2025-05-08

Artificial Intelligence (AI) can replicate human decision-making processes. This technology can facilitate a transformative shift in cybersecurity operations, particularly in routine security operations.

Threat detection already uses AI capabilities such as machine learning (ML). Various SOC technologies use ML for tasks ranging from identifying threats to categorizing alerts, thanks to integration by major software vendors. However, automating security operations is subject to certain constraints.

Most security operations teams have rules of engagement, requiring a degree of certainty before execution. This certainty explains why automation is common in closed systems such as endpoint detection and response (EDR) systems. Both the endpoint software and the console are familiar with all relevant variables and can automate responses effectively.

A security specialist at a major hyperscaler provides a practical example. Their company requires minimal SOC involvement due to its deep understanding of every technology and asset in their stack. Their setup essentially functions as a closed system, allowing for extensive automation.

For organizations without such closed systems, particularly those enterprises dealing with security information and event management (SIEM) systems, the scenario is different. Here, a security orchestration, automation and response (SOAR) application playbook manages automation.

For instance, an auto-response playbook can be programmed to quarantine a host if it isn't a server and is exhibiting recognized malicious activity. However, this automation cannot activate unless the identity of the asset is known, such as whether it's a critical server or a workstation.
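The following is an added example, not code from the original article or from any SOAR product, of the playbook gate described above: a host is auto-quarantined only when its identity is known from an asset inventory, it is not a server, and the alert carries a recognized malicious detection. It also applies the rules-of-engagement idea from earlier in the piece as a minimum confidence threshold. The inventory, detection names, `Alert`/`Decision` structures and the `MIN_CONFIDENCE` value are all constructed for illustration; whenever required context is missing the playbook escalates to an analyst rather than acting.

```python
"""Minimal SOAR-style auto-response decision gate (constructed example).

Automation fires only when every piece of required context is present:
  1. the host is in the asset inventory (identity known),
  2. the host is not a server or critical server,
  3. the detection is in the confirmed-malicious set,
  4. the reported confidence meets the rules-of-engagement threshold.
Anything else is escalated to a human analyst instead of auto-quarantined.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed asset inventory: hostname -> asset class. A host that is absent
# has unknown identity, which is precisely the case automation must not act on.
ASSET_INVENTORY = {
    "ws-fin-017": "workstation",
    "db-prod-01": "critical_server",
    "app-prod-03": "server",
}

# Constructed set of detection names the playbook treats as confirmed malicious.
CONFIRMED_MALICIOUS = {"ransomware_behavior", "credential_dumping", "c2_beacon"}

# Hypothetical rules-of-engagement threshold for taking an automated action.
MIN_CONFIDENCE = 0.9


@dataclass
class Alert:
    host: str
    detection: str
    confidence: float  # 0.0 - 1.0, as reported by the detection source


@dataclass
class Decision:
    action: str  # "quarantine" or "escalate"
    reason: str


def lookup_asset(host: str, inventory=ASSET_INVENTORY) -> Optional[str]:
    """Return the asset class for a host, or None if its identity is unknown."""
    return inventory.get(host)


def decide(alert: Alert, inventory=ASSET_INVENTORY) -> Decision:
    """Apply the playbook gate; any missing context results in escalation."""
    asset_class = lookup_asset(alert.host, inventory)
    if asset_class is None:
        return Decision("escalate", f"asset identity unknown for {alert.host}")
    if asset_class in ("server", "critical_server"):
        return Decision("escalate", f"{alert.host} is a {asset_class}; no auto-quarantine")
    if alert.detection not in CONFIRMED_MALICIOUS:
        return Decision("escalate", f"detection '{alert.detection}' is not confirmed malicious")
    if alert.confidence < MIN_CONFIDENCE:
        return Decision("escalate", f"confidence {alert.confidence:.2f} below {MIN_CONFIDENCE}")
    return Decision("quarantine", f"{alert.host} is a workstation with confirmed {alert.detection}")


def run_playbook(alerts: List[Alert], inventory=ASSET_INVENTORY) -> List[Tuple[str, str]]:
    """Evaluate a batch of alerts and return (host, action) pairs."""
    return [(a.host, decide(a, inventory).action) for a in alerts]


if __name__ == "__main__":
    # Constructed sample alerts covering each branch of the gate.
    sample = [
        Alert("ws-fin-017", "ransomware_behavior", 0.97),   # quarantine
        Alert("db-prod-01", "ransomware_behavior", 0.99),   # escalate: critical server
        Alert("laptop-unknown-42", "c2_beacon", 0.95),      # escalate: identity unknown
        Alert("ws-fin-017", "suspicious_powershell", 0.80), # escalate: not confirmed malicious
    ]
    for host, action in run_playbook(sample):
        print(f"{host}: {action}")
```

The order of checks matters: asset identity is tested first because, as the text notes, without it the remaining rules cannot be evaluated safely, and a workstation-only quarantine rule applied to an unidentified production server would be the costly failure mode.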

Context is paramount in automating security functions, and this is where human SOC analysts shine. Through manual, "swivel chair" data collection, judgment and analysis, they provide the necessary context for automation to operate effectively in open systems. Swivel-chair operations need to make way for the new paradigm of multi-agentic autonomous operations.