With the term “AI SOC” suddenly dominating cybersecurity conversations, we’re joined by Dominic Jainy, an IT professional with deep expertise in applying advanced technologies like AI to real-world business challenges. We’re here to look past the buzzwords and understand the substantive shifts happening in security operations. Our discussion will touch on why this seemingly new category is gaining traction now, how the intense, unavoidable pressures of the SOC make it a unique proving ground for AI, and what this evolution means for the technologies, enterprises, and human analysts at the center of it all. We’ll explore the transition from AI as an assistant to a genuine operator and the critical importance of stability when moving from a pilot to a production environment.
Many frame the “AI SOC” as a new category, yet some platforms have been operating in this space for years. What specific market shifts or technological milestones have recently pushed this long-standing operational need into the spotlight, leading to this sudden surge of interest?
That’s the core of the issue, isn’t it? The buzz is new, but the work is not. What we’re seeing is less a technological invention and more of a delayed market recognition. For over a decade, security operations teams have been fighting a losing battle against alert volume. The model of a human analyst manually triaging every potential threat broke a long, long time ago. The recent explosion in mainstream AI has simply provided the vocabulary and the venture capital interest to frame this existing problem as a “new category.” It’s not that a single new algorithm suddenly made this possible; rather, the broader cultural moment around AI has finally forced the industry to pay attention to a problem that security practitioners have been screaming about for years. The need was always there; the fashionable terminology just caught up.
Unlike other enterprise functions, security operations hit the limits of human scale long ago due to overwhelming alert volumes. How does this “unavoidable” need change the implementation and success metrics for AI in the SOC compared to AI projects aimed at merely optimizing already-functional workflows?
It changes everything, fundamentally. Most enterprise AI projects are trying to make a functional process, like sales or HR, a little bit better or more efficient. They are optimizations. The security operations center never had that luxury; it was a function that was already broken by design. When you’re dealing with potentially billions of security events flowing through your systems every single day, you are long past the point of human scale. The success metric isn’t a 10% improvement in efficiency. The success metric is survival. It’s about reducing the probability of a catastrophic breach from “likely” to “manageable.” This “unavoidable” pressure means the AI isn’t a nice-to-have, it’s a core operational necessity. You’re not implementing it to be innovative; you’re implementing it because the alternative is to be completely overwhelmed.
Early security automation focused on assisting analysts with tasks like alert enrichment, but now AI handles entire workflows. Could you walk through a concrete example, like an impossible travel scenario, detailing the before-and-after steps and the impact on key metrics like mean time to respond?
Certainly. The “impossible travel” alert is a classic, and it perfectly illustrates the shift. Before, an alert fires: your CEO logged in from their home office in New York and then, ten minutes later, from a cafe in Tokyo. A junior analyst gets the alert. Their heart probably skips a beat. They start a manual, frantic investigation: checking IP address reputation, looking up the CEO’s calendar, verifying recent login patterns, and maybe even trying to contact an executive assistant to confirm travel. All of this is manual, stressful, and, as the data shows, can easily take twenty minutes of focused work. Now, picture it with modern AI. The alert fires, and the platform instantly and automatically correlates dozens of data points. It sees the login is from a known corporate VPN exit node, cross-references the CEO’s calendar which shows a meeting with the Tokyo office, and checks that their corporate-issued mobile device is also in that geography. Within seconds, it closes the alert as a false positive with full documentation. That twenty minutes of human toil is gone. Multiply that across thousands of similar alerts, and your mean time to respond plummets, while your analysts are freed from the noise to hunt for real threats.
Large enterprises often prioritize stability and a proven track record over novel features. When scaling from a pilot environment to a full deployment handling hundreds of thousands of endpoints, what are the key operational hurdles and architectural considerations that separate an established platform from an ambitious newcomer?
This is where the rubber truly meets the road. A demo or a small pilot environment is one thing, but a live, large-scale enterprise SOC is an entirely different beast. The biggest hurdle is proving you can operate under immense, relentless pressure without fail. An ambitious newcomer might have a slick agentic interface, but can their platform ingest and process billions of events from two hundred thousand endpoints without latency or crashing? Enterprises want to know that your system won’t become the single point of failure. It’s about architectural resilience, mature integrations with dozens of other legacy and modern tools, and the operational experience that only comes from years of running in these demanding environments. When I was earlier in my career, I saw brilliant tech fail simply because the vendor couldn’t provide the stability and support a global company requires. It’s not just about features; it’s about being a trusted operational partner.
With AI handling high-volume, repetitive tasks, the human analyst’s role is shifting from “alert chaser” to strategist. What new skills will be most critical for analysts to develop, and how should organizations restructure their SOC teams and career paths to support this evolution?
The shift is profound and, frankly, long overdue. The most critical skill will no longer be speed in closing tickets, but depth in understanding threats. Analysts need to become true investigators and threat hunters. This means developing skills in forensic analysis, strategic thinking about attacker campaigns, and understanding the “why” behind an alert, not just the “what.” Instead of chasing down every impossible travel alert, they can now use that freed-up time to proactively hunt for the subtle signs of a patient attacker already inside the network—the kinds of things AI might not spot. Organizations must completely rethink their career paths. Success can no longer be measured by “alerts closed per hour.” It must be measured by the quality of investigations, the discovery of novel threats, and the strategic improvements made to the overall security posture. We need to create roles and compensation that reward analysts for being deep thinkers, not just fast clickers.
What is your forecast for the AI SOC space over the next three to five years?
I believe we’re going to see a rapid market consolidation driven by a flight to quality and proven execution. The initial wave of hype and new startups with flashy “agentic” messaging will give way to the hard realities of enterprise requirements. CISOs and security leaders will increasingly ask not “what can your AI do in a demo?” but “show me how it performs under pressure in a SOC like mine.” Platforms that have already navigated large-scale deployments, like Torq, which recently secured a $140 million Series D, will solidify their positions as the foundational layers of the modern SOC. The conversation will mature from novelty to reliability. We’ll also see a significant pull from the federal and public sectors, which have immense scale and strict oversight demands, further favoring platforms that can demonstrate stability and a proven track record. The future isn’t about ambitious roadmaps; it’s about platforms that are already operating at scale, day in and day out.
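The impossible-travel triage described earlier in the interview, worked through as an added example (not code from Torq or from Dominic Jainy): the speed test between two logins, then the three corroborating lookups the answer names, with the alert auto-closed only when all three agree. The VPN exit-node table, calendar entries, device-location map and login records are all constructed placeholders.

```python
"""Impossible-travel triage with automated context enrichment (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    user: str
    ip: str
    lat: float
    lon: float
    ts: datetime


# Constructed stand-ins for the VPN, calendar and MDM integrations (hypothetical data).
VPN_EXIT_NODES = {"203.0.113.7": "Tokyo"}
CALENDAR = {"ceo": [("Tokyo", datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 11))]}
MDM_DEVICE_CITY = {"ceo": "Tokyo"}


def km_between(a: Login, b: Login) -> float:
    """Great-circle distance in km between two login locations (haversine)."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def is_impossible_travel(a: Login, b: Login, max_kmh: float = 1000.0) -> bool:
    """True when the implied speed exceeds airline speed; zero elapsed time counts as impossible."""
    hours = abs((b.ts - a.ts).total_seconds()) / 3600
    return km_between(a, b) > max_kmh * hours


def triage(prev: Login, cur: Login):
    """Return (verdict, evidence). Auto-close only when every corroborating source lines up."""
    if not is_impossible_travel(prev, cur):
        return "no_alert", []
    evidence = []
    city = VPN_EXIT_NODES.get(cur.ip)  # 1. is the new login from a known corporate VPN exit?
    if city:
        evidence.append(f"known VPN exit node ({city})")
    for meeting_city, start, end in CALENDAR.get(cur.user, []):  # 2. calendar puts user there?
        if meeting_city == city and start - timedelta(hours=12) <= cur.ts <= end + timedelta(hours=12):
            evidence.append(f"calendar meeting in {meeting_city}")
    if city and MDM_DEVICE_CITY.get(cur.user) == city:  # 3. corporate device in same geography?
        evidence.append("corporate device in same geography")
    verdict = "auto_closed_false_positive" if len(evidence) == 3 else "escalate_to_analyst"
    return verdict, evidence
```

Anything short of full corroboration is escalated rather than closed, so a missing VPN match or an unexpected device location still reaches a human.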
