{"id":16142,"date":"2026-04-27T09:06:04","date_gmt":"2026-04-27T09:06:04","guid":{"rendered":"https:\/\/newestek.com\/?p=16142"},"modified":"2026-04-27T09:06:04","modified_gmt":"2026-04-27T09:06:04","slug":"the-manager-of-agents-how-ai-evolves-the-soc-analyst-role","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16142","title":{"rendered":"The \u2018manager of agents\u2019: How AI evolves the SOC analyst role"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Every SOC analyst has heard it by now: \u201cAI is coming for your job\u201d.<\/p>\n

I hear it in conversations with SOC teams. I see it in the hesitation during evaluations. And increasingly, I feel it as a source of resistance \u2014 especially from the very people AI is supposed to help.<\/p>\n

But the reality is the opposite.<\/p>\n

Instead of eliminating the Tier 1 analyst role, AI is elevating it \u2014 from a job defined by repetitive tasks to one defined by judgment, oversight and decision-making. In short, it makes them more powerful as SOC commanders.<\/p>\n

The work was never the point<\/h2>\n

To understand what\u2019s changing, we need to be honest about the historical role of Tier 1 analysts.<\/p>\n

In a typical SOC<\/a>, a Tier 1 analyst might spend 20\u201330 minutes investigating a single phishing alert \u2014 pivoting across email logs, endpoint data and threat intelligence tools, validating signals and documenting findings. It\u2019s necessary work, but it\u2019s also highly repetitive and time-consuming.<\/p>\n

Modern security operations generate more data than humans can reasonably process. Investigating a single alert often requires pivoting across identity systems, endpoint telemetry, cloud logs and threat intelligence sources. Multiply that by hundreds or thousands of alerts per day, and you have a workload that is fundamentally misaligned with human capacity.<\/p>\n

More importantly, SOC analysts are too talented for this kind of non-human work. For years, we\u2019ve accepted this as the cost of doing business. AI changes that equation.<\/p>\n

From doing the work to directing it<\/h2>\n

What agentic AI introduces into the SOC is the ability to delegate.<\/p>\n

Instead of analysts manually gathering evidence and stitching together context, AI agents can now autonomously execute investigative steps: Querying systems, correlating signals and building evidence chains in real time. It doesn\u2019t remove the human from the process. It elevates them within it.<\/p>\n

The emerging model is one where analysts manage a system of agents \u2014 each responsible for a piece of the investigation \u2014 rather than performing each step themselves. The human role shifts from operator to orchestrator.<\/p>\n

What I consistently hear from security leaders isn\u2019t, \u201cI need my analysts to move faster.\u201d It\u2019s, \u201cI need my analysts to stop collecting data and start making decisions based on it.\u201d Those are fundamentally different problems. And the gap between them is where AI creates the most value.<\/p>\n

The rise of the \u2018manager of agents\u2019<\/h2>\n

This is where the Tier 1 role evolves \u2014 not disappears.<\/p>\n

In this new model, entry-level analysts are effectively managing a swarm of AI agents. They are responsible for reviewing investigations, validating conclusions and ensuring actions align with business context and risk tolerance.<\/p>\n

They are not \u201cin the loop\u201d<\/a>\u00a0for every step. They are \u201con the loop\u201d \u2014 overseeing outcomes rather than executing tasks.<\/p>\n

When analysts are forced to stay in the loop \u2014 checking every enrichment, every query, every intermediate step \u2014 they become a bottleneck. When they move on the loop, they can operate at scale, reviewing dozens or hundreds of investigations with the right level of oversight.<\/p>\n

This is how trust in AI is built: Not by asking humans to verify everything, but by giving them the visibility to verify anything.<\/p>\n

Transparency becomes the control plane. Analysts can see exactly what the AI did, how it reached a conclusion and where uncertainty exists. Over time, as accuracy proves out, they naturally increase their level of trust \u2014 just as they would with a new colleague joining the team.<\/p>\n

Why cybersecurity is different<\/h2>\n

The fear of job displacement is understandable. In many industries, AI is reducing the need for entry-level roles. Cybersecurity is one of the few domains where AI won\u2019t reduce work. It will expose how much work we\u2019ve been unable to do.<\/p>\n

