This is Post 3 of 7 in the series “Building Security Operations That AI Can Run.”
The dominant organisational model for security operations divides the function into three teams that operate largely independently: a SOC that monitors and triages alerts, an incident response team that handles confirmed incidents, and a threat intelligence function that produces reports about external threats. Each team has its own tooling, its own metrics, its own reporting line, and its own definition of success. None of these metrics captures the thing that actually matters: whether findings from one function are systematically improving the performance of the others.
In a well-designed security operation, the three functions form a closed loop. The speed of that loop determines how much operational value it delivers. The chart below shows where most organisations lose the cycle time that makes the loop useful.
The first handoff — SOC alert to IR escalation — is usually the fastest part of the loop. Most organisations have reasonable escalation processes. The loop breaks at handoff 2: IR findings to Threat Intel. In most organisations this takes days to weeks, if it happens systematically at all. IR teams finish an engagement, write a report, and move on. The Threat Intel function gets the report eventually — if they get it at all — and by then the adversary has moved on too. The full cycle from alert to improved detection rule stretches to weeks or months. At that speed, the loop is not a feedback mechanism. It is a filing system.
Before AI can add value across this system, the system needs to be mapped and documented as a single connected process rather than three independent functions. That mapping covers the inputs and outputs of each function, the feedback mechanisms between them, and the expected cycle time at each handoff. Each handoff is a process step that can be instrumented, measured, and eventually automated. You instrument at the handoff points, not across the entire data environment. A SOC escalation to IR is a decision point worth capturing. An IR findings handoff to Threat Intel is a decision point worth capturing. Those are the points where AI closes the loop — and where the lack of a defined process means the loop never closes at all.
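One way to instrument the handoff points described above, as an added example and not the author's own code: a small Python script over a constructed handoff log that computes the cycle time of each handoff, flags handoffs that exceeded an expected cycle time, and lists incidents whose loop has stalled (for instance IR findings that never reached Threat Intel). The stage names, the expected cycle times and the timestamps are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# The loop as ordered stages; each adjacent pair is one handoff to instrument.
STAGES = ["soc_alert", "ir_escalation", "ir_findings", "ti_report", "detection_update"]
# Expected cycle time per handoff. Assumed values, not taken from the post.
SLA = {
    ("soc_alert", "ir_escalation"): timedelta(hours=4),
    ("ir_escalation", "ir_findings"): timedelta(days=5),
    ("ir_findings", "ti_report"): timedelta(days=2),
    ("ti_report", "detection_update"): timedelta(days=3),
}
# Constructed handoff log: (incident_id, stage reached, timestamp).
EVENTS = [
    ("INC-1", "soc_alert",        datetime(2024, 3, 1, 9, 0)),
    ("INC-1", "ir_escalation",    datetime(2024, 3, 1, 10, 30)),
    ("INC-1", "ir_findings",      datetime(2024, 3, 4, 17, 0)),
    ("INC-1", "ti_report",        datetime(2024, 3, 20, 12, 0)),
    ("INC-1", "detection_update", datetime(2024, 3, 22, 9, 0)),
    ("INC-2", "soc_alert",        datetime(2024, 3, 2, 8, 0)),
    ("INC-2", "ir_escalation",    datetime(2024, 3, 2, 9, 0)),
    ("INC-2", "ir_findings",      datetime(2024, 3, 6, 15, 0)),
]
NOW = datetime(2024, 3, 10, 9, 0)  # constructed report time

def _by_incident(events):  # -> {incident_id: {stage: timestamp}}
    grouped = defaultdict(dict)
    for inc, stage, ts in events:
        grouped[inc][stage] = ts
    return grouped

def handoff_times(events):
    """Elapsed time of every completed handoff, per incident."""
    return {inc: {(s, d): st[d] - st[s]
                  for s, d in zip(STAGES, STAGES[1:]) if s in st and d in st}
            for inc, st in _by_incident(events).items()}

def sla_breaches(events):
    """Completed handoffs that took longer than their expected cycle time."""
    return [(inc, h, t) for inc, hs in handoff_times(events).items()
            for h, t in hs.items() if t > SLA[h]]

def open_loops(events, now):
    """Incidents stalled at a handoff whose expected cycle time has already expired."""
    stuck = []
    for inc, st in _by_incident(events).items():
        for s, d in zip(STAGES, STAGES[1:]):
            if s in st and d not in st:
                if now - st[s] > SLA[(s, d)]:
                    stuck.append((inc, s, d, now - st[s]))
                break  # nothing downstream can start before this handoff
    return stuck
```

With the constructed log, INC-1 closes the loop but its IR-to-Threat-Intel handoff took almost sixteen days, and INC-2 is still sitting on delivered IR findings with no Threat Intel report, which is exactly the break at handoff 2 the post describes.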
The practical output of this step is an operational architecture document that describes what each function does, what it receives, what it produces, where handoffs happen, and what the expected cycle time of the feedback loop is. This document is what you hand to an AI engineer when you ask them to design augmentation for your operations. Without it, they will build something that optimises one function in isolation. With it, they can build something that compresses the cycle time across the whole loop — which is the only optimisation that actually reduces organisational risk.