
Should SOCs Drop Tiered Models Altogether?

Qevlar AI team

As AI continues to automate routine security tasks, the traditional tiered SOC model faces an existential question: if machines handle L1 and L2 work, do we still need tiers at all?
In this conversation, Rob Van Os, strategic SOC advisor and SOC-CMM expert with years of experience building and maturing security operations centers, discusses what organizational structures will emerge and how teams can prepare for this shift.

Ahmed Achchak, CEO and co-founder of Qevlar AI, speaks with Rob about the future of SOC organization, the skills analysts will need, and why some companies will resist change longer than they should.

In this interview, Ahmed and Rob explore:

→ Why the tiered SOC model is becoming obsolete as AI matures

→ How to develop junior analysts when AI handles routine alerts

→ The new engineering skills SOC teams will need

→ Why the fully autonomous SOC may not be viable for complex environments

→ What major companies will do in the next three to five years

Shifting From Tier-Based SOCs to Skills-Based SOCs

Ahmed Achchak: Let's assume AI automates L1 and L2 tasks: alert triage, investigation, and so on. What organizational structure emerges from this? Are we looking at specialized roles like AI orchestrators and complex case specialists, rather than traditional tiers?

Rob Van Os: We're seeing this transformation happen right now. AI is being introduced into the SOC, and both the deployments and the AI systems themselves are becoming more mature and capable. This is fundamentally changing how we can do security operations.

The tier one and tier two levels are where you can get the most automation done because these are the less complex tasks. If you have a very tiered model and you're aiming for high-level automation through AI and other tools in those lower tiers, it will transform how these tiers are used. Will it remove them entirely? I'm not fully sure. It depends on the effectiveness of the AI and the trust you can put into it.

Ultimately, we'll need new roles in the SOC. We'll need people who can talk to these AIs, configure them, train them. A deeper understanding of AI on the engineering side is required to make that transition happen.

The Trust Factor: Why Confidence Matters More Than Capability

Ahmed Achchak: You mentioned two critical things: the performance of the AI itself and trust, which I think gets neglected when it comes to security operations. If you want to deploy an AI to production dealing with real alerts, you definitely need to build trust in the tool before you can achieve that.

Rob Van Os: Exactly. We need a certain level of trust that the machine will do the right thing. This is already a challenge in many organizations. They apply automation, but not response automation, because it's deemed dangerous. This has to do with context.

When is it dangerous to automate isolation of a host? Well, if that host is part of your critical assets and you isolate it, you'll probably disrupt a business function. That's what people are afraid of. But what they're actually afraid of is that we don't know what our assets are exactly. We don't know where our assets are and what their business function is, so we don't dare to isolate them automatically.

What we need to do is at least have that information, but also establish a level of trust that the machine will make the right decisions. We can do that by supervising the decision-making of the machine. When we have that level of trust—say about 99%+ of what the machine does is correct—does there need to be a human in the loop? I would say no, because humans can make mistakes just as well.

The Junior Analyst Problem: How Do You Train When AI Does the Work?

Ahmed Achchak: Your SOC-CMM framework emphasizes capability maturity. But if we abandon the tiering system, how do we solve the fundamental problem of developing junior analysts? They don't get to cut their teeth on routine alerts anymore since the AI is handling them.

Rob Van Os: This is one of the challenging questions I've discussed recently with people from the education sector in the Netherlands who provide cybersecurity education to students. They were asking the same thing: what is AI going to mean for the learning curve?

If you look at papers that Google and Deloitte have written on "skills before tiers"—a skills-based SOC rather than a tiers-based SOC—there's a different way of approaching it. You can still have a learning curve in those skills, but not necessarily confined to a tier.

If you apply more automation, you automatically go in the direction of a more skills-based SOC than a tiering-based SOC with hard limits on what you can do. Since AI will do the bulk of easier tasks, you'll have to have a learning curve together with a more senior analyst, looking at the more complex tasks that aren't fully automated yet and learning from those things together.

It will shift from the tier-based SOC to the skills-based SOC.

The Economics of AI: Does the Cost Model Still Work?

Ahmed Achchak: From a business perspective, tiered models were designed for cost efficiency. Junior analysts handled volume, senior analysts handled complex cases. With AI handling volume, does the economic justification for the tiering model collapse, or do we need a new cost model?

Rob Van Os: You're right about cost effectiveness. Tiering is a cost-effective way to manage resources. You don't let people with high skill levels deal with relatively simple tasks—you give them tasks appropriate to their knowledge level.

What we see now is we're trying to aim for high-level automation in the lower tiers. But there will still be customers who want monitoring done by an MSSP. If you use an MSSP, you have to do the incident response yourself—the MSSP SOC does the detection, but you do the follow-up within your own organization.

From a customer perspective, how the MSSP does it doesn't really matter. Whether they use AI or a skills-based SOC or a tier-based SOC, it's all about the results. AI should make the SOC more cost-effective.

But I don't see it as a full replacement of Tier 1. What I see is we'll replace the activities we did in Tier 1 and take the people currently working there and assign them slightly different tasks. Those tasks will include more engineering skills. When we go into a more AI-driven SOC, we'll need to enhance our engineering skills within the SOC.

The New Skill Set: What "Engineering" Really Means

Ahmed Achchak: Do you have any specific ideas about what you mean by engineering skills? On our platform, for example, AI performance relies on the quality of data it has access to. If I get an alert about malware but don't have access to EDR data, the AI can't reach a meaningful conclusion. We have a feature that says, "I would have liked to check source A, B, C, but I haven't been given access. Can you grant me access?" Was that the kind of detection engineering skill you were thinking about?

Rob Van Os: That's part of it. I think detection engineering, automation engineering, and AI engineering will become specialized skills within the SOC. Building detection rules, tuning those rules, and CTI will still have a very strong presence since we're trying to match our capabilities with attacker capabilities.

The engineering will go into the detection part, the automation part, and the configuration, training, and maintenance of AI. What you mentioned is more like systems engineering, making sure the AI has access to the right data.

I wrote an article last week about having access to the right data for the autonomous SOC. For a fully autonomous SOC, you need infrastructure context, business context, infrastructure logic... What happens if I isolate one node and what does it do to the rest of the infrastructure? You need all that business context for automated decision-making.

If you don't have that information, you'll still need some level of validation for most cases. That's why I believe the fully autonomous SOC is probably not viable, especially for bigger, more complex environments with legacy systems. You should probably go for a partially autonomous SOC.

Learning from MSSPs: A Surprising Parallel

Ahmed Achchak: I tend to compare autonomous SOCs to MSSPs in a way. I'm not saying AI will replace MSSPs—I don't believe that myself. But it's similar in that MSSPs need access to data on the customer side to be effective. And for them to run remediations, they often need access to tenants or EDR, which they don't always have. Maybe AI SOC companies can learn from how MSSPs have managed to onboard customers.

Rob Van Os: That's an interesting comparison. There's a different business model behind an MSSP than an in-house SOC. The in-house SOC is a cost center; the MSSP is a profit center. That's a completely different starting point.

For an MSSP, it's very important to reduce and optimize costs to be commercially viable and competitively priced. The MSSP tries to scale really well, so they deal with the same types of alerts the same way for all customers. They're not looking for specials for individual customers because if you have specials for a hundred customers, the cost will be extreme—you can't scale.

You're less reliant on the specific context of the organization, which makes it easier to implement autonomous AI in tiers one and two. You're mostly dealing with generic infrastructure components similar for all clients—they all have Microsoft environments, similar servers, the same cloud features. It's reasonably predictable and generic, and that's where you can really scale up.

Avoiding Shadow Hierarchies

Ahmed Achchak: How do we avoid what we might call the shadow tiering problem, where some analysts inevitably become the default for hard cases, which recreates the hierarchy and goes against removing the tiering system in the first place?

Rob Van Os: If you look at the SOC-CMM model, it represents a SOC across five domains: business, people, processes, technology, and services. This is a problem that sits in the people domain, and you tackle it through proper knowledge management.

Why does a case go to a single person? Because that person has the knowledge and skill set. If that knowledge and skill set is unique, you have a go-to person, but you also have a problem—a single point of knowledge in your team. Knowledge management in SOC-CMM specifically addresses this issue.

We want a good overview of what knowledge sits where, who has what knowledge and skills. We connect that to a training and education program. That's the whole idea of maturity in that particular domain. It's a bigger problem than just having a go-to person because that person might leave your organization, and then there's nobody to go to. It's something you want to tackle immediately.

Will Companies Abandon Tiered Models in 5 Years?

Ahmed Achchak: Given your research and expertise, if you had to make a prediction: will we see major companies abandon the tiered SOC model within the next three to five years, or will they cling to it?

Rob Van Os: They'll probably cling to it longer than they should. Will we see that change? It depends on how effective they are in adopting AI.

AI has a lot of potential, but will it work in every situation? I'm not sure, because it requires specific knowledge and engineering. When we look back about ten years to the introduction of SOAR and the promise of automation, some organizations have been really effective in automating a lot of their security operations. Others have been running SOAR for years and have hardly had any real benefits.

It really depends on whether they're able to effectively leverage the tooling. I think that's the biggest thing.

Looking Forward

As AI continues to mature and prove its capabilities in security operations, the question isn't whether SOC structures will change, but how quickly organizations will adapt. Rob's insights suggest that the path forward lies not in wholesale replacement of existing models, but in thoughtful evolution toward skills-based teams equipped with new engineering capabilities.

The winners in this transition won't necessarily be those who move fastest, but those who build the right foundation: trust in their AI systems, knowledge management practices that prevent shadow hierarchies, and access to the contextual data that makes automated decisions reliable.

For organizations still clinging to traditional tiers, the message is clear: the cost model that justified the old structure is already shifting beneath your feet.
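The interview's recurring point is that response automation is only safe when the machine has the context to judge the blast radius: whether the host is in the inventory at all, what business function it serves, what depends on it, whether the AI actually had access to the telemetry it needed, and whether its decisions have been supervised long enough to earn trust. The following is an added example of that gating logic and is not code from the interview or from Qevlar AI's platform. The asset inventory, the alert shape, the source names (`edr`, `auth`), and the 99% thresholds are all assumptions chosen for illustration.

```python
"""Context-gated host isolation for a partially autonomous SOC.

Added example, not from the interview or any vendor product. Every asset,
threshold and source name below is an assumption made for illustration.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: the business context the interview says you
# need before a host may be isolated without a human. "dependents" models
# the "what happens to the rest of the infrastructure" question.
ASSETS = {
    "ws-0142": {"criticality": "low", "function": "developer workstation",
                "dependents": []},
    "db-prod-01": {"criticality": "high", "function": "order database",
                   "dependents": ["web-prod-01", "web-prod-02"]},
    "web-prod-01": {"criticality": "medium", "function": "storefront",
                    "dependents": []},
}

# Assumed policy knobs: which telemetry the AI must have been able to consult,
# and how confident it must be. Tune both from supervised runs, not guesses.
REQUIRED_SOURCES = {"edr", "auth"}
AUTO_CONFIDENCE = 0.99


@dataclass
class Alert:
    host: str
    verdict: str                 # "malicious" | "benign" | "undetermined"
    confidence: float            # AI triage confidence, 0.0 .. 1.0
    sources_checked: list[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str                  # "auto_isolate" | "require_approval" | "no_action"
    reason: str                  # recorded for the audit trail


def decide_isolation(alert: Alert, inventory=ASSETS) -> Decision:
    """Return what the SOC may do automatically for this alert.

    Anything the machine cannot justify from context falls back to a human,
    which is the "partially autonomous" mode the interview argues for.
    """
    if alert.verdict != "malicious":
        return Decision("no_action", f"verdict is {alert.verdict!r}")

    # The AI could not consult the data it needed: do not trust the verdict.
    missing = REQUIRED_SOURCES - set(alert.sources_checked)
    if missing:
        return Decision("require_approval",
                        f"AI lacked access to {sorted(missing)}")

    # Unknown asset: the case where "we don't know what our assets are".
    asset = inventory.get(alert.host)
    if asset is None:
        return Decision("require_approval", "host not in asset inventory")

    # Known critical asset, or one that other systems depend on.
    if asset["criticality"] == "high" or asset["dependents"]:
        deps = ", ".join(asset["dependents"]) or "none"
        return Decision("require_approval",
                        f"{asset['function']} is critical; dependents: {deps}")

    if alert.confidence < AUTO_CONFIDENCE:
        return Decision("require_approval",
                        f"confidence {alert.confidence:.2f} below {AUTO_CONFIDENCE}")

    return Decision("auto_isolate",
                    f"non-critical {asset['function']} at confidence "
                    f"{alert.confidence:.2f}")


def can_remove_human(review_log: list[tuple[str, str]],
                     threshold: float = AUTO_CONFIDENCE) -> bool:
    """Decide from supervised-mode history whether the loop can be closed.

    review_log holds (machine_action, analyst_action) pairs collected while a
    human still approved every decision. Only when the machine agrees with the
    analyst at or above the threshold (the interview's "99%+") should the
    approval step be dropped. An empty log never qualifies.
    """
    if not review_log:
        return False
    agree = sum(1 for machine, analyst in review_log if machine == analyst)
    return agree / len(review_log) >= threshold


if __name__ == "__main__":
    for a in (Alert("ws-0142", "malicious", 0.995, ["edr", "auth"]),
              Alert("db-prod-01", "malicious", 0.999, ["edr", "auth"]),
              Alert("legacy-99", "malicious", 0.999, ["edr", "auth"]),
              Alert("ws-0142", "malicious", 0.995, ["edr"])):
        d = decide_isolation(a)
        print(f"{a.host:12} {d.action:17} {d.reason}")
```

The order of the checks is deliberate: data access and inventory membership are evaluated before confidence, because a confident verdict reached without the right telemetry, or about a host nobody can place, is exactly the case the interview warns against automating. `can_remove_human` is the measurable form of "supervise the machine until you trust it"; the threshold and the required-source set are policy choices to be set per environment.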

🎧 Listen to the full episode on Spotify

🍏 Listen to the full episode on Apple Podcasts
