

Security teams have always lived with asymmetry. Attackers can choose the time, the target, and the technique. Defenders have to be right across the entire environment, all the time.
AI accelerates that asymmetry. It compresses the attacker’s cycle time, scales their experimentation, and increases their precision. And it forces a hard conclusion: at a certain point, human-speed defense becomes structurally insufficient.
As Anomali Sr. Advisor Christian Karam said in a recent webinar, “We are realizing that machine attacks will need machine defenders.” That statement is less a prediction than a design constraint for the modern SOC.
There is a common mistake in AI conversations: focusing on tools before you reconsider the operating model.
Christian framed this as a broader shift:
“This is a redesign of business models as well for security teams. I think the business of security is about to change.”
If security is becoming an always-on, machine-speed function, the SOC cannot remain organized around workflows that assume humans must inspect, label, and triage everything.
The future SOC still needs expert analysts. But their job changes. Instead of spending their day doing high-volume classification and repetitive triage, they become stewards of:
Christian described this division of labor clearly: “There are certain things that are meant to be done by the machine and some other things are meant to be done by expert analysts to be the stewards of how to run operations across the enterprise.”
Speed is part of the story, but not the whole story. AI will let defenders move faster, but it also forces defenders to understand more.
Christian pointed out a key challenge in security operations today: defenders are trained to look at artifacts, but modern attacks increasingly require understanding intent and business impact to truly understand risk. “We have to understand what are the revenue drivers? What is the supply chain? Why this partner is crucial for the business?” he said. That understanding is what enables a SOC to prioritize correctly when a machine flags an anomaly that could be harmless or catastrophic depending on business context.
This is also why the most effective AI-enabled SOCs will be the ones that embed into business operations rather than remaining a detached monitoring function.
As AI becomes more embedded in business processes, the differentiation comes from what only your organization knows.
Christian made an important point that many teams learn the hard way, saying, “I actually think it's very difficult to outsource that to a vendor partner. Only you within your internal organization can understand the fabric of how the business operates and what should be done around it.”
Vendors can provide platforms and tooling, and they can help operationalize patterns. But the highest value layer is the business-specific logic: what matters, what is acceptable risk, what should trigger containment, and what cannot afford downtime.
AI increases, not decreases, responsibility.
A machine-defended SOC is not one that generates more detections. It is one that executes safer outcomes faster. That requires a deliberate approach to automation. Not everything should be automated. But the right things should be automated aggressively.
If you want a practical principle, start here:
Christian also offered a vendor-side challenge that applies to every SOC buyer, noting, “They need to understand the agency, not just selling the tool and features and software.” Translation: demand solutions that help you achieve outcomes, not dashboards that help you manage noise.
The SOC transformation is not so much a single purchase as a roadmap.
“We're focused on the qualification of the use case unless it has a business case. And so therefore there is a security tollgate that is very important before you put something in production and release,” Christian said, describing how organizations are becoming more disciplined, including governance and qualification gates before production.
That same discipline should apply to SOC modernization:
The “machine defender” idea is not about replacing people, but about putting people where they create the most value and letting systems handle what systems do best.
For the full conversation on how SOCs must evolve and why context becomes the security differentiator, go listen to the on-demand webinar The Road Ahead for Agentic AI and Security Operations.

