How Agentic AI Is Extending the Capabilities of Modern Security Operations Centres

Tim Leehealey is the Co-founder and VP of Strategy at Strike48. Below, Tim sets out how Agentic AI is extending the capabilities of modern Security Operations Centres (SOC).

From alert handling to adaptive execution, the next evolution of SOC performance is here

Most SOCs aren’t short of alerts anymore. In many environments, detection is doing exactly what it was designed to do. Signals are coming through consistently, often with enough context to indicate that something needs attention, and the underlying detection layer has improved significantly over the past few years. Where things start to get less straightforward is what happens after that point.

An alert arrives, it’s enriched and prioritised, but the next step still depends on someone making sense of it in the context of that specific environment. Sometimes it aligns with what’s been seen before, and the decision is relatively clear. More often, it sits somewhere in between, where the signals are familiar but not quite identical, and the path forward isn’t immediately obvious. That’s where the workflow begins to rely less on process and more on interpretation. This is where agentic AI starts to play a much more direct role.

In practice, that part of the job takes up more time than most teams expect. Analysts are pulling together context, checking how signals relate to each other, and working out whether what they’re seeing fits closely enough to act on with confidence. Even in well-structured SOCs, this sits slightly outside the formal workflow, which is why it’s harder to standardise. As environments scale, that gap becomes harder to manage.

Detection continues to scale because it’s largely driven by data and rules, but decision-making doesn’t follow the same pattern. The more alerts you introduce, the more interpretation is required, and the more the outcome depends on how consistently those decisions are made across different analysts and different environments. Over time, the operation becomes more dependent on individual experience than most teams are comfortable acknowledging.

Rather than treating each alert as a separate task that needs to be worked through from the beginning, agentic systems operate within the workflow and build context as part of the process itself. As alerts move through triage, the system is already correlating activity, bringing in relevant historical patterns, and narrowing down what actually matters before the analyst needs to go looking for it.

That changes how the work starts. Instead of beginning with interpretation, analysts are starting from a position where much of that context has already been assembled. The decision still requires judgement, but the effort required to reach that point becomes more consistent, and less dependent on how much context needs to be gathered manually. Over time, that begins to affect how the entire workflow behaves.

In practice, this shows up in fairly small ways at first. Analysts spend less time jumping between tools, less time pulling together fragmented context, and more time actually deciding what needs to happen next. It doesn’t remove complexity, but it reduces how much of that complexity has to be reconstructed manually for each alert. Over time, that shift becomes more noticeable, particularly in environments where volume would normally start to slow things down.

Decisions start to align more closely across the team because they are being made from a shared foundation. The need to revalidate or escalate simply to build confidence diminishes, and the variation that naturally develops in high-volume environments becomes easier to control. The workflow doesn’t become rigid, but it does become more stable.

As Keven Knight, CEO of Talion Cyber Security, explains:

“The industry has made significant progress in improving visibility, and in many environments that baseline is now in place. What becomes more consequential is how that visibility is translated into decisions that carry risk. At a governance level, the question is not whether signals can be identified, but whether the organisation can ensure that similar situations lead to consistent, accountable outcomes. That is where resilience is ultimately determined, and where many models begin to show strain as complexity increases.”

That shift becomes more visible at scale, particularly in MSSP environments. Operating across multiple clients introduces constant variation, and maintaining consistency across those environments is one of the harder parts of the model. By supporting the decision layer directly, agentic AI allows that consistency to be built into how the workflow operates, rather than relying on individual experience to hold it together.

What becomes clear over time is that this is not simply an efficiency gain. It changes where the effort sits inside the SOC. Instead of analysts spending a large portion of their time assembling context, that effort moves earlier in the process and becomes part of how the system operates. The analyst remains central, but their role shifts toward applying judgement to a more complete picture, rather than constructing that picture from scratch.

That shift has wider implications. As more structure is introduced into the decision layer, the balance between detection, interpretation, and execution begins to change. The workflow becomes less dependent on individual effort to maintain consistency, and more of that consistency is built into how decisions are supported. Over time, this affects how teams scale, how work is distributed, and how predictable outcomes become across different environments.

Agentic AI doesn’t replace the SOC, but it does change how it operates at its core. Detection remains critical, but it is no longer where performance is defined. That is determined by how effectively organisations can move from signal to action, and how consistently those decisions hold up under scale. By supporting that part of the process directly, agentic systems are reshaping the execution layer of security operations in a way that is already beginning to take hold.

Trish Stevens, Head of Content. Trish is the Head of Content for In the Channel Media Group.