
AI Can Speed Up The SOC, But Humans Own The Hard Calls

The Security Digest - News Team
Published May 27, 2026

Mohit Bansal, Senior Manager of Security Engineering at Webflow, maps the Security Operations Center (SOC) model where AI handles signal work and humans own irreversible actions.


AI is making SOC teams faster at the work that consumes most of their time: correlating logs, enriching alerts, cross-referencing indicators, and drafting initial incident timelines. That acceleration is real and measurable. According to a Rapid7 survey, SOC analysts spend nearly 3 hours each day manually triaging alerts, and 67% of the alerts they receive go completely uninvestigated due to sheer volume. AI is compressing that front-of-funnel work from hours to seconds. But what has not changed is the set of decisions where speed without judgment creates more risk than it resolves. Isolating a production host, shutting down a service, rotating critical credentials: those calls still require a human who understands the business context that the model was never given.

Mohit Bansal is Senior Manager, Security Engineering at Webflow, where his job is keeping security practices sound while agentic AI reshapes how every team in the company builds. As AI-powered tooling expands the ways code is written, committed, and deployed, it widens the attack surface and opens new classes of exposure that legacy controls were never built to catch. His team operates at that frontier, staying ahead of incidents before they happen, in an environment where the AI-powered threat count is only trending one direction.

"AI is genuinely good for the front half of the funnel: triaging, enriching, correlating, and drafting the initial timeline. The critical decisions in the second half require practitioners with deep operational experience, people who can read a detection, weigh the business context, and know when a technically accurate alert does not warrant action. The model gets you to the decision faster. The expertise of the team is what makes the decision right," says Bansal.

The front half belongs to AI

Bansal describes the shift in incident response as structural: AI now handles the high-volume, pattern-matching work that analysts previously did manually.

"Three years back, humans were correlating the information, looking at the signals, looking at the dashboards," Bansal says. "Now AI gives you that much faster." Before that shift, analysts were cycling through static runbooks and repeating the same enrichment steps manually for every alert. A well-written runbook still encodes valuable institutional knowledge, and AI agents can now execute those procedures in seconds instead of hours. What changes the game further is that AI agents also update and refine the runbooks after each incident, adding new indicators, tightening correlation logic, and closing gaps that the previous execution exposed.

Each cycle produces a more comprehensive playbook than the last. When applied, AI agents open tickets with enriched context already attached: correlated log events, threat intelligence matches, affected asset ownership, and historical alert patterns from the same endpoint, pulling data from multiple sources so analysts are not hopping between four or five tools to reconstruct a timeline that the model built in seconds.

As AI models train on actual incidents, signal quality improves. "The false positives and false negatives are going to improve. We are going to get better signaling as we train them," Bansal says. The teams moving fastest on AI in SOC operations are not the ones with the biggest budgets. They are the ones feeding real incident data back into their models and measuring triage accuracy week over week.

The second half requires humans

Bansal draws a clear line at irreversible actions. AI can recommend. Humans must validate.

"If you have to kill a low-risk session or revoke a non-critical token, that is fine for the AI to handle," Bansal says. "But we cannot have AI just roam around and shut down services in production." The distinction is operational: reversible actions can be automated. Irreversible ones cannot, at least not with current model confidence.

Bansal identifies a subtler failure mode. "The detection fired exactly as designed. The data is accurate. But accurate doesn't mean critical. That's where the human comes in and says, 'Yes, this is true, but it doesn't actually warrant action,'" he says. The gap is not that AI cannot reason about business context; it is that most organizations have not structured that context in a way models can consume.

When teams do feed in asset criticality, service dependencies, and business impact mappings, model confidence improves significantly. But confidence is not a certainty. The final call on whether a technically accurate alert warrants action still belongs to someone who can weigh consequences the model was never scoped to own.

This is the part that surprises teams new to AI-assisted SOC operations. The model does not fail because it got the detection wrong. It fails because no one told it that the flagged host is a staging server three days from decommission, or that the "anomalous" login pattern is actually the CEO traveling internationally on a schedule the model never received. The detection is correct. The action would be wrong. That gap between correct detection and correct response is where the most expensive SOC mistakes happen, and it is entirely a human-solvable input problem.
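One way to encode the reversible/irreversible line and the structured business context Bansal describes, as an added Python example that is not from the article or from Webflow; the action names, asset fields, confidence threshold and sample assets are this example's own assumptions:

```python
from dataclasses import dataclass, field

# Actions grouped the way the article does: reversible ones may run automatically,
# irreversible ones always go to a human. (Action names are this example's own.)
REVERSIBLE = {"kill_session", "revoke_token"}
IRREVERSIBLE = {"isolate_host", "shutdown_service", "rotate_critical_credential"}

@dataclass
class Asset:
    name: str
    criticality: str                                 # "low" | "medium" | "high"
    dependents: list = field(default_factory=list)   # services that break if this asset goes
    notes: list = field(default_factory=list)        # business context the model never had

@dataclass
class Proposal:
    action: str        # what the AI recommends
    asset: Asset       # what it would act on
    confidence: float  # model confidence in the detection, 0..1

def decide(p: Proposal, min_conf: float = 0.9) -> tuple:
    """Return (verdict, reason); verdict is 'auto', 'human' or 'reject'."""
    if p.action in IRREVERSIBLE:
        return "human", f"{p.action} is irreversible; requires human validation"
    if p.action not in REVERSIBLE:
        return "reject", f"unknown action {p.action!r}; nothing runs by default"
    if p.asset.criticality != "low":
        return "human", f"{p.asset.name} is {p.asset.criticality}-criticality"
    if p.asset.dependents:
        return "human", f"{p.asset.name} has dependents: {', '.join(p.asset.dependents)}"
    if p.confidence < min_conf:
        return "human", f"confidence {p.confidence:.2f} below {min_conf:.2f}"
    return "auto", "reversible action on low-risk asset with no dependents"

def review_packet(p: Proposal) -> dict:
    """What the human approver sees: the recommendation plus the context the
    model was never scoped to own (criticality, dependents, business notes)."""
    verdict, reason = decide(p)
    return {"action": p.action, "asset": p.asset.name, "verdict": verdict,
            "reason": reason, "criticality": p.asset.criticality,
            "dependents": p.asset.dependents, "notes": p.asset.notes}

if __name__ == "__main__":
    # Constructed sample proposals mirroring the article's cases.
    low_token = Asset("ci-readonly-token", "low")
    staging = Asset("staging-web-07", "medium", notes=["decommission scheduled in 3 days"])
    prod_db = Asset("prod-db-primary", "high", dependents=["checkout", "billing"])
    for prop in (Proposal("revoke_token", low_token, 0.95),
                 Proposal("isolate_host", staging, 0.99),
                 Proposal("shutdown_service", prod_db, 0.97)):
        print(review_packet(prop))
```

The staging-host case is the one the article calls out: the detection is correct, the verdict is "human", and the decommission note travels with the packet so the approver can decline the action.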

Incident response plans that work under pressure

Gartner identified AI-driven SOC solutions destabilizing operational norms as a top cybersecurity trend for 2026, noting that even as these technologies enhance alert triage, they introduce new staffing pressures and evolving cost considerations. The organizations where AI actually improves incident outcomes are the ones that updated their IR plans to account for a hybrid human-AI operating model. Many have not. Bansal warns that many organizations treat IR plans as documentation exercises rather than operational capabilities. Three elements separate plans that hold up from plans that collapse.

"If you club the incident commander and the technical investigation, your response gets tunnel vision," Bansal says. Clear role separation keeps decision-making and investigation moving in parallel. This matters more now than it did five years ago: when AI is generating the initial timeline and enrichment, the incident commander's job shifts from "what happened" to "what do we do about it." If that role is also buried in log analysis, the speed advantage AI provides gets wasted.

"Who can pull a service offline? Who can rotate secrets?" Bansal says. "If ownership is clear, you can act fast. But if your incident commander has to get VP approval, you are already behind." Decision rights agreed to before an incident separate response speed from response paralysis.

Bansal points to supply chain incidents as the clearest example of why post-incident analysis matters. "The same attacks are not going to happen again, but the same sort of attacks are going to happen," he says. "If you do post-incident analyses (PIA), you may fail at the first attempt, but you will succeed at the second."

The teams that build muscle memory tend to run quarterly tabletops modeled on the attack patterns teams are actually seeing. "Everybody could have a beautifully written plan, but if they don't have muscle memory around it, they are going to fail when the real incident happens."

The hybrid SOC model Bansal describes is not a transitional state. It is the operating model for the foreseeable future. AI accelerates the front of the funnel. Humans own the irreversible decisions. And the discipline that makes the system stronger is not better tooling but structured learning: blameless reviews, practiced response, and continuous feedback from real incidents into detection systems that improve with every cycle.

The teams that will define the next generation of SOC operations are the ones treating AI outputs the way they treat any other source of intelligence: verify, contextualize, then act. "The fundamentals remain the same," Bansal says. "The pattern is consistent: invest in AI and humans in the loop, run PIAs, run tabletop exercises. That is how teams get stronger."