The autonomous SOC – how AI is reshaping security operations
From human-led workflows to agent-driven detection and response.


There was so much to absorb at the conference that I've split my thoughts into two blogs. You can click here to read the second blog.
A welcome surprise for me at RSAC 2026 was learning how we can use AI for good. How will it affect jobs, and what will it mean for our children and for the future in general?
When looking to the future, the security conversation wasn't just about how we secure AI, but about how quickly AI is being used to transform security operations. This raises bigger questions about the role of the analyst, how much we trust automation, and what a modern Security Operations Centre (SOC) looks like in an AI-driven world. It's here that AI is already making a tangible impact.
The shift from tools to autonomous workflows
We've used automation in the SOC for years: managed security service providers (MSSPs) use AI for triage, investigation, playbook execution and even response actions. Now, however, something fundamentally different is emerging. AI isn't just assisting analysts; it's starting to replicate entire workflows. Many people assume this automation runs under a considerable number of human guardrails, but in practice there are fewer than you'd imagine.
A high-level view might look like this:
- Triage agent – reviews and prioritises alerts
- Investigation agent – OODA (observe, orient, decide, act) – enriches data and gathers context
- Playbook agent – executes predefined response actions – aligned to specific threats
- Reviewer agent – validates decisions and provides oversight – provides transparency to human analyst team and customers
These agents act as a coordinated system, mirroring how human analysts collaborate within a SOC. Their activity is tracked and monitored, and cases are updated and sent for a final review by a human before making their way to a customer.
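The four-agent chain above, with the guardrails that the text notes are often thinner than people assume, sketched as an added Python example. This is not code from the original post or from any vendor; the "agents" are plain rule functions standing in for model-driven ones, and the threat-intel table, asset list, playbooks and sample alerts are constructed for the example. The two guardrails it enforces are an action allowlist that the reviewer applies regardless of what a playbook says, and a human-approval gate that holds any high-impact action until a named approver signs it off.

```python
"""
Minimal agentic-SOC pipeline with explicit guardrails (illustrative example).
Agents run triage -> investigation -> playbook -> reviewer, then a human gate
decides whether high-impact actions execute. All data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed stand-in for a threat-intel / CMDB lookup.
THREAT_INTEL = {
    "198.51.100.7": {"malicious": True, "tag": "c2"},
    "203.0.113.9": {"malicious": False, "tag": "cdn"},
}
CRITICAL_ASSETS = {"dc01", "payroll-db"}
# Playbooks map a detection type to candidate actions. "wipe_host" is deliberately
# listed to show the reviewer rejecting an action that is not allow-listed.
PLAYBOOKS = {
    "c2_beacon": ["isolate_host", "block_ip", "notify_owner"],
    "brute_force": ["lock_account", "wipe_host", "notify_owner"],
    "noise": ["close_as_benign"],
}
# Guardrail 1: the only actions an agent may execute, whatever a playbook contains.
ACTION_ALLOWLIST = {"isolate_host", "block_ip", "lock_account", "notify_owner", "close_as_benign"}
# Guardrail 2: actions that never execute without a named human approver.
HIGH_IMPACT = {"isolate_host", "block_ip", "lock_account"}

@dataclass
class Alert:
    id: str
    kind: str      # detection type, e.g. "c2_beacon"
    host: str
    src_ip: str
    severity: int  # 1 (low) .. 5 (critical), as emitted by the sensor

@dataclass
class Case:
    alert: Alert
    priority: str = "low"
    context: dict = field(default_factory=dict)
    proposed: list = field(default_factory=list)
    review: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    approved_by: str = ""
    status: str = "new"

def triage_agent(case):
    """Prioritise: sensor severity, raised one notch if a critical asset is involved."""
    score = case.alert.severity + (1 if case.alert.host in CRITICAL_ASSETS else 0)
    case.priority = "critical" if score >= 5 else "high" if score >= 3 else "low"
    return case

def investigation_agent(case):
    """Observe/orient: attach intel and asset context as evidence for later steps."""
    intel = THREAT_INTEL.get(case.alert.src_ip, {"malicious": False, "tag": "unknown"})
    case.context = {"intel": intel, "critical_asset": case.alert.host in CRITICAL_ASSETS}
    return case

def playbook_agent(case):
    """Decide: propose the playbook actions for this detection type, unfiltered."""
    case.proposed = list(PLAYBOOKS.get(case.alert.kind, []))
    return case

def reviewer_agent(case):
    """Validate: keep only allow-listed actions that the gathered evidence justifies."""
    kept = []
    for action in case.proposed:
        if action not in ACTION_ALLOWLIST:
            case.review.append(f"rejected {action}: not in allowlist")
        elif action in HIGH_IMPACT and not case.context["intel"]["malicious"]:
            case.review.append(f"rejected {action}: no malicious indicator in evidence")
        else:
            kept.append(action)
    case.proposed = kept
    return case

def act(case, approver=None):
    """Act: low-impact actions run now; high-impact ones wait for a named human."""
    case.approved_by = approver or ""
    for action in case.proposed:
        if action in HIGH_IMPACT and approver is None:
            case.pending_approval.append(action)
        else:
            case.executed.append(action)
    case.status = "awaiting_human" if case.pending_approval else "closed"
    return case

def run_pipeline(alert, approver=None):
    """Run the agent chain on one alert and return the resulting case record."""
    case = Case(alert=alert)
    for agent in (triage_agent, investigation_agent, playbook_agent, reviewer_agent):
        case = agent(case)
    return act(case, approver)

# Constructed sample alerts: real C2 to a critical asset, beacon-like traffic to a
# CDN, a brute force against payroll, and plain noise.
SAMPLE_ALERTS = [
    Alert("A1", "c2_beacon", "dc01", "198.51.100.7", 4),
    Alert("A2", "c2_beacon", "laptop-42", "203.0.113.9", 4),
    Alert("A3", "brute_force", "payroll-db", "198.51.100.7", 2),
    Alert("A4", "noise", "laptop-07", "203.0.113.9", 1),
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        c = run_pipeline(alert)
        print(alert.id, c.priority, c.status, "executed:", c.executed,
              "pending:", c.pending_approval, "review:", c.review)
```

Running it on A1 isolates nothing until `run_pipeline(alert, approver="analyst.jane")` is called, at which point the case record carries the approver's name; on A2 the reviewer strips both containment actions because the enrichment found no malicious indicator, and on A3 it drops `wipe_host` even though a playbook lists it. Those two behaviours, treating playbook content as untrusted input and never executing containment without an accountable human, are the checks to insist on when a vendor describes its agents as "largely autonomous".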
What does this mean in practice?
We have relied on human action in the SOC for decades, and this change is not simply running a search through an LLM, doing enrichment or creating reports. Activities that once required multiple analysts across different tiers can now be carried out continuously and at machine speed, with each agent working in tandem within a defined set of parameters and expertise to achieve its goal. Agents pull in telemetry, apply logic, execute actions and update cases.
We're seeing measurable improvements in MTTD (mean time to detect) and MTTR (mean time to respond), as well as greater consistency in delivering end-to-end operational workflows.
How non-MSSP organisations can adopt agentic SOC
Not every organisation is going to jump straight into a fully autonomous SOC, or be able to. At RSAC, I saw a plethora of vendors and products directing their attention to how non-MSSP organisations can take advantage of an agentic SOC. I saw that adoption broadly takes one of three approaches:
1. Fully managed
Products delivered as a service, where triage, investigation, response and reporting are handled for you and the agents themselves are largely invisible to your team. This is the easiest way to benefit from agentic SOC capabilities without needing to build them internally.
2. Platform-integrated agents (SIEM/XDR)
Major SIEM and XDR platforms are now introducing built-in agent capabilities that can be deployed within various areas of your own SOC processes, whatever operating model you're using. These allow organisations to automate parts of SOC workflows, deploy agents within existing processes and augment analyst decision-making. At the very least, they give organisations an excellent entry point into automating and assisting human activity within the SOC: a 'starter for 10'.
3. Open agent platforms
By far the most innovative space at RSAC, these platforms sit independently of existing tooling and integrate via APIs into SIEM, SOAR, ITSM and case management systems.
The types of features available here were incredibly interesting:
- Human analyst monitoring – to understand the operating procedures of your team.
- Automated playbook flow creation – once a procedure has been learnt, the agent creates a playbook and flow to execute it.
- Behavioural tuning – allowing analysts to chat with the learning agent as they would with a colleague, to tweak and understand what it has created.
- Specialist agents – with security expertise, drawing on models focused on incident response and forensics.
These platforms capture and scale human expertise rather than just automating predefined rules.
Integration with the SOC and meeting organisations where they are
How these open-platform agents integrate with the SOC and its tooling was also fascinating. Most solutions don't require a complete overhaul of the SOC; instead they layer into existing environments through API integrations or backend connectors. Some use alternative forms of integration, such as browser plugins that monitor and learn how analysts complete their work. A plugin that watches analysts work sees the same credentials, consoles and case data they do, so it belongs in the same access review and data-handling scope as any other privileged integration. This flexibility allows organisations to adopt AI at their own pace rather than committing to a full transformation up front.
Evolution, not replacement
AI in the SOC is already delivering real, measurable value, but it works best when combined with human oversight, context and judgement. The most successful organisations won't be those that remove humans from the loop entirely; they'll be the ones that redefine the loop, using AI to handle speed and scale and leaving humans to focus on critical thinking, decision-making and continuous improvement. Humans and agents need to work together for the good of the organisation, balancing innovation with control, automation with accountability and speed with resilience. Those that succeed will be the ones that treat AI security as a foundational capability, not an afterthought.
If you’d like to find out more about Softcat’s services and solutions, please click here.