Qevlar AI

Ahmed Achchak

The complexity of cyberattacks has grown, and Security Operations Centers (SOCs) are on the front lines. They face a continuously increasing volume of alerts, incidents, and potential threats. Amid this growing pressure, we need to take a critical look at how SOCs operate and where investments in automation can drive the most value.

As CEO, I’ve often seen the conversation around automation in security focus almost exclusively on remediation—automatically applying patches, isolating compromised systems, or rolling out fixes. That work is important, even crucial. But let's not forget where SOC teams spend the bulk of their time: investigation and analysis. Investigation is not only more frequent than remediation; it also requires more time and resources.

Investigation is the challenge—and automating it hasn't been possible until now

Remediation is critical, but it is usually not the primary bottleneck in the security process. By the time a remediation is needed, analysts have already invested significant time and effort in investigating the issue. In most SOCs, teams are inundated with alerts, many of which are false positives. These alerts must be examined, contextualised, and investigated before a remediation strategy can even be formulated. This is where the real efficiency loss happens: in the time-consuming, manual process of analysing and triaging these alerts.

Most SOC teams spend more time determining whether a threat is real than they do fixing the problem when it is. If we can automate significant portions of the investigation process, the result is a dramatic increase in operational efficiency, freeing up analysts to focus on more strategic tasks.


In the past, investigation hasn’t been a prime candidate for automation because older technologies, particularly SOAR tools, fell short. While SOARs perform well at automating playbooks and response actions, they struggle with the complex, nuanced work of investigating and correlating data accurately. Automating investigations with these tools often introduced risks, such as missed threats or escalated false positives.

But things have changed. Advances in AI and ML now enable automation of key investigative tasks, including:

  • Data correlation: Automatically pulling together relevant data from multiple sources to build a fuller picture of a potential threat.
  • Alert triage: Prioritising which alerts are most likely to represent real threats, helping analysts focus their time.
  • Anomaly detection: Identifying patterns that deviate from normal behaviour and signalling them for further analysis.

These capabilities transform the investigative process, speeding it up and allowing analysts to focus on high-priority threats.
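To make the three capabilities above concrete, here is an added example (not Qevlar's code or product logic) that runs a minimal automated-investigation pass over a handful of constructed alerts: it correlates alerts from different sources that hit the same host within a time window, flags a login-volume anomaly against a per-user baseline, and triages the resulting incidents with a score. The alert fields, the 30-minute window, the scoring weights and the z-score threshold are all assumptions chosen for illustration; a real SOC would tune them to its own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample alerts from three hypothetical sources (EDR, identity
# provider, firewall). None of this is real telemetry.
ALERTS = [
    {"id": "a1", "source": "edr", "host": "ws-17", "user": "jdoe",
     "ts": "2026-04-13T09:02:00", "kind": "suspicious_process", "severity": 3},
    {"id": "a2", "source": "idp", "host": "ws-17", "user": "jdoe",
     "ts": "2026-04-13T09:00:00", "kind": "login_new_country", "severity": 2},
    {"id": "a3", "source": "fw", "host": "ws-17", "user": None,
     "ts": "2026-04-13T09:05:00", "kind": "outbound_rare_port", "severity": 2},
    {"id": "a4", "source": "edr", "host": "ws-42", "user": "asmith",
     "ts": "2026-04-13T10:30:00", "kind": "av_quarantined", "severity": 1},
    # Same host as a4 but hours later, so it should NOT be merged with a4.
    {"id": "a5", "source": "fw", "host": "ws-42", "user": None,
     "ts": "2026-04-13T14:00:00", "kind": "outbound_rare_port", "severity": 2},
]

# Constructed baseline: daily login counts per user over the previous week,
# and today's count. Used for the anomaly-detection step.
LOGIN_BASELINE = {"jdoe": [2, 3, 2, 4, 3, 2, 3], "asmith": [5, 6, 5, 5, 6, 4, 5]}
TODAY_LOGINS = {"jdoe": 14, "asmith": 5}

WINDOW = timedelta(minutes=30)  # assumed correlation window


def correlate(alerts, window=WINDOW):
    """Data correlation: group alerts on the same host whose timestamps fall
    within `window` of the previous alert in the group."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        current = [items[0]]
        for a in items[1:]:
            prev_ts = datetime.fromisoformat(current[-1]["ts"])
            if datetime.fromisoformat(a["ts"]) - prev_ts <= window:
                current.append(a)
            else:
                incidents.append({"host": host, "alerts": current})
                current = [a]
        incidents.append({"host": host, "alerts": current})
    return incidents


def is_anomalous(value, history, z=3.0):
    """Anomaly detection: flag `value` if it sits more than `z` standard
    deviations above the mean of `history` (population std dev)."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return value > mu
    return (value - mu) / sigma > z


def triage(incident, today_logins=TODAY_LOGINS, baseline=LOGIN_BASELINE):
    """Alert triage: score an incident by summed severity, corroboration
    across independent sources, and any user whose login volume is anomalous."""
    alerts = incident["alerts"]
    score = sum(a["severity"] for a in alerts)
    sources = {a["source"] for a in alerts}
    score += 2 * (len(sources) - 1)  # assumed bonus per extra corroborating source
    users = {a["user"] for a in alerts if a["user"]}
    anomalous = sorted(
        u for u in users
        if u in baseline and is_anomalous(today_logins.get(u, 0), baseline[u])
    )
    score += 3 * len(anomalous)  # assumed weight for a behavioural anomaly
    priority = "high" if score >= 10 else "medium" if score >= 5 else "low"
    return {
        "host": incident["host"],
        "alert_ids": [a["id"] for a in alerts],
        "sources": sorted(sources),
        "anomalous_users": anomalous,
        "score": score,
        "priority": priority,
    }


def run_pipeline(alerts=ALERTS):
    """Correlate, triage and rank incidents so analysts see the strongest first."""
    return sorted((triage(i) for i in correlate(alerts)),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in run_pipeline():
        print(f"{r['priority']:6} score={r['score']:2} host={r['host']} "
              f"alerts={r['alert_ids']} sources={r['sources']} "
              f"anomalous_users={r['anomalous_users']}")
```

Running it yields one high-priority incident on `ws-17` (three corroborating sources plus an anomalous login spike for `jdoe`) and two separate low-priority incidents on `ws-42`, because the firewall alert arrives hours after the antivirus one and is not merged with it. The point is the shape of the workflow, not the weights: each stage produces an artefact (grouping, anomaly flag, score) that an analyst can inspect and override, which is how automation augments rather than replaces the human decision.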

Shifting focus to automated investigation, completed by humans

I believe that the future of SOC efficiency lies in automating investigation. When we invest in tools that streamline this part of the process, we reduce alert fatigue, improve decision-making, and reduce the detection-to-remediation cycle. By doing so, we also empower our security teams to focus on the most pressing, complex problems, rather than drowning in low-value tasks.


Of course, automating investigation doesn’t mean removing human insight from the equation. It’s important to recognise that while technology can significantly speed up and enhance the investigative process, skilled analysts are still needed to interpret findings, make final decisions, and manage incidents. Automation should augment their capabilities, not replace them.

The goal is to leverage the strengths of both automation and human expertise. Automated investigation can handle the heavy lifting of data processing and alert correlation, allowing analysts to focus on nuanced decision-making and high-level strategic work.

What's next?

In my view, the hesitancy around adopting new technologies, especially in security, often stems from the understandable concern of over-reliance on automation. But as the volume and complexity of threats increase, one must admit that our traditional approaches are unsustainable. Automating investigation isn’t just about keeping up; it’s about scaling security operations: ensuring they are resilient, adaptive, and prepared for the next generation of cyberattacks.

Security teams need to stay ahead of evolving threats—without sacrificing the critical human judgment that remains at the core of effective cybersecurity. It’s time to rethink where we apply automation in the SOC and recognise that investigation, not just remediation, is the key to driving true efficiency gains.

Updated on April 13, 2026
