"AI isn't going to replace the SOC, it's a cyber defense engineer who will," Yonni Shelmerdine, chief product officer at Vega Security, told Infosecurity Europe. That blunt assessment captures a recurring theme from three vendors exhibiting at Infosecurity: automation will remove drudgery, but it will not empty SOC desks.
Dropzone AI and the "glass box" approach
Brett Candon, VP of International at Dropzone AI, argued that the path to a truly autonomous security operations center requires transparency. Automation has long promised to fix the SOC, he said, but only a "glass box" model — one that logs every procedural step — will allow humans to audit an AI's rationale. The stated goal is to replace heavy manual investigation work while preserving the ability for human analysts to verify machine decisions.
Abnormal AI, Patricia Titus, and human-in-the-loop validation
Patricia Titus, Field CISO at Abnormal AI, reinforced that human validation remains a "non-negotiable safety net." Titus told Infosecurity that organizations still need sharp minds to periodically review data and confirm that AI tools are "actually catching what you want it to catch." Following deployment of Abnormal AI's behavioral models, her team found it unnecessary to hire five permanent, full-time "tier-1 ticket takers," she said. Instead, existing full-time staff moved to handle high-risk, "truly tier-3 level investigations," while remaining tier-1 duties were converted into a university intern program to teach grassroots email security and behavioral analytics alongside the AI.
Vega Security, data pipelines, and the rise of the cyber defense engineer
Yonni Shelmerdine cautioned that AI depends on the quality of the security data infrastructure feeding it. If critical logs are frozen or filtered out to save cloud storage costs, an AI cannot compensate; "no super-duper AI bot will be able to help," he warned. From that constraint springs a new role, he said: instead of passive analysts, "cyber defense engineers" will control SecOps platforms, tune detections, and build systems using advanced management protocols and natural language. Those engineers will "vibe code" queries, hunts, dashboards, reports and triage, shifting the job from reactive alert handling to proactive engineering of detection posture.
Tier-1.5 analysts, interns, and rapid promotion
Across the vendors, a consistent operational picture emerges: AI handles initial, repetitive triage at machine speed and humans supervise, audit and investigate the remainder. Candon described a shift toward "tier-1.5" analysts — junior defenders who act as supervisors and auditors of AI-driven investigations from day one. The effect, he said, has been faster career progression and higher job satisfaction, with employees feeling they do more useful tasks. Titus likewise emphasized that AI accelerates onboarding: reviewing and dissecting automated workflows lets new analysts learn foundational concepts far more quickly than traditional ticket-taking would allow. Importantly, Titus argued against eliminating tier-1 roles entirely, noting that when AI fails, people must return to grassroots triage.
What this means for SOC analysts, cyber defense engineers, and enterprise leaders
- SOC analysts: Junior personnel are likely to see their day-to-day work move away from repetitive data gathering toward supervising AI outputs and auditing automated workflows; internships may be used to teach tier-1 fundamentals in conjunction with AI tools.
- Cyber defense engineers: Advanced defenders will spend more time engineering detection posture, tuning AI tools, and fixing data pipelines — especially where logs are missing or filtered due to cloud storage constraints.
- Enterprise leaders and procurement teams: Vendors on the Infosecurity floor argue that organizations should prioritize transparent, auditable AI ("glass box") and invest in underlying data architecture; they should also weigh the economic pressures in the wider tech sector that could tempt some firms to reduce human expertise in favor of automation.
The vendors' consensus was clear and nuanced: the autonomous SOC is not an empty room but a different one. AI will strip away manual triage that has long bogged down security operations and elevate human roles into supervision, audit and engineering. Yet the final paragraph of the vendors' argument leaves a sober caveat: with sweeping corporate layoffs affecting the broader tech and cybersecurity sectors, it remains uncertain whether enterprises will adopt this vendor-optimistic model of talent transformation — or whether economic pressures will lead them to substitute fewer humans for more automation.
Find the original Infosecurity piece here: https://www.infosecurity-magazine.com/news/ai-soc-still-need-analysts/




