Defining the landscape: automation, GenAI and agentic AI
We have often noticed that security automation, GenAI and agentic AI are used interchangeably. All three aim at the same outcome, but they differ in how much judgement and autonomy they carry. Security automation involves scripting and coding well-defined, repeatable tasks, such as tuning detection rules or running data queries. It improves efficiency by delivering predictable, reliable outcomes and replacing manual processes, and it is only as good as the rules written into it. GenAI uses large language models as a thought partner, supporting analysts in searching, summarizing alerts and suggesting next steps. While powerful, these tools still depend on a human to review and act on their recommendations. Agentic AI, by contrast, enables intelligent agents to carry out tasks autonomously: they can run workflows, resolve tickets and perform security operations on their own, within the permissions and tool access they are given. Leading organizations keep all three in their toolkit. The value comes from knowing when to use each approach: traditional automation for straightforward, deterministic problems, GenAI for ideation and agentic AI for complex, context-driven challenges where conventional automation falls short.
Agentic AI in action: real-world applications and limitations
Our experience with agentic SOC initiatives shows that the primary focus has been on optimizing L1 and L2 functions by automating the adjudication of alerts and expediting routine ticket resolution. Intelligent agents can query external sources (threat intelligence, reputation services) and internal systems (asset inventory, identity directories, prior tickets) in parallel, streamlining decision-making and improving accuracy. Automating these high-volume tasks brings clear benefits, such as reducing dwell time, speeding up responses and enhancing consistency. However, organizations should manage expectations regarding cost savings, since L1 and L2 activities often represent only a small portion of the overall SOC budget. The true opportunity lies in tackling the complex, high-value tasks at both ends of the SOC value chain.
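To make the distinction between "deterministic automation" and "context-driven work" concrete, here is an added example (not code from EY or from any product this page describes). It is a rule-based L1 adjudication pass of the kind the page assigns to traditional automation: clear-cut cases are closed or contained by rule, and anything that needs context the rules cannot see is handed off to an agent or analyst. The alerts, the corporate VPN range, the authorized-scanner list, the single threat-intel entry and the allowlist of actions that may run without a human are all constructed assumptions for the illustration.

```python
"""Deterministic L1 alert adjudication with an explicit hand-off to
context-driven review. Added illustration, not EY or vendor code.
Every alert, allowlist and intel entry below is constructed sample data."""
from dataclasses import dataclass, field
import ipaddress

# Constructed alerts, shaped roughly like SIEM output.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "impossible_travel", "user": "svc-backup",
     "src_ip": "10.0.5.7"},
    {"id": "A2", "rule": "outbound_to_c2", "user": "jdoe",
     "src_ip": "10.0.8.21", "dest_ip": "203.0.113.45"},
    {"id": "A3", "rule": "port_scan", "user": "", "src_ip": "10.0.9.9"},
    {"id": "A4", "rule": "impossible_travel", "user": "asmith",
     "src_ip": "198.51.100.8"},
]

# Constructed internal context (a CMDB or identity store would supply this).
CORP_VPN_EGRESS = [ipaddress.ip_network("10.0.5.0/24")]
AUTHORIZED_SCANNERS = {"10.0.9.9"}
# Constructed external threat-intel lookup (simulated feed, not a real one).
THREAT_INTEL = {"203.0.113.45": "c2"}
# Assumed policy: only reversible actions may run without a human.
AUTONOMOUS_ACTIONS = {"isolate_host", "open_ticket"}


@dataclass
class Verdict:
    alert_id: str
    decision: str                  # "close" | "auto_contain" | "escalate"
    reason: str
    actions: list = field(default_factory=list)


def adjudicate(alert: dict) -> Verdict:
    """Rule-based adjudication. Returns 'escalate' whenever the decision
    depends on context this deterministic pass cannot see."""
    rule = alert["rule"]
    src = ipaddress.ip_address(alert["src_ip"])
    if rule == "port_scan" and alert["src_ip"] in AUTHORIZED_SCANNERS:
        return Verdict(alert["id"], "close", "authorized vulnerability scanner")
    if rule == "impossible_travel" and any(src in net for net in CORP_VPN_EGRESS):
        return Verdict(alert["id"], "close", "source is corporate VPN egress")
    if rule == "outbound_to_c2" and THREAT_INTEL.get(alert.get("dest_ip")) == "c2":
        # The rule proposes a full playbook; execute() decides what may run unattended.
        return Verdict(alert["id"], "auto_contain", "destination on C2 list",
                       ["isolate_host", "open_ticket", "disable_account"])
    # Anything else (travel records, MFA history, business context) is the
    # context-driven work the page assigns to an agent or an analyst.
    return Verdict(alert["id"], "escalate", f"no deterministic rule for {rule}")


def execute(verdict: Verdict) -> tuple:
    """Run only allowlisted (reversible) actions; hold the rest for approval."""
    ran = [a for a in verdict.actions if a in AUTONOMOUS_ACTIONS]
    held = [a for a in verdict.actions if a not in AUTONOMOUS_ACTIONS]
    return ran, held


def triage(alerts: list) -> dict:
    """Group verdicts by decision so the hand-off queue is visible."""
    out = {"close": [], "auto_contain": [], "escalate": []}
    for alert in alerts:
        verdict = adjudicate(alert)
        out[verdict.decision].append(verdict)
    return out


if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS)
    for decision, verdicts in summary.items():
        print(decision, [(v.alert_id, v.reason) for v in verdicts])
    for v in summary["auto_contain"]:
        print(v.alert_id, "ran:", execute(v)[0], "held:", execute(v)[1])
```

Run on the constructed alerts, two of the four are closed by rule, one is contained (with the non-reversible `disable_account` step held back for a human), and the remaining impossible-travel alert lands in the escalation queue because no rule can settle it without outside context. That queue, not the rule engine, is where the page argues an agent earns its keep.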
“With AI changing the speed and scale of cyber threats, traditional defenses are no longer sufficient. Defenders must lead with agentic AI to build smarter, adaptive SOCs and cyber capabilities to drive trust and competitive advantage and deliver greater returns” – Ayan Roy, EY Cybersecurity Leader
The transformative value of agentic AI happens even before an alert is fired
Transformative value is found in the activities that occur before an alert fires and after it has been triaged. Developing new detection rules, recommending use cases and mapping threat intelligence to coverage are handled by skilled professionals and often account for a significant share of SOC costs. Similarly, the response phase, including integrating with SOAR platforms, generating playbooks and driving incidents to closure, offers opportunities for agentic AI to make a meaningful impact. Our mantra has been: "Automate the high-volume task and augment the higher-value roles." For example, agentic AI can significantly shorten the time required to develop, test and deploy threat detection logic, or enable dynamic playbooks for emerging threats. By focusing on these areas, organizations can realize efficiency gains that extend well beyond routine operations.
Transforming SOC roles: evolving responsibilities and boundaries
Agentic AI is fundamentally changing the SOC operating model. Where L1 and L2 functions once depended heavily on human analysts, intelligent automation now plays a significant role in triage and investigation. Independent reports and academic studies have reported reductions of up to 60% in the alert volume reaching analysts and savings of more than $2.0 million in response costs; such figures depend on the baseline alert volume and environment, so each organization should measure its own. The boundaries between SOC levels are becoming less defined. L1 roles are evolving into more agile L2 positions, empowered to move between triage and deeper investigation with support from AI. This affects how we train and reskill SOC teams to take advantage of the generational change. At higher levels, agentic AI accelerates advanced containment and frees analysts to innovate, map threats and refine detection logic. The result is a SOC that is faster, more reliable and more adaptive, and ready to take full advantage of intelligent automation.
Unlocking the full potential: requirements for success
To realize the transformative benefits of agentic AI, organizations must focus on integrating agents with the platforms they will act on (SIEM, SOAR, ticketing) and identifying the essential data sources that power their models. Securing buy-in from both business stakeholders and analysts is equally important, as their engagement is critical to successful adoption. By creating agentic AI use cases that cover the entire threat management lifecycle, from alert adjudication to threat hunting and detection logic creation, leaders can deliver value at every level.