AI in the SOC: Analytics vs Co-pilots vs Agents

The market is confused (like…really confused) about AI in the Security Operations Center (SOC). When people discuss it, they often unknowingly talk about different technologies but use the same terms and phrases to describe them. Many people fundamentally can’t distinguish between different types of AI applications, their uses, or which one solves their problems. Unfortunately, without clarity here, we won’t be able to have intelligent conversations around what will undoubtedly be one of the biggest waves of innovation to affect the SOC in our working careers.

This blog will define three types of AI in the SOC, discuss their pros and cons, explain common implementations, and give you two simple questions you can use to determine what type of AI you’re looking at. 

3 Types of AI in the SOC

There are multiple types or generations of AI which are used in the SOC. Three of the most common are defined below:

Analytics Tools 

What is it:

Using machine learning algorithms for statistical analysis, behavioral modeling, and anomaly detection. These tools broadly fit the definition of artificial intelligence, and vendors have been promoting their AI capabilities for over a decade.

When did it arrive:

Mid-2010s.

Common applications:

User behavior analytics and anomaly detection. It is now integrated into various security tools, including SIEMs, EDRs, email security, network and cloud security solutions.

What it does for the SOC:

Detects possible threats and raises them as alerts.

When does it happen:

Pre-detection stage.

Example vendors:

Exabeam, Securonix, Abnormal Security, Splunk ES, etc. 

Pros:
  • Useful for detecting unknown unknowns (threats with no predefined signature or rule).
  • Supplies the behavioral context that some types of detection require.

Cons:
  • Tends to generate many false positives.
  • Creates additional work in the form of alerts, without reducing existing tasks.
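To make the analytics category concrete, here is a small added example of the baseline-and-deviation pattern these tools use (a per-user behavioral baseline, then a score for how far a new event departs from it). It is illustrative code written for this post, not code from any of the vendors named above, and every log event in it is constructed. The thresholds (a login hour seen in under 5% of baseline logins counts as rare, five failures in ten minutes count as a burst) are assumptions chosen for the example. Note what happens to bob: a legitimate trip to Germany produces an alert, which is exactly the false-positive cost listed in the cons.

```python
"""Baseline-and-deviation detection over authentication events.

Added example of the analytics pattern (statistical baselining plus anomaly
scoring). Illustrative code, not taken from any vendor's product; all events
are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for the example.
RARE_HOUR_FRACTION = 0.05          # hour seen in <5% of a user's baseline logins is "rare"
BURST_WINDOW = timedelta(minutes=10)
BURST_FAILURES = 5


def build_training_events():
    """Constructed baseline window: alice and bob log in at 09:00 and 13:00 UTC from the US for 14 days."""
    events = []
    day0 = datetime(2024, 6, 1)
    for day in range(14):
        for user in ("alice", "bob"):
            for hour in (9, 13):
                events.append({"user": user, "ts": day0 + timedelta(days=day, hours=hour),
                               "country": "US", "result": "success"})
    return events


def build_new_events():
    """Constructed window to score: a credential-stuffing pattern, a travelling user, a normal login."""
    t = datetime(2024, 6, 15)
    evs = []
    # alice: five failures in a row, then a success at 03:00 from a never-seen country
    for m in range(5):
        evs.append({"user": "alice", "ts": t + timedelta(hours=3, minutes=m),
                    "country": "RU", "result": "failure"})
    evs.append({"user": "alice", "ts": t + timedelta(hours=3, minutes=6),
                "country": "RU", "result": "success"})
    # bob: normal hour, but from Germany (business travel, so a likely false positive)
    evs.append({"user": "bob", "ts": t + timedelta(hours=9), "country": "DE", "result": "success"})
    # alice: a routine login later the same day
    evs.append({"user": "alice", "ts": t + timedelta(hours=13), "country": "US", "result": "success"})
    return evs


def build_baseline(events):
    """Per-user hour-of-day histogram and set of source countries, from successful logins only."""
    base = defaultdict(lambda: {"hours": Counter(), "countries": set(), "total": 0})
    for ev in events:
        if ev["result"] != "success":
            continue
        b = base[ev["user"]]
        b["hours"][ev["ts"].hour] += 1
        b["countries"].add(ev["country"])
        b["total"] += 1
    return dict(base)


def score_event(baseline, ev, recent_failures):
    """Return (score, reasons). Each deviation adds to the score; the score is a signal, not a verdict."""
    if ev["result"] != "success":
        return 0.0, []
    b = baseline.get(ev["user"])
    if b is None:
        return 1.0, ["user has no baseline"]
    score, reasons = 0.0, []
    hour_frac = b["hours"][ev["ts"].hour] / b["total"]
    if hour_frac < RARE_HOUR_FRACTION:
        score += 0.5
        reasons.append(f"login hour {ev['ts'].hour:02d}:00 seen in {hour_frac:.0%} of baseline")
    if ev["country"] not in b["countries"]:
        score += 0.5
        reasons.append(f"new source country {ev['country']}")
    if recent_failures >= BURST_FAILURES:
        score += 0.5
        reasons.append(f"{recent_failures} failed logins in the preceding {BURST_WINDOW.seconds // 60} min")
    return score, reasons


def detect(baseline, events, threshold=0.5):
    """Score each successful login in arrival order; return the alerts at or above the threshold."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failed logins seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "failure":
            failures[ev["user"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= BURST_WINDOW]
        score, reasons = score_event(baseline, ev, len(recent))
        if score >= threshold:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


def run_example():
    """Build the baseline from the training window and score the new window."""
    return detect(build_baseline(build_training_events()), build_new_events())


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running it produces two alerts: alice at 03:06 with three reasons (rare hour, new country, failure burst) and bob at 09:00 with one (new country). Both land in the queue; nothing here decides which one matters, which is the "pre-detection" point made below.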

Co-pilots/Chatbots

What is it:

A co-pilot is a helper tool, often with a chatbot interface built on top of a large language model. It uses natural language processing to make it easy to ask and answer questions, retrieve or analyze data, and more. Think of it like ChatGPT but designed for security tools. The output is usually data presented in a human-friendly format.

When did it arrive:

These tools emerged around 2020, with broad adoption starting in 2023.

Common applications:

Chatbots, data retrieval and summarization, code generation, etc.

What it does for the SOC:

Assists analysts in performing their work in the Security Operations Center (SOC).

When does it happen:

Typically used in the post-detection stage to aid with further analysis and decision-making.

Example vendors:

Microsoft Security Copilot, Charlotte AI, Purple AI, Splunk AI, etc.

Pros:
  • Effective when the user knows what they want to achieve.
  • Facilitates access to information using natural language.
  • Provides initial analysis of results.
  • Significantly improves productivity for senior analysts.
  • Useful for specific tasks like threat hunting.
  • Widely available in both DIY (built on tools like ChatGPT) and commercial offerings.

Cons:
  • Requires users to know what to ask.
  • Less useful for junior analysts, who often do not yet know what to ask.
  • Users must interpret results and decide on next steps.
  • The analyst still performs the work, which can be time-consuming.

AI Agents

What is it:

An AI agent emulates the workflow, processes, and decision-making of a human to perform that person's tasks. An agent could be trained to do sales development (SDR) work, customer success work, or, in this case, SOC analyst work. It combines various AI types, including large language models (LLMs), co-pilots, and analytics capabilities, to produce complete units of work such as incident investigations and response recommendations.

When did it arrive:

These tools started appearing in 2023, with many early-stage startups entering the market in early to mid-2024.

Common applications:

Automating tier 1 workflows such as triage and investigation.

What it does for the SOC:

Significantly boosts SOC productivity by automating large portions of the work and providing analysts with decision-ready results.

When does it happen:

Post-detection, performing analysis and decision-making previously handled by human SOC analysts.

Pros:
  • Delivers finished tasks by replicating the workflows, knowledge bases, and decision-making processes of analysts.
  • Can automate entire processes without the playbooks and ongoing maintenance required by previous SOC automation tools like SOAR.
  • Determines what information is needed, performs tests, enriches data, and provides conclusions and recommendations dynamically.
  • Significantly enhances productivity by changing the analyst's role from doing the work to reviewing it.
  • May also include co-pilot and analytics capabilities.

Cons:
  • Not widely available; most SOCs have not used this technology because it is only just emerging in the market.
  • The technology and product capabilities are still maturing, so there are significant differences between vendors.
  • Cannot be easily implemented as a DIY solution.

Impact on Productivity

SOC teams often deal with hundreds or thousands of alerts daily from various tools. Each triage typically requires around 15 tasks, such as enrichment, checks, tests, and information lookups.

How each tech helps:

  • Analytics Platforms — These can reduce productivity rather than improve it: every alert they generate, valuable or not, is another item to triage.
  • Co-pilots — These make each task easier, but the analyst still has to ask all 15 questions, summarize the responses, create an action plan, and execute it. Handling thousands of alerts this way is impractical, so the productivity gain is real but incremental.
  • AI Agents — These perform the triage and investigation themselves and escalate only real incidents for review. They provide a decision-ready report with an incident summary, root cause analysis, and a response plan that can be executed with a click. This shift from "doing the work" to "reviewing results" is where the large productivity gains come from.
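The difference between the co-pilot and the agent is who runs the list of triage questions. As an added example of the agent-style workflow (not any vendor's code, and with a much shorter check list than the ~15 tasks a real triage involves), the block below takes the alerts an analytics tool would raise, runs each enrichment check in turn against constructed stand-ins for a threat-intel feed, an asset inventory, HR travel records and the identity provider's MFA log, and then applies a decision rule to produce a decision-ready report. The weights, thresholds and recommended actions are assumptions chosen for the example. With a co-pilot, each of these checks would be one question the analyst has to think to ask.

```python
"""Automated alert triage: run the enrichment checks an analyst would run,
combine the findings, and produce a decision-ready report.

Added example of the agent-style workflow described above. Illustrative
code, not any vendor's product. The reference data, alerts, weights and
verdict thresholds are all constructed for the example.
"""
from dataclasses import dataclass

# --- Constructed reference data (stand-ins for a TI feed, CMDB, HR system and IdP) ---
THREAT_INTEL = {"203.0.113.7": "known credential-stuffing source (constructed entry)"}
ASSETS = {"fin-laptop-12": {"owner": "alice", "criticality": "high"},
          "eng-laptop-03": {"owner": "bob", "criticality": "medium"}}
TRAVEL = {"bob": ["DE"]}                       # approved travel destinations on file
MFA_LOG = {("alice", "2024-06-15T03:06:00"): False,
           ("bob", "2024-06-15T09:00:00"): True}
PRIOR_ALERTS = {"alice": 0, "bob": 2}          # alerts on the user in the last 30 days, all closed benign

# Constructed alerts, of the kind an analytics tool would emit.
SAMPLE_ALERTS = [
    {"id": "A-1", "user": "alice", "ts": "2024-06-15T03:06:00", "src_ip": "203.0.113.7",
     "country": "RU", "host": "fin-laptop-12", "rule": "login from new country at rare hour"},
    {"id": "A-2", "user": "bob", "ts": "2024-06-15T09:00:00", "src_ip": "198.51.100.20",
     "country": "DE", "host": "eng-laptop-03", "rule": "login from new country"},
]


@dataclass
class Finding:
    check: str
    detail: str
    weight: int   # positive = points toward malicious, negative = benign explanation


# --- One function per triage step; each returns a Finding rather than a verdict ---
def check_threat_intel(alert):
    hit = THREAT_INTEL.get(alert["src_ip"])
    return Finding("ip_reputation", hit or "no TI match", 3 if hit else 0)


def check_travel(alert):
    ok = alert["country"] in TRAVEL.get(alert["user"], [])
    return Finding("approved_travel",
                   f"{alert['country']} {'is' if ok else 'is not'} on file for {alert['user']}",
                   -3 if ok else 1)


def check_mfa(alert):
    used = MFA_LOG.get((alert["user"], alert["ts"]), False)
    return Finding("mfa", "MFA satisfied" if used else "MFA not satisfied", -2 if used else 2)


def check_asset(alert):
    crit = ASSETS.get(alert["host"], {}).get("criticality", "unknown")
    return Finding("asset_criticality", f"{alert['host']} criticality={crit}", 2 if crit == "high" else 0)


def check_history(alert):
    n = PRIOR_ALERTS.get(alert["user"], 0)
    return Finding("prior_alerts", f"{n} prior alerts on user, all closed benign", -1 if n else 0)


CHECKS = [check_threat_intel, check_travel, check_mfa, check_asset, check_history]
ESCALATE_AT, CLOSE_AT = 5, -2   # assumed verdict thresholds on the summed weights


def triage(alert):
    """Run every check, sum the evidence, and return a decision-ready report for a human reviewer."""
    findings = [check(alert) for check in CHECKS]
    risk = sum(f.weight for f in findings)
    if risk >= ESCALATE_AT:
        verdict, actions = "escalate", ["revoke user sessions", "isolate host", "reset credentials"]
    elif risk <= CLOSE_AT:
        verdict, actions = "close_benign", ["record benign explanation", "no further action"]
    else:
        verdict, actions = "human_review", ["confirm activity with user"]
    return {
        "alert": alert["id"],
        "verdict": verdict,
        "risk": risk,
        "summary": f"{alert['user']}: {alert['rule']} from {alert['country']} ({alert['src_ip']})",
        "findings": [(f.check, f.detail) for f in findings],
        "recommended_actions": actions,
    }


def triage_all(alerts=SAMPLE_ALERTS):
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for report in triage_all():
        print(report["alert"], report["verdict"], report["risk"])
        for check, detail in report["findings"]:
            print("   ", check + ":", detail)
        print("    recommended:", ", ".join(report["recommended_actions"]))
```

On the sample alerts A-1 escalates (TI hit, no MFA, high-value host) and A-2 closes as benign (approved travel, MFA satisfied). The human's job is to review those two reports and click, not to run the five lookups. The "human_review" branch is the important one to keep: an agent that never defers to a person is making calls nobody checks.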

2 Questions to Ask Yourself

Here are two questions you can ask yourself to quickly determine what type of AI implementation you’re looking at:

  1. Is this pre- or post-detection?
    This tells you whether you are looking at an analytics tool, which will create more detection signals (and therefore more work), or a tool that helps you reduce your security alert backlog more efficiently. Analytics tools are pre-detection, while co-pilots and AI agents are post-detection.
  2. Who is doing the work?
    If the answer is "a human analyst aided by a chatbot", you are looking at a co-pilot implementation.

    If the answer is "an AI analyst with a human reviewing the results", you are looking at an AI-agent implementation.
