Introduction to the SOC Alert Problem
Security spending has roughly doubled over the past six years, yet the metrics that matter most, time to investigate and time to respond, have not improved in step. Google Mandiant's recent M-Trends report puts the global median dwell time (the interval between initial compromise and detection) at 14 days, while CrowdStrike's 2026 Global Threat Report puts the average breakout time (the interval between initial access and the first lateral movement) at 29 minutes.
Put those two numbers side by side and the gap is stark: attackers move laterally in under half an hour, while defenders take two weeks to notice. IBM's Cost of a Data Breach research adds that in 2025 the average time to identify and contain a breach was 241 days, with an average cost of $4.88 million. The volume and complexity of alerts keeps growing, and simply hiring more analysts does not close the gap.
The Limitations of Human-Driven Alert Triage
SOC teams have already applied the usual efficiency measures: tiering by severity, auto-closing known-benign alert classes, suppressing noisy detection rules, and tuning and routing alerts. Even so, the number of alerts that still need a human investigation exceeds the capacity of most teams.
After tiering, the volume that still reaches human triage commonly runs 120 to 150 alerts per day. At roughly 20 minutes per investigation, that is 40 to 50 analyst-hours every day, which a small team cannot staff, and hiring more analysts is not a viable answer. The constraint is the operating model, not the team or the tooling investment.
A Diagnostic for SOC Capacity Blind Spots
Before evaluating AI SOC tools, it's essential to run a diagnostic on your program to identify potential blind spots. Four questions can help map your SOC capacity:
- What percentage of alerts above your defined investigation threshold did your team actually investigate last quarter?
- How many detection rules has your team suppressed in the last 12 months without an engineering ticket to replace the coverage?
- What was your senior analyst turnover last year, and how long did each replacement take to reach productive contribution?
- If alert volume doubled tomorrow, what's the first thing your team would stop doing?
Answering these questions honestly, with numbers pulled from your case-management and detection-engineering records rather than from memory, shows where capacity is silently being lost and gives you a baseline against which to evaluate any AI SOC tool.
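The four questions above are only useful if you measure them. The script below is an added example written for this article, not code from the original page or from any vendor product. It computes question 1 (investigation coverage above a severity threshold), question 2 (suppressed rules with no replacement ticket), and a capacity model for question 4 (what happens when volume doubles) over a constructed sample of alert and rule-change records. The record layouts, the severity scale, the 20-minutes-per-alert figure and the number of triage hours an analyst can sustain per day are all assumptions; substitute an export from your own case-management system.

```python
"""SOC capacity diagnostics over a constructed case-management export.

Added example; the record layouts below are assumptions, not any
product's schema, and the sample data is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: int        # assumed scale: 1 (low) .. 4 (critical)
    investigated: bool   # a human actually opened and worked the alert
    minutes: int         # analyst minutes spent; 0 if never touched


@dataclass(frozen=True)
class RuleChange:
    rule_id: str
    action: str              # "suppressed" or "replaced"
    ticket: Optional[str]    # engineering ticket restoring the lost coverage


# Constructed sample: a fragment of one quarter's alert export.
ALERTS: List[Alert] = [
    Alert("A-1", 4, True, 25),
    Alert("A-2", 4, True, 40),
    Alert("A-3", 3, True, 15),
    Alert("A-4", 3, False, 0),
    Alert("A-5", 3, False, 0),
    Alert("A-6", 2, True, 10),
    Alert("A-7", 2, False, 0),
    Alert("A-8", 1, False, 0),
]

# Constructed sample: rule changes from the last 12 months.
RULE_CHANGES: List[RuleChange] = [
    RuleChange("R-100", "suppressed", None),
    RuleChange("R-101", "suppressed", "SEC-412"),
    RuleChange("R-102", "suppressed", None),
    RuleChange("R-103", "replaced", "SEC-398"),
]


def coverage_rate(alerts: List[Alert], threshold: int) -> float:
    """Question 1: fraction of alerts at or above `threshold` that were investigated."""
    in_scope = [a for a in alerts if a.severity >= threshold]
    if not in_scope:
        return 0.0
    return sum(1 for a in in_scope if a.investigated) / len(in_scope)


def mean_minutes_per_investigation(alerts: List[Alert]) -> float:
    """Average analyst time per investigated alert; feeds the capacity model."""
    worked = [a.minutes for a in alerts if a.investigated]
    return sum(worked) / len(worked) if worked else 0.0


def unreplaced_suppressions(changes: List[RuleChange]) -> List[str]:
    """Question 2: rules suppressed with no ticket to rebuild the coverage."""
    return sorted(c.rule_id for c in changes
                  if c.action == "suppressed" and not c.ticket)


def capacity_gap(alerts_per_day: float, minutes_per_alert: float,
                 analysts: int, triage_hours_per_analyst: float,
                 volume_multiplier: float = 1.0) -> dict:
    """Question 4: daily analyst-hours demanded vs. available, and the overflow.

    `volume_multiplier=2.0` models the "alert volume doubled tomorrow" case.
    """
    demand_hours = alerts_per_day * volume_multiplier * minutes_per_alert / 60
    supply_hours = analysts * triage_hours_per_analyst
    overflow_hours = max(0.0, demand_hours - supply_hours)
    return {
        "demand_hours": demand_hours,
        "supply_hours": supply_hours,
        # alerts that nobody will get to each day at this staffing level
        "alerts_dropped_per_day": overflow_hours * 60 / minutes_per_alert,
    }


if __name__ == "__main__":
    print(f"coverage (sev>=3): {coverage_rate(ALERTS, 3):.0%}")
    print(f"mean minutes/investigation: {mean_minutes_per_investigation(ALERTS)}")
    print(f"suppressed without ticket: {unreplaced_suppressions(RULE_CHANGES)}")
    # 150 alerts/day at 20 minutes each, 5 analysts each sustaining 5 triage hours
    print("today:", capacity_gap(150, 20, 5, 5.0))
    print("doubled:", capacity_gap(150, 20, 5, 5.0, volume_multiplier=2.0))
```

On the sample data, 60% of severity-3-and-above alerts were actually investigated, two suppressed rules have no replacement ticket, and a five-analyst team at 150 alerts per day already drops 75 alerts daily; doubling the volume pushes that to 225. Those are the numbers to have in hand before a vendor conversation, because they define what "returned analyst capacity" has to mean for your team.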
Case Studies: Changing the Operating Model
Some teams have made real progress by changing the operating model rather than adding headcount. JB Poindexter & Co, a diversified manufacturer, deployed Prophet AI in 2025 and ran 4,407 investigations through the platform in the first 60 days, with a mean time to investigate of under 4 minutes. At roughly 20 analyst-minutes per investigation, that returned about 1,469 hours of analyst time in two months, which annualizes to roughly 6.3 analyst-years of investigation capacity.
Cabinetworks ran 3,200 alerts through Prophet AI in 33 days; only six were escalated to a human. The team also cut its SIEM costs by 90%, primarily because the platform pivots directly into EDR and identity tools during an investigation, so that raw telemetry no longer has to be ingested into and retained by the SIEM.
Funding AI SOC Tools
CISOs often face challenges in funding AI SOC tools. Three patterns have emerged as viable funding paths:
- Unapproved headcount budget: the open analyst requisitions that were never going to be filled are redirected to the AI platform, which absorbs the investigation load those hires were meant to carry.
- SIEM cost reduction: ingest and storage costs fall when the AI platform pivots into EDR and identity tools at investigation time instead of requiring that raw telemetry to be ingested into the SIEM.
- Tool displacement: an existing SOAR, case-management workflow, or managed service is replaced by the AI SOC tool, and its budget line moves with it.
Most programs end up funding through a combination of the first two paths; the third is a harder, longer-term conversation because it means retiring a tool or contract that other teams may still depend on.
Where Humans Still Need to Lead
While AI SOC tools have significant benefits, there are areas where humans still need to lead. These include:
- Insider threat investigations, where intent, HR context and legal handling matter as much as the telemetry.
- Novel TTPs with no analog in the tool's training data, where the absence of a known pattern is itself the signal.
- Highly regulated environments with strict data residency rules, where alert data and the evidence gathered during an investigation cannot leave a given jurisdiction or be sent to an external service.
In these areas AI tools can gather evidence and summarize it for the investigator, but the judgment call and the accountability for it stay with a human.
Common Questions and Concerns
The first question most evaluators ask is what happens when the AI gets it wrong. Prophet AI records every step of every investigation, which gives reviewers a clear audit trail for any verdict and lets corrections be encoded back into the system so the same mistake is not repeated. Whatever tool you choose, the practical check is the same one you would apply to a new analyst: sample a fixed fraction of the alerts the tool closes on its own, re-investigate them by hand, and track the miss rate over time before widening its authority to auto-close.
Understanding both the limits and the benefits of AI SOC tools, and measuring their impact against your own baseline numbers, is what turns the purchase into a better-functioning alert-handling and investigation program rather than another line item.
Source: BleepingComputer