
The MSSP vs. Enterprise SOC: How Autonomous AI Changes the SOC Service Model

Qevlar AI team

Enterprise SOCs and MSSPs operate under entirely different business models, and these structural differences are creating divergent paths for AI adoption. One operates as a profit-driven service with standardized processes, while the other functions as an internal capability shaped by unique organizational needs, with each presenting distinct opportunities and challenges for AI implementation.

Ahmed Achchak, co-founder and CEO of Qevlar AI, discussed with Erik Bloch, VP of Security at Illumio, what approach MSSPs and enterprises need to use when it comes to adopting AI. With over 30 years in cybersecurity and leadership roles at Salesforce and Atlassian, Erik brings a unique perspective on both sides of the SOC equation.

In this interview, Ahmed and Erik discuss:

→ Why AI adoption patterns differ dramatically between MSSPs and enterprises

→ How autonomous agents could solve the personalization vs. scale challenge for both models

→ The fundamental trade-offs between standardized processes and bespoke security operations

→ What both MSSPs and enterprises can learn from each other's approach to AI integration

For security leaders evaluating their SOC strategy and AI vendors promising autonomous operations, this conversation provides essential insights into where AI can deliver real value today—and where the hype exceeds reality.

MSSP vs. Enterprise Divide: What's the Main Difference?

Ahmed Achchak: Erik, you've mentioned that MSSP SOCs are a "noun" — a product — while enterprise SOCs are more of a "verb" or capability. How does this fundamental difference shape the types of AI use cases each model is best positioned to adopt?

Erik Bloch: This is something I've given a lot of thought to, having worked on both sides. I've led security operations at large enterprises like Salesforce with their massive SOC, Atlassian, and smaller companies like Sprinklr. But I've also worked at NTT, one of the largest MSSPs, in their advanced services SOC facility in Sweden.

When I say an MSSP SOC is a "noun," it's because it literally is a thing: a place, a product, a profit center that you're selling as a service to make money. Versus an enterprise SOC, which is more like the IT help desk. It's a capability or function you're providing to the company where all kinds of things get dumped in and handled on the other side.

An MSSP delivers a uniform service to all clients, while an enterprise SOC is far more bespoke and custom to whatever that specific enterprise does and needs. When you bring AI into the equation, this difference becomes crucial. At Salesforce, when I started the security data science team, I assumed we could just bring in generic use cases and make them work. But they don't because every company is different, their networks are different, their equipment is different.

The solution you have to build is almost bespoke, like how you see SOAR platforms today with 50 different runbooks for handling phishing emails because everyone's infrastructure is different. Versus an MSSP where you're delivering that uniform service. From my perspective, the MSSP use cases are far more narrow, and AI today is far more capable of tackling those versus all the bespoke corner cases enterprises are running.

Will AI Drive Convergence or Divergence?

Ahmed Achchak: That's fascinating, especially since one of the hardest challenges for AI is dealing with context to understand the specificity of each organization. Let's assume autonomous AI does its job well and can handle high volumes of alerts as effectively as humans. Do you see enterprise SOCs adopting more standardized workflows using AI, while MSSPs push deeper into customer-specific value?

Erik Bloch: That's interesting because I know a lot of enterprises. The problem they face today isn't necessarily a lack of tooling. It comes down to a lack of process. Everywhere I've been, from large organizations to tiny startups, how they get from point A to point B — from a noise being made to resolving it — is completely different. How we did investigations at Salesforce was 100% different than at Atlassian, but the inputs and outcomes are the same.

There's no rhyme or reason, no best practice for how to SOC. I mean, there are NIST guidelines and SANS guidelines, but they're kind of one-size-fits-all. If you're a thousand-person company, your needs are vastly different than a 50,000-person company.

I hope larger companies will adopt better processes, because that's what's broken in security operations today: the lack of process, measurements, or metrics to see what you're doing and the value you're delivering. Today it's just a flood of things coming out, you tackle as much as you can, and report that you handled 2,000 events this month.

MSSPs know what they're doing. They know exactly how much every alert costs, exactly how much data every person processes. They're a profit center, so they want to maximize profits. They know their numbers, their metrics, what works and what doesn't, because their customers are going to ask them.

Enterprises are just playing whack-a-mole every day. Unless they adopt some type of process with measurements and metrics, they'll be on this hamster wheel forever. Tools aren't going to solve a process problem. Even if you bring them the AI tool that does everything, if there's no process to plug it into, it won't do anything.

The Context Challenge: Can AI Bridge the Gap?

Ahmed Achchak: That process point is crucial. But let's assume AI helps MSSPs scale in a context-aware fashion, so they can come close to the context of each customer without sacrificing efficiency. Do you think autonomous agents can unlock that level of personalization?

Erik Bloch: I'm still wondering about that myself. Having been involved in the data science space, I see the challenges teams run into. A lot of teams start from the same place: we have all this data, how do we find the bad things? I find it's far easier to remove the haystack, or most of it, rather than looking for the needle.

You can use statistical modeling and machine learning to weed out 80% of the noise, leaving a much smaller subset for AI to tackle. But enterprises start from the inverse: how do we find the bad things? Data scientists come to security teams asking for TTPs and IOCs, and the incident response guys are swamped, so they're just tossing stuff at the wall to see what sticks.

I think MSSPs are positioned to do this first. They'll prove it works based on the level of service they want to deliver. They know what inputs they need because they're measuring everything. Once they have it working, enterprises will ask, "How are they doing that?" and outsource to them. Kind of like we did 15 years ago with "outsource all the things."

The Human Problem AI Can Actually Solve

Ahmed Achchak: Given your experience leading massive SOC teams, what's one internal human problem that AI can help address? And can MSSPs package this as part of their value proposition?

Erik Bloch: Having measured everything across my last few organizations, I know what the pain points are. If you break down the work SOC teams do, on average it's about 50-50. Fifty percent is dealing with machine-based detections, alerts, and noise. The other 50% is human-based stuff: people clicking phishing report links, password resets, requesting SOC 2 reports.

The number one most effective thing we can use AI for is garbage phishing emails. That's the top bucket by time and volume that my last three SOCs have dealt with. This scales linearly. The more people you hire, the more reports you get. It never scales proportionally with your team size.

At Salesforce, that was half of what the SOC did: a never-ending stream of phishing and junk emails with people hitting the report button. Why can't AI take an email someone forwards, look at it, click the link, and determine if it's bad? Then take the next step: go into your email system, use the message ID to delete it from everyone's inbox, blacklist the address. All the manual processes we go through.

This would remove a massive burden and alleviate the repetitive work that burns people out. They're there to catch bad guys, not to keep clicking links to see if they're malicious. I want AI to do the dishes and laundry so I can paint and do art, not the other way around.
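The phishing-report workflow Erik sketches above, as an added example that is not part of the original interview: a Python triage routine that parses a user-reported email, inspects the sender and the embedded links statically (it fetches nothing, rather than "clicking the link" as described), and turns the disposition into the purge-by-Message-ID and block-sender steps. The sample email, the blocklisted and organization domains, and the credential-lure keyword list are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a user-reported email (an assumption, not from the page).
REPORTED_EMAIL = """\
From: "IT Support" <helpdesk@mail-portal.test>
Subject: Password reset required
Message-ID: <20240501.1234@mail-portal.test>

Your password expires today. Reset it here: http://corp-login.mail-portal.test/reset
"""

# Constructed reference data (assumptions): blocklisted domains and the org's own domains.
KNOWN_BAD_DOMAINS = {"mail-portal.test"}
ORG_DOMAINS = {"corp.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
CRED_WORDS = ("password", "reset", "verify", "account")


def is_under(host, domains):
    # True if host equals or is a subdomain of any domain in the set.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw, bad_domains=KNOWN_BAD_DOMAINS):
    """Parse a reported email, inspect sender and links statically, and return the disposition and actions."""
    msg = email.message_from_string(raw, policy=policy.default)
    message_id = str(msg["Message-ID"]).strip()
    sender = parseaddr(str(msg["From"]))[1]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    reasons = []
    if is_under(sender.rsplit("@", 1)[-1], bad_domains):
        reasons.append("sender domain is blocklisted")
    for host in hosts:
        if is_under(host, bad_domains):
            reasons.append(f"link to blocklisted domain {host}")
        elif not is_under(host, ORG_DOMAINS) and any(w in body.lower() for w in CRED_WORDS):
            reasons.append(f"credential lure linking off-domain to {host}")
    if any("blocklisted" in r for r in reasons):
        disposition = "malicious"  # auto-remediate the steps otherwise done by hand
        actions = [f"purge {message_id} from all mailboxes", f"block sender {sender}"]
    elif reasons:
        disposition = "suspicious"  # keep a human in the loop for lookalike lures
        actions = [f"route {message_id} to analyst queue"]
    else:
        disposition = "benign"
        actions = ["close report and notify reporter"]
    return {"message_id": message_id, "disposition": disposition, "reasons": reasons, "actions": actions}
```

Only the blocklist hit triggers automatic purge and block; a lure that merely looks like a credential phish is routed to an analyst so a false positive cannot delete legitimate mail fleet-wide.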

The Metrics That Matter

Ahmed Achchak: Let's get practical. If you had five million dollars to improve a SOC, what would you spend it on first?

Erik Bloch: Probably a vacation for everybody first. I know how hard they work and how little reward they get. After that tropical island week off, I'd bring in a program manager for an enterprise SOC.

SOCs usually don't have PMs because they're very process-focused. I need someone to examine what they're doing, wrap a metrics program around it, put processes in place. Once you have good metrics around team utilization, alert dispositions, workflow adherence, detection fidelity, development versus tuning time, you start identifying what's working and what's not.

Once you know that, you can manage the process. You can say, "I need to get rid of tool X, change process Y." But until you have insights into what's working, what's not working, or even what you're doing, nothing will change. I've done this in my last two roles, bringing in a PM to help measure things and wrap metrics around our processes. Then you can start making informed changes.

What do AI vendors keep overselling?

Ahmed Achchak: What's one thing AI vendors keep overselling that needs more work in real SOC environments?

Erik Bloch: When I was at RSA looking at AI SOC vendors, they were all selling the exciting use case. "We're going to catch Chinese APTs, do investigations, kick them out, find advanced malware." To me, how often are you going to deal with a Chinese APT? In 35 years, I've dealt with them three times, Russians twice. It doesn't happen that often.

It's a cool demo for RSA and investors, but it's not realistic. The mundane things are phishing emails, routing tickets, and answering questions. The actual true positives that get escalated to incidents are less than 5% of all SOC work by volume.

Chinese hackers don't attack you every day. Phishing hits you every day. DLP alerts hit you every day. That's not exciting, so they don't demo solving a thousand phishing emails at RSA. But that's the real problem that needs solving.

Conclusion

The conversation reveals a fundamental truth about AI in security operations: success isn't just about the technology. It's about understanding where and how to apply it. MSSPs, with their standardized processes and clear metrics, are positioned to prove AI's value first. Enterprise SOCs, despite their complexity challenges, can learn from this success but must first solve their process problems.

As Erik Bloch emphasizes, the real opportunity lies not in the glamorous use cases vendors love to showcase, but in eliminating the repetitive, low-value work that consumes half of every SOC analyst's time. For security leaders, the message is clear: before chasing the AI revolution, ensure you have the processes and metrics in place to make any transformation successful.

🎧 Listen to this episode on Spotify

🍏 Listen to this episode on Apple Podcasts
