Meet Kenneth
He gets to work before anyone else on his team and leaves long after they've gone home. On a good day, he eats lunch at his desk and triages alerts. On a bad day, he skips lunch entirely. His phone buzzes through the night. He knows the names of every analyst on his team, the quirks of every tool in their stack, and exactly how many tickets are sitting in the queue right now, a number that almost never goes down.

Kenneth is a SOC lead. And by nearly every measure, he is doing everything right. His team respects him. His manager trusts him. And yet, things are slipping.
More incidents are getting through. Response times are getting longer. Last month, a relatively straightforward phishing campaign took three days to fully contain, something that should have taken hours. Kenneth knows it. He lies awake thinking about it. But he doesn't know what to change, because he and his team are already giving everything they have. They are knee-deep in quicksand, unable to see past the wave of tickets and issues to what the future might hold.
The gap between effort and outcome
Kenneth's situation is not a personal failure. It's a structural one that too many organizations do not even understand. It’s why some things never seem to change.
Most SOC teams operate in a constant state of alert overload. Analysts are handed hundreds, sometimes thousands of alerts per day. SANS puts the figure at upwards of 3,000 alerts daily, with analysts spending 80 to 90% of their time chasing false positives. They click through the same investigation steps, manually correlate events across tools that don't talk to each other, and write up findings in tickets that take longer to document than the actual investigation did.

The detection rate tells a brutal story. Despite all the tools, all the dashboards, and all the vendor promises, the average SOC misses a significant percentage of real threats, not because the analysts aren't good, but because the volume is impossible. You can't be thorough when you're just trying to keep your head above water.
GRC is another sore spot. In a recent survey by the World Economic Forum, two-thirds of CISO respondents say the proliferation of cyber regulations worldwide adds significant complexity. The process for managing risk, compliance, and governance is often completely disconnected from what's happening on the operations floor. Kenneth knows his team is stretched thin, but translating that into a meaningful risk posture report for leadership? That's a different conversation, often using different data, in a different system, maintained by a different team. Leadership ends up with a view of security that doesn't reflect reality, and decisions are made on incomplete information.
The result is a SOC that is expensive, overworked, reactive, and struggling to demonstrate its value to the business. According to EY, 58% of cyber leaders struggle to explain value beyond risk reduction — and only 13% get brought in early.
A cost center with a target on its back
SOC operations are not cheap. With headcount, tooling, licensing, training, and infrastructure, organizations can spend millions of dollars a year on security operations and still feel like they're falling behind.
And the pressure isn't easing up. The threat landscape keeps expanding. Attack surfaces are growing as companies adopt more cloud services, more third-party integrations, and more remote work infrastructure. Meanwhile, the security talent market remains brutally competitive. Experienced analysts are hard to find, hard to retain, and not getting cheaper. Lately, companies are even more reluctant to hire. AI is driving an expectation that adding headcount is no longer the answer and that using AI is the long-term answer instead. Of course, that is easier said than done. Even if more hiring is possible, entry-level hires need months of training before they're fully productive, and by then the competition is already recruiting them.
Kenneth has watched three analysts leave his team in the past eighteen months. Each time, he backfills as fast as he can, tries to document what he knows, and absorbs the gap in the meantime. He doesn't complain about it. That's just the job.
But at some point, the math stops working. You cannot solve a capacity problem by asking the same people to work harder.

This is not a Kenneth problem
If you recognize Kenneth's situation, you've probably lived it yourself or you're living it right now.

In a recent survey, 66% of cyber professionals said that their job has been getting more stressful in the last few years.
Survey after survey of security professionals shows the same thing: analyst burnout is rampant, detection gaps are common, and most organizations don't have a clear, real-time picture of their actual security posture. The tools exist, but the signal-to-noise ratio makes them painful to use. The processes exist, but they weren't designed for the scale that teams deal with today.
The dirty secret of enterprise security is that most organizations are one understaffed shift away from a serious incident slipping through. Too many businesses see the SOC as needing to be just good enough to check the audit box and get a good cyber insurance premium. The human cost and the cost to the business in the event of a breach are the risks that are ignored.

The promise of a better way: toward an AI-ready SOC
The conversation about AI in security has been noisy, and a lot of the hype deserves the skepticism it gets. But there's something real underneath it. This is more than just “Protected by Marketing”.
Research on human-AI teaming suggests hybrid teams outperform both pure-human and pure-AI approaches by roughly 25%. When AI is applied thoughtfully to security operations, not as a replacement for analysts but as a force multiplier, it changes what's possible. It can correlate events across data sources in seconds rather than minutes. It can surface the alerts that actually need human attention and quietly filter the ones that don't. It can give analysts the context they need to make faster, better decisions without requiring them to bounce between six different tools.
More importantly, it can help connect Kenneth’s everyday operational reality to the broader risk posture conversation that leadership needs. When both sides work from the same data, organizations can start making smarter tradeoffs and start treating the SOC not as a cost center that inhales budget, but as a function that actively reduces risk and helps the business move faster.
Kenneth and his team aren't failing. They're doing the best anyone could do with the tools and processes available to them. The question is whether the company is willing to give them better ones.
Curious to learn more?
Dive deeper into what an AI-ready SOC looks like in practice in our AI-powered SecOps guide.
FAQ: Modernizing an overloaded SOC
How do you know your SOC needs modernizing?
Your SOC is signaling that it needs modernization if:
Your analysts spend more time fighting the tools than investigating threats
You are constantly dropping telemetry to keep SIEM costs in check
Leadership cannot get a clear, data-backed answer to “How secure are we?”
The symptoms are burnout, slow investigations, and leadership reports that do not match what the front line sees.
What is an AI SOC and how is it different from today’s SOC?
An AI SOC is a security operations center that uses AI and automation to augment human analysts, not replace them. It relies on high-quality telemetry, a vendor-neutral data plane, and unified search so AI can triage alerts, recommend next steps, and surface patterns across tools and time. The key difference is that data is structured for AI from the start and workflows are built to keep humans in the loop.
How does SOC modernization provide better visibility and more accurate detections, while managing costs?
Modern SOCs gain greater visibility and manage costs by using a data lake strategy, making more data accessible than otherwise possible. Data is enriched with IOC and asset data so that context is attached at ingestion, letting the SOC both make decisions faster and get ready for an agentic AI future. That future is where agents scale analysts and need better information to drive predictable, actionable results.
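The two ideas above, enriching each alert with IOC and asset context at ingestion and then letting that context decide which alerts need a human, can be shown in a few dozen lines. The following is an added example written for this page, not code from the original post or from any vendor product. The threat-intel feed, asset inventory, alerts, scoring weights and the human-review threshold are all constructed or assumed for illustration; the IP addresses come from the documentation ranges (TEST-NET-2 and TEST-NET-3) and the hash is a made-up value.

```python
"""Enrich SOC alerts with IOC and asset context at ingestion, then rank them for triage.

Added example for this page; not part of the original post or any product.
Every indicator, hostname, alert and weight below is constructed or assumed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed: indicator -> (type, source feed, confidence 0-100).
IOC_FEED = {
    "203.0.113.45": ("ipv4", "feed-a", 90),       # TEST-NET-3 address, sample only
    "198.51.100.0/24": ("cidr", "feed-b", 60),    # TEST-NET-2 range, sample only
    "ffffffffffffffffffffffffffffffff": ("md5", "feed-a", 95),  # made-up hash
    "bad-updates.example": ("domain", "feed-c", 80),
}

# Constructed asset inventory: hostname -> criticality tier and owning team.
ASSET_INVENTORY = {
    "db-prod-01": {"criticality": "crown-jewel", "owner": "data-platform"},
    "hr-laptop-17": {"criticality": "standard", "owner": "people-ops"},
    "lab-vm-03": {"criticality": "low", "owner": "research"},
}

# Assumed scoring weights; an unknown asset is scored like a standard one
# but is flagged in the enrichment so inventory gaps are visible to the analyst.
CRITICALITY_WEIGHT = {"crown-jewel": 50, "standard": 20, "low": 5}
UNKNOWN_ASSET_WEIGHT = 25
HUMAN_REVIEW_THRESHOLD = 70  # assumed cut-off between "analyst looks" and "auto-closed"


@dataclass
class Alert:
    alert_id: str
    host: str
    rule: str
    indicators: list[str]
    base_severity: int  # 1 (info) .. 5 (critical), as emitted by the detection rule
    enrichment: dict = field(default_factory=dict)


def lookup_ioc(value: str) -> tuple[str, int] | None:
    """Return (source, confidence) on an exact or CIDR match against the feed, else None."""
    if value in IOC_FEED:
        _kind, source, confidence = IOC_FEED[value]
        return source, confidence
    try:
        addr = ip_address(value)
    except ValueError:
        return None  # not an IP, and no exact match above
    for indicator, (kind, source, confidence) in IOC_FEED.items():
        if kind == "cidr" and addr in ip_network(indicator):
            return source, confidence
    return None


def enrich(alert: Alert) -> Alert:
    """Attach asset and IOC context to the alert once, at ingestion time."""
    asset = ASSET_INVENTORY.get(alert.host)
    matches = []
    for indicator in alert.indicators:
        hit = lookup_ioc(indicator)
        if hit is not None:
            matches.append({"indicator": indicator, "source": hit[0], "confidence": hit[1]})
    alert.enrichment = {
        "asset": asset if asset else {"criticality": "unknown", "owner": None},
        "asset_in_inventory": asset is not None,
        "ioc_matches": matches,
    }
    return alert


def priority(alert: Alert) -> int:
    """Combine rule severity, asset criticality and best IOC confidence into one score."""
    asset = alert.enrichment["asset"]
    asset_weight = CRITICALITY_WEIGHT.get(asset["criticality"], UNKNOWN_ASSET_WEIGHT)
    ioc_weight = max((m["confidence"] for m in alert.enrichment["ioc_matches"]), default=0)
    return alert.base_severity * 10 + asset_weight + ioc_weight


def triage(alerts: list[Alert]) -> dict[str, list[str]]:
    """Enrich, score and split alerts into those needing a human and those auto-closed."""
    scored = [(priority(enrich(a)), a.alert_id) for a in alerts]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return {
        "needs_human": [aid for score, aid in scored if score >= HUMAN_REVIEW_THRESHOLD],
        "auto_closed": [aid for score, aid in scored if score < HUMAN_REVIEW_THRESHOLD],
    }


# Constructed sample alerts, as a detection layer might emit them before enrichment.
SAMPLE_ALERTS = [
    Alert("A1", "db-prod-01", "outbound-connection", ["203.0.113.45"], 3),
    Alert("A2", "hr-laptop-17", "dns-query", ["updates.example"], 2),
    Alert("A3", "lab-vm-03", "outbound-connection", ["198.51.100.77"], 2),
    Alert("A4", "unknown-host-9", "new-process", [], 1),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

The point of the design is that enrichment happens once, when the event lands, so every later consumer (a dashboard, a correlation search, an analyst, an AI assistant) reads the same asset owner, criticality and IOC provenance rather than re-deriving it from a different system. The auto-closed list is kept rather than discarded, so the suppression decisions themselves remain searchable.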
