Suneth Mendis

A personal blog by a technologist and a leader contextualising thoughts…

Can AI Replace a SOC?

,

When Anthropic announced Claude for Security, I had a few messages almost immediately:

“So… is this the end of the SOC?”

Short answer? No.

Longer answer? Something far more interesting is happening.

And if you’re leading cyber, digital, or risk — this matters.

We’re Asking the Wrong Question

“Can AI replace a SOC?” is catchy, but it misses the point.

The real question is:

If AI can reason across security data better and faster than humans, what should humans now be doing?

That’s a much more strategic conversation. Because most SOCs today are still built on an industrial model:

  • High alert volumes
  • Tier 1 analysts triaging noise
  • Escalation chains
  • Fatigue
  • Rinse and repeat

AI doesn’t just optimise that model. It challenges why we built it that way in the first place.

What Claude (and Others) Change

Tools like Claude aren’t just automating runbooks.

They’re reasoning across:

  • Email content
  • Endpoint telemetry
  • Identity anomalies
  • Cloud logs
  • Threat intel

That contextual synthesis is something traditional SIEMs and rule engines have always struggled with. And let’s be honest — a lot of SOC work is pattern recognition across fragmented signals. AI is very good at that.

What AI Can Realistically Take Off Our Plate

Let’s not overcomplicate it.

AI can absolutely handle:

  • L1 triage
  • Alert enrichment
  • False positive filtering
  • Drafting investigation summaries
  • Running containment playbooks (with guardrails)

In many environments, that’s 60–70% of the workload. If you’re running a 24/7 team largely to deal with noise, AI will compress that model significantly. That’s not science fiction.

That’s operating leverage.

But Here’s What It Won’t Replace

Security isn’t just detection. It’s judgment.

It’s understanding:

  • What the business really values
  • Where your crown jewels sit
  • How much risk you’re willing to carry
  • When to shut something down
  • When to accept exposure

AI can recommend. It doesn’t own the decision. And when regulators, boards, or customers ask hard questions, the answer can’t be “the model thought it was fine.”

Accountability remains human.

The SOC Isn’t Dying. It’s Growing Up.

What I actually see happening is this:

We’re moving from an analyst-heavy SOC to an engineering-led security operations capability. Fewer people staring at dashboards. More people designing detections, automations, and guardrails. Less reactive.

More hypothesis-driven. Less noise. More signal. That’s a good thing.

If you’re a strong detection engineer or automation architect, your value is about to increase — not decrease.

The Risk We Need to Be Honest About

If AI becomes central to detection, we inherit new risks:

  • Model manipulation
  • Over-trust in probabilistic reasoning
  • Hallucinated conclusions during investigations
  • Attackers learning how to evade AI workflows

In other words: We now need to secure the AI that secures us. That’s not trivial. But it’s manageable — if we design properly.

For Boards and Executives

If I were sitting with a board, I wouldn’t frame this as:

“Can we replace the SOC with AI?”

I’d frame it as:

  • How much detection efficiency are we leaving on the table?
  • Are we investing in security engineers or just headcount?
  • How are we validating AI-driven security decisions?
  • What new control risks does AI introduce?

That’s where the maturity conversation sits.

My View

AI won’t replace the SOC. But it will absolutely replace low-leverage security work. And that’s something we should welcome. Because it gives us the opportunity to elevate security from a monitoring function to a strategic, engineering-led capability. This isn’t about fewer humans. It’s about better use of humans.

And if we approach it deliberately, the AI-era SOC will be:

  • Smaller
  • Smarter
  • Faster
  • And far more aligned to business risk

That’s a future I’m optimistic about.