Security Leaders Are Quietly Planning to Restructure SOC Staffing Around AI Agents
Enterprise security directors say they're no longer asking whether AI can replace Tier 1 analysts. They're modeling what the headcount looks like when it does.

For most of 2025 and into early 2026, the enterprise discussion around AI in security operations centered on augmentation. The pitch from vendors was careful: AI assists. AI accelerates. AI supports. Recently, however, the conversation has shifted, and that framing no longer aligns with what security leaders are saying in private. In conversations with directors and senior managers overseeing security operations at mid-market and enterprise organizations, a consistent theme has emerged. They are planning workforce reductions in their SOC's lowest tier, with the explicit intention of replacing outsourced or junior analyst functions with AI-powered agents.
The plans are being modeled against current staffing costs, alert volumes, and investigation completion rates.
The Math That Made It Inevitable
The economic case has been building for years, but AI agent capabilities in 2026 have tipped the calculation. A typical outsourced L1 analyst costs between $45,000 and $85,000 annually, including the MSSP's margin, training overhead, and management time. Most enterprise SOCs employ six to twelve of these analysts across shifts to maintain 24/7 coverage. The managed security services market supporting this model is projected to reach $43 billion in 2026, with over 72% of enterprises outsourcing at least one security function.
Those analysts spend the bulk of their time on alert triage. Industry benchmarks suggest experienced L1 analysts process 20 to 40 alerts per hour. Meanwhile, Forrester reports that SOC teams receive an average of 11,000 alerts daily, and the AI SOC Market Landscape 2025 report found that enterprises with over 20,000 employees receive more than 3,000 alerts per day.
AI agents performing the same workflow in live demonstrations have shown dramatically different economics. During one enterprise demonstration, a single attack campaign generating over 170 alerts was automatically triaged, correlated, and escalated into a case in under two minutes, with full documentation, enrichment, and recommended next steps. "It's not even close anymore," said one security director. "The question isn't whether the agent can do it. It's whether I can justify keeping the headcount."
What the Restructured SOC Looks Like
The model most security leaders described is less a fully automated SOC and more a smaller, senior team working alongside AI agents that handle the workload. One director outlined his anticipated structure: reducing from roughly 10 outsourced L1 analysts to 3 or 4 senior Tier 2 analysts who manage and oversee AI agent output. The agents handle alert triage, false positive filtering, initial enrichment, and case creation. The human analysts handle complex investigations, threat hunting, and incident response.
"That layer of the SOC can already be handled by agents," the director said. "I don't need that headcount anymore. I need a few advanced operators."
Agentic SOC platforms like Strike48 reflect this architecture. Purpose-built agents cover L1 triage, L2 investigation, detection engineering, threat hunting, and vulnerability management, each with specific instructional prompting, knowledge bases, and tool access. The L1 agent handles alert monitoring, correlation, false positive verification, and escalation. When it escalates to an L2 agent, sub-agents work in parallel on the following objectives: identifying patient zero, conducting historical event correlation, performing vulnerability mapping, and executing MITRE framework analysis.
The vision, as one platform architect described it, is to eliminate the need for humans to constantly monitor alerts. "We don't want the L1 analyst looking at an alert screen. That's old school. That's where the alert burnout gets replicated."
The Outsourcing Relationship Under Pressure
The restructuring plans carry significant implications for the MSSP industry. If enterprises begin replacing outsourced L1 functions with AI agents, providers will face pressure to redefine their value proposition beyond the bodies-in-seats model.
The Tines Voice of the SOC Analyst report found that 71% of SOC analysts report burnout. The SANS 2025 survey found that 70% of analysts with 5 years or less of experience leave within 3 years. And Cybersecurity Insiders reported that 73% of organizations cite analyst burnout as a direct consequence of alert fatigue. Several security directors noted that quality issues with outsourced analysts have made the transition easier to justify internally. Stories of outsourced teams abandoning alerts at the first point of friction, failing to complete investigations, or meeting SLA metrics without delivering substantive analysis have eroded confidence in the model.
The Training Inversion
One counterintuitive aspect of the restructuring is how it changes the training dynamic.
In the traditional model, organizations invest heavily in training junior analysts on tool-specific workflows and standard operating procedures. Turnover is high, particularly among outsourced staff, so training investments are frequently lost. The global cybersecurity workforce gap stands at 3.5 million unfilled positions, making it increasingly difficult to replace departing analysts.
With AI agents handling L1 functions, the training question shifts: how do senior analysts learn to manage, oversee, and audit AI agent output? How do they build the SOPs that govern what the agents do?
Several platforms address this through configurable knowledge bases. Organizations can load their own incident-handling procedures, standard operating procedures, and escalation policies directly into agents, thereby creating AI analysts trained on their specific processes. One organization described plans to feed its documented procedures into the system so agents would enforce them rather than generic ones.
"It's going to be a mess at the beginning because they're not going to understand it," one security leader said with the candor that stays inside planning sessions. "But we'll work through it, and then we'll revise what skill level we actually need."
The Quiet Part
The restructuring conversation is happening at dozens of organizations simultaneously. It is not being discussed publicly because the implications for existing staff and vendor relationships are politically sensitive.
No security director wants to announce layoffs tied to AI. No MSSP wants to acknowledge that their staffing model may be approaching obsolescence. And no vendor wants to be the one publicly saying that their product replaces humans.
But the planning is underway. The budgets are being modeled. And the security leaders who spent the last decade building out outsourced SOC teams are now quietly designing the organizations that will replace them.