Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations.
Alright, here it is. My yearly SecOps trends and predictions report.
Yes, I know it is March. The report was written in January. Life happened. If you want timely content, subscribe to a news outlet. If you want content that ages well, stick around.
Every year I try to make sense of where this industry actually is versus where vendors say it is. Last year I called out the AI copilot hype before everyone got tired of chatbots that summarize things but do nothing. This year I have good news and bad news.
Good news: AI finally started doing real work in 2025. The "AI Analyst" is no longer a slide deck fantasy.
Bad news: We automated the easy part. And somehow created more work for humans in the process.
Let me explain.
Where we stand
Mean time to detect (MTTD) improved dramatically. We got really good at finding things fast. Mean time to respond (MTTR)? Still flat. We are still terrible at actually fixing things.
But here is the part that made me laugh (in a sad way): a new bottleneck emerged. Mean Time to Decision.
Before AI, a SOC processed 200 alerts daily and made maybe 50 meaningful decisions. Now AI surfaces 2,000 alerts, auto-closes 1,700, and escalates 300 that require human judgment.
That is six times the human decision load.
Congratulations. We made the SOC more efficient at generating work for humans.
Why Everyone Started in the Middle
The industry went straight for triage and investigation. Makes sense. It was the easy target. Analytically complex but operationally simple. No write access required. No change management tickets. No risk of breaking production. Just read data, make a verdict, move on.
Detection engineering? Buried in log pipelines, data normalization nightmares, and the eternal fight between coverage and alert volume.
Response? Blocked by API limitations, tribal knowledge nobody documented, and organizations that would rather accept breach risk than give AI systems write access to anything important.
So vendors went for the middle. Quick wins. Happy customers. Logos on the website.
2026 will test whether AI can shift left into detection, shift right into response, and actually reduce the human decision burden rather than just reorganize it.
The SUDA Loop
You know the OODA loop. Observe, Orient, Decide, Act. Military strategy stuff that consultants love to reference.
Security operations needs its own version: See-Understand-Decide-Act (SUDA). See the telemetry, understand what it means in context, decide what to do about it, and act on that decision.

Most 2025 solutions handled one or two stages. See and Understand. Or Understand and Decide. Rarely the full loop.
The platforms that win 2026 will close the entire loop. Point solutions that only serve one stage will get absorbed or left behind.
AI SOC Is Not the Platform
The industry fixated on AI SOC throughout 2025. Understandable. Alert fatigue is painful and visible. Easy to demo. Easy to measure.
But here is my take: AI SOC is one solution. It is not the platform.
The real opportunity is infrastructure that provides building blocks: agentic workflows, deterministic workflows, case management, analyst copilot, integration layer. Combine them to build any security solution your program needs.
Agentic AI SOC. The use case everyone talks about.
Agentic IAM/PAM. Access requests, privilege escalation, orphaned accounts. Identity workflows are still embarrassingly manual in 2026. Let that sink in.
Cloud Security & Vulnerability Management. Findings pile up faster than humans can prioritize. Most sit in dashboards aging like fine wine that nobody drinks.
GRC Automation. Evidence collection, control monitoring, audit prep. The work nobody wants to do, done by systems that do not complain.
Detection Engineering. Threat intel in, detection rules out, coverage gaps identified, feedback loops closed. The dream we have been chasing for years.
Threat Hunting. Continuous hunts based on intelligence and baselines. Not sporadic efforts when someone has time between incidents.
Same platform. Different solutions. Built once, deployed many times.

The Honest Take
Most 2025 AI SOC investment automated the easy part. Organizations declared victory after deploying AI triage, then discovered faster alert closure but the same remediation backlog, often with more decisions queued for human review than before.
Real maturity requires fixing detections, closing the response gap, and making feedback loops actually work. Not just closing alerts faster.
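To pin the loop down, here is an added example, not code from the full report or from any vendor product: a toy SUDA loop in Python over six constructed alerts. See and Understand are read-only (the part vendors found easy). Decide sorts each alert into auto-close, unattended read-only evidence collection, or escalation. Act executes only what needs no write access and queues containment for a human, and that queue is the Mean Time to Decision problem from above. Feedback flags rules whose alerts mostly auto-close as detection-tuning candidates, which is the shift-left half of closing the loop. The alerts, rule names, hosts, the risk threshold of 80 and the 60% tuning ratio are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample alerts. Rule names, users and hosts are assumptions, not a product schema.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "R-IMPOSSIBLE-TRAVEL", "user": "alice", "host": "wks-01", "severity": 60},
    {"id": 2, "rule": "R-IMPOSSIBLE-TRAVEL", "user": "svc-backup", "host": "srv-db-01", "severity": 60},
    {"id": 3, "rule": "R-NEW-ADMIN-TOOL", "user": "bob", "host": "wks-02", "severity": 40},
    {"id": 4, "rule": "R-NEW-ADMIN-TOOL", "user": "carol", "host": "wks-03", "severity": 40},
    {"id": 5, "rule": "R-NEW-ADMIN-TOOL", "user": "dave", "host": "wks-04", "severity": 40},
    {"id": 6, "rule": "R-CRED-DUMP", "user": "eve", "host": "srv-dc-01", "severity": 95},
]

# Assumed context a SOC would normally pull from a CMDB and an exceptions register.
CRITICAL_HOSTS = {"srv-db-01", "srv-dc-01"}
KNOWN_BENIGN = {
    ("R-IMPOSSIBLE-TRAVEL", "alice"),  # roaming VPN user, documented exception
    ("R-NEW-ADMIN-TOOL", "bob"),       # desktop engineering, tool rollout ticket on file
    ("R-NEW-ADMIN-TOOL", "carol"),
}
APPROVAL_THRESHOLD = 80  # assumed policy: write actions at or above this risk need a human
TUNING_RATIO = 0.6       # assumed: a rule auto-closed this often is a tuning candidate

@dataclass
class Alert:
    id: int
    rule: str
    user: str
    host: str
    severity: int
    risk: int = 0
    reason: str = ""

def see(raw_alerts):
    """See: normalize raw events into Alert objects. Read-only."""
    return [Alert(r["id"], r["rule"], r["user"], r["host"], r["severity"]) for r in raw_alerts]

def understand(alert):
    """Understand: enrich with asset and exception context, then score. Still read-only."""
    risk = alert.severity
    if alert.host in CRITICAL_HOSTS:
        risk += 20
        alert.reason = "critical asset"
    if (alert.rule, alert.user) in KNOWN_BENIGN:
        risk = 0
        alert.reason = "documented exception"
    alert.risk = min(risk, 100)
    return alert

def decide(alert):
    """Decide: (verdict, action). auto_close needs nobody; auto_act is read-only evidence
    collection the system may run unattended; escalate proposes a write action with blast
    radius, so a human makes the call."""
    if alert.risk == 0:
        return "auto_close", None
    if alert.risk >= APPROVAL_THRESHOLD:
        return "escalate", f"isolate {alert.host}"
    return "auto_act", f"collect triage artifacts from {alert.host}"

def act(alert, verdict, action, executor, approval_queue):
    """Act: run only actions that need no write access; queue the rest for approval."""
    if verdict == "escalate":
        approval_queue.append((alert.id, action))  # this queue is the Mean Time to Decision
        return "queued"
    if verdict == "auto_act":
        executor(action)
        return "executed"
    return "closed"

def feedback(alerts, verdicts, ratio=TUNING_RATIO):
    """Feedback: rules that mostly auto-close are detection-tuning candidates (shift left)."""
    per_rule = defaultdict(lambda: [0, 0])  # rule -> [auto_closed, total]
    for alert, verdict in zip(alerts, verdicts):
        per_rule[alert.rule][1] += 1
        if verdict == "auto_close":
            per_rule[alert.rule][0] += 1
    return sorted(rule for rule, (closed, total) in per_rule.items() if closed / total >= ratio)

def run_suda(raw_alerts, executor=lambda action: None):
    """Run the full loop once and report where the work actually landed."""
    alerts = [understand(a) for a in see(raw_alerts)]
    approval_queue, verdicts = [], []
    for alert in alerts:
        verdict, action = decide(alert)
        verdicts.append(verdict)
        act(alert, verdict, action, executor, approval_queue)
    return {
        "auto_closed": verdicts.count("auto_close"),
        "auto_acted": verdicts.count("auto_act"),
        "escalated": verdicts.count("escalate"),
        "approval_queue": approval_queue,
        "tuning_candidates": feedback(alerts, verdicts),
    }

if __name__ == "__main__":
    print(run_suda(SAMPLE_ALERTS, executor=print))
```

On the six constructed alerts this closes three, runs one read-only collection on its own, and still parks two containment decisions in front of a human. The interesting output is the tuning list: a rule whose alerts are being auto-closed because of documented exceptions is a rule that should be fixed at the detection layer, not triaged faster every day.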
Get the Full Report
This post is the highlight reel. The full report goes deeper:
The SecOps AI Shift Map framework for evaluating where AI actually operates
2025 landscape analysis across detection, triage, XDR, and automation layers
The Workflow Gravity thesis and why it matters more than Data Gravity
Platform building blocks and how to construct solutions beyond AI SOC
What this means for security teams, roles, and build-vs-buy decisions