The challenges SOCs currently face
As cyber threats grow more complex, automated, and persistent, security operations centres (SOCs) are struggling to keep pace. Modern attacks, particularly ransomware, no longer rely on a single point of entry.
Instead, threat actors chain together phishing, credential compromise, exploitation of vulnerabilities, lateral movement, and data exfiltration, often using legitimate tools to remain undetected. This multi-vector reality has exposed the limits of traditional SOC models that depend on siloed tools and manual processes.
Despite years of investment in firewalls, endpoint protection, identity systems, and network monitoring, many organisations still face delayed detection and response.
The challenge is not a lack of technology, but fragmentation.
Security tools are typically built for specific use cases and operate independently, creating blind spots across the attack lifecycle. As a result, SOC teams are overwhelmed with alerts, struggle to prioritise incidents, and face growing analyst fatigue.
It is within this context that the concept of the “autonomous SOC” has emerged.
Often misunderstood as a future where machines replace human analysts, the reality is far more pragmatic.
In a Splunk-iTNews Asia webinar “The Autonomous SOC: Debunking AI Myths”, Tengku Shahrizam, Splunk’s Senior Security Advisor, shared his insights about the future of SOCs and the impact of AI, pointing out that autonomy in security is actually not about removing humans from the loop, but about enabling them to work more effectively through AI-driven augmentation.
Why traditional SOC models are no longer sufficient
One of the key insights from the autonomous SOC discussion, said Shahrizam, is that SOC inefficiency rarely stems from a single failure point. Instead, it is driven by a combination of people, process, and technology challenges.
“Organisations operate SOCs through a variety of models - fully in-house, outsourced, or hybrid - often with unclear role definitions across L1, L2, and L3 analysts. Incident response, detection engineering, threat hunting, and threat intelligence frequently operate in silos, limiting collaboration and slowing decision-making during critical incidents,” he said.
Shahrizam added that even when advanced tools are in place, a lack of integration prevents teams from seeing the full picture.
Detection engineering exemplifies this challenge, he explained, being one of the most critical yet hardest capabilities to mature within a SOC. This is because effective detections require deep contextual understanding, continuous tuning, and strong feedback loops between hunting, intelligence, and response teams. Many organisations struggle to resource this function adequately, leading to noisy alerts, blind spots, and delayed response.

These operational realities have fuelled a persistent misconception: that AI is needed to replace analysts because humans can no longer cope with the scale of threats.
- Tengku Shahrizam, Senior Security Advisor, Splunk.
In practice, this framing misses the real opportunity. AI’s true value lies not in replacement, but in reducing complexity, improving signal quality, and enabling analysts to focus on higher-value work.
Debunking the myth: AI will replace SOC analysts
The question of whether AI can replace SOC analysts sits at the heart of many security discussions. Drawing on real-world SOC operations, Shahrizam found that while AI can assist at every level, it cannot replace human judgement.
Citing some examples, he said AI can support L1 analysts by automating monitoring, triage, and false-positive reduction. At the L2 level, it can accelerate investigations, enrich alerts with context, and recommend response actions.
For advanced roles such as threat hunting, digital forensics, and incident response, AI acts as a force multiplier, helping analysts process vast datasets, generate hypotheses, and uncover hidden patterns, but final decisions remain human-led.
Advanced investigations, malware analysis, counter-intelligence, and strategic risk assessment still require human intuition, experience, and an understanding of business context.
Shahrizam said that rather than eliminating roles, AI reshapes them. This means analysts spend less time on repetitive tasks and more time on meaningful security work, improving both effectiveness and job satisfaction.
“This shift is particularly important in addressing analyst burnout, a growing issue across SOCs worldwide. By offloading routine work to AI-assisted workflows, organisations can retain talent while improving operational resilience.”
From autonomous to collaborative intelligence
The future SOC will not be a fully self-driving AI system. Instead, Shahrizam describes it as one built on collaborative intelligence, where humans and AI agents work together to defend against increasingly AI-enabled adversaries.
In this model, he said, AI excels at ingesting and correlating massive volumes of telemetry across endpoints, networks, identities, and cloud environments. It provides context-rich insights, prioritises threats, and accelerates response. Humans bring strategic judgement, ethical oversight, and the ability to interpret security events within broader organisational risk.
“This collaboration is most effective when supported by a unified threat detection, investigation, and response (TDIR) approach. An AI-powered SOC integrates security monitoring, detection and automation engineering, threat intelligence, hunting, orchestration, and response into a cohesive operational framework.”
“The goal is not blind autonomy, but speed, consistency, and scalability,” Shahrizam added.
He further explained that AI-driven capabilities can help analysts focus on the threats that matter most, accelerate detection development without deep query expertise, and provide rapid insights into malware behaviour.
On the response side, AI streamlines playbook creation, orchestrates containment actions, and ensures consistent execution of standard operating procedures.
Equally important is the evolution of skills. As SOCs adopt AI, Shahrizam predicts that the analyst role will evolve rather than disappear. “Tier 1 analysts become AI-assisted analysts, building literacy in AI outputs and validation. Tier 2 analysts transition into response orchestrators, blending SOAR expertise with AI-driven decision-making.”
“Threat hunters increasingly leverage machine learning and generative models, while SOC engineers take on expanded responsibilities around AI infrastructure, data pipelines, and governance,” he said.
Moving forward, Shahrizam says the autonomous SOC will ultimately not be about machines replacing humans. It is about breaking down silos, augmenting expertise, and enabling security teams to operate with confidence in a rapidly evolving threat landscape.
“The future of cyber defence belongs not to AI alone, but to both humans and AI working together,” he said.