated analysis environment. It might check for common sandbox artifacts, monitor for perfectly uniform mouse movements, or even measure system uptime to see if the machine was just freshly spun up. If it detects any of these, it stays completely dormant, presenting itself as benign. A fully automated sandbox would run its course and give a clean report.

This is where the analyst-in-the-loop becomes your ace in the hole. An analyst can introduce the one thing that an AI model struggles to predict: human randomness. Inside the live sandbox, the analyst can mimic a real user. They can open a web browser and search for something unrelated. They can open Notepad and type a few sentences. They can let the mouse sit idle for an irregular amount of time before suddenly moving it to click a file. This unpredictable, organic behavior can bypass the AI’s environmental checks. The malware, now convinced it’s on a real user’s machine, proceeds to its next stage—perhaps decrypting its malicious payload or reaching out to its C2 server. The analyst is there, watching this happen live, and can capture the true nature of the threat precisely because their interaction outsmarted the machine’s logic. It’s human intuition versus artificial intelligence, and a live, interactive methodology is what allows the human to win.

What is your forecast for the future of SOC operations?

My forecast is that the line between the security analyst and their tools will continue to blur, leading to a state of true symbiosis. The SOC of the near future won’t be a room of people staring at static dashboards and waiting for alerts. It will be more like a cockpit, where analysts are active pilots navigating a complex and dynamic threat environment. Their primary skill won’t just be interpreting data after the fact, but actively engaging with potential threats in real time, using interactive platforms to steer investigations, test hypotheses on the fly, and force threats to reveal themselves. Automation will handle the repetitive, predictable tasks, but the core of the SOC will revolve around the analyst’s intuition and creativity, amplified by tools that allow them to directly interact with and dismantle adaptive, intelligent threats. Success will be defined not by how many alerts you can close, but by how effectively you can outmaneuver a thinking adversary.
