The cybersecurity landscape is buzzing with talk of fully autonomous security operations centers, a vision that has sparked both excitement and unease among practitioners who imagine rows of empty desks and machines making all the calls. At Infosecurity Europe 2026, however, the leading vendors presenting their newest platforms converged on a surprising consensus: the goal is not to eliminate human analysts but to liberate them from the most tedious, repetitive tasks that have long drained morale and productivity. Rather than chasing a myth of total automation, the conversation shifted toward how artificial intelligence can act as a force multiplier, handling the initial triage of alerts at machine speed while leaving the nuanced judgment, contextual reasoning, and strategic oversight to people. This reframing addresses a deep‑seated fear that AI will render security teams obsolete, replacing it with a more optimistic narrative where technology elevates the role of the analyst from ticket‑taker to investigator and engineer. By stripping away the copy‑pasting and low‑level ticket management that has plagued SOCs for over a decade, vendors argue that AI can create a leaner, smarter operation where human expertise is applied where it matters most—detecting sophisticated threats, refining detection logic, and guiding proactive defense initiatives.

Central to this vision is the insistence that AI systems must operate as transparent ‘glass boxes’ rather than opaque black boxes whose inner workings remain hidden from the analysts who rely on them. Brett Candon, VP of International at Dropzone AI, emphasized that true autonomy in security operations can only be achieved when every procedural step taken by an AI model is logged, explainable, and open to audit. This transparency enables human reviewers to trace the rationale behind each automated decision, verify that the model is applying the correct heuristics, and intervene when anomalies arise. By contrast, a black‑box approach would leave analysts guessing why an alert was escalated or dismissed, eroding trust and potentially allowing harmful blind spots to persist. Candon argued that when the AI’s reasoning is visible, it becomes a supportive partner that handles the heavy lifting of data collection, enrichment, and preliminary correlation, while humans retain ultimate authority over judgment calls. This model not only improves accountability but also accelerates learning, as analysts can study the AI’s workflows to understand detection patterns and improve their own investigative techniques. In practice, glass‑box AI fosters a culture of continuous validation, where the machine and the analyst constantly challenge each other to raise the bar for detection accuracy and response speed.

Human‑in‑the‑loop validation emerged as another non‑negotiable pillar of the autonomous SOC concept, with Patricia Titus, Field CISO at Abnormal AI, stressing that organizations still need sharp minds to periodically verify that their AI tools are performing as intended. Titus cautioned that without regular human oversight, even the most sophisticated models can drift, miss emerging tactics, or generate false positives that waste valuable analyst time. She described a routine where security personnel revisit the data periodically, scrutinize the AI’s outputs, and confirm that the tool is catching the threats it was designed to detect. This iterative feedback loop serves as a safety net, catching model degradation before it leads to missed incidents or alert fatigue. Titus also highlighted that such validation does not require a return to manual, copy‑paste‑heavy processes; instead, analysts can leverage the AI’s own logs and visualizations to quickly assess performance. By embedding human judgment into the AI lifecycle—training, tuning, and monitoring—organizations create a resilient system where automation amplifies rather than replaces expertise. The result is a SOC that benefits from machine speed while retaining the adaptive, contextual insight that only seasoned professionals can provide, ensuring that the defense posture remains robust against evolving threats.
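The periodic review routine described above can be made measurable. The following is an added example, not code from the article or from any vendor named in it: it draws a stratified sample of AI verdicts for analyst review and reports whether the share of wrongly dismissed alerts is provably within a budget. The field names (`ai_verdict`, `analyst_verdict`) and the 5% budget are assumptions.

```python
import math
import random

def sample_for_review(alerts, per_verdict, seed=0):
    """Stratified sample: the same review effort for each AI verdict, so
    mistakes among 'dismissed' alerts are not hidden by sheer volume."""
    rng = random.Random(seed)
    groups = {}
    for alert in alerts:
        groups.setdefault(alert["ai_verdict"], []).append(alert)
    picked = []
    for verdict in sorted(groups):
        group = groups[verdict]
        picked += rng.sample(group, min(per_verdict, len(group)))
    return picked

def wilson_upper(errors, n, z=1.96):
    """Upper end of the 95% Wilson interval for an observed error rate."""
    if n == 0:
        return 1.0
    p = errors / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre + margin) / (1 + z * z / n)

def review_report(reviewed, max_miss_rate=0.05):
    """reviewed: sampled alerts carrying the analyst's own verdict.
    missed = AI dismissed it, analyst found it malicious (the costly error).
    noisy  = AI escalated it, analyst found it benign (wasted time)."""
    dismissed = [a for a in reviewed if a["ai_verdict"] == "dismissed"]
    escalated = [a for a in reviewed if a["ai_verdict"] == "escalated"]
    missed = sum(a["analyst_verdict"] == "malicious" for a in dismissed)
    noisy = sum(a["analyst_verdict"] == "benign" for a in escalated)
    bound = wilson_upper(missed, len(dismissed))
    return {"missed": missed, "noisy": noisy,
            "miss_rate_upper": bound,
            # A small sample with zero misses still fails: it proves little.
            "miss_rate_ok": bound <= max_miss_rate}

def constructed_alerts(n_dismissed, n_escalated, missed_ids=()):
    """Constructed sample data; field names are assumptions."""
    alerts = [{"id": i, "ai_verdict": "dismissed",
               "analyst_verdict": "malicious" if i in missed_ids else "benign"}
              for i in range(n_dismissed)]
    alerts += [{"id": n_dismissed + i, "ai_verdict": "escalated",
                "analyst_verdict": "malicious"} for i in range(n_escalated)]
    return alerts

if __name__ == "__main__":
    queue = constructed_alerts(400, 40, missed_ids={7, 123})
    print(review_report(sample_for_review(queue, per_verdict=100)))
```

Reviewing 20 dismissed alerts and finding no misses does not pass the check, while 100 clean reviews does; the sample size of each review cycle matters as much as its frequency.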

The effectiveness of any AI‑driven security operation hinges on the quality and completeness of the underlying data infrastructure, a point underscored by Yonni Shelmerdine, Chief Product Officer at Vega Security. Shelmerdine warned that no amount of algorithmic sophistication can compensate for gaps in the security data pipeline; if critical logs are missing, filtered out, or delayed due to cost‑cutting measures such as aggressive cloud storage throttling, the AI will be blind to the very events it needs to analyze. He illustrated this with a scenario where a surge in cloud expenses leads an organization to archive or discard raw network flows, leaving the AI with an incomplete picture of lateral movement or data exfiltration attempts. In such cases, even a ‘super‑duper’ AI bot cannot infer what it never sees, underscoring the necessity of investing in resilient, scalable data collection and retention strategies. Shelmerdine advised that organizations treat their data architecture as a foundational layer, on par with the AI models themselves, ensuring that logs are ingested in real time, normalized, and made readily queryable. By aligning data engineering efforts with AI deployment, companies can avoid the pitfall of purchasing powerful analytics tools that are hamstrung by inadequate feeds. Ultimately, a strong data pipeline enables the AI to deliver accurate, timely insights, while giving human analysts the confidence to trust and act upon those insights.
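A data-pipeline health check for the failure modes named above (logs missing, dropped, or delayed) can be as simple as comparing what arrived against an inventory of what should arrive. This is an added example, not code from the article or from Vega Security; the source names, thresholds, and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

MIN = timedelta(minutes=1)
# Assumed inventory: sources the detections depend on, the longest tolerable
# gap since the last event, and the longest tolerable median ingest delay.
EXPECTED = {
    "netflow":    {"max_silence": 5 * MIN,  "max_lag": 2 * MIN},
    "edr":        {"max_silence": 10 * MIN, "max_lag": 2 * MIN},
    "cloudtrail": {"max_silence": 30 * MIN, "max_lag": 15 * MIN},
    "dns":        {"max_silence": 5 * MIN,  "max_lag": 2 * MIN},
}

def pipeline_health(events, now, expected=EXPECTED):
    """events: iterable of (source, event_time, ingest_time) tuples.
    Returns {source: status}, status in missing / silent / delayed / ok."""
    seen = {}
    for source, event_time, ingest_time in events:
        s = seen.setdefault(source, {"last": event_time, "lags": []})
        s["last"] = max(s["last"], event_time)
        s["lags"].append((ingest_time - event_time).total_seconds())
    report = {}
    for source, limits in expected.items():
        s = seen.get(source)
        if s is None:
            report[source] = "missing"      # never arrived at all
        elif now - s["last"] > limits["max_silence"]:
            report[source] = "silent"       # was flowing, then stopped
        elif median(s["lags"]) > limits["max_lag"].total_seconds():
            report[source] = "delayed"      # arrives too late for triage
        else:
            report[source] = "ok"
    return report

def at(hhmm):
    """Constructed timestamp on an arbitrary sample day (UTC)."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2026, 1, 1, h, m, tzinfo=timezone.utc)

NOW = at("12:00")
SAMPLE = [  # constructed events: (source, event_time, ingest_time)
    ("netflow", at("11:38"), at("11:39")),     # flows stop at 11:40
    ("netflow", at("11:40"), at("11:41")),
    ("edr", at("11:57"), at("11:57")),
    ("edr", at("11:59"), at("12:00")),
    ("cloudtrail", at("11:30"), at("11:55")),  # 25 minutes late
    ("cloudtrail", at("11:35"), at("11:58")),  # 23 minutes late
]

if __name__ == "__main__":
    for source, status in pipeline_health(SAMPLE, NOW).items():
        print(f"{source:12} {status}")
```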

Far from eliminating entry‑level positions, the integration of AI is reshaping the daily responsibilities of junior security professionals, giving rise to a new hybrid role that vendors have dubbed the ‘tier‑1.5 analyst.’ Brett Candon explained that when AI assumes the burden of initial triage—collecting alerts, enriching them with threat intelligence, and performing basic correlation—junior defenders are no longer stuck performing repetitive copy‑pasting tasks. Instead, they step into a supervisory capacity, overseeing the AI’s investigations, validating its conclusions, and escalating only those cases that truly require human judgment. This shift allows newcomers to engage with higher‑order analytical work from day one, accelerating their learning curve and exposing them to complex scenarios that would traditionally take years to encounter. The tier‑1.5 concept also creates a clear pathway for career progression: as analysts become proficient at auditing AI outputs and refining detection rules, they naturally transition into more specialized functions such as threat hunting, malware reverse engineering, or security architecture design. By redefining entry‑level work in this manner, organizations can retain talent that might otherwise become disillusioned by monotonous tasks, while simultaneously building a workforce that is adept at collaborating with intelligent automation.

The impact of this transformation on job satisfaction and career velocity has been notable, according to Candon, who observed that analysts report feeling more engaged and valuable when they are spared the grind of manual ticket handling. When AI handles the tedious initial triage at machine speed, human analysts can devote their cognitive resources to interpreting context, assessing business impact, and devising targeted remediation strategies. This shift not only reduces burnout but also fosters a sense of accomplishment, as employees see the direct outcomes of their investigative work rather than feeling like cogs in a repetitive process. Moreover, the accelerated exposure to complex investigations enables organizations to promote junior staff into specialized roles far sooner than traditional timelines would allow. A promising analyst who might have spent two years mastering basic log correlation can, within months, be leading threat‑hunt exercises or tuning detection rules under the guidance of senior engineers. This rapid upskilling benefits both the employee, who gains market‑valuable expertise faster, and the employer, who cultivates a deeper bench of skilled professionals capable of handling high‑severity incidents. In essence, AI acts as a catalyst that converts potential frustration into motivation, turning burned‑out ticket takers into strategic cyber engineers who contribute to the organization’s long‑term resilience.

Patricia Titus shared a concrete blueprint from her own team at Abnormal AI that illustrates how organizations can operationalize this shift without sacrificing entry‑level talent. After deploying Abnormal AI’s behavioral‑modeling platform, her group discovered that the need for five permanent, full‑time tier‑1 ticket takers had evaporated; the AI was handling the bulk of low‑level alert processing with high accuracy. Rather than laying off those positions, Titus opted to redeploy the existing full‑time staff into higher‑value responsibilities, immediately elevating them to handle truly tier‑3 level investigations such as advanced persistent threat tracking and sophisticated malware analysis. To address the residual tier‑1 workload—primarily educational and foundational tasks—she created a university intern program that brings in college students to learn the grassroots basics of email security, behavioral analytics, and alert triage alongside the AI system. Interns spend their time reviewing AI‑generated workflows, dissecting why certain alerts were flagged or dismissed, and gradually taking on supervised investigative duties. By the time they graduate, these interns possess a deep understanding of both the underlying security concepts and the mechanics of AI‑driven automation, making them prime candidates for full‑time hire. Titus argued that this approach not only preserves a pipeline of skilled talent but also ensures that the organization retains the capability to fall back on manual processes should the AI encounter an unexpected failure or require a major update.

Titus’s advocacy against completely erasing entry‑level roles rests on a pragmatic principle: resilience. She warned that organizations that dismiss the idea of maintaining a tier‑1 workforce risk being left defenseless if the AI system experiences downtime, model drift, or a sudden change in the threat landscape that the automation has not been trained to handle. In such scenarios, the ability to revert to fundamental security practices—manual log review, basic correlation, and rudimentary triage—becomes essential for maintaining situational awareness and preventing escalation. By preserving a cadre of analysts who understand the grassroots of security operations, companies retain a vital fallback mechanism that can be activated during crises, ensuring continuity of monitoring and response. Furthermore, a solid tier‑1 foundation facilitates smoother AI audits, as analysts who have performed the underlying tasks manually are better equipped to spot inconsistencies in automated outputs. Titus emphasized that the goal is not to create a redundant duplicate of manual work but to keep a thin, knowledgeable layer capable of stepping in when needed. This layered approach balances the efficiency gains of automation with the robustness that comes from human depth, producing a SOC that is both agile and resilient in the face of uncertainty.

Looking ahead, Yonni Shelmerdine of Vega Security predicts the emergence of a new professional archetype: the cyber defense engineer. As AI assumes the role of the automated triage engine, advanced defenders are beginning to see themselves less as passive analysts who merely react to alerts and more as active builders who design, tune, and extend the security infrastructure itself. Shelmerdine described these engineers as professionals who control their SecOps platforms through advanced management protocols and natural language interfaces, effectively ‘vibe coding’ their queries, hunts, dashboards, reports, and triage logic. Rather than spending hours chasing down low‑priority notifications, their daily focus shifts toward proactively engineering better detection postures, refining behavioral models, and optimizing the AI tools that support them. This mindset encourages a continuous improvement loop where engineers treat the SOC as a programmable system, constantly experimenting with new detection hypotheses, validating them against live data, and iterating on the underlying code. By embracing this engineering mindset, security teams can move beyond reactive firefighting and invest in long‑term resilience, anticipating attacker techniques before they manifest in the wild. The cyber defense engineer thus represents a synthesis of traditional security expertise, software engineering skills, and AI fluency—a profile that is increasingly sought after as organizations strive to build smarter, more adaptive defenses.

For organizations aiming to reap the benefits of AI‑enhanced SOCs while avoiding the pitfalls of over‑automation, several practical steps can guide a successful transition. First, invest in transparency: choose AI solutions that provide detailed audit trails, model explanations, and easy‑to‑read logs, enabling analysts to verify and learn from automated decisions. Second, fortify the data pipeline: ensure that critical security logs are ingested in real time, retained for sufficient periods, and normalized across sources, treating data engineering as a core component of the AI investment. Third, redesign job roles around the tier‑1.5 concept, giving junior staff supervisory and auditing responsibilities over AI‑driven investigations while providing clear pathways to specialization. Fourth, establish a human‑in‑the‑loop validation schedule—regular, structured reviews of AI performance that involve both junior and senior analysts. Fifth, consider internship or apprenticeship programs that pair educational institutions with the SOC, using AI as a teaching aid to accelerate skill acquisition. Sixth, foster a culture of continuous learning where analysts are encouraged to experiment with natural‑language queries and custom detection rules, thereby evolving into cyber defense engineers. By following these steps, companies can harness AI’s speed and scalability without sacrificing the human insight that is essential for effective threat detection and response.

The optimistic vision presented by vendors must be weighed against the broader market context, where sweeping layoffs have rippled through the technology and cybersecurity sectors, creating pressure on organizations to cut costs wherever possible. In such an environment, the promise of reducing headcount through automation can become tempting, potentially leading some enterprises to pursue pure AI‑driven SOCs at the expense of human expertise. However, the analysts and engineers interviewed cautioned that short‑term savings from eliminating analysts could be offset by long‑term risks: missed detections, slower incident response, and erosion of organizational knowledge that hampers future innovation. Moreover, a SOC stripped of human oversight may struggle to adapt to novel attack vectors that fall outside the training data of its models, resulting in blind spots that attackers can exploit. Historical precedents in other industries show that over‑reliance on automation without adequate human governance often leads to compliance failures, reputational damage, and increased breach costs. Therefore, while economic pressures are real, the strategic recommendation is to view AI as a force multiplier rather than a replacement, preserving a core of skilled talent that can guide, validate, and extend the capabilities of automated systems. This balanced approach not only safeguards security posture but also positions the organization to attract and retain top talent in a competitive market.

In conclusion, the narrative emerging from Infosecurity Europe 2026 is clear: the autonomous SOC is not an empty room filled with silent machines, but a smarter, more agile operation where AI handles the repetitive grunt work and humans focus on analysis, engineering, and strategic decision‑making. By treating AI as a transparent, collaborative partner, investing in robust data pipelines, redefining entry‑level roles, and nurturing the next generation of cyber defense engineers, organizations can transform their security posture from a reactive cost center into a proactive, resilient advantage. For security leaders looking to act on these insights, the immediate actions are: evaluate current AI tools for explainability and auditability; conduct a data‑pipeline health check to ensure no critical logs are being lost; pilot a tier‑1.5 analyst model with a small team to measure impact on satisfaction and efficiency; launch an internship or apprenticeship program that leverages AI as a learning aid; and set up a regular validation cadence where humans review AI outputs and feed findings back into model tuning. These steps will help capture the benefits of automation while safeguarding the human expertise that remains indispensable to effective cybersecurity defense. The future of the SOC lies not in replacing people, but in empowering them to do higher‑value work with the support of intelligent technology.