The volume and complexity of threats are increasing faster than teams can scale. Attackers are already using AI to automate reconnaissance, generate code and accelerate exploitation<\/a>. Defenders don\u2019t have the option to sit this out.<\/p>\n

Threat hunting, detection engineering and control optimization have historically been under-resourced because teams were consumed by alert triage. When AI removes that burden, it creates much-needed capacity for analysts to do what they were trained to do. The work doesn\u2019t shrink. The right work finally gets done.<\/p>\n

A new baseline for entry-level talent<\/h2>\n

This shift also changes what we expect from entry-level analysts.<\/p>\n

Historically, Tier 1 roles were designed as places where analysts learned by doing repetitive tasks. That model no longer makes sense when those tasks can be automated.<\/p>\n

The baseline is moving toward understanding how AI systems operate: Interpreting their outputs, questioning their reasoning and guiding their behavior. Human-centric skills become more important, not less. Curiosity, critical thinking and the ability to connect disparate signals into a coherent narrative \u2014 these are the differentiators in an AI-driven SOC.<\/p>\n

We\u2019re already seeing organizations rethink how they hire for these roles<\/a>. There is less emphasis on credentials and more on how someone thinks and solves problems. When AI handles the mechanics, judgment is the job.<\/p>\n

Building trust that holds<\/h2>\n

If the future is so clear, why is there resistance? In most cases, it comes down to trust \u2014 and trust must be earned, not assumed.<\/p>\n

The deployments I\u2019ve seen fail share a common pattern: Organizations treat AI as a binary shift from no automation to full autonomy. That\u2019s not how security teams work, and it\u2019s not how they should be asked to work.<\/p>\n

What works is a progression. Start with limited, high-confidence use cases. Provide full transparency into how the system reaches its conclusions. Let analysts validate outcomes before expanding the scope. And critically, put practitioners in the room. Not implementation consultants or project managers, but people who have run SOC shifts, triaged thousands of alerts and earned credibility the hard way.<\/p>\n

This is why, when we deploy, we bring former SOC leads, threat hunters and detection engineers to work directly alongside analyst teams. They\u2019re not there to configure software. They\u2019re there to build trust in the system \u2014 because they\u2019ve already earned trust from the people using it. When analysts see that the people helping them deploy this technology have lived the same grind, the conversation changes. It stops being \u201cwill this replace me\u201d and starts being \u201chow do I use this well.\u201d<\/p>\n

That shift in orientation \u2014 from threat to tool \u2014 is what separates a successful deployment from one that stalls.<\/p>\n

The trust gap isn\u2019t a technology problem. It\u2019s a human one. And it closes the same way trust always closes: Through demonstrated competence, shared context and time.<\/p>\n

The future SOC is human-led<\/h2>\n

The end state here is not an autonomous SOC with no humans involved. It\u2019s a human-led SOC, powered by AI.<\/p>\n

AI agents handle the labor-intensive, evidence-gathering aspects of security operations. Humans provide direction, oversight and accountability. Together, they operate at a speed and scale neither could achieve alone. That\u2019s not a theory \u2014 it\u2019s what\u2019s happening in production environments today.<\/p>\n

Elevation, not elimination<\/h2>\n

The narrative that AI will eliminate Tier 1 analysts misses the point. The role isn\u2019t going away. It\u2019s being redefined.<\/p>\n

The analysts who succeed in this new environment will be those who can manage intelligence systems, interpret complex outputs and make high-quality decisions under uncertainty.<\/p>\n

They won\u2019t be replaced. They\u2019ll be promoted.<\/p>\n

This article is published as part of the Foundry Expert Contributor Network.<\/strong>
Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Every SOC analyst has heard it by now: \u201cAI is coming for your job\u201d. I hear it in conversations with SOC teams. I see it in the hesitation during evaluations. And increasingly, I feel it as a source of resistance \u2014 especially from the very people AI is supposed to help. But the reality is the opposite. Instead of eliminating the Tier 1 analyst role,… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16142","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16142"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16142\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}