Beyond the hype: How security leaders can build AI agents that matter

Every day, analysts lose hours to repetitive tasks like enriching alerts or updating tickets. These are essential, but not exactly the kind of work that gets you out of bed in the morning.

At Tines, we call this “muckwork,” the low-leverage tasks that clog our days and drain our teams.

The right AI agents can automate this kind of toil. But not all AI belongs everywhere, and deploying it without a clear purpose can be just another distraction. Here are three things cybersecurity leaders should keep in mind to approach agents with the clarity and discipline these powerful tools demand.

1. Develop frameworks for where agents, copilots, or automation fit best

AI doesn’t need to be all or nothing. Think of automation on a spectrum from simple if/then logic, to human-in-the-loop copilots, to fully autonomous agents.

At one end, deterministic automation handles predictable, rule-based actions: if a phishing email is reported, log it and notify IT. In the middle, copilots assist humans: for instance, an LLM summarizing a threat intel report or suggesting triage steps. At the far end, agents can act independently, deciding and executing without human input.

The key for security leaders is matching the right level of autonomy to the task. Use agents for high-volume, well-scoped tasks like alert enrichment, threat scoring, or automatically isolating devices with known indicators. Use copilots when human judgment matters, such as during investigations, policy reviews, or anomaly triage that requires contextual nuance. And rely on tried-and-true deterministic logic for compliance-heavy processes like user access reviews, evidence collection, or incident documentation where auditability is critical.

At Tines, we build our platform to support this full-spectrum approach out of the box. Our customers can start with deterministic workflows, enhance them with copilots, and graduate to agents as confidence and context grow, all within a secure environment.

This flexibility is essential in modern SOCs. One team might use agents to handle repetitive malware submissions to VirusTotal, while another uses copilots to guide threat hunting efforts. The right mix ensures teams automate with purpose.

2. Guard against AI over-investment

AI can be expensive… in model costs, in time, and in change management. McKinsey has found that, while 92 percent of companies plan to increase AI investments over the next three years, almost none have been able to fully integrate it into workflows and drive notable business outcomes. For cybersecurity teams already stretched thin, that’s a caution flag.

To avoid AI bloat, start with the problem, not the model. Determine the desired outcome (e.g., faster MTTR? Less burnout?) and work backwards. From there, pick visible, measurable workflows to begin with. That way, you can use early wins, like automating alert triage, to justify further investment.

Finally, track ROI the same way you would any tooling. Are agents reducing time-to-close? Lowering false positives? Improving analyst morale?

The best AI investments save time and restore focus. By targeting muckwork, you free up your team for the work only humans can do.

3. Security needs to be table stakes

At Tines, we built our agents to run inside the platform’s secure infrastructure. Nothing leaves the environment, nothing is stored for reuse, and customers stay in control. That’s the standard every security leader should demand.

Here are a couple of things I would recommend prioritizing when designing secure agent architectures:

  • Zero data exfiltration: Keep all processing within secure, monitored environments.
  • Granular access controls: Apply least-privilege principles…no more, no less.
  • Auditability and revocation: Ensure every agent action is logged and reversible.
  • Clear explainability: If your team can’t understand what an agent is doing, it doesn’t belong in production.

Security teams can’t afford ambiguity. You need agents you can trust and verify.
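One way to make the access-control and auditability points above concrete, combined with the agent/copilot/deterministic tiers from section 1. This is an added example, not Tines code: the `ActionGate` class, the action names, and the tier policy are all hypothetical, and it covers least privilege, logging, and revocation of an agent's access (not rollback of individual actions).

```python
import hashlib, json

# Constructed policy: the most autonomy each action may run with.
TIER = {"enrich_alert": "agent", "isolate_device": "agent",
        "close_investigation": "copilot", "user_access_review": "deterministic"}

def _digest(prev, entry):
    # Each record's hash covers the previous hash, so edits break the chain.
    return hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()

class ActionGate:
    def __init__(self, grants):
        self.grants = grants      # agent id -> set of action names it may request
        self.revoked = set()
        self.log = []             # hash-chained audit trail

    def _record(self, entry):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        self.log.append({**entry, "prev": prev, "hash": _digest(prev, entry)})

    def request(self, agent, action, target, approved_by=None):
        tier = TIER.get(action)
        if agent in self.revoked:
            decision = "deny:revoked"
        elif tier is None or action not in self.grants.get(agent, set()):
            decision = "deny:not_granted"          # least privilege: default deny
        elif tier == "deterministic":
            decision = "deny:deterministic_only"   # must run as a fixed workflow
        elif tier == "copilot" and not approved_by:
            decision = "hold:needs_human"          # human-in-the-loop required
        else:
            decision = "allow"
        self._record({"agent": agent, "action": action, "target": target,
                      "approved_by": approved_by, "decision": decision})
        return decision                            # denials are logged too

    def revoke(self, agent, by):
        self.revoked.add(agent)
        self._record({"agent": agent, "action": "revoke", "target": agent,
                      "approved_by": by, "decision": "revoked"})

    def verify_log(self):
        prev = "0" * 64
        for e in self.log:
            entry = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, entry):
                return False
            prev = e["hash"]
        return True
```

Every request, including denied ones, lands in the audit trail, and `verify_log()` returns `False` if any earlier record is altered after the fact.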

Why security professionals should care

In an incredibly short period of time, the promise of AI in cybersecurity has gone from the theoretical to the operational. Done right, AI agents help teams do more with less, respond faster, and stay focused on high-impact work. They can eliminate alert fatigue, reduce burnout and turnover, and strengthen security postures by offloading repetitive, mindless muckwork.

But the key is in execution and strategic implementation. Don’t chase AI for its own sake. Build frameworks, track impact, and insist on secure design. Do that, and you’ll reclaim your team’s time, confidence, and capacity to lead.

