SOAR in the AI era: How SAP uses intelligent workflows to build an AI SOC

Written by Thomas Kinsella, Co-founder and CCO, Tines

Published on December 4, 2025

SOAR was created to help security teams work faster and more consistently by automating and orchestrating core security operations. It has always had to adapt to new and evolving technologies, but our current AI era has brought about a turning point. As cloud environments scale, manual playbooks can’t keep up. Now, it’s not enough to automate. We need systems that can understand the context they’re running in and adapt accordingly.

At Tines, we call this next phase the AI SOC. It’s built on intelligent workflows that combine deterministic automation with AI agents and humans-in-the-loop. This lets teams investigate faster, at unprecedented scale, and with less analyst time and effort – ultimately freeing your team to focus on more complex, impactful work.

SAP, the largest non-American software company by revenue, is one of the innovators reimagining SOAR in the age of AI. In our recent webinar, Intelligent workflows: SAP’s approach to SOAR in the AI era, I spoke to Roland Costea, CISO, Enterprise Cloud Services at SAP, and Mark Michel, Director of Sales and Operations at LC Systems, to learn how SAP is using intelligent workflows and modern SOAR to manage one of the most complex environments on the planet.

Watch the on-demand webinar to learn more, or read on for some key takeaways.

New challenges create new opportunities 

According to Roland, there are two big shifts that have shaped how we think about SOAR in the last year. 

The first is that detection has gotten more prolific and more complex. Today, SAP processes close to 100 terabytes of data every day. That’s a 100% increase compared to three years ago. Every new data source comes with different operational challenges, rules, and manual checks, meaning triage workload has surged for small incident response teams.

The second is the rise of AI and advanced detection engineering. New tools for normalization, correlation, and analytics create both complexity and opportunities. Leveraging automation at scale could help teams deploy 5–6x faster than before – but if done the wrong way, it could introduce risk and compliance issues.

To navigate these shifts, teams must look to AI orchestration. “If we can orchestrate intelligently, we can move from reactive manual processes to intelligent, auditable operations,” says Roland. “The goal is not to replace people, it’s to empower them. We want automation that can improve speed and give us consistency to be able to have proper governance on auditability.”

For SAP, this became their guiding priority: speed without sacrificing control, and AI and automation that increases trust rather than hiding it.


Rethinking SOAR in terms of business impact 

In the past, SAP’s incident response process was heavily manual and fragmented. An alert would require an analyst to go into multiple different tools just to collect basic context. Each investigation took up a lot of valuable analyst time, driving up the cost per incident even when the incident wasn’t critical or even high-priority.

This way of working was slow, inconsistent, and not auditable. This didn’t just introduce operational risk and delays into everything they were doing – it also limited the level of customer experience they could deliver.

When thinking about how to evolve SOAR, Roland and team framed it in terms of tangible outcomes they wanted to achieve. Their goals were to reduce noise and waste, avoid redundant work, and minimize error. This translated to metrics like:

  • Lowering mean time to resolution (MTTR)

  • Improving consistency

  • Lowering time spent on detection engineering

They also wanted to find new ways to optimize performance. “If in one year, I can do 100 manual fine-tune deductions, I want to see how I can do 500,” says Roland. “That’s not about putting people to a problem. It’s about achieving speed improvements in certain workflows in a way that’s verifiable, compliant, sustainable, scalable, and that can be trusted.”

Getting back to basics to create a solid foundation 

SAP started by automating repetitive tasks that slowed analysts down, like:

  • Enrichment and evidence collection: Playbooks pull CMDB entries, configuration data, proxy logs, and identity information into a single view so analysts don’t have to hunt for data.

  • Deduplication and confidence scoring: Alerts that are clearly duplicates are collapsed, while others get a confidence score that helps prioritize attention.

  • Automated incident creation: Where appropriate, Tines orchestrates creating the incident in the ticketing system with the evidence already attached.
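The three steps above can be sketched as one small triage pipeline. This is an added example, not SAP's or Tines' code: the alert fields, the CMDB and identity lookups, the 15-minute deduplication window, the score weights and the incident threshold are all assumptions, and the sample alerts are constructed.

```python
# Constructed sample data; field names, weights and thresholds are assumptions.
CMDB = {"web-01": {"criticality": "high", "owner": "payments"},
        "dev-07": {"criticality": "low", "owner": "sandbox"}}
IDENTITY = {"svc-backup": {"privileged": True}, "jdoe": {"privileged": False}}
ALERTS = [
    {"id": 1, "rule": "impossible_travel", "host": "web-01", "user": "svc-backup", "ts": 1000},
    {"id": 2, "rule": "impossible_travel", "host": "web-01", "user": "svc-backup", "ts": 1120},
    {"id": 3, "rule": "port_scan", "host": "dev-07", "user": "jdoe", "ts": 1200},
    {"id": 4, "rule": "impossible_travel", "host": "web-01", "user": "svc-backup", "ts": 9000},
]
DEDUP_WINDOW_S = 900        # alerts this close together count as one event
INCIDENT_THRESHOLD = 0.6    # at or above this, open a ticket automatically

def enrich(alert):
    """Attach asset and identity context so the analyst gets a single view."""
    return {**alert,
            "asset": CMDB.get(alert["host"], {"criticality": "unknown"}),
            "identity": IDENTITY.get(alert["user"], {"privileged": False})}

def deduplicate(alerts):
    """Collapse alerts sharing (rule, host, user) that arrive within the window."""
    groups, open_group = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["host"], a["user"])
        g = open_group.get(key)
        if g is not None and a["ts"] - g["last_ts"] <= DEDUP_WINDOW_S:
            g["duplicates"].append(a["id"])
        else:
            g = {**a, "duplicates": []}
            groups.append(g)
            open_group[key] = g
        g["last_ts"] = a["ts"]
    return groups

def confidence(alert):
    """Additive score: asset criticality, privileged identity, repeat sightings."""
    score = 0.3
    score += 0.3 if alert["asset"]["criticality"] == "high" else 0.0
    score += 0.2 if alert["identity"]["privileged"] else 0.0
    score += 0.1 * min(len(alert["duplicates"]), 2)
    return round(score, 2)

def triage(alerts):
    """Enrich, deduplicate, score, then pick the next step per surviving alert."""
    results = deduplicate([enrich(a) for a in alerts])
    for g in results:
        g["confidence"] = confidence(g)
        auto = g["confidence"] >= INCIDENT_THRESHOLD
        g["action"] = "create_incident" if auto else "queue_for_review"
    return sorted(results, key=lambda g: -g["confidence"])
```

Each record returned by `triage` already carries its asset, identity and duplicate evidence, so the ticket created for a `create_incident` result needs no further lookups.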

They also questioned the manual processes and old ways of thinking. “Before, it was, ‘Enable this log, send it to the SIEM’,” says Roland. He asked, “Okay, why do I have to do that? How is this log helping me? Do we need to collect the full log or is 1% enough? What kind of patterns from this dataset do you need to be able to successfully create that detection logic?”

When you collect 100 terabytes of data every day, these are questions that matter. “There are data architecture decisions that we had to take to be able to get to the level where we can orchestrate,” Roland says.

The results were immediate and measurable, with 3–6x speed improvements for certain workflows, less rework, and reductions in MTTR.

Taking SOAR to the next level with intelligent workflows  

Once SAP had created a solid automation foundation, they wanted to build on it with context using AI-driven insights, workflows, and decision-making. 

Here’s how they moved from playbooks to intelligent workflows:

  • Explainability is critical to the process. AI flags suspicious activity and generates the risk summary, giving humans the necessary context so they can validate, escalate, or tune. In other words: AI handles the “what” and “why” and humans own the “so what?” 

  • Closed feedback loops teach models what’s useful vs. what’s noise. Analyst decisions feed back into detection pipelines to continuously improve AI models.

  • Specialized AI agents collaborate to execute parts of the workflow. Agents handle detection tuning, case correlation, and info sharing, while analysts approve changes. This way, the system evolves autonomously and remains auditable.

Together, these components make up intelligent workflows: automation handles repetitive tasks and data-intensive work, AI provides explainable insights, and human analysts focus on judgment and governance.
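A minimal sketch of that division of labor, added here as an example and not taken from SAP or Tines: an agent may only flag activity with a risk summary attached, an analyst records one of the three verdicts named in the list above, every step is time-stamped in an audit log, and the verdict is counted as feedback per detection rule. The class and field names, the agent and analyst names, the sample findings and the choice to treat "tune" as the noise signal are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

VERDICTS = ("validate", "escalate", "tune")   # the analyst's options named above

@dataclass
class Finding:
    rule: str
    risk_summary: str        # the agent's "what" and "why"
    proposed_change: str     # tuning the agent suggests; applied only on approval

@dataclass
class Workflow:
    audit_log: list = field(default_factory=list)
    feedback: dict = field(default_factory=dict)   # rule -> useful/noise counts
    applied: list = field(default_factory=list)    # analyst-approved changes

    def _record(self, actor, action, finding, reason):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "rule": finding.rule, "reason": reason,
        })

    def flag(self, agent, finding):
        # Explainability gate: a finding without a summary never reaches a human.
        if not finding.risk_summary.strip():
            raise ValueError("finding has no risk summary")
        self._record(agent, "flagged", finding, finding.risk_summary)
        return finding

    def decide(self, analyst, finding, verdict, reason):
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict: {verdict}")
        self._record(analyst, verdict, finding, reason)
        counts = self.feedback.setdefault(finding.rule, {"useful": 0, "noise": 0})
        counts["noise" if verdict == "tune" else "useful"] += 1
        if verdict == "tune":   # detection logic changes only on analyst approval
            self.applied.append(finding.proposed_change)

def run_demo():
    """Constructed scenario: one noisy rule gets tuned, one real alert escalates."""
    wf = Workflow()
    noisy = wf.flag("tuning-agent", Finding(
        "port_scan", "Scanner 10.0.0.5 is the approved vulnerability scanner.",
        "exclude 10.0.0.5 from port_scan"))
    wf.decide("analyst-a", noisy, "tune", "confirmed with asset owner")
    real = wf.flag("correlation-agent", Finding(
        "impossible_travel", "Privileged login from two countries in 5 minutes.", ""))
    wf.decide("analyst-b", real, "escalate", "credential compromise suspected")
    return wf
```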

We want AI to handle the ‘what’ and ‘why’ and humans to own the ‘so what?’

Roland Costea, CISO, Enterprise Cloud Services at SAP

Looking to the future: SAP’s roadmap to an AI SOC 

SAP is consistently fine-tuning their processes, making them better month by month. As they build their roadmap to an AI SOC that’s resilient, compliant, and trusted, Roland shared what they’re focusing on:

Proactive operations: Where possible, the team wants to move from reactive to proactive ways of working to preemptively address issues. “I want automation and AI to identify possible risks or emerging risks and actually recommend remediation paths before there’s an impact,” Roland says.

Human-AI collaboration at scale: We think a lot about improving collaboration within teams, but the next big question is, “How can we work better with AI?” To maximize effectiveness, Roland recommends that analysts become friends with it. “Analysts need to learn how to better interpret and challenge the output of AI, not just accept it as truth,” he says. “They need to focus more on analytical reasoning. Automation literacy will become a core skill for analysts.”

Closed-loop learning: AI evolves as you use it, making a powerful case for adopting it sooner rather than later. “Every input or decision that we take as humans actually feeds back into the AI detection logic, making the future response or action better.”


Embedded compliance and explainability: Every decision or action must be easily evidenced. It needs to be time-stamped, explainable, and traceable. “This is critical for the overall audits and regulatory frameworks we need to adhere to in different countries around the world,” Roland says.

Flexible infrastructure: Different use cases require different approaches, and it’s important not to get boxed in to doing things one way only. “We want to choose between deterministic, autonomous, hybrid, and even manual workflows depending on the risk and comfort level we have either for that use case or in general as a company,” Roland says. This flexibility allows teams to run AI securely within their cloud environment.

From automation to autonomy 

Since implementing intelligent workflows, SAP has seen improvements in core KPIs – like faster detection times, fewer missed alerts, and higher analyst capacity and efficiency – without compromising on non-negotiables like analyst oversight and compliance.

“The bottom line is that we’re not automating for the sake of automation or AI or because it’s a buzzword,” Roland says. “We’re automating to scale the trust and deliver the reliable, auditable, and fast security operations for our customers. That’s the main goal.”

Want to get more expert insights and start building your own AI SOC? Watch the full webinar on-demand now.
