“79% of respondents said they use AI or machine learning (ML) tools, but only 36% have built them into a defined SOC workflow.” That juxtaposition—high uptake, low process integration—frames the central tension in the 2026 SANS SOC Survey.
Staffing: practitioners see a problem leaders say they notice
The SANS Institute surveyed 444 IT and security professionals in monitoring or SecOps roles and an additional 69 CISOs and senior security executives. A lack of skilled staff emerged as the top operational challenge reported by practitioners: 14% of practitioners cited staffing as their main challenge.
By contrast, 59% of the “cyber leaders” interviewed said management pays close attention to SOC hiring and retention needs, while only 32% of practitioners agreed. “That 27-point gap has persisted across every year this question has been asked,” the report noted. The document framed the discrepancy succinctly: “Executives describe an intent. Practitioners describe an outcome. Both are accurate accounts of different parts of the same decision process, and the distance between them is where retention problems are born.”
The report further breaks leader perception down: 22% of cyber leaders admitted management listens to retention requests but does not understand the urgency, and 14% said their management does not engage with SOC staffing needs at all.
AI permeation: wide use, uneven workflows
SANS found that AI/ML tools are now widespread in SOCs—79% of respondents reported using such tools—but adoption is frequently informal. Only 36% of respondents have AI or ML tools built into a defined SOC workflow. The most common approach is using pre-existing vendor tools without customization (38%); 31% customize existing tools; and just 20% build their own.
The report warned of operational risks from this pattern: “Analysts are reaching for AI tools individually, often without organizational structure around how they are used, validated, or governed,” it said. SANS cautioned that unstructured AI use is inefficient and “could produce results which can’t be validated.” The institute emphasized that a human in the loop remains vital to interpret tool output and recommended that SOCs “start by identifying vendor-provided AI tools that address documented capability gaps, deploy them operationally, and measure results against existing metrics,” then move to customization or purpose-built solutions where justified.
Tool demand and signal sources: SIEM vs EDR
Hiring and operational signal trends show a subtle mismatch. SIEM is the most sought-after skill in hiring—described by the report as attracting nearly double the demand of EDR skills—yet the bulk of day-to-day SOC responses still originate from endpoint security alerts. Endpoint alerts account for 86% of day-to-day responses, while SIEM alerts account for 78%.
That contrast implies hiring priorities and operational signal flows are not perfectly aligned, a point the report surfaces without prescribing a single corrective path.
Maturity and coverage gaps: CTI, OT/IoT, and metrics
The SANS survey also identified gaps beyond staffing and AI. On cyber-threat intelligence (CTI), 74% of cyber leaders reported using CTI for SecOps and threat hunting—but only 26% use CTI to inform budget and spending prioritization.
Operational technology and IoT visibility remain limited: fewer than half of respondents (45%) fully or partially monitor OT/IoT computing assets through their SOC. SANS warned that this coverage gap will become more consequential as deployments increase.
Measurement practices present a separate maturity challenge. For a decade, the top reported SOC metric has been “number of incidents handled.” The report noted this metric measures volume rather than value, which means the SOC “cannot demonstrate business impact effectively.”
What this means for practitioners, cyber leaders, and procurement
- Practitioners and security teams: staffing shortfalls and the perception that management attention does not translate into outcomes are driving retention friction; many analysts are turning to AI tools independently rather than through governed workflows.
- Cyber leaders and CISOs: while a majority say management listens on hiring, significant minorities acknowledge a lack of urgency or engagement; leaders also report using CTI operationally far more than they use it for budget prioritization.
- Procurement and vendor teams: because 38% use vendor AI tools without customization and only 20% build their own, vendors and procurement leaders will be central to closing the “maturation gap” SANS identifies—by supplying verifiable, operationally measurable AI capabilities that map to documented gaps.
The SANS survey paints a SOC landscape in which tools—and expectations about them—have raced ahead of workflow design and measurement. The institute’s own prescription is pragmatic: adopt vendor-provided AI where it fills documented gaps, measure outcomes against existing metrics, then only pursue customization or bespoke solutions when the operational case is proven. As SANS put it, the distance between executive intent and practitioner experience is not abstract—“it is where retention problems are born.”