Only about 10% of SOCs surveyed said AI has delivered "excellent value" to their operations, according to the SOC-CMM 2026 Maturity Report — a striking number for technology that moved from marketing line to budget item in just eighteen months.
SOC-CMM 2026: adoption surges, outcomes lag
The SOC-CMM 2026 Maturity Report drew on survey responses from roughly 200 SOCs collected between late January and mid-March 2026. It shows aggressive AI adoption alongside muted returns. Off-the-shelf large language models grew 55% year over year; AI co-pilots grew 145%; AI agents grew 118%; supervised machine learning grew 96%; and customized LLMs grew 64%. Yet only about 10% of respondents rated AI's value as excellent, and about 19% rated it as good. The remaining 71% reported some value or none at all.
The report quantifies a widening operational gap: the technology domain scores highest at an average of 2.7 out of 5, while process and people both score 2.3. Two improvement challenges climbed year over year, lack of best practices (+17%) and complexity of increasing maturity (+11%), even as lack of budget and lack of management support declined. Effective SOC governance was named the single most challenging area, cited by 39% of respondents.
The "taker" model and why it underdelivers
Most SOCs fall into what the report labels the taker model: about 65% deploy off-the-shelf AI inside an existing security stack without customization. Another 20% describe themselves as shapers, customizing purchased tools, and only 15% are builders, training models on their own data. The takers are the largest cohort and the one reporting the least value.
That pattern is uniform across hybrid SOCs, in-house SOCs, and MSSP SOCs, and cuts across regions and sectors. Put simply, many teams are buying AI but not changing the architecture in which it runs, and the result is widespread underperformance.
Architecture problem: fragmented tools accelerate silos, not workflows
The first wave of AI arrived as features bolted onto existing products: SIEMs with AI triage, EDRs with AI investigation, SOAR with playbook generation, ticketing tools with summarization. Each feature typically improved its own slice of work but did not share context with the next stage. SOC analysts now contend with multiple AI assistants — a triage agent that doesn't know what detection engineers silenced, a hunting agent oblivious to morning threat-intel flags, a ticket summarizer unaware of two-hop investigation results.
The practical effect is faster individual tasks and the same fragmented workflow. Every additional tool can add another handoff; buying more point AI without connecting stages compounds the original problem instead of solving it.
Conifers' CognitiveSOC™: an example of end-to-end agentic architecture
One platform presented in the report as built around the second-wave architecture is Conifers' CognitiveSOC™, launched in May 2026. The platform aims to connect threat intelligence, threat hunting, detection engineering, investigation, and remediation into a single operating fabric grounded in each customer's institutional knowledge. The five functions feed each other context so that hunts inform detection, investigations calibrate future detections, and remediation runs inside customer-defined guardrails.
Governance is embedded: every agent action carries a reasoning chain and an evidence trail, and customers set the scope and authority agents operate under, expanding autonomy in stages — described as a move from human-in-the-loop to human-on-the-loop oversight. The product is designed to sit on top of existing SIEM, EDR, identity, cloud, email, and ITSM stacks, supporting more than 60 integrations and requiring no rip-and-replace migration. Where that architecture is in place, the report says, teams see sharper investigations completed faster, tuned detections, continuous threat hunting, and remediation with audit-grade decision records.
What this means for CISOs, SOC teams, and vendors
- CISOs: The report highlights three procurement questions they should ask before buying the next AI SOC tool — does the AI operate across the full SOC lifecycle, how does it learn and persist institutional knowledge, and can every agent action be audited with a defensible reasoning trace and governed incrementally?
- SOC teams: The data warn that adoption is outpacing operational maturity. The needed shift is architectural rather than purely technological: connecting existing tools into a fabric that shares context rather than adding more isolated agents.
- Vendors: Those selling feature-level, stage-limited AI risk leaving customers with faster slices and no end-to-end value. Vendors that can deliver an agentic fabric grounded in institutional knowledge and governance are, per the report, the ones whose customers will move from "some value" to "excellent value."
The report closes on a note of practical urgency. Adversaries are already accelerating: Google's Threat Intelligence Group disclosed the first confirmed AI-developed zero-day earlier this year, Anthropic's Claude Mythos preview is identifying critical vulnerabilities at machine speed, and JPMorgan's CISO published an open letter in April 2025 warning that the economics of cyber risk are shifting. The SOC-CMM 2026 benchmark's 10% figure is not just a performance metric; it is a marker of which SOCs are architected to detect and act when the next AI-enabled exploit arrives, and which will be explaining what happened the morning after.




