Anwer Gertani

The Cyber Desk

SOC, IR, and Threat Intel: Three Different Paths to AI Maturity

April 19, 2026 · Anwer Gertani

SOCIncident ResponseThreat Intelligence

SOC automation is already mature in most enterprise environments. Threat Intel AI augmentation is deployable today. IR autonomy is furthest away. Forcing all three to move in lockstep is a mistake.

This is Post 5 of 7 in the series “Building Security Operations That AI Can Run.”

The three core functions of a security operation are at very different stages of readiness for AI augmentation, and the reasons are structural rather than technological.

SOCThreat IntelIRAgentic / Autonomous◎ TARGET○ LATERLLM-Augmented● NOW● NOW◎ TARGETML Automation● NOW● NOW● NOWManual / Ad-hoc● NOWSOCFastest · monthsManualML Automation← NOWLLM-AugmentedAgentic◎ TARGETThreat IntelMedium · 6–18 moManualML Automation← NOWLLM-Augmented◎ TARGETAgenticIRSlowest · yearsManual← NOWML Automation◎ TARGETLLM-AugmentedAgentic

SOC is the function most ready for AI augmentation right now. The alert triage decision — escalate or not-escalate, on a specific alert type, based on available context — is the canonical high-volume, well-defined decision that ML handles well. CrowdStrike documented a 27-second adversary breakout time in 2025. At that speed, human-only alert triage is not a viable primary detection mechanism for high-velocity attacks.

Large language models add a distinct capability layer on top of ML-based triage in the SOC. Where an ML model identifies that an alert is statistically anomalous, an LLM can contextualise why it might be significant. LLM-powered alert enrichment compresses the information-gathering step that precedes every analyst decision — which at sub-minute adversary breakout times is the operational difference between detection before lateral movement and detection after it. LLM augmentation in the SOC also introduces prompt injection risk: any LLM that processes adversary-controlled content can potentially be manipulated by content crafted to alter its reasoning.

Threat Intel is where LLMs deliver the most immediate and least-contested value. The core work of Threat Intel — correlating disparate intelligence sources, synthesising malware analysis findings into analyst-ready reports, tracking adversary behaviour across campaigns — is semantic work that LLMs handle well. Most enterprise Threat Intel teams are producing a fraction of their potential output because the synthesis step is manual. LLMs eliminate that bottleneck entirely, without requiring the long trust-building process that SOC automation demands.

Incident response is where AI autonomy should be approached most carefully. The decisions that matter most in IR carry legal, financial, and reputational consequences that require human accountability. Agentic AI can execute the information-gathering that feeds IR decisions in seconds rather than hours — but the decisions themselves should remain with a human. The practical implication is three parallel maturity tracks, each incorporating both ML and LLM capabilities at different points, running at their own pace rather than synchronising artificially.

← All writing