A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC.
The CISO, a laptop, and a sentence: “This is exactly what is wrong…”
The scene the author relays is simple: a CISO of a Fortune 50 firm, a careful security program already testing Claude against detection tools, and an architecture review that exposed a structural flaw. Lital Asher‑Dotan wrote one sentence to herself after the meeting — “This is exactly what is wrong with how most security teams are designing their AI architecture right now.” That sentence frames the argument: current designs are asking the wrong part of the decision process to do the wrong work.
25 million alerts and a near‑perfect mirror of Kahneman’s model
Asher‑Dotan draws a deliberate comparison to Daniel Kahneman’s System 1/System 2 model: Kahneman estimated 95% of human cognition runs automatically (System 1) and 5% is deliberate, effortful thinking (System 2). Research cited in the piece—an analysis of more than 25 million enterprise alerts—reports a near identical operational split: 98% of alerts can be resolved autonomously and less than 2% actually warrant human review.
The math matters in practice. The article gives a concrete example: an enterprise that receives 450,000 alerts per year can expect 54 real threats to be hidden in the low‑severity pile—alerts that look like noise and often never reach a human analyst because of queue pressure and cognitive limits.
System 1 as the SOC’s fast brain; System 2 as the analyst copilot
The recommended architecture separates functions explicitly. The fast SOC brain should operate like System 1: continuous, automatic, and forensic‑grade. It should:
- investigate 100% of signals without waiting for human prompts;
- perform memory scans, file analysis, and cross‑signal correlation across endpoint, identity, network, and cloud;
- produce verdicts and close clearly noisy cases, surfacing only the genuinely ambiguous or consequential for humans.
The slow SOC brain is where models such as Claude, Codex, and Cursor belong. These tools are not placed in the architecture because they are slow, the article stresses, but because they are best at deliberate work: complex case analysis, detection rule engineering, incident reporting, and threat hunting that requires synthesis and business context. Crucially, the slow brain should receive escalated cases already assembled by the autonomous layer—full context, correlated evidence, and a recommended response—so analysts supervise rather than triage.
Two current failure modes: overloading humans, or over‑spending on the wrong automation
Asher‑Dotan identifies two simultaneous failure modes. The first is human analysts stuck in System 1 roles: manual triage of hundreds of alerts a day that exhausts System 2 capacity, reduces coverage, and leaves threats buried. The second is the rising pattern of deploying frontier AI platforms directly against raw detection data and calling that an AI SOC. That approach, the article argues, is still System 2 doing System 1 work—only faster and more expensive. Running frontier models against every alert at current token costs, the piece says, is not viable in production; teams start skipping low‑priority alerts and the same 54 missed threats remain missed, but now under a different label.
When the two brains are correctly layered, every decision the slow brain makes feeds back into the fast brain. Tuning rules and closed cases accumulate, improving the autonomous layer’s accuracy over time.
What this means for security teams, procurement leaders, and MDR providers
- Security teams and technologists: Build a purpose‑built autonomous investigation layer to handle the 98% of alerts and feed curated, evidence‑backed cases to analyst copilots. Let human analysts focus on the deliberate, context‑dependent work the slow brain is meant for.
- Procurement leaders and enterprises: Beware of the economics of running frontier models against raw alert streams. The article stresses that bringing investigation in‑house is not merely a coverage or cost decision but a prerequisite for owning the knowledge layer—detection rules, case history, and triage logic—that powers effective analyst copilots.
- MDR providers: Outsourcing investigation accumulates the knowledge layer inside the vendor’s platform. Enterprises that want meaningful analyst copilot capabilities will need access to the investigative history and tuning that lives in their own instance.
Asher‑Dotan’s prescription is straightforward: design the SOC to mirror human decision architecture. Let the autonomous, fast brain execute continuous, forensic‑level triage across every signal; let the slow brain—Claude, Codex, Cursor and the human analyst—apply judgment to fully assembled cases. When the architecture is right, she concludes, “AI executes. Humans supervise.” And supervising, in that configuration, becomes the work analysts were actually hired to do.




