The average enterprise SOC receives 10,000 alerts per day. Each requires 20 to 40 minutes to investigate properly, but even fully staffed teams can only handle 22% of them. More than 60% of security teams have admitted to ignoring alerts that later proved critical.Running an efficient SOC has never been harder, and now the work itself is changing. Tier-1 analyst tasks — like triage, enrichment, and escalation — are becoming software functions, and more SOC teams are turning to supervised AI agents to handle the volume. Human analysts are shifting their priorities to investigate, review, and make edge-case decisions. Response times are being reduced.Not integrating human insight and intuition comes with a high cost, however. Gartner predicts over 40% of agentic AI projects will be canceled by the end of 2027, with the main drivers being unclear business value and inadequate governance. Getting change management right and making sure generative AI doesn’t become a chaos agent in the SOC are even more important. Why the legacy SOC model needs to change Burnout is so severe in many SOCs today that senior analysts are considering career changes. Legacy SOCs that have multiple systems that deliver conflicting alerts, and the many systems that can’t talk to each other at all, are making the job a recipe for burnout, and the talent pipeline cannot refill faster than burnout empties it. CrowdStrike’s 2025 Global Threat Report documents breakout times as fast as 51 seconds and found 79% of intrusions are now malware-free. Attackers rely on identity abuse, credential theft, and living-off-the-land techniques instead. Manual triage built for hourly response cycles cannot compete.As Matthew Sharp, CISO at Xactly, told CSO Online: “Adversaries are already using AI to attack at machine speed. Organizations can’t defend against AI-driven attacks with human-speed responses.”How bounded autonomy compresses response timesSOC deployments that compress response times share a common pattern: bounded autonomy. AI agents handle triage and enrichment automatically, but humans approve containment actions when severity is high. This division of labor processes alert volume at machine speed …
