AI-powered SOCs are dominating industry conversations, yet security leaders remain split on whether a truly autonomous SOC can ever exist. Despite certain vendors aggressively marketing fully autonomous SOC solutions, Gartner's analysis "Predict 2025: There Will Never Be an Autonomous SOC" suggests solutions in the market are unlikely to deliver against claims of full autonomy.
As someone who has run SOCs, I agree. Full autonomy isn’t the answer. What security teams really need is a flexible way to layer AI into their workflows without sacrificing control or reliability.
Today, I am excited to share how customers can use AI Agents in Tines to build AI SOC workflows.
There is no one-size-fits-all approach to an AI SOC. We believe the most effective implementations require consideration of your requirements. With our expert team, we’ll get you up and running promptly with your AI SOC.
How we got here
Security teams face a multitude of challenges today including alert fatigue, skill shortages, and burnout, and AI is well-positioned to help solve these challenges. Having led SOC teams myself, I’ve seen firsthand how relentless alert volume can wear down even the best analysts. That’s the reality AI has to address. Unfortunately, most AI SOC solutions today demo well but fail to provide the flexibility needed in a real SOC.
When customers repeatedly asked, 'Can Tines serve as my AI SOC backbone?', we were inspired to take action. We assembled a team to build a prototype AI-powered SOC using agents in Tines. The initial team included colleagues from our labs and security teams and our Field CISO, Matt Muller.
How we built it
When launching our prototype, our top design goal, based on my experience as a security practitioner and conversations with our customers, was to combine both autonomous and deterministic workflows to ensure maximum flexibility and agility. With other solutions in the market, security teams are forced to adopt rigid frameworks, limiting their ability to select the best AI strategy for each of their unique use cases.
We developed our prototype directly in our own production Tines tenant to validate AI SOC workflows against authentic data and real-world requirements that mirror our customers' environments. This wasn’t a lab experiment; we wanted to stress-test it in the same way our customers would. As with all other AI features in Tines, security and governance remained a top priority. While our prototype leverages AWS Bedrock-powered AI within Tines, customers can integrate their preferred AI models for AI SOC workflows.
During our initial prototype development, we continuously evaluated whether AI integration would provide genuine value or if a deterministic workflow could be just as effective. Following comprehensive testing of our AI SOC workflows, we've successfully deployed them both within our internal production environment and across multiple customer tenants.
What we learned
As a security practitioner myself, diving headfirst into building this prototype was exciting, and the team walked away with five key insights:
1. AI is a layer of the SOC, not a replacement: AI alone cannot carry the SOC. You also need deterministic workflows for reliability, repeatability, and governance. In a blog by my co-founder Eoin Hinchy earlier this year, he shared, “Even as AI continues to evolve, it will serve primarily to augment human expertise, not replace it.” This statement remains true, and while AI SOC workflows are powerful, they will not completely replace analysts. Frankly, if a vendor tells you otherwise, you should be skeptical.
2. Interoperability is critical: When building AI SOC workflows, security teams need the ability to orchestrate across their own agents, third-party agents, and platforms. Each AI SOC has distinct needs, making it essential for organizations to have the flexibility to choose the best AI strategy across their security operations.
3. Frameworks still apply: Even when leveraging AI, it is still important to follow proven workflow automation frameworks, such as our SOC Automation Capability Matrix. Adhering to proven frameworks ensures repeatability and security across your autonomous and deterministic workflows.
4. Configuration vs. time-to-value trade-off: According to the SANS SOC Survey, generative AI tools scored lowest in satisfaction across all technologies measured, and 42% of respondents use AI/ML tools "out of the box" with no customization. This data aligns with what I've observed in the field: security practitioners are often impressed by AI security tools during demos, only to discover post-purchase that these solutions lack flexibility and fail to scale effectively. One size does not fit all. A highly regulated organization, like a financial institution, will have different requirements, a different technology stack, risk tolerance, and budget than a tech startup. These differences must be considered when building AI SOC workflows.
5. Consumption control matters: Regardless of the model used, AI comes at a cost. When developing our prototype, we carefully evaluated which non-AI deterministic workflows worked just as well as those that incorporated AI, helping us understand where we could modify and reduce costs.
Our recommendations
I recently hosted a webinar on The Hacker News about where AI fits in modern automation. On this webinar, I discussed how the future of workflows is not limited to a single approach, and organizations will continue to leverage a mix of human-led, deterministic and agentic workflows. The same is true for security operations teams. To select the optimal approach for specific workflows, security teams must evaluate predictability, risk tolerance, complexity, and scale. Check out this diagram that outlines our recommendations based on this framework:

Next Steps
The SOC deserves real solutions, not hype. Our team is here to support you on your AI journey and help determine the best approach for your most important workflows. Now is the time to check it out for yourself. For more information, join our upcoming webinar and see how SAP built an AI SOC with Tines. Let's build a smarter, more efficient SOC together.