If you work in a SOC, AI is already changing how you collect, detect, triage, investigate, and respond to threats. The question is no longer whether your team will use AI, but how well you'll use it.
I recently presented at SANS Secure Your Fortress 2026, and I want to share what I covered, because if you work in a SOC, this stuff matters right now.
Before I get into the tools, let me set up a simple framework. Every SOC does the same core things: collect data, detect threats within that data, triage the alerts that fire, investigate the ones that matter, and respond to what's real. Every one of those stages is being changed by AI, in some cases dramatically changed.
OpenAI conducted a survey across 600 customers to understand where AI delivers the most value. The top use cases were automation, research, coding, data analysis, and content creation. Those map almost directly to what SOC teams do every day, and that’s not a coincidence. The tools being built for the broader market are immediately applicable to security operations, and they are arriving fast.
Silent failures in logging pipelines are one of the most dangerous and underappreciated problems in security operations. A parser breaks, a firewall stops logging, someone quietly changes logging settings, and you don't find out until you're reconstructing an attack after the fact and realize you should have had a detection on it.
The old way was static rules and periodic penetration tests, hoping you'd catch the problem. AI-powered platforms can now continuously watch your data flows, monitor schema changes, and flag anomalies before they become blind spots. The new approach is always on, which is an important capability.
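As an added illustration of the "always on" monitoring described above (example code written for this post, not a product or the author's own tooling), the check below runs over a constructed batch of parsed events and flags the two silent-failure modes named in the text: a source that has gone quiet relative to its expected cadence, and a parser that has stopped emitting a field it used to produce. The baseline cadence and required fields are assumptions; a real pipeline would learn them from history.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: each dict is what a parser emitted for one log line.
# The edge firewall stops logging after 10:05, and the proxy parser loses
# the "dst_host" field (a schema change) after a config edit at 10:40.
EVENTS = [
    {"source": "fw-edge", "ts": "2026-03-01T10:00:00Z", "src_ip": "10.0.0.5", "action": "allow"},
    {"source": "fw-edge", "ts": "2026-03-01T10:05:00Z", "src_ip": "10.0.0.7", "action": "deny"},
    {"source": "proxy", "ts": "2026-03-01T10:10:00Z", "src_ip": "10.0.0.5", "dst_host": "example.org"},
    {"source": "proxy", "ts": "2026-03-01T10:40:00Z", "src_ip": "10.0.0.9"},  # dst_host vanished
    {"source": "proxy", "ts": "2026-03-01T10:50:00Z", "src_ip": "10.0.0.9"},
    {"source": "edr", "ts": "2026-03-01T10:55:00Z", "host": "ws-12", "process": "svchost.exe"},
]

# Assumed baseline per source: longest acceptable gap and fields every event must carry.
# "dns" is configured but never arrives, the classic "someone turned it off" case.
BASELINE = {
    "fw-edge": {"max_silence_min": 15, "required": {"src_ip", "action"}},
    "proxy": {"max_silence_min": 30, "required": {"src_ip", "dst_host"}},
    "edr": {"max_silence_min": 30, "required": {"host", "process"}},
    "dns": {"max_silence_min": 30, "required": {"query"}},
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_pipeline(events, baseline, now):
    """Return sorted (source, problem) findings for silent or schema-drifted sources."""
    last_seen = {}
    missing = defaultdict(Counter)
    for e in events:
        src, ts = e["source"], parse_ts(e["ts"])
        last_seen[src] = max(ts, last_seen.get(src, ts))
        for field in baseline.get(src, {}).get("required", ()):
            if field not in e:
                missing[src][field] += 1
    findings = []
    for src, rule in baseline.items():
        if src not in last_seen:
            findings.append((src, "never seen"))
            continue
        gap_min = (now - last_seen[src]).total_seconds() / 60
        if gap_min > rule["max_silence_min"]:
            findings.append((src, f"silent for {gap_min:.0f} min"))
        for field, n in sorted(missing[src].items()):
            findings.append((src, f"field '{field}' missing in {n} events"))
    return sorted(findings)


if __name__ == "__main__":
    for src, problem in check_pipeline(EVENTS, BASELINE, parse_ts("2026-03-01T11:00:00Z")):
        print(f"{src}: {problem}")
```

Run on a schedule, a non-empty result is the alert; the healthy EDR source produces no finding while the silent firewall, the drifted proxy parser and the never-seen DNS feed each do.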
Keeping detection coverage current has always been overwhelming. You'd tag rules, do manual coverage checks, maybe do some purple teaming, and hope things stayed up to date. A lot of the time, whether those rules actually got reviewed came down to the opinion of whoever was on the team that week.
Now there are AI-based platforms that let you ask natural language questions. Are we covered for the techniques used in that supply chain breach that was in the news last week? You get back not just an answer, but automatically generated and deployed detections with clear coverage metrics. AI can allow more proactive coverage, fewer false positives, and easy coverage metrics, things every SOC needs but rarely has the capacity to maintain well.
Here's the phishing problem that never had a great solution. The hardest emails to catch aren't the ones with malicious links or file attachments. They're the ones that are just text: a convincing request to wire money or share credentials, with nothing for a sandbox to analyze. Catching scam text required manual review by someone who really understood how scams worked.
AI is built to understand language. It is the perfect tool for exactly this problem. You can now break phishing analysis into parallel agent workstreams, with one evaluating email content for scam language, another analyzing file attachments, and another assessing linked URLs. The result is a categorized verdict with minimal analyst involvement. I'm predicting phishing is going to continue to decrease as an effective entry vector, and we're already seeing evidence of this in the most recent Mandiant M-Trends report.
One of the hardest things about triage has always been context. No single analyst can hold it all in their head: which systems are critical, which users have elevated access, and which services are customer-facing. AI can load all of that and use it to rank alerts more accurately and consistently than any static severity formula.
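To make the contrast with a static severity formula concrete, here is an added example (written for this post, not from any product) that ranks a constructed set of alerts using exactly the context the paragraph lists: which systems are critical, which users have elevated access, and which services are customer-facing. The asset and user inventories, the alerts and the weights are all assumptions; the point is that a "low" alert on a critical database under a privileged account outranks a "high" alert on an ordinary workstation.

```python
# Constructed context that an analyst would otherwise have to carry in their head.
ASSETS = {
    "db-prod-01": {"critical": True, "customer_facing": False},
    "web-01": {"critical": True, "customer_facing": True},
    "ws-12": {"critical": False, "customer_facing": False},
}
USERS = {"svc_backup": {"privileged": True}, "jdoe": {"privileged": False}}

# Constructed alerts with the static severity the detection rule assigned.
ALERTS = [
    {"id": 1, "severity": "low", "host": "db-prod-01", "user": "svc_backup", "rule": "new local admin created"},
    {"id": 2, "severity": "high", "host": "ws-12", "user": "jdoe", "rule": "macro document opened"},
    {"id": 3, "severity": "medium", "host": "web-01", "user": "jdoe", "rule": "webshell-like request"},
    {"id": 4, "severity": "medium", "host": "unknown-host", "user": "jdoe", "rule": "suspicious download"},
]

SEVERITY_BASE = {"low": 1, "medium": 3, "high": 5}
# Assumed weights; in practice these are tuned per environment.
WEIGHTS = {"critical": 3, "customer_facing": 2, "privileged": 3, "unknown_asset": 1}


def score(alert, assets=ASSETS, users=USERS):
    """Static severity plus context bonuses; unknown assets get a small bump for enrichment."""
    s = SEVERITY_BASE[alert["severity"]]
    asset = assets.get(alert["host"])
    if asset is None:
        s += WEIGHTS["unknown_asset"]  # inventory gap: worth a look, not a guess
    else:
        s += WEIGHTS["critical"] * asset["critical"]
        s += WEIGHTS["customer_facing"] * asset["customer_facing"]
    if users.get(alert["user"], {}).get("privileged"):
        s += WEIGHTS["privileged"]
    return s


def rank(alerts, assets=ASSETS, users=USERS):
    """Highest contextual score first; ties broken by alert id so the order is deterministic."""
    return sorted(alerts, key=lambda a: (-score(a, assets, users), a["id"]))


if __name__ == "__main__":
    for a in rank(ALERTS):
        print(score(a), a["id"], a["severity"], a["host"], a["user"], a["rule"])
```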
At the investigation stage, things get even more interesting. I saw a demo where instead of just giving you answers, the tool suggests the questions you should be asking. What users authenticated to this host in the last seven days? What network connections were established within 15 minutes of this Mimikatz execution? That kind of context-specific guidance can be a game changer, especially for newer analysts who would otherwise have to track down a senior analyst to know where to start.
Query languages across different security tools have always been a barrier. AI is like a universal translator, and that is a superpower. You can now just ask in plain language: show me publicly exposed S3 buckets, summarize all alerts from the last 24 hours, or block this domain on the firewall. Those requests get translated into the right queries or API calls automatically. You can even do it by voice. I personally use a tool called Wisprflow for AI-powered dictation, and the accuracy is remarkable. You can speak and record text on screen as fast as you can think it.
Agentic automation goes even further. Traditional SOAR playbooks are mostly deterministic. One unexpected input and the whole workflow breaks. Agentic systems can dynamically direct their own tool usage, loop until they've achieved a goal, and automate things that were genuinely non-automatable before. That unlocks a new class of workflow automation that is, frankly, exciting.
This is the question I get asked the most, and honestly, it's been haunting me for a while. I've been asking nearly everyone I can: what do you think is going to happen to SOC analyst roles?
Here's where I've landed based on what we see today. AI is great at processing and synthesizing large amounts of data, flexible automation, pattern recognition, and context-aware guidance. Humans are still essential for critical decision making, approving high-stakes actions, verifying important results, and deep-dive investigation when the situation demands it.
What that means practically is that SOC analyst roles are going to expand in scope. Whether there will be fewer analysts per team is a separate question, and that part is yet to be seen. As agents handle more execution work, analysts will function more like generalists, reviewing and approving the output of multiple specialized agents across different domains. Specialty roles are going to converge. That doesn't mean you need less knowledge. You still have to be able to verify whether what the AI did was correct.
My specific recommendations for where to focus your skills:
I want you to take action. Here's where I'd start:
These are as close to magic as anything we have right now, and they will absolutely up your security operations game if you use them.
The SOC of 2026 looks different from the SOC of even two years ago. AI is changing what analysts spend their time on and raising the ceiling on what small teams can accomplish. The practitioners who adapt fastest will be the ones who start experimenting now, build familiarity with these tools, and develop the generalist judgment needed to supervise and verify AI-powered workflows.
If you want to go deeper on AI in security operations, check out my course SEC450: SOC Analyst Training – Applied Skills for Cyber Defense Operations, and tune into my podcast, Blueprint, at blueprintpodcast.live or wherever you get your podcasts.
Want to see this in action? Take a look at the full presentation from SANS Secure Your Fortress 2026 on YouTube, where I walk through live demos, tool breakdowns, and what I think the future of the SOC actually looks like. Watch the full presentation here.


John is a Senior SANS Instructor and SOC consultant, author of SEC450 and LDR551. With deep SOC leadership experience, GIAC certifications, and hands-on labs, he equips cyber defenders with the skills to hunt, detect, and lead resilient operations.