
Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations.

Today I want to break down something that keeps coming up in conversations: the difference between SecOps Agents and AI SOC when they live inside a SIEM versus when they show up as a standalone product or as part of a SOAR.

Three different starting points, three different sets of trade-offs. None of them are wrong. They just optimize for different things, and if you don't understand which one you are buying, you will end up disappointed.

SIEMs own the data, and that matters

SIEMs have the upper hand on triage. Full stop.

If you are a team that sends everything to your SIEM, you will get great triage results inside it. The reason is simple. The SIEM has all the data. If the implementation is done right, the platform can query that data faster and more efficiently than anything bolted on from the outside. Timeline analysis, blast radius, correlation across sources, all the bells and whistles.

But there is a condition attached to this. ONLY if you actually get all the data there. And by data I do not just mean logs. I mean enrichments too. Identity context, asset context, threat intel, business criticality, ownership. The triage is only as good as the context the SIEM can reach without leaving its own walls.

This is where the story gets complicated.

Once you move past triage and into response, the SIEM starts to lose ground. SIEM vendors were smart to play the SOAR card years ago. The problem is that most of them never invested enough to make it shine. Acquired SOAR products got bolted on, kept on life support, and then quietly underfunded while the marketing kept going.

My take has not changed. Unless you have your entire response stack inside a single ecosystem, and very few teams actually do, you need a vendor agnostic agentic, automation, and orchestration layer. The SIEM is a great triage brain. It is rarely great at being the hands and feet.

Where pure play AI SOC and SOAR have the upper hand

Now flip the scenario. You don't send everything to your SIEM. Maybe you cannot afford to. Maybe you are running multiple detection sources. Maybe your EDR, your cloud detections, your identity alerts, and your email security all live in their own consoles.

This is where pure play AI SOC vendors and SOAR-style platforms shine.

They do enrichment better in this world because they were built for a fragmented data reality. They pull from wherever the data lives instead of assuming it all flows into one lake. The trade-off is that they are limited by whatever APIs are available on the SIEM and on every other system they ingest alerts and detections from. If the API is shallow, the agent is shallow.
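The two points above, that triage is only as good as the context the platform can actually reach and that a shallow API produces a shallow agent, can be made concrete with a context-completeness check. The following is an added example, not code from the post or from any vendor it mentions; the three source adapters and the directory, inventory and threat-intel tables they read are constructed stand-ins for separate consoles, and the required-field list is an assumption chosen for illustration. The point of the check is that an enrichment layer should report which context it could not obtain and from which source, rather than silently triaging on whatever came back.

```python
"""Context-completeness check for alert triage.

Added example: the adapters below are hypothetical stand-ins for identity,
asset and threat-intel consoles, backed by constructed in-memory tables.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Context a triage agent needs before it can reason about an alert, and the
# source each field is expected to come from (assumed list, for illustration).
REQUIRED_CONTEXT = {
    "user.department": "identity",
    "user.privileged": "identity",
    "asset.owner": "asset",
    "asset.criticality": "asset",
    "ioc.verdict": "threat_intel",
    "ioc.last_seen": "threat_intel",
}

# Constructed sample data standing in for three separate consoles.
IDENTITY_DIRECTORY = {
    "jdoe": {"user.department": "finance", "user.privileged": False},
}
ASSET_INVENTORY = {
    "fin-ws-042": {"asset.owner": "jdoe", "asset.criticality": "high"},
}
THREAT_INTEL = {
    # Deliberately shallow: a verdict comes back, but no last-seen timestamp.
    "203.0.113.7": {"ioc.verdict": "malicious"},
}

Adapter = Callable[[dict], dict]

def identity_adapter(alert: dict) -> dict:
    return dict(IDENTITY_DIRECTORY.get(alert.get("user"), {}))

def asset_adapter(alert: dict) -> dict:
    return dict(ASSET_INVENTORY.get(alert.get("host"), {}))

def threat_intel_adapter(alert: dict) -> dict:
    return dict(THREAT_INTEL.get(alert.get("dest_ip"), {}))

DEFAULT_SOURCES: dict[str, Adapter] = {
    "identity": identity_adapter,
    "asset": asset_adapter,
    "threat_intel": threat_intel_adapter,
}

@dataclass
class EnrichedAlert:
    alert: dict
    context: dict = field(default_factory=dict)
    # required field -> the source that was expected to supply it but did not
    missing: dict = field(default_factory=dict)

    @property
    def coverage(self) -> float:
        return 1 - len(self.missing) / len(REQUIRED_CONTEXT)

def enrich_alert(alert: dict, sources: Optional[dict[str, Adapter]] = None) -> EnrichedAlert:
    """Pull context from every source and record each required field that no
    source supplied. A source that raises is treated as unreachable, and the
    error is kept in the context so the gap is attributable."""
    sources = DEFAULT_SOURCES if sources is None else sources
    result = EnrichedAlert(alert=alert)
    for name, adapter in sources.items():
        try:
            result.context.update(adapter(alert))
        except Exception as exc:  # console down, bad credentials, rate limit
            result.context[f"_error.{name}"] = repr(exc)
    for key, source in REQUIRED_CONTEXT.items():
        if key not in result.context:
            result.missing[key] = source
    return result

def triage_depth(enriched: EnrichedAlert) -> str:
    """Translate coverage into the kind of triage the data actually supports."""
    if not enriched.missing:
        return "full"
    if enriched.coverage >= 0.5:
        return "partial"
    return "shallow"

if __name__ == "__main__":
    sample = {"user": "jdoe", "host": "fin-ws-042", "dest_ip": "203.0.113.7"}
    enriched = enrich_alert(sample)
    print(enriched.context)
    print("missing:", enriched.missing, "depth:", triage_depth(enriched))
```

Run as-is, the sample alert comes back as partial rather than full because the threat-intel stand-in never returns `ioc.last_seen`; swapping in an adapter that raises shows how an unreachable console degrades the same alert further. The threshold in `triage_depth` is arbitrary; what matters is that the missing fields are surfaced alongside the verdict.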

On the response side, this is where SOAR-style and agentic platforms really pull ahead. Response is hard. It involves dozens of systems, conditional logic, human approvals, rollback paths, and edge cases that only show up in production. Slapping MCP on top of a tool catalog and calling it response automation does not make the cut. Response needs to be designed, not summoned.
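The claim that response has to be designed rather than summoned comes down to three things a tool catalog does not give you: conditions that decide whether a step applies, approval gates on the risky steps, and a rollback path when a later step fails. The following is an added example, not code from the post or from any product it discusses; the target systems are constructed in-memory stand-ins, the step names and the playbook ordering are assumptions, and the approval callback is wherever a human or policy decision would plug in.

```python
"""Response playbook runner with conditional steps, approval gates and rollback.

Added example: the EDR, identity provider and ticketing "systems" are
constructed in-memory stand-ins, not vendor APIs.
"""
from dataclasses import dataclass
from typing import Callable, Optional

def fresh_state() -> dict:
    """Constructed state for the three systems the playbook touches."""
    return {
        "edr": {"isolated": set()},
        "idp": {"disabled_users": set(), "revoked_sessions": set()},
        "ticketing": {"tickets": []},
    }

@dataclass
class Step:
    name: str
    action: Callable[[dict, dict], None]                # (state, alert) -> applies the change
    rollback: Optional[Callable[[dict, dict], None]] = None
    condition: Callable[[dict], bool] = lambda alert: True
    requires_approval: bool = False

# Actions and, where one exists, their inverses (hypothetical operations).
def revoke_sessions(state, alert): state["idp"]["revoked_sessions"].add(alert["user"])
def disable_user(state, alert):    state["idp"]["disabled_users"].add(alert["user"])
def enable_user(state, alert):     state["idp"]["disabled_users"].discard(alert["user"])
def isolate_host(state, alert):    state["edr"]["isolated"].add(alert["host"])
def release_host(state, alert):    state["edr"]["isolated"].discard(alert["host"])
def open_ticket(state, alert):     state["ticketing"]["tickets"].append(alert["id"])

PLAYBOOK = [
    # Low impact, always safe, so no approval and nothing to undo.
    Step("revoke_sessions", revoke_sessions),
    # Disruptive to the user: gate on approval and keep an inverse.
    Step("disable_user", disable_user, rollback=enable_user, requires_approval=True),
    # Only for high severity, and again gated and reversible.
    Step("isolate_host", isolate_host, rollback=release_host,
         condition=lambda a: a["severity"] == "high", requires_approval=True),
    Step("open_ticket", open_ticket),
]

def run_playbook(alert: dict, state: dict, approve: Callable[[str, dict], bool],
                 steps=PLAYBOOK) -> list[str]:
    """Execute steps in order and return an audit log. Steps whose condition
    is false are skipped, steps the approver declines are recorded as denied,
    and a step that raises triggers rollback of every completed step that has
    an inverse, in reverse order, before the run stops."""
    log: list[str] = []
    completed: list[Step] = []
    for step in steps:
        if not step.condition(alert):
            log.append(f"skip:{step.name}")
            continue
        if step.requires_approval and not approve(step.name, alert):
            log.append(f"denied:{step.name}")
            continue
        try:
            step.action(state, alert)
            completed.append(step)
            log.append(f"done:{step.name}")
        except Exception as exc:
            log.append(f"failed:{step.name}:{exc}")
            for done in reversed(completed):
                if done.rollback:
                    done.rollback(state, alert)
                    log.append(f"rolled_back:{done.name}")
            break
    return log

if __name__ == "__main__":
    alert = {"id": "ALERT-1", "user": "jdoe", "host": "fin-ws-042", "severity": "high"}
    state = fresh_state()
    # An approver that approves everything; in practice this is the human step.
    for line in run_playbook(alert, state, approve=lambda step, a: True):
        print(line)
```

The audit log is the part to look at: a denied approval and a skipped condition both leave a trace, and a failure partway through leaves the systems as they were before the run, minus the steps that were declared safe enough to have no inverse.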

TL;DR for the architecture decision

If you have all your data and all your response actions inside one ecosystem, ride the SIEM agent wave. It will probably work for you.

If you do not, and most teams do not, you need a layer that is vendor agnostic on both data and response. That is where pure play AI SOC and modern SOAR-style platforms earn their keep.

Vendor tracker update

A quick update on the AI SOC and Agentic SOC vendor list we maintain.

We are now tracking 73 vendors. The market keeps expanding, and we keep adding entrants as they show up with a credible product and not just a landing page.

A few changes worth calling out:

  • We now have multiple visual views of the landscape. Different cuts for different questions. One view for category, one for go-to-market motion, one for how they handle the data and response split discussed above.

  • The next iteration will include a definition for each category. One thing I have learned from talking to practitioners and buyers is that the category names are doing a lot of heavy lifting and not always carrying the weight. AI SOC, Agentic SOC, autonomous SOC, alert triage copilot, they all mean different things to different vendors. We will pin down what each one actually means in our taxonomy so the comparison is honest.

If you want to be on the list, or if you think we missed you, reach out. The bar is a product that exists and customers who use it.

Coming up: AI SOC is just a feature

Last thing. I will be joining Chris Hughes next week on Resilient Cyber, and one of the topics I want to dig into is why I think AI SOC is just a feature, not a category.

Short version of the argument. Triage automation, alert summarization, investigation assistance, these are capabilities. They will be embedded in SIEMs, in SOAR, in EDR, in detection engineering tools. Standalone AI SOC vendors that do not extend into the rest of the SecOps lifecycle will get squeezed. The interesting companies are the ones building agentic platforms that go beyond the triage box.
