Friday, 8 May 2026
© 2024 americanfocus.online – All Rights Reserved.
SOC teams are automating triage — but 40% will fail without governance boundaries

Last updated: January 27, 2026 4:10 pm

The State of Security Operations Centers (SOCs) in 2025: Adapting to the Age of AI

The average enterprise SOC is inundated with a staggering 10,000 alerts each day. Each alert requires 20 to 40 minutes of investigation, and even fully staffed teams can handle only 22% of them. As a result, more than 60% of security teams admit to having ignored alerts that later turned out to be critical.

As the demands on SOCs continue to increase, the nature of the work itself is evolving. Tier-1 analyst tasks such as triage, enrichment, and escalation are being automated through software functions, with more SOC teams turning to supervised AI agents to handle the volume. Human analysts are now focusing on higher-level tasks such as investigation, review, and making edge-case decisions, resulting in reduced response times.

However, the integration of human insight and intuition is crucial. Gartner predicts that over 40% of agentic AI projects will be canceled by the end of 2027, citing unclear business value and inadequate governance as the main drivers. It is essential to get change management right and ensure that generative AI does not become a disruptive force in the SOC.

Why the Legacy SOC Model Needs to Change

Burnout is a significant issue in many SOCs today, with senior analysts contemplating career changes due to the overwhelming workload. Legacy SOCs with multiple systems delivering conflicting alerts and a lack of interoperability among systems are contributing to burnout among analysts. CrowdStrike’s 2025 Global Threat Report highlights breakout times as fast as 51 seconds and the increasing prevalence of malware-free intrusions, emphasizing the need for faster response times in the face of evolving threats.

Matthew Sharp, CISO at Xactly, points out that adversaries are already leveraging AI to launch attacks at machine speed, underscoring the importance of equipping organizations with AI-driven defenses to combat these threats effectively.

How Bounded Autonomy Compresses Response Times

SOC deployments that prioritize rapid response times often implement a bounded autonomy approach. AI agents handle tasks such as triage and enrichment automatically, while human analysts oversee containment actions for high-severity incidents. This division of labor enables the processing of alert volume at machine speed while ensuring that human judgment is retained for decisions that carry operational risk.

Graph-based detection is transforming how defenders perceive networks by revealing relationships between events rather than isolated incidents. By tracing attack paths, AI agents can identify suspicious activities more efficiently. The speed gains achieved through AI-driven triage are measurable, with AI agents achieving over 98% agreement with human expert decisions while reducing manual workloads by more than 40 hours per week.

ServiceNow and Ivanti Signal Broader Shift to Agentic IT Operations

Gartner predicts a significant rise in multi-agent AI implementations for threat detection, with ServiceNow and Ivanti leading the charge. ServiceNow’s substantial investment in security acquisitions and Ivanti’s introduction of agentic AI capabilities for IT service management signal a broader shift towards bounded autonomy models reshaping not only SOCs but also service desks.

Robert Hanson, CIO at Grand Bank, highlights the benefits of adopting bounded autonomy in service desks, enabling continuous coverage without the need for additional staff. This approach is gaining traction across industries such as financial services, healthcare, and government as organizations seek to enhance their resilience in a zero-trust world.

Three Governance Boundaries for Bounded Autonomy

Implementing bounded autonomy requires clear governance boundaries to guide AI-driven decision-making. Teams should define which alert categories AI agents can act on autonomously, which require human review regardless of confidence score, and the escalation paths for incidents that fall below a certain threshold of certainty. Human approval is essential for high-severity incidents before containment actions are taken.
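
The three boundaries above can be expressed as a default-deny routing gate that sits between the agent's verdict and any action. This is an added example, not code from the article or any vendor it names; the category names, severity labels, decision labels and the 0.90 confidence floor are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Constructed policy: category names, severity labels and the 0.90 floor are
# assumptions for illustration, not values from the article.
AUTONOMOUS = {"phishing", "password_reset", "known_bad_indicator"}
ALWAYS_REVIEW = {"privileged_account", "insider_threat"}
HIGH_SEVERITY = {"high", "critical"}
CONFIDENCE_FLOOR = 0.90

@dataclass(frozen=True)
class Alert:
    alert_id: str
    category: str
    severity: str
    confidence: float      # agent's confidence in its own verdict, 0.0-1.0
    proposed_action: str   # "close", "enrich" or "contain"

def route(alert: Alert) -> tuple[str, str]:
    """Return (decision, reason); anything not explicitly allowed goes to a human."""
    # Boundary 2: some categories get human review regardless of confidence.
    if alert.category in ALWAYS_REVIEW:
        return "human_review", "category always reviewed"
    # Containment on a high-severity incident waits for human approval.
    if alert.proposed_action == "contain" and alert.severity in HIGH_SEVERITY:
        return "human_approval", "high-severity containment"
    # Boundary 3: missing, malformed or low confidence takes the escalation path.
    c = alert.confidence
    if not isinstance(c, (int, float)) or math.isnan(c) or not 0.0 <= c <= 1.0:
        return "escalate", "invalid confidence score"
    if c < CONFIDENCE_FLOOR:
        return "escalate", "confidence below floor"
    # Boundary 1: autonomy only for allowlisted categories (default deny).
    if alert.category in AUTONOMOUS:
        return "autonomous", "allowlisted category above floor"
    return "human_review", "category not allowlisted"

def triage(alerts: list[Alert]) -> dict[str, str]:
    """Map each alert id to its routing decision."""
    return {a.alert_id: route(a)[0] for a in alerts}

# Constructed sample alerts, one per path through the gate.
SAMPLE = [
    Alert("A1", "phishing", "low", 0.97, "close"),
    Alert("A2", "phishing", "low", 0.62, "close"),
    Alert("A3", "privileged_account", "medium", 0.99, "enrich"),
    Alert("A4", "known_bad_indicator", "critical", 0.98, "contain"),
    Alert("A5", "lateral_movement", "medium", 0.95, "enrich"),
    Alert("A6", "phishing", "low", float("nan"), "close"),
]
```

Logging the reason string alongside each decision gives reviewers an audit trail for why an alert was or was not handled without a human.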

Security leaders must establish robust governance frameworks before deploying AI across SOCs to leverage the time-saving and containment benefits of these advanced tools. As adversaries leverage AI to exploit vulnerabilities at an alarming rate, autonomous detection is becoming essential for organizations to remain resilient in the face of evolving threats.

The Path Forward for Security Leaders

Security teams can start by automating workflows where failure is recoverable, such as phishing triage, password reset automation, and known-bad indicator matching. By automating these processes and validating accuracy against human decisions, teams can streamline operations and enhance efficiency within the SOC.

In conclusion, the evolution of SOCs in 2025 is characterized by the integration of AI-driven technologies, the adoption of bounded autonomy models, and the establishment of robust governance frameworks. Security leaders must embrace these changes to adapt to the evolving threat landscape and ensure the resilience of their organizations in the face of sophisticated cyber threats.
