Offerings of fully autonomous security operations centers (SOCs) are flourishing on the cybersecurity market and trigger anxiety about a future with empty desks.
In reality, however, top security vendors exhibiting at Infosecurity Europe 2026 actually agree on one thing: AI won’t replace the SOC. It will replace the mind-numbing copy-pasting and routine ticket-taking.
Speaking to Infosecurity, Brett Candon, VP of International at Dropzone AI, said AI is shifting the traditional multi-tiered SOC model into a leaner, smarter operation powered by accelerated ‘tier-1.5’ analysts and strategic engineers.
AI SOC: A Glass Box, Not a Black Box
Automation has promised to fix the SOC for over fifteen years, but vendors argue that true autonomy requires absolute transparency.
Candon emphasized that AI must be treated as a supportive “glass box” rather than a mysterious black box. The goal, he noted, is to replace heavy manual investigation work while logging every procedural step so human analysts can easily audit the machine’s rationale.
Patricia Titus, Field CISO at Abnormal AI, agreed that human-in-the-loop validation remains a non-negotiable safety net. Organizations still need sharp minds to verify that the machine is performing accurately.
“You actually need someone who understands that to be able to go back and analyze the data periodically to make sure the tool, the AI tool, is actually catching what you want it to catch,” she said.
Furthermore, an AI is only as good as the security data infrastructure supporting it. Yonni Shelmerdine, chief product officer at Vega Security, pointed out that AI cannot bypass fundamental data architecture gaps. If critical security logs are frozen or filtered out due to high cloud storage costs, human engineering is required to fix the underlying pipeline.
Shelmerdine warned that if the data is gone, “no super-duper AI bot will be able to help.”
Intern Tier-1 and Professional Tier-1.5 SOC Analysts
Rather than eliminating entry-level professionals, this technological shift is entirely redefining their daily responsibilities, the three vendors told Infosecurity.
Instead of losing hours to repetitive data gathering, junior defenders are stepping straight into the role of what Candon called “tier-1.5 analysts,” acting as supervisors and auditors of AI-driven investigations from day one.
According to Candon, when AI handles tedious initial triage at machine speed, the human impact changes drastically. He noted that job satisfaction has increased and employees feel like they are doing more useful tasks within the SOC, allowing organizations to promote junior staff into specialized roles much faster than traditional timelines allowed.
Titus echoed this sentiment, noting that while tier-1 is traditionally where green SOC analysts “cut their teeth” on foundational security concepts, AI radically accelerates this onboarding period. Analysts can learn the basics significantly faster by reviewing and dissecting the automated workflows generated by an AI companion.
To operationalize this shift, Titus shared a practical blueprint from her own security team’s experience. After deploying Abnormal AI’s behavioral models, her team realized they no longer needed to hire five permanent, full-time “tier-1 ticket takers,” as she put it.
Instead, existing full-time staff were instantly elevated to handle high-risk, “truly tier-3 level investigations,” she explained.
Titus then transformed the remaining tier-1 responsibilities into a university intern program, bringing in college students to learn the grassroots basics of email security and behavioral analytics alongside the AI.
Titus strongly advocated against completely erasing entry-level roles, stating: “I think we would be foolish to eliminate tier-1 SOC analysts, largely because what happens if something happens and AI stops working, you need people to be able to go back to the grassroots and handle that tier-1.”
She explained that, by the time these interns graduate, they intimately understand how to audit AI systems and manage security posture, creating a direct pipeline of highly skilled full-time hires.
Emergence of A “Cyber Defense Engineer” Role in AI SOCs
As analysts climb the value chain, Vega’s Shelmerdine anticipates the rise of an entirely new industry archetype: the cyber defense engineer. Advanced defenders are increasingly shedding the passive analyst title to think of themselves as active system builders.
“AI isn’t going to replace the SOC, it’s a cyber defense engineer who will,” Shelmerdine said.
He described these modern professionals as engineers who control their SecOps platforms using advanced management protocols and natural language, effectively “vibe coding their queries, their hunts, their dashboards, their reports, [and] their triage.”
Rather than reacting defensively to an infinite queue of alerts, their daily focus shifts toward proactively engineering better detection postures and tuning AI tools.
Ultimately, the consensus across security vendors is clear: the autonomous SOC is not an empty room, but a significantly smarter one.
By stripping away the manual triage work that has plagued security operations for more than a decade, AI is acting less like a human replacement and more like a talent rescue mission, transforming burned-out ticket takers into strategic cyber engineers.
However, against a stark backdrop of sweeping corporate layoffs currently hitting the broader tech and cybersecurity sectors, it remains to be seen whether this idealistic vendor optimism will hold true or if economic pressures will ultimately tempt enterprises to sacrifice human expertise for pure automation.
You will be able to find Abnormal AI, Dropzone AI and Vega Security at Infosecurity Europe at Booths #D145, #E40 and #F160, respectively. Register for Infosecurity Europe here.
