Are AI SOC Solutions the Real Deal or Just Hype?
It's always fun to answer smart people's questions.
Any hyped technology provokes a strong reaction from smart people who can tell when things get out of proportion (or when the dots move toward the “peak of inflated expectations”). It has been no different with AI SOC solutions. In the past few days I've seen a couple of very good LinkedIn posts from very smart people questioning the value proposition of these tools:
I read them while on “booth duty” at Black Hat, and I have been dying to jump into the conversation since. This isn't a case of posting rabid “you are wrong!!” comments; their posts have merit. They highlight the challenges of low-fidelity detection and the perceived redundancy with existing SOAR tools, but a closer look shows that AI SOC solutions are not just another "band-aid". They are a necessary evolution in security operations: sometimes they solve a different, yet equally critical, problem, and sometimes they tackle the old problems in a more efficient and effective way. So let's jump in.
The Problem with Detection: More Than Just "Bad Detections"
Erik Bloch's point about low-fidelity alerts and the "logical fallacy" of using AI to triage them is a powerful one. It's true that many detection products (XDR, SIEM) are plagued by noise. But the issue isn't always that the detections are "bad"; it's that detection systems have inherent limitations.
Detection is only the first step. At the moment an alert fires, the system usually lacks the context needed to tell truly malicious activity from benign business activity. A user account accessing a sensitive file at an unusual hour might be a legitimate task or the sign of a compromised account; the rule that fired cannot tell, because the evidence that would settle it (recent logins, device state, what else that account did) lives in other systems. The initial detection is a signal, not a verdict.
This is where AI SOC solutions come in. They are not designed to fix "crap detection tools" but to dramatically improve what happens after a detection: the investigation and response phases, where most of the manual effort in a SOC is spent. By automating the collection of additional context (network logs, endpoint data, identity and user-behavior data), an AI SOC platform can validate and contextualize an alert far faster than an analyst pivoting between consoles.
This post-detection capability also feeds back into detection itself. A SIEM alert that would normally be dismissed as a likely false positive can instead be the starting point for an in-depth, automated investigation: the AI SOC solution queries the workstation through the EDR tool, extracts additional indicators, and submits them to sandboxes for analysis. Work that would cost a human analyst a good chunk of time is reduced to seconds, and an unconfirmed alert becomes a confirmed detection with full context (or a false positive closed with evidence rather than a hunch). That is not a band-aid; it is a fundamental improvement to the investigative process that makes the whole security operation smarter.

It also changes the economics of detection engineering. When investigations are fast and cheap, detection engineers no longer have to ship only high signal-to-noise rules and shelve the ones where the ratio is poor but the impact of a true positive is high enough to justify chasing every hit. The cost/benefit analysis of a detection looks very different once the jump in investigation capacity that AI SOC tools provide is factored in.
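To make that cost/benefit argument concrete, here is a small model added for this post (it is not from the original article, and every figure in it is a constructed assumption, not a measurement). It treats the expected value of investigating one alert as precision times the loss avoided per true positive, minus the cost of the investigation, and shows which sample detections are worth keeping when an investigation costs roughly an analyst half-hour versus when it costs seconds of automated enrichment.

```python
"""Cost/benefit model for keeping a detection enabled (illustrative; all numbers are assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str
    alerts_per_month: float
    precision: float        # fraction of alerts that turn out to be true positives
    impact_per_tp: float    # expected loss avoided by catching one true positive (currency units)


def expected_value_per_alert(precision: float, impact_per_tp: float, cost_per_investigation: float) -> float:
    """Expected value of investigating one alert: avoided loss weighted by precision, minus what the investigation costs."""
    return precision * impact_per_tp - cost_per_investigation


def break_even_precision(impact_per_tp: float, cost_per_investigation: float) -> float:
    """Precision at which investigating every alert exactly pays for itself (expected value per alert == 0)."""
    return cost_per_investigation / impact_per_tp


def monthly_net_value(det: Detection, cost_per_investigation: float) -> float:
    """Net value of keeping the detection on for a month, assuming every alert gets investigated."""
    return det.alerts_per_month * expected_value_per_alert(det.precision, det.impact_per_tp, cost_per_investigation)


def worth_keeping(det: Detection, cost_per_investigation: float) -> bool:
    """A detection is worth keeping when investigating its alerts has positive net value."""
    return monthly_net_value(det, cost_per_investigation) > 0


# Assumed per-alert investigation costs (constructed for illustration, not measured).
MANUAL_COST = 75.0      # roughly half an hour of analyst time
AUTOMATED_COST = 0.50   # API/compute cost of automated enrichment (EDR query, sandbox run)

# Constructed detections: volume, precision and impact are made-up sample values.
SAMPLE_DETECTIONS = (
    Detection("impossible_travel_login", alerts_per_month=400, precision=0.02, impact_per_tp=20_000),
    Detection("rare_parent_child_process", alerts_per_month=2_000, precision=0.001, impact_per_tp=50_000),
    Detection("sensitive_share_access_offhours", alerts_per_month=900, precision=0.003, impact_per_tp=5_000),
)


def compare(detections=SAMPLE_DETECTIONS, manual_cost=MANUAL_COST, automated_cost=AUTOMATED_COST):
    """Map each detection name to (worth keeping with manual triage, worth keeping with automated triage)."""
    return {d.name: (worth_keeping(d, manual_cost), worth_keeping(d, automated_cost)) for d in detections}


if __name__ == "__main__":
    for d in SAMPLE_DETECTIONS:
        manual, automated = compare([d])[d.name]
        print(f"{d.name:34s} precision={d.precision:.3%}  "
              f"break-even manual={break_even_precision(d.impact_per_tp, MANUAL_COST):.3%} "
              f"automated={break_even_precision(d.impact_per_tp, AUTOMATED_COST):.4%}  "
              f"keep? manual={manual} automated={automated}")
```

The two break-even figures are the point: with a manual investigation costing 75 units, a detection guarding against a 50,000-unit incident has to exceed 0.15% precision to be worth firing at all; at 0.50 per automated investigation the bar drops to 0.001%, which is why the second and third sample rules flip from "disable" to "keep". The model ignores analyst fatigue and queue latency, so treat it as a way to frame the discussion with detection engineers rather than as a planning tool.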
The Role of AI SOC in a World with SOAR
Anton's question about why a happy SOAR user would need an "AI SOC tool" is another excellent one. SOAR was created to solve exactly this problem of post-detection automation. So are AI SOC solutions just SOAR rebranded? Not exactly.
The main caveat with SOAR since its inception has been the development and maintenance work it requires. Playbooks are notoriously hard to build and keep working, often needing specialized skills and a dedicated team. Even where a company has built playbooks that work, the ongoing cost is hidden: every change to a data source, an API, or an investigative procedure means someone has to go back and update a playbook.
AI SOC solutions are, in many cases, better at delivering the promised automation without that burden. They typically use more sophisticated, machine-learning-driven engines that compose and execute investigative workflows dynamically, based on the context of each alert, instead of relying on brittle, hand-coded playbooks. The trade-off a practitioner should keep in mind is that a workflow composed on the fly has no static playbook to read, so the steps the engine took and the evidence it gathered need to be logged and reviewable.
So should a "happy SOAR user" move to an AI SOC solution? It depends. Their SOAR may be delivering results at a high maintenance cost, and an AI SOC solution could reduce that burden significantly. Some organizations have adopted a hybrid approach: the SOAR platform keeps the specific, well-defined use cases such as vulnerability management and access management, where playbooks are simple and relatively static, while an AI SOC platform takes on the more dynamic and complex work of triage and investigation.
In conclusion, AI SOC solutions are neither a replacement for good detection nor a simple band-aid for a broken system. They are a new generation of technology that addresses the high-friction, high-effort gap between detection and response: a more efficient, less burdensome way to automate investigations, validate alerts and, ultimately, free human analysts to focus on real threats.
The questions from Erik Bloch and Anton Chuvakin are important, but the answer is clear: AI SOC solutions are not just hype. There will be exaggerated claims, as there always are at this stage of the hype cycle, but the tools are a necessary and valuable evolution in the fight to secure our digital world.