Every SOC vendor is adding AI. Very few are solving the right problem.

I’ve been watching the AI-in-security conversation evolve from my seat inside actual SOCs — not from vendor briefings or conference keynotes. And the gap between what’s being sold and what’s actually working is wider than most people realise.

So let me break it down: what AI does well in a SOC today, what it doesn’t, and where I think the real value is hiding.

What AI Actually Does Well in Today’s SOC

1. Alert Triage at Scale

This is the one genuine win. A mid-size SOC generates 5,000-15,000 alerts per day. A good SIEM with ML-based triage can reduce that to 200-300 actionable incidents. That’s not theoretical — I’m seeing it in deployments today. The model learns what normal looks like for your specific environment and suppresses the benign-but-rule-matching activity that signature-based rules fire on every day. One caveat a practitioner should insist on: sample the suppressed alerts periodically, because a model that is only ever trained on what it already filtered will happily learn to hide a slow intrusion that was present during the baseline period.

The key word is “triage,” not “investigation.” AI is excellent at telling you what NOT to look at. It’s significantly less good at telling you exactly what happened and what to do about it.

2. User and Entity Behaviour Analytics (UEBA)

Behavioural baselines work well for detecting insider threats and compromised accounts. When a finance user who’s never accessed the HR database suddenly queries 10,000 employee records at 2 AM, the ML model flags it. Rule-based systems miss this because the activity itself is legitimate — it’s the context that’s wrong. UEBA catches context. The trade-off is that baselines need weeks of history before they mean anything, and a legitimate role change looks identical to a compromise until someone correlates it with the HR or ticketing record.
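To make the UEBA point concrete, here is an added example (mine, not code from the article or from any product it mentions) of the simplest form of this logic: build a per-user baseline of which resources are touched, at what hours, and in what volume, then score a new event against it. The log format, user names, resource names, thresholds and weights are all constructed assumptions for illustration; a real UEBA engine does the same thing with far more features and a learned rather than hand-set threshold.

```python
"""Per-user behavioural baseline scoring (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample access events: (timestamp, user, resource, rows_returned).
BASELINE_EVENTS = [
    ("2024-03-01T09:15:00", "alice.finance", "gl_ledger", 120),
    ("2024-03-01T10:40:00", "alice.finance", "ap_invoices", 80),
    ("2024-03-02T09:05:00", "alice.finance", "gl_ledger", 95),
    ("2024-03-02T14:20:00", "alice.finance", "ap_invoices", 60),
    ("2024-03-03T11:00:00", "alice.finance", "gl_ledger", 150),
    ("2024-03-01T08:30:00", "bob.hr", "hr_employees", 40),
    ("2024-03-02T16:10:00", "bob.hr", "hr_employees", 55),
    ("2024-03-03T09:45:00", "bob.hr", "hr_employees", 30),
]


class UserBaseline:
    """What a single user normally does: resources, working hours, peak volume."""

    def __init__(self):
        self.resources = set()
        self.hours = set()
        self.max_rows = 0
        self.count = 0


def build_baselines(events):
    """Fold historical events into one UserBaseline per user."""
    baselines = defaultdict(UserBaseline)
    for ts, user, resource, rows in events:
        b = baselines[user]
        b.resources.add(resource)
        b.hours.add(datetime.fromisoformat(ts).hour)
        b.max_rows = max(b.max_rows, rows)
        b.count += 1
    return dict(baselines)


def _hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(baselines, event, min_history=3, volume_factor=10):
    """Return (score, reasons) for one event. 0 means nothing unusual.

    Weights (assumed for the example): new resource 3, off-hours 1, volume 2.
    A user with fewer than min_history events is still learning and is not scored,
    which is the realistic failure mode: UEBA says nothing useful on day one.
    """
    ts, user, resource, rows = event
    b = baselines.get(user)
    if b is None or b.count < min_history:
        return 0, ["insufficient baseline; still learning"]
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if resource not in b.resources:
        score += 3
        reasons.append(f"{resource} never previously accessed by {user}")
    if all(_hour_distance(hour, h) > 1 for h in b.hours):
        score += 1
        reasons.append(f"access at {hour:02d}:00 is outside observed hours")
    if rows > b.max_rows * volume_factor:
        score += 2
        reasons.append(f"{rows} rows vs previous peak of {b.max_rows}")
    return score, reasons


def triage(baselines, events, threshold=4):
    """Return only the events whose score reaches the threshold, with reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(baselines, ev)
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return flagged


if __name__ == "__main__":
    base = build_baselines(BASELINE_EVENTS)
    new_events = [
        ("2024-03-04T09:30:00", "alice.finance", "gl_ledger", 110),
        ("2024-03-04T02:05:00", "alice.finance", "hr_employees", 10000),
    ]
    for ev, score, reasons in triage(base, new_events):
        print(ev, score, reasons)
```

The point of the weights is the one the article makes: the 2 AM query of 10,000 HR records is only legitimate-looking because each signal is weak on its own, and a rule would need to hard-code all three. Here the score composes them, and the routine 09:30 ledger query scores zero without anyone writing an exception for it.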

3. Phishing Detection

AI-powered email security (the kind that analyses language patterns, sender reputation, and link behaviour in real time) has significantly improved phishing detection rates. The static rules era of “check the From header” is over. AI models now catch spear-phishing and business email compromise with detection rates above 95% in well-tuned deployments. Read that number alongside the false-positive rate, though: a gateway that quarantines legitimate invoices teaches users to request releases without looking, which is the behaviour the attacker is counting on.

What AI Still Does Poorly

1. Root Cause Analysis

Here’s where the hype hits reality. An AI that tells you “there’s an anomaly on host X” is useful. An AI that tells you “host X was compromised because a phishing email bypassed the gateway, an employee clicked a link, and the attacker used a living-off-the-land binary to move laterally via SMB” — that’s the goal, but it’s not reliable yet. Correlation engines still need human configuration to connect those dots correctly.

2. Incident Response Decision-Making

Should you isolate the host or let it run for further observation? Should you block the IP or keep monitoring? These decisions depend on business context, risk tolerance, and regulatory requirements that AI can’t factor in today. SOAR playbooks automate the mechanical steps, but the decision to trigger a playbook still needs a human who understands the organisation’s risk profile.

3. Zero-Day Detection Without Context

AI can detect anomalies. But distinguishing a novel attack from a legitimate new application deployment, a configuration change, or a planned maintenance window requires context that the AI doesn’t have unless you feed it your change management data (the change tickets and the asset inventory they reference). Most organisations don’t, so the anomaly on the newly deployed host and the anomaly on the compromised one arrive in the queue looking identical.
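This is what feeding change management data into the pipeline looks like at its simplest. The code below is an added example, not from the article or any product it names: each anomaly is checked against approved change windows for the same host, and those that fall inside a window are tagged as an expected change rather than dropped. The ticket format, host names, anomaly kinds, the 30-minute slack and the list of anomaly types that a change ticket is never allowed to explain are constructed assumptions.

```python
"""Enrich anomalies with change-window context (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed change tickets: which hosts, when, and what the change was.
CHANGE_WINDOWS = [
    {"ticket": "CHG-1042", "hosts": {"app-07", "app-08"},
     "start": "2024-03-04T01:00:00", "end": "2024-03-04T03:00:00",
     "summary": "deploy billing service 2.3"},
]

# Constructed anomalies as a detection layer might emit them.
ANOMALIES = [
    {"host": "app-07", "ts": "2024-03-04T01:40:00", "kind": "new_listening_port"},
    {"host": "app-07", "ts": "2024-03-04T01:45:00", "kind": "lateral_smb"},
    {"host": "app-07", "ts": "2024-03-04T05:10:00", "kind": "new_listening_port"},
    {"host": "db-02", "ts": "2024-03-04T01:50:00", "kind": "new_listening_port"},
]

# Assumed policy: a deployment never explains these, even inside its own window.
NEVER_EXPLAINED_BY_CHANGE = {"lateral_smb", "credential_dump", "new_local_admin"}


def _in_window(ts, window, slack):
    """True if ts falls inside the window, allowing slack on both sides."""
    start = datetime.fromisoformat(window["start"]) - slack
    end = datetime.fromisoformat(window["end"]) + slack
    return start <= ts <= end


def enrich(anomaly, windows, slack=timedelta(minutes=30)):
    """Attach a disposition and, where one applies, the matching change ticket.

    Dispositions:
      expected_change  - host and time match an approved ticket; route to review queue
      investigate      - no matching ticket, or the anomaly type is out of scope
                         for any change ticket (ticket is still attached as context)
    """
    ts = datetime.fromisoformat(anomaly["ts"])
    for w in windows:
        if anomaly["host"] in w["hosts"] and _in_window(ts, w, slack):
            if anomaly["kind"] in NEVER_EXPLAINED_BY_CHANGE:
                return {**anomaly, "disposition": "investigate", "ticket": w["ticket"],
                        "note": f"{anomaly['kind']} is not explained by {w['summary']}"}
            return {**anomaly, "disposition": "expected_change", "ticket": w["ticket"],
                    "note": w["summary"]}
    return {**anomaly, "disposition": "investigate", "ticket": None, "note": None}


def enrich_all(anomalies, windows):
    return [enrich(a, windows) for a in anomalies]


if __name__ == "__main__":
    for row in enrich_all(ANOMALIES, CHANGE_WINDOWS):
        print(row["host"], row["ts"], row["kind"], "->", row["disposition"], row["ticket"])
```

Two design choices matter here. The matched anomalies are tagged, not deleted, so an attacker who times their activity to a maintenance window still leaves a record that can be reviewed later. And the anomaly type is checked against the ticket, because "we were deploying" explains a new listening port but never explains SMB lateral movement.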

Where the Real Value Is Hiding

The most underrated AI application in security right now isn’t detection — it’s augmentation of the analyst. Specifically:

  • Natural language query interfaces: An analyst types “show me all SMB connections from workstations in the last 24 hours” and the SIEM translates it into its own query language. This lowers the training overhead of proprietary query languages and makes threat hunting accessible to junior analysts. The one check worth keeping: show the analyst the generated query before running it, so a mistranslated time range or host group doesn’t silently turn a hunt into a false negative.
  • Automated evidence collection: Instead of an analyst manually pulling logs from six sources, the SOAR collects the evidence package automatically based on the alert type. This cuts mean-time-to-triage from 30 minutes to under 2.
  • Similar case matching: When a new alert comes in, the system automatically surfaces three similar past incidents with their resolution steps. This is surprisingly effective for accelerating investigation — especially in SOCs with high turnover.
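Similar case matching is the easiest of the three to reason about in code, so here is an added example of its core (mine, not code from the article or from any product it names): past incidents are indexed with TF-IDF, a new alert is turned into the same kind of vector, and the top matches come back with their resolution steps. The incident texts, IDs and resolutions are constructed; a production system would usually use embeddings from a language model rather than TF-IDF, but the retrieval shape and the cut-off for "no similar case" are the same.

```python
"""Nearest past incidents by TF-IDF cosine similarity (added example, constructed data)."""
import math
import re
from collections import Counter

# Constructed incident history with the resolution an analyst recorded.
PAST_INCIDENTS = [
    {"id": "INC-2201",
     "text": "phishing email macro attachment opened beaconing to unknown ip host isolated",
     "resolution": "isolate host, pull mailbox copies, block C2 IP, reimage"},
    {"id": "INC-2215",
     "text": "brute force logon failures against vpn gateway from single ip account locked",
     "resolution": "block source IP at perimeter, confirm MFA on targeted accounts"},
    {"id": "INC-2230",
     "text": "ransomware note dropped files encrypted smb lateral movement from workstation",
     "resolution": "isolate segment, preserve memory images, restore from offline backup"},
    {"id": "INC-2244",
     "text": "phishing email credential harvesting page password reset enforced",
     "resolution": "reset credentials, revoke sessions, takedown request for page"},
]


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def build_index(incidents):
    """Compute IDF over the corpus and a TF-IDF vector per incident."""
    docs = [Counter(tokenize(i["text"])) for i in incidents]
    n = len(docs)
    df = Counter()
    for d in docs:
        df.update(d.keys())
    # Smoothed IDF so a term in every document still has a small weight.
    idf = {t: math.log((1 + n) / (1 + df[t])) + 1 for t in df}
    vectors = [_vectorize(d, idf) for d in docs]
    return {"idf": idf, "vectors": vectors, "incidents": incidents}


def _vectorize(counts, idf):
    total = sum(counts.values()) or 1
    # Terms never seen in the corpus get no weight: they cannot match anything.
    return {t: (c / total) * idf[t] for t, c in counts.items() if t in idf}


def _cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similar_cases(index, alert_text, k=3, min_score=0.05):
    """Return up to k past incidents ranked by similarity, each with its resolution.

    min_score keeps a genuinely new kind of alert from being paired with
    unrelated history just because k slots had to be filled.
    """
    q = _vectorize(Counter(tokenize(alert_text)), index["idf"])
    scored = []
    for inc, vec in zip(index["incidents"], index["vectors"]):
        s = _cosine(q, vec)
        if s >= min_score:
            scored.append((round(s, 3), inc["id"], inc["resolution"]))
    scored.sort(reverse=True)
    return scored[:k]


if __name__ == "__main__":
    idx = build_index(PAST_INCIDENTS)
    for hit in similar_cases(idx, "phishing email with macro, beaconing to unknown ip"):
        print(hit)
```

Note the `min_score` floor: the value a junior analyst gets from this feature depends on it never confidently presenting an unrelated case as a precedent, which is why a new alert that shares nothing with history should come back with an empty list rather than three weak matches.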

What I Tell CISOs

When a vendor pitches AI as a replacement for human analysts, I advise caution. When they pitch AI as a force multiplier that makes your existing analysts 3-5x more effective, I’m interested.

The best AI deployment I’ve seen wasn’t the one with the flashiest ML model. It was a FortiSIEM deployment where we tuned the ML-based alert correlation to reduce noise by 80%, and used the saved analyst time to do proactive threat hunting. That’s the ROI story that matters — not “AI replaces your team,” but “AI frees your team to do the work that actually prevents breaches.”

AI in the SOC is real. It’s valuable. But it’s a tool, not a strategy. The strategy still comes from people who understand your business, your risk, and your network — and that’s not something I see AI replacing anytime soon.


Sanjay Seth has been designing and operating NOC/SOC environments since 1992. He’s the CEO of P J Networks and architect of the PrahiX Ora unified NOC/SOC/SIEM/VMS platform.