CyberSecurityDive

3 ways AI is transforming security operations – and where it delivers real impact


Spend enough time walking the floor at RSA or any major cybersecurity conference, and you’ll eventually be convinced that the fully autonomous security operations center (SOC) is just a software upgrade away. But the current reality is much more nuanced. As the proliferation of AI agents—and the non-human identities (NHIs) they spawn—expands the attack surface to unprecedented size and generative AI adoption multiplies data risk, skills shortages persist in the face of rising threats. Security operations (SecOps) teams have long been exhorted to “work smarter, not harder,” but they need the right tools and processes to actually achieve that aim.

Applied in the right places, AI does have the potential to ease the burden on perennially overworked SecOps teams. But AI washing—the practice of exaggerating or overstating how much AI a vendor’s solution actually employs—is rampant in cybersecurity right now. CISOs need to be careful and strategic in implementing new solutions to ensure that they gain real value, rather than merely adding costs.

“Right now it feels like cybersecurity vendors are moving faster than their customers can move,” says Philip Armbrust, Senior Director of Presales Engineering at SHI. “The largest among them have had AI on their roadmaps for at least five or six years now. If an organization’s SecOps program is already very mature, and they’ve consolidated their technology stack on one of these vendors’ platforms, maybe they’ll be able to gain significant ROI from agentic AI in the SOC right now. But for many companies, realizing that vision is still in the future.”

Here are three important ways that AI can add value in security operations right now.

#1: Materially increase the value of your existing telemetry

It’s long been true—in theory—that the more telemetry data a SecOps team gathers, the better visibility becomes, and the more accurate detections are. It has also long been true—in practice—that more telemetry means more false positive alerts, more dashboards and consoles to monitor, and more frustration and burnout among analysts.

AI has enormous potential to change this equation. The more data AI models are trained on and fed, the more effectively they work. And what AI is best at is finding patterns and correlations across large volumes of information. This means that AI-driven SOC platforms can process enormous volumes of telemetry data in milliseconds to identify subtle anomalies or multi-step attack paths that would otherwise be missed.

AI can also clean and enrich telemetry, unifying it with event data from multiple sources to transform it into actionable information that drives measurable improvements in mean time-to-detection (MTTD) and mean time-to-response (MTTR).
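The correlation and enrichment step described above, shown as an added example that is not code from the article or from SHI. Five constructed telemetry lines from three sources (a VPN gateway, an EDR agent and a web proxy) are normalised into one schema, enriched from a constructed asset inventory, tagged with a per-source weak signal, and then chained per host inside a five-minute window. The hostnames, the `ASSET_INVENTORY`, the `EXPECTED_VPN_COUNTRIES` baseline and the `key=value` line format are all assumptions for the illustration. Each weak signal on its own is the kind of low-value alert the text complains about; the same signals seen across two or more sources within minutes are a much higher-fidelity finding, and the time from the first weak signal to the completed chain is the detection latency that feeds MTTD.

```python
"""Added example: turning multi-source telemetry into one correlated finding."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory used for enrichment (not real data).
ASSET_INVENTORY = {
    "ws-042": {"owner": "jdoe", "tier": "workstation"},
    "db-07": {"owner": "svc-db", "tier": "crown-jewel"},
}

# Constructed telemetry lines in the assumed format "<timestamp> <source> key=value ...".
RAW_EVENTS = [
    '2024-05-01T08:00:05Z vpn user=jdoe host=ws-042 src_country=NL result=success',
    '2024-05-01T08:00:40Z edr host=ws-042 proc=powershell.exe cmdline="-enc SQBFAFgA"',
    '2024-05-01T08:01:10Z proxy host=ws-042 dst=update.example.invalid category=uncategorised',
    '2024-05-01T09:30:00Z edr host=db-07 proc=sqlservr.exe cmdline=""',
    '2024-05-01T10:15:00Z proxy host=db-07 dst=cdn.example.invalid category=uncategorised',
]

EXPECTED_VPN_COUNTRIES = {"DE"}  # constructed baseline for this organisation


def parse_event(line):
    """Normalise one raw line into {ts, source, host, fields}."""
    tokens = shlex.split(line)  # shlex keeps quoted values such as cmdline together
    fields = dict(tok.split("=", 1) for tok in tokens[2:])
    return {
        "ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ"),
        "source": tokens[1],
        "host": fields.get("host"),
        "fields": fields,
    }


def enrich(event):
    """Attach owner and business tier from the asset inventory."""
    asset = ASSET_INVENTORY.get(event["host"], {})
    event["owner"] = asset.get("owner", "unknown")
    event["tier"] = asset.get("tier", "unknown")
    return event


def weak_signal(event):
    """Return a per-source weak indicator, or None for benign-looking events."""
    f = event["fields"]
    if event["source"] == "vpn" and f.get("src_country") not in EXPECTED_VPN_COUNTRIES:
        return "vpn_unusual_geo"
    if event["source"] == "edr" and "-enc" in f.get("cmdline", ""):
        return "encoded_powershell"
    if event["source"] == "proxy" and f.get("category") == "uncategorised":
        return "rare_destination"
    return None


def count_weak_signals(raw_lines):
    """How many standalone alerts these lines would raise without correlation."""
    return sum(1 for line in raw_lines if weak_signal(parse_event(line)))


def correlate(raw_lines, window=timedelta(minutes=5), min_sources=2):
    """Chain weak signals per host that fall inside `window` and span
    at least `min_sources` distinct telemetry sources."""
    by_host = defaultdict(list)
    for line in raw_lines:
        event = enrich(parse_event(line))
        signal = weak_signal(event)
        if signal:
            event["signal"] = signal
            by_host[event["host"]].append(event)

    chains = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                chains.append({
                    "host": host,
                    "owner": first["owner"],
                    "tier": first["tier"],
                    "steps": [e["signal"] for e in cluster],
                    "sources": sorted(sources),
                    # seconds from the first weak signal to the chain being complete
                    "detection_latency_s": (cluster[-1]["ts"] - first["ts"]).total_seconds(),
                })
                break  # one finding per host is enough for this illustration
    return chains


if __name__ == "__main__":
    print("standalone alerts:", count_weak_signals(RAW_EVENTS))
    for chain in correlate(RAW_EVENTS):
        print(chain)
```

On the constructed input the five lines raise four standalone weak signals but only one correlated finding, for ws-042 (owner jdoe), with a detection latency of 65 seconds; the lone uncategorised proxy hit on db-07 never reaches an analyst because no second source corroborates it. In practice the weak-signal rules would be replaced by model output or vendor detections, but the windowing and the multi-source requirement are what turn telemetry volume into fewer, better alerts.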

#2: Help mature SecOps programs move beyond SIEM

Security information and event management (SIEM) platforms have vexed cybersecurity practitioners just about as long as they’ve existed. SIEMs tend to flood analysts with low-value alerts while demanding endless tuning, rule-writing and integration work. Even though they’re excellent at centralizing logs, they’re often poor at helping analysts understand what’s in those logs: the critical context that enables faster and more accurate response.

“Right now, many organizations with mature security programs are re-evaluating their SIEM implementations,” Brad Bowers, Global Field Chief Information Security Officer at SHI, notes. “They’re asking how they can end their addiction to SIEM and replace it with technology that’s more agile and enables automated decision-making at the edge, instead of sending all the telemetry to somewhere central.”

New applied AI solutions can identify potentially malicious activities on endpoints and automatically kill processes, isolate hosts or block connections when high-confidence detections are made. By relying less on SIEM-based correlation, SecOps programs can accelerate response while also making it more precise and surgical. In this model, SIEM retains its role in forensics and compliance, but applied AI at the edge takes over much of the detection and alert triage that used to depend on the SIEM.
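The division of labour described above (autonomous containment at the edge for high-confidence detections, the SIEM kept as the forensic and compliance record), shown as an added example that is not code from the article or from any SHI product. The `Detection` shape, the confidence thresholds, the `crown-jewel` asset tier and the sample detections are all constructed for the illustration. Two design points matter here: the narrowest action that stops the behaviour (kill the process, block the connection) is taken before full host isolation, and a host whose outage would be worse than the threat is never auto-isolated but handed to an analyst, so a false positive cannot take down a critical system.

```python
"""Added example: confidence-gated response at the edge, with SIEM kept as the record."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    KILL_PROCESS = "kill_process"
    BLOCK_CONNECTION = "block_connection"
    ISOLATE_HOST = "isolate_host"
    ESCALATE_TO_ANALYST = "escalate_to_analyst"
    LOG_ONLY = "log_only"


CONTAINMENT = {Action.KILL_PROCESS, Action.BLOCK_CONNECTION, Action.ISOLATE_HOST}


@dataclass(frozen=True)
class Detection:
    host: str
    category: str          # "process" or "network" (constructed categories)
    confidence: float      # 0.0 .. 1.0, as an edge model would score it
    asset_tier: str = "workstation"


# Constructed policy thresholds; tune them to the false-positive cost you can bear.
AUTO_RESPONSE_THRESHOLD = 0.95
ANALYST_TRIAGE_THRESHOLD = 0.70


def decide(det):
    """Map a detection to the actions the edge agent may take."""
    if det.confidence >= AUTO_RESPONSE_THRESHOLD:
        actions = []
        # Narrow action first: the smallest step that stops the behaviour.
        if det.category == "process":
            actions.append(Action.KILL_PROCESS)
        elif det.category == "network":
            actions.append(Action.BLOCK_CONNECTION)
        # Full isolation only where a false positive is survivable; a
        # crown-jewel outage is a human decision, not an automated one.
        if det.asset_tier == "crown-jewel":
            actions.append(Action.ESCALATE_TO_ANALYST)
        else:
            actions.append(Action.ISOLATE_HOST)
        return actions
    if det.confidence >= ANALYST_TRIAGE_THRESHOLD:
        return [Action.ESCALATE_TO_ANALYST]
    return [Action.LOG_ONLY]


class EdgeResponder:
    """Applies the policy and records what went where. A real agent would call
    the EDR or firewall API in the containment branch; here it is only recorded."""

    def __init__(self):
        self.containment_log = []   # actions executed at the edge
        self.analyst_queue = []     # detections needing a human decision
        self.siem_records = []      # everything, for forensics and compliance

    def handle(self, det):
        actions = decide(det)
        for action in actions:
            if action in CONTAINMENT:
                self.containment_log.append((det.host, action.value))
            elif action is Action.ESCALATE_TO_ANALYST:
                self.analyst_queue.append(det)
        # Every decision is forwarded, whatever the outcome, so the SIEM
        # still holds the complete timeline for investigation and audit.
        self.siem_records.append({
            "host": det.host,
            "confidence": det.confidence,
            "actions": [a.value for a in actions],
        })
        return actions


# Constructed detections exercising each branch of the policy.
SAMPLE_DETECTIONS = [
    Detection("ws-042", "process", 0.98),
    Detection("db-07", "network", 0.97, asset_tier="crown-jewel"),
    Detection("ws-013", "network", 0.80),
    Detection("ws-021", "process", 0.30),
]


def run_policy(detections):
    responder = EdgeResponder()
    for det in detections:
        responder.handle(det)
    return responder


if __name__ == "__main__":
    r = run_policy(SAMPLE_DETECTIONS)
    print("contained:", r.containment_log)
    print("analyst queue:", [d.host for d in r.analyst_queue])
    print("siem records:", len(r.siem_records))
```

With the four constructed detections, the workstation is contained automatically, the crown-jewel database gets its connection blocked but is escalated rather than isolated, the 0.80 detection is queued for triage, the 0.30 one is logged only, and all four reach the SIEM record.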

#3: Make human analysts smarter and more confident

AI-powered copilots can help security analysts draft emails, but they can also assist them in creating complex search queries, custom correlation rules and platform-specific detection logic. AI tools make it simpler to write scripts, with human oversight needed only for review and validation. These tools can also summarize incidents, build reports and answer natural-language questions, accelerating junior analysts’ acquisition of knowledge and confidence.
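The "review and validation" step above is where a copilot-drafted detection earns its place in production, and this added example (not code from the article or from SHI) shows what that gate can look like for a regex-style detection: the candidate must compile and must meet precision and recall floors on a labelled corpus the team maintains. The labelled command lines, the candidate patterns and the 0.9 thresholds are constructed for the illustration; a real corpus would hold the team's own confirmed true positives and the benign administrative activity that has caused false positives before.

```python
"""Added example: a review gate for detection logic drafted by an AI copilot."""
import re

# Constructed, labelled process command lines: (text, is_malicious).
LABELLED_SAMPLES = [
    ("powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", True),
    ("powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA=", True),
    ("powershell.exe -File C:\\scripts\\nightly-backup.ps1", False),
    ("powershell.exe Get-Service -Name Spooler", False),
    ("cmd.exe /c dir C:\\Users", False),
    ("notepad.exe C:\\Users\\jdoe\\notes.txt", False),
]


def evaluate(pattern, samples):
    """Score a regex detection against labelled samples."""
    rx = re.compile(pattern, re.IGNORECASE)
    tp = fp = fn = tn = 0
    for text, is_malicious in samples:
        hit = rx.search(text) is not None
        if hit and is_malicious:
            tp += 1
        elif hit and not is_malicious:
            fp += 1
        elif not hit and is_malicious:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall}


def review(pattern, samples=LABELLED_SAMPLES, min_precision=0.9, min_recall=0.9):
    """Accept or reject a candidate with a reason the reviewing analyst can act on."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return {"accepted": False, "reason": f"pattern does not compile: {exc}"}
    metrics = evaluate(pattern, samples)
    if metrics["recall"] < min_recall:
        return {"accepted": False, "reason": "misses known-malicious samples", **metrics}
    if metrics["precision"] < min_precision:
        return {"accepted": False, "reason": "fires on known-benign samples", **metrics}
    return {"accepted": True, "reason": "meets precision and recall floors", **metrics}


# Constructed candidates standing in for copilot output: one good, one too
# broad, one too narrow, one syntactically broken.
CANDIDATES = {
    "encoded-powershell": r"powershell\.exe.*-enc",
    "any-powershell": r"powershell",
    "long-flag-only": r"-EncodedCommand",
    "broken": r"powershell(",
}


if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        result = review(pattern)
        print(f"{name:18} accepted={result['accepted']}  {result['reason']}")
```

Only the first candidate passes. The bare `powershell` pattern would have flagged the nightly backup and a routine service query (precision 0.5), the `-EncodedCommand` pattern misses the abbreviated `-enc` form (recall 0.5), and the broken one never reaches scoring. Keeping the corpus under version control alongside the rules turns each past false positive into a permanent regression test for the next AI-drafted detection.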

“Organizations keep asking if AI is going to replace Tier 1 and Tier 2 analysts,” says Bowers. “The answer is no. AI cannot automatically block all attacks without humans working alongside it. But it can help human analysts decrease the amount of time it takes to detect and respond to threats.”

With AI-augmented security operations, forward-thinking CISOs can boost human analyst productivity and reduce alert fatigue by balancing automation and oversight. In a world where attacks keep getting faster and smarter, the biggest benefits of AI adoption—time and labor savings—are no longer simply nice to have.

“Every organization should be looking for places to apply AI within their SecOps program right now,” adds Bowers. “The key to success is identifying the workflows where AI will drive the biggest improvements in response time. That’s what really matters.”

Want to learn more about how industry leaders are thinking about the biggest challenges in security operations? Download SHI and Stratascale’s 2026 Cyber Trends Report today.


