Cyberwire Daily
Staffing Is Top SOC Challenge Even as AI Proliferates, Says SANS

By Team-CWD, June 18, 2026


A lack of skilled staff is the top operational challenge faced by today’s security operations centers (SOCs), although practitioners and leaders have diverging perceptions of hiring needs, according to SANS Institute.

The 2026 SANS SOC Survey was based on interviews with 444 IT and security professionals actively working in monitoring or security operations (SecOps) roles, plus an additional 69 CISOs and senior security executives.

It found that 14% of practitioners cited staffing as their main challenge, the top-rated answer. However, over half (59%) of the “cyber leaders” interviewed claimed that management actually pays close attention to SOC hiring and retention needs. This contrasted with just a third (32%) of practitioners.

“That 27-point gap has persisted across every year this question has been asked,” noted the report.

“Executives describe an intent. Practitioners describe an outcome. Both are accurate accounts of different parts of the same decision process, and the distance between them is where retention problems are born.”

However, both sides are closer than they think to each other’s perception of the challenges facing the SOC.

A fifth (22%) of cyber leaders admitted that management listens to retention requests but does not understand the urgency, while 14% said their management does not engage with SOC staffing needs at all.

SIEM is the most sought-after skill in hiring, with nearly double the demand of EDR, although most day-to-day SOC responses come from endpoint security alerts (86%) rather than SIEM alerts (78%).

AI Is Permeating the SOC

The study also revealed the extent to which AI is making an impact in the SOC. Although 79% of respondents said they use AI or machine learning (ML) tools, only 36% have built them into a defined SOC workflow.

The most popular approach is to use pre-existing vendor tools without customization (38%). Just 31% customize existing tools, while 20% build their own.

“Analysts are reaching for AI tools individually, often without organizational structure around how they are used, validated, or governed,” the report noted. “This is not surprising given how quickly the technology arrived. But it does represent a maturation gap that carries operational risk.”

SANS warned that using AI in an unstructured way is inefficient and could produce results which can’t be validated. A human in the loop remains vital to interpret the output of tools, it said.

“Most SOCs should start by identifying vendor-provided AI tools that address documented capability gaps, deploy them operationally, and measure results against existing metrics,” the report continued.

“Once the obvious use cases are covered, organizations can explore customization and, where justified, purpose-built solutions.”

Maturity and Coverage Gaps

The report revealed several other challenges facing today’s SOCs.

  • Cyber-threat intelligence (CTI): 74% of cyber leaders use CTI for SecOps and threat hunting. But only a quarter (26%) use it to inform budget and spending prioritization
  • OT/IoT coverage: Fewer than half (45%) of respondents fully or partially monitor OT/IoT computing assets through their SOC. That gap will become more consequential as these deployments increase, SANS warned
  • Measurement: “Number of incidents handled” has been the top reported SOC metric for 10 consecutive years. Yet it measures volume, not value, meaning the SOC cannot demonstrate business impact effectively


