How AI agents are driving the future of security operations

AI agents can transform security operations and ease workloads, but security teams need to look past the hype to find tools that truly augment human analysts and deliver measurable outcomes

By Craig Lawson

Published: 10 Dec 2025

As organisations face mounting pressure to scale threat detection, investigation and response with leaner teams, many are turning to artificial intelligence (AI)-driven solutions to support this shift.

At the same time, there’s growing demand for security operations centres (SOCs) to evolve beyond the limits of human scale as threats continue to become more complex.

This is where AI SOC agents are starting to play an important role, enabling organisations to manage the entire threat management lifecycle.

Yet beneath the buzz of full autonomy and “magic button” solutions lies a market still in its infancy. Startups, already flush with VC funding, are flooding in, each with different approaches and design principles, making it harder than ever to separate substance from spin.

Gartner predicts 70% of large SOCs will pilot AI agents to augment operations by 2028, but only 15% will achieve measurable improvements without structured evaluations.

The potential of AI agents to transform security operations and ease workloads is real, but only if approached with rigour and evaluated through an outcome-driven lens. 

Unlocking genuine value means looking past the hype. Carefully evaluating how AI SOC agents perform, integrate into existing systems and deliver measurable outcomes is essential before making strategic decisions in this rapidly evolving space.

Done right, SOCs will gain the ability to operate with greater independence, coupled with human oversight, to ensure an organisation is more resilient.

Transforming security operations

Security teams are currently running on empty. Analysts are buried in alerts and stretched too thin to keep up with the relentless pace of threats. In this environment, AI is no longer just another tool – it’s becoming an integral part of the team.

AI SOC agents represent a new wave of automation in cyber security. They help complement existing automation tools to do more than just detect and triage – they act, learn from evolving threats, adapt to changing environments and collaborate with human analysts.

By interpreting natural language queries, enriching alerts with context from real-time threat intelligence and recommending next steps during investigations, AI SOC agents help organisations manage security operations at machine speed and scale.

The benefits are already being realised by security teams under pressure. Automating high-volume tasks reduces manual workloads so analysts can focus on complex investigations and strategic priorities. These agents drive greater consistency across processes, bridging skill gaps so even less experienced team members can handle more complex tasks based on the tribal knowledge AI SOC agents have captured.

Despite rapid advances, the idea that AI SOC agents can fully replace human expertise in security operations is a myth. Today’s reality is one of collaboration – AI agents are emerging as powerful facilitators, not autonomous replacements. The future of security operations will be shaped by how well organisations blend AI-driven augmentation with skilled human judgement.

Proceed with caution

Evaluating AI SOC agents should be approached with scepticism. In this early-stage market, vendors often overpromise, sometimes engaging in “AI agent washing,” so it’s important to validate claims through real-world performance in your own organisation. The clearest demonstration of effectiveness and efficacy is a proof of concept run within your own environment.

Full autonomy also isn’t viable today. While AI agents can augment security operations, they can’t replace human security analysts. Some tasks will benefit more from AI augmentation than others, and human oversight remains crucial for complex decision making. Gartner predicts 45% of SOCs will reevaluate their build-versus-buy decisions for AI detection technology by 2027, with an emphasis on enhancing analyst capabilities.

Hidden costs can also present challenges. Pricing models may be tied to usage or require “bring your own AI” arrangements, and certain features could be capped or restricted as operational demand grows.

In addition, poor interoperability with existing tools or workflow inefficiencies can create new silos within security operations, or require costly re-architecture if the vendor supports only specific product sets.

Getting started

Start by defining scope and governance before deployment. Establish autonomy boundaries, escalation workflows and audit trail requirements to maintain oversight as agents take on more operational tasks.
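The three controls named above (autonomy boundaries, escalation workflows and an audit trail) can be expressed as a single gate that every agent action passes through. The following Python is an added illustration of that pattern; it is not code from the article, from Gartner or from any AI SOC product, and the action names, the three tiers and the policy table are constructed assumptions. Actions the policy has not classified default to the most restrictive tier, which is the check most pilots forget.

```python
"""Autonomy boundaries, escalation and an audit trail for agent actions.

Added illustration; this is not code from the article, from Gartner or from
any AI SOC product. The action names, tiers and the policy table are
constructed assumptions chosen to show the control pattern.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed autonomy policy. "auto": the agent may act on its own;
# "approve": the agent may act only after a named analyst approves;
# "deny": the agent may recommend but never execute.
AUTONOMY_POLICY = {
    "enrich_alert": "auto",
    "query_siem": "auto",
    "isolate_host": "approve",
    "disable_account": "approve",
    "delete_mailbox": "deny",
}


@dataclass
class AuditRecord:
    """One line of the audit trail for an agent action request."""
    timestamp: str
    agent: str
    action: str
    target: str
    decision: str                 # "executed", "escalated" or "blocked"
    approver: Optional[str]
    rationale: str


@dataclass
class ActionGate:
    """Gate every agent action through the policy and record the outcome."""
    policy: dict
    audit_log: list = field(default_factory=list)

    def request(self, agent: str, action: str, target: str,
                rationale: str, approver: Optional[str] = None) -> str:
        # Actions missing from the policy default to the most restrictive tier,
        # so a new capability cannot run until someone has classified it.
        tier = self.policy.get(action, "deny")
        if tier == "auto":
            decision = "executed"
        elif tier == "approve":
            decision = "executed" if approver else "escalated"
        else:
            decision = "blocked"
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            agent=agent, action=action, target=target, decision=decision,
            approver=approver if decision == "executed" else None,
            rationale=rationale,
        ))
        return decision

    def pending_escalations(self) -> list:
        """Requests still waiting for a human decision."""
        return [r for r in self.audit_log if r.decision == "escalated"]


def demo() -> ActionGate:
    """Walk a constructed triage scenario through the gate."""
    gate = ActionGate(AUTONOMY_POLICY)
    gate.request("triage-agent", "enrich_alert", "alert-1042", "add TI context")
    gate.request("triage-agent", "isolate_host", "ws-017", "beaconing observed")
    gate.request("triage-agent", "isolate_host", "ws-017",
                 "beaconing observed", approver="analyst.jdoe")
    gate.request("triage-agent", "delete_mailbox", "user42", "phishing cleanup")
    gate.request("triage-agent", "rotate_all_keys", "tenant", "unclassified action")
    return gate


if __name__ == "__main__":
    for rec in demo().audit_log:
        print(f"{rec.action:16} {rec.target:12} -> {rec.decision}")
```

In practice the audit log would be written to append-only storage rather than a list, and the approver field would come from the escalation workflow's ticket rather than a call argument; the gate logic itself stays the same.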

Every investment should be tied to measurable outcomes such as improvements in mean time to respond (MTTR) and mean time to contain (MTTC), or reductions in false positives or analyst workload. Ask vendors for evidence of operational improvements in environments like your own before making any commitments.
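Computing these outcomes from a baseline period and a pilot period is the concrete form of the evaluation above. The following Python is an added illustration, not code from the article or from Gartner: the incident records and field names are constructed sample data, and measuring MTTR and MTTC over true positives only (a false positive has no containment, so it would otherwise distort the averages) is a stated assumption.

```python
"""Outcome metrics for an AI SOC agent pilot: MTTR, MTTC and false-positive rate.

Added illustration; not code from the article or from Gartner. The incident
records and the field names are constructed sample data, and the choice to
measure MTTR/MTTC over true positives only is an assumption stated here.
"""
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed baseline (manual triage) and pilot (agent-assisted) records.
# Timestamps are ISO 8601; a false positive is closed without containment.
BASELINE = [
    {"id": "b1", "detected": "2025-01-06T09:00", "contained": "2025-01-06T13:00",
     "resolved": "2025-01-07T09:00", "false_positive": False},
    {"id": "b2", "detected": "2025-01-06T10:00", "contained": "2025-01-06T12:00",
     "resolved": "2025-01-06T18:00", "false_positive": False},
    {"id": "b3", "detected": "2025-01-06T11:00", "contained": None,
     "resolved": "2025-01-06T12:00", "false_positive": True},
    {"id": "b4", "detected": "2025-01-06T14:00", "contained": None,
     "resolved": "2025-01-06T15:00", "false_positive": True},
]
PILOT = [
    {"id": "p1", "detected": "2025-03-03T09:00", "contained": "2025-03-03T09:30",
     "resolved": "2025-03-03T13:00", "false_positive": False},
    {"id": "p2", "detected": "2025-03-03T10:00", "contained": "2025-03-03T10:30",
     "resolved": "2025-03-03T12:00", "false_positive": False},
    {"id": "p3", "detected": "2025-03-03T11:00", "contained": "2025-03-03T11:30",
     "resolved": "2025-03-03T17:00", "false_positive": False},
    {"id": "p4", "detected": "2025-03-03T12:00", "contained": None,
     "resolved": "2025-03-03T12:10", "false_positive": True},
]


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def true_positives(records):
    return [r for r in records if not r["false_positive"]]


def mttr_hours(records) -> Optional[float]:
    """Mean time from detection to resolution over true positives; None if there are none."""
    tp = true_positives(records)
    return mean(hours_between(r["detected"], r["resolved"]) for r in tp) if tp else None


def mttc_hours(records) -> Optional[float]:
    """Mean time from detection to containment over true positives that were contained."""
    tp = [r for r in true_positives(records) if r["contained"]]
    return mean(hours_between(r["detected"], r["contained"]) for r in tp) if tp else None


def false_positive_rate(records) -> Optional[float]:
    """Share of closed alerts that turned out to be false positives."""
    return sum(r["false_positive"] for r in records) / len(records) if records else None


def compare(baseline, pilot) -> dict:
    """Baseline vs pilot for each metric, with the percentage change (negative is better)."""
    out = {}
    for name, fn in (("mttr_hours", mttr_hours), ("mttc_hours", mttc_hours),
                     ("false_positive_rate", false_positive_rate)):
        b, p = fn(baseline), fn(pilot)
        change = round((p - b) / b * 100, 1) if b not in (None, 0) and p is not None else None
        out[name] = {"baseline": b, "pilot": p, "change_pct": change}
    return out


if __name__ == "__main__":
    for metric, v in compare(BASELINE, PILOT).items():
        print(f"{metric:20} baseline={v['baseline']} pilot={v['pilot']} change={v['change_pct']}%")
```

Run against export data from your own case management system rather than the constructed records, and compare periods of equal length and comparable alert mix, otherwise the percentage change measures seasonality rather than the agent.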

Vendor viability is critical in this rapidly evolving market. Favour providers that are transparent about their roadmap and funding stability – and those with a track record of success with similar organisations. Treat vendor selection as part of the broader risk management strategy.

Seamless integration should be a top priority. AI SOC agents must work seamlessly with your existing security stack without introducing unnecessary complexity or requiring extensive retraining of staff.

Finally, consider alternatives before making any decision. Enhanced automation from current providers may meet immediate needs; managed services can offer operational AI capabilities without major disruption; or prototyping custom-built tools may be feasible if resources allow.

Focusing on governance, measurable outcomes and integration will help cut through inflated claims and extract real value from AI SOC agent investments, while safeguarding resilience across security operations.

Craig Lawson is vice-president analyst at Gartner, focused on infrastructure security, security operations and cyber risk.